Resources for Managers

Overview

For managers who want to assess the risks and internal controls in their area, below are some tools and guidance to help.

Internal risk assessment questions

Conducting an internal risk assessment enables managers to act proactively to reduce the chance of unwanted occurrences.  Some questions to ask include:

  • What can go wrong?
  • Where are we most vulnerable?
  • Where is our greatest exposure?
  • What types of transactions in our area pose the most risk?
  • Do we have "liquid" assets or assets that have alternative uses?
  • How can someone bypass the internal controls?
  • What potential risk areas could cause adverse publicity?
  • Are there others in similar situations with whom we can benchmark?

When assessing risk, consider both quantitative and qualitative costs.

Quantitative costs tend to be numerical, measurable amounts.  Examples include:

  • Cost of property, equipment or inventory
  • Cash dollar loss
  • Damage and repair costs
  • Cost of defending a lawsuit

Qualitative costs can have wide-ranging implications, but they may be more difficult to measure.  Examples include:

  • Loss of public trust
  • Loss of future grants, gifts and donations 
  • Injury to the school's reputation 
  • Increased legislation 
  • Violation of laws 
  • Default on a project 
  • Bad publicity 
  • Decreased enrollment

Certain financial transaction types can also pose higher risks and benefit from additional review, such as:

  • Assets with alternative uses (e.g., computers)
  • Cash receipts (e.g., continuing education programs, gifts, endowments, special events, bookstore, athletic programs, performances)
  • Consultant payments and other payments for services
  • Travel expenditures
  • Scholarships
  • Payments to non-vendors
  • Equipment delivered directly to the department
  • Purchase exemptions (sole source)
  • Payroll (e.g., rates, changes, terminations)
  • Equipment on location
  • Software licensing issues
  • Intellectual property
  • Confidential information
  • Grants (e.g., meeting terms, not overspending)

Internal control questionnaires (ICQs)

During the course of a departmental audit, Audit & Advisory Services may send department managers an internal control questionnaire (ICQ) for purposes of obtaining information and evaluating business processes. Departments can use the same technique to do a self-evaluation; the goal of the questionnaire is to answer the question, "How do I know that [x] is happening [or going to happen]?" 

An ICQ sample document with general questions is available here; for more specifically tailored ICQs, please contact Audit & Advisory Services.


Separation of duties

Separation of duties is a key control for ensuring that departmental transactions reflect appropriate University business. It ensures that no individual employee can complete a significant business transaction in its entirety.

Essentially, no one person should be able to do all of the following:

  • Initiate a transaction
  • Approve a transaction 
  • Record a transaction 
  • Reconcile balances 
  • Handle assets 
  • Review reports

Specific examples of separation of duties include:

  • The person who requisitions the purchase of goods or services should not be the person who approves the purchase. 
  • The person who approves the purchase of goods or services should not be the person who reconciles the monthly financial reports. 
  • The person who approves the purchase of goods or services should not be able to obtain custody of checks. 
  • The person who maintains and reconciles the accounting records should not be able to obtain custody of checks. 
  • The person who opens the mail and prepares a listing of checks received should not be the person who makes the deposit.
  • The person who opens the mail and prepares a listing of checks received should not be the person who maintains the accounts receivable accounting records.