Getting Ready for an Internal Audit – Cycle 2 A Review of Internal Controls.

Areas that will be reviewed…
I. Financial
A. Accounts Receivable
B. Cash Receipting & Petty Cash
C. Procurement
II. Human Resources
A. Employee Termination Process
III. Information Systems
A. Security Controls
B. Backup & Recovery
IV. General
A. Scholarship Award Process
B. Policies & Procedures
I. FINANCIAL
A. Accounts Receivable
B. Cash Receipting & Petty Cash
C. Procurement
A. Accounts Receivable
1. Monthly aging schedules or other adequate tracking methods must be used and documented to track past due accounts.
Amounts owed to departments should be monitored monthly.
Forgiving a debt is an impermissible donation, which is against the Mississippi Constitution (Article 4, Section 100).
Amounts owed (account balances) can be monitored using an accounts receivable (A/R) aging schedule.
Aging schedules can be prepared using accounting or spreadsheet software (e.g. QuickBooks, Excel).
What is an Accounts Receivable Aging Schedule?
An accounts receivable aging schedule is a list of all customers who are allowed to delay payment (i.e. charge items that they purchase from the department).
The schedule shows who owes money, how much, and how current their balance is.
Aging schedules are normally categorized as 0-30 days; 30-60 days; 60-90 days.
Accounts Receivable Aging Schedule
Customer balances are normally broken down into one of the following categories:
– Current: amounts where the payment date has not passed (e.g. sales made during the current month).
– 1 – 30 days: outstanding amounts where the payment date has passed by 1 – 30 days
– 31 – 60 days: outstanding amounts where the payment date has passed by 31 – 60 days
– 61 – 90 days: outstanding amounts where the payment date has passed by 61 – 90 days
– 90+ days: outstanding amounts where the payment date has passed by over 90 days
The schedule usually consists of 7 columns set up as follows:
– Column 1: Customer name
– Column 2: Total customer A/R amount (Current + 1-30 days + 31-60 days, etc.)
– Columns 3 – 7: Aging categories (Current, 1 – 30 days, 31 – 60, etc.)
Example of an Accounts Receivable Aging Schedule
Customer Name   Total A/R   Current   1-30 Days   31-60 Days   61-90 Days   Over 90 Days
                                       Past Due     Past Due     Past Due       Past Due
John Adams          1,600       300         500          500            -            300
Suzy Jones          2,800     2,800           -            -            -              -
Jim Davis           1,200     1,000           -            -          200              -
Tom Smith           1,600     1,100         500            -            -              -
Lucy Walters        2,000         -       1,600          400            -              -
Total               9,200     5,200       2,600          900          200            300
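As an added worked example (not part of the presentation), the following Python builds the seven-column schedule described above from open invoices and applies the first check an auditor makes on one: each customer's Total A/R must equal the sum of its aging buckets, and the Total row must equal the column sums. It implements the general bucketing algorithm rather than one row; the invoice dates and the `as_of` date are constructed so the figures reproduce the slide's sample schedule.

```python
"""Build an accounts receivable aging schedule from open invoices.

Added example, not from the audit presentation: it implements the
seven-column layout the slides describe (customer, total A/R, then the
Current / 1-30 / 31-60 / 61-90 / 90+ days past due buckets). The invoices
below are constructed to reproduce the slide's sample figures.
"""
from collections import defaultdict
from datetime import date

# Bucket labels in column order; the slides' "90+" bucket is open-ended.
BUCKETS = ("Current", "1-30", "31-60", "61-90", "90+")


def bucket_for(days_past_due: int) -> str:
    """Map days past the payment date onto the slide's aging categories."""
    if days_past_due <= 0:          # payment date has not passed yet
        return "Current"
    if days_past_due <= 30:
        return "1-30"
    if days_past_due <= 60:
        return "31-60"
    if days_past_due <= 90:
        return "61-90"
    return "90+"


def aging_schedule(invoices, as_of: date) -> dict:
    """Return {customer: {bucket: amount, ..., "Total": amount}} plus a
    "Total" row, i.e. the 7-column schedule from the slides.

    invoices: iterable of (customer, due_date, amount) tuples.
    """
    rows = defaultdict(lambda: dict.fromkeys(BUCKETS + ("Total",), 0))
    for customer, due, amount in invoices:
        bucket = bucket_for((as_of - due).days)
        rows[customer][bucket] += amount
        rows[customer]["Total"] += amount
    totals = dict.fromkeys(BUCKETS + ("Total",), 0)
    for row in rows.values():
        for key in totals:
            totals[key] += row[key]
    rows["Total"] = totals
    return dict(rows)


def schedule_is_consistent(schedule: dict) -> bool:
    """Audit check: every row's Total equals the sum of its aging buckets,
    and the Total row equals the sum of each column over the customers."""
    for row in schedule.values():
        if row["Total"] != sum(row[b] for b in BUCKETS):
            return False
    customers = [r for name, r in schedule.items() if name != "Total"]
    for key in BUCKETS + ("Total",):
        if schedule["Total"][key] != sum(r[key] for r in customers):
            return False
    return True


# Constructed invoices (amounts in dollars) chosen so the schedule as of
# 30 June matches the slide's example: e.g. John Adams owes 300 not yet due,
# 500 at 20 days, 500 at 46 days and 300 at 149 days past due.
AS_OF = date(2010, 6, 30)
SAMPLE_INVOICES = [
    ("John Adams", date(2010, 7, 15), 300),
    ("John Adams", date(2010, 6, 10), 500),
    ("John Adams", date(2010, 5, 15), 500),
    ("John Adams", date(2010, 2, 1), 300),
    ("Suzy Jones", date(2010, 7, 5), 2800),
    ("Jim Davis", date(2010, 7, 20), 1000),
    ("Jim Davis", date(2010, 4, 20), 200),     # 71 days past due
    ("Tom Smith", date(2010, 7, 1), 1100),
    ("Tom Smith", date(2010, 6, 25), 500),     # 5 days past due
    ("Lucy Walters", date(2010, 6, 5), 1600),  # 25 days past due
    ("Lucy Walters", date(2010, 5, 20), 400),  # 41 days past due
]

if __name__ == "__main__":
    sched = aging_schedule(SAMPLE_INVOICES, AS_OF)
    print(f"{'Customer':<14}{'Total A/R':>10}" + "".join(f"{b:>8}" for b in BUCKETS))
    for name, row in sched.items():
        print(f"{name:<14}{row['Total']:>10,}" + "".join(f"{row[b]:>8,}" for b in BUCKETS))
    print("consistent:", schedule_is_consistent(sched))
```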
A. Accounts Receivable
2. Documentation must exist to prove timely/routine attempts to collect past due accounts.
The department should follow up monthly on past due amounts:
– Letters
– Phone calls
– Email
Documentation
– Copies of letters and emails should be kept in the customer’s file
– Collection calls should be documented (e.g. who spoke with whom, summary of the conversation, date, time, etc.)
Retention
– Copies of letters, emails, or call documentation should be retained in the customer’s file.
– Documentation should be kept in the department for 7 years.
A. Accounts Receivable
3. Payroll deductions must be uploaded in a timely manner and monitored adequately.
Departments must monitor to ensure that funds are received from payroll deductions.
Departments should monitor for rejected charges resulting from mismatched names, incorrect IDs, etc.
Without monitoring, funds may not be received and services may continue to be provided without payment.
A. Accounts Receivable
4. Bursar accounts must be uploaded in a timely manner and adequately monitored.
Departments should monitor to ensure that funds due to the department are received.
Departments should monitor for rejected charges resulting from mismatched names, incorrect IDs, etc.
If problems are detected, they should be addressed immediately to ensure that problematic items are uploaded.
A. Accounts Receivable
5. Duties related to receiving funds, posting customer accounts, and reconciling must be adequately separated.
The same employee should not be responsible for receiving funds, writing receipts, preparing deposits, and updating accounts.
No single employee should have access to funds AND the ability to update accounts.
How We Test Accounts Receivable
Controls 1 & 2: Select 2 monthly aging schedules & select a sample of 5 customers from each schedule.
– Verify that the A/R aging schedule is correct
– Inspect files to see that collection follow-up is occurring
Control 3: Select a sample of 5 fees that should have been uploaded as payroll deductions.
– Verify that the fee uploaded correctly
– Verify that the fee uploaded timely
How We Test Accounts Receivable (continued)
Control 4: Select a sample of 5 fees that should have been uploaded as bursar charges.
– Verify that the fee uploaded correctly
– Verify that the fee uploaded timely
Control 5: Combination of interview and inspection of documentation during testing to determine if there is proper segregation of duties.
B. Cash Receipting & Petty Cash
1. Departmental cash receipting and petty cash procedures must be in accordance with university policy.
The forms used are:
(1) The University of Mississippi official receipt. Cash receipt books can be ordered on the Internal Audit website at the following link: http://www.olemiss.edu/depts/internal_audit/receiptbook1.htm
(2) The Cash Report, which can be found on the Internal Audit website at the following link: http://www.olemiss.edu/depts/internal_audit/cashreport.htm
Once accumulated funds have reached $100, a deposit should be made; however, deposits should be processed no less than weekly regardless of the amount of receipts.
B. Cash Receipting & Petty Cash
When a department receives funds (i.e. cash, checks or credit card payments), the following steps apply:
1. Checks received should be carefully examined for complete information. Specifically:
a. The amount, both numerical and written, must be accurate,
b. The payor’s proper signature must be included, and
c. Checks should be made payable to The University of Mississippi, as opposed to a department or individual.
If all information is correct, the check must be immediately endorsed with a restrictive endorsement. (Contact the Bursar’s Office for required restrictive endorsement information.)
2. An official university receipt must be prepared by the department and processed as follows:
University Cash Receipt Example
University Cash Receipt Example (Continued)
B. Cash Receipting & Petty Cash
a. The original copy (white) is given to the payor.
b. The second copy (yellow) is attached to the department’s copy of the cash report and maintained within the department.
c. The remaining copy (pink) is kept in the receipt book by the department for three fiscal years.
d. If an error is made when preparing a receipt, all copies should be marked “VOID”. The department should retain all three copies of the voided receipt in the receipt book.
Note: As illustrated above, cash receipts must be completed as follows:
– Department name
– Date, including the year
– Amount
– Payor’s name
– Detailed description of the source of revenue, to be completed in the “For” section of the cash receipt. The description should be adequate enough to enable the employee completing the Cash Report to know which account and G/L code should be used.
– Type of payment (i.e. cash, check, or other)
– Signature of person accepting the payment
3. The department completes the cash report:
University Cash Report Example
B. Cash Receipting & Petty Cash
a. All reports must be numbered consecutively beginning each fiscal year (July 1st) with the number 1.
b. The departmental name must appear on the form.
c. The report must reflect the beginning and ending dates in which all cash, checks or credit card payments are receipted. Note: Cash Report dates should match cash receipt dates and funds must be receipted when received.
d. The complete business area, general ledger number (BA-G/L No.), and profit center or short A/C Assignment number must appear on the form. Additional columns are available if funds are to be credited to multiple G/L numbers and profit centers/cost centers.
e. The report must reflect beginning and ending official receipt numbers corresponding to the funds to be deposited. Note: If a department uses multiple cash receipt books, the numbers from each series should be shown separately.
B. Cash Receipting & Petty Cash
f. Amounts must be totaled and recorded in the space provided (Total Receipts).
g. Total credit card amounts must be subtracted from Total Receipts and included in the space provided (Less Total Credit Card Amts).
h. The breakdown of the deposit (silver, currency, and/or checks) must be recorded in the space provided (Deposited as Follows). The total of the breakdown must equal Total Amount Deposited to Bursar.
i. Any overage or shortage (difference between Total to be Accounted For and Total Amount Deposited to Bursar) must be recorded in the space provided. Note: If an overage or shortage is reflected on the form, an explanation should also be noted.
j. Checks must be added twice and both adding machine tapes attached to the checks.
k. The report must be signed by the department head.
Note: The report should also be signed and dated by the preparer and counter, if separate from the preparer.
B. Cash Receipting & Petty Cash
4. On a weekly basis, or when total receipts reach $100, the department should deliver the cash report and all corresponding funds to the Bursar’s Office for the following steps:
a. The deposit is processed by the Bursar’s Office.
b. A Bursar’s receipt is given to the department to be filed with a copy of the cash report and corresponding yellow official receipts in the department.
c. The Bursar’s receipt number is recorded on the cash report.
d. The original cash report is filed in the Bursar’s Office.
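As an added example (not a university tool), the Python below encodes the reconciliation rules from steps 3(a), 3(e) and 3(f)–(k) as checks a department or auditor could run over a Cash Report before it goes to the Bursar, plus the consecutive-numbering rule across a fiscal-year boundary. The report field names and the two sample reports are assumptions constructed for the example; amounts are whole cents so the arithmetic is exact.

```python
"""Reconcile a departmental Cash Report using the rules from the audit slides.

Added example, not a university tool. The report field names ("receipts",
"deposited", "total_deposited", ...) are assumptions modelled on the form as
the slides describe it; the sample reports are constructed. Amounts are in
whole cents.
"""
from datetime import date


def fiscal_year(d: date) -> int:
    """Fiscal years start July 1; the FY is named by the calendar year it ends in."""
    return d.year + 1 if d.month >= 7 else d.year


def check_cash_report(report: dict) -> list:
    """Return a list of findings; an empty list means the report reconciles."""
    findings = []
    receipts = report["receipts"]
    total_receipts = sum(r["amount"] for r in receipts)            # (f) Total Receipts
    credit_card = sum(r["amount"] for r in receipts if r["method"] == "credit card")
    total_to_account_for = total_receipts - credit_card            # (g) less credit card

    # (h) Deposited as Follows: silver + currency + checks = Total Amount Deposited to Bursar
    breakdown = sum(report["deposited"].values())
    if breakdown != report["total_deposited"]:
        findings.append(f"deposit breakdown {breakdown} != total deposited {report['total_deposited']}")

    # (i) An overage or shortage must carry an explanation
    diff = total_to_account_for - report["total_deposited"]
    if diff != 0 and not report.get("overage_shortage_explanation"):
        kind = "shortage" if diff > 0 else "overage"
        findings.append(f"{kind} of {abs(diff)} cents recorded without an explanation")

    # (e) Beginning/ending official receipt numbers must match the receipts deposited
    numbers = sorted(r["number"] for r in receipts)
    if (report["receipt_begin"], report["receipt_end"]) != (numbers[0], numbers[-1]):
        findings.append("receipt number range on the report does not match the receipts listed")
    if numbers != list(range(numbers[0], numbers[-1] + 1)):
        findings.append("gap in official receipt numbers: confirm voided receipts are in the receipt book")

    # (k) Department head signature
    if not report.get("signed_by_department_head"):
        findings.append("report not signed by department head")
    return findings


def check_report_sequence(reports: list) -> list:
    """(a) Reports are numbered consecutively, restarting at 1 each July 1."""
    findings = []
    expected, fy = 1, None
    for rep in sorted(reports, key=lambda r: r["period_start"]):
        rep_fy = fiscal_year(rep["period_start"])
        if rep_fy != fy:                      # new fiscal year: numbering restarts
            fy, expected = rep_fy, 1
        if rep["number"] != expected:
            findings.append(f"report dated {rep['period_start']} is #{rep['number']}, expected #{expected}")
        expected = rep["number"] + 1
    return findings


# Constructed sample: $25.00 cash, $40.00 check, $15.00 credit card.
GOOD_REPORT = {
    "number": 1, "period_start": date(2010, 7, 1), "period_end": date(2010, 7, 7),
    "receipts": [
        {"number": 1001, "amount": 2500, "method": "cash"},
        {"number": 1002, "amount": 4000, "method": "check"},
        {"number": 1003, "amount": 1500, "method": "credit card"},
    ],
    "receipt_begin": 1001, "receipt_end": 1003,
    "deposited": {"silver": 0, "currency": 2500, "checks": 4000},
    "total_deposited": 6500,              # 8000 receipts less 1500 credit card
    "overage_shortage_explanation": "",
    "signed_by_department_head": True,
}

# Same receipts, but only $60.00 reached the Bursar, nobody explained why,
# and the department head has not signed.
SHORT_REPORT = dict(GOOD_REPORT, number=2, period_start=date(2010, 7, 8),
                    deposited={"silver": 0, "currency": 2000, "checks": 4000},
                    total_deposited=6000, signed_by_department_head=False)

# Numbering across a fiscal-year boundary: #3 is skipped, and the July 2011
# report correctly restarts at #1.
SAMPLE_SEQUENCE = [
    GOOD_REPORT, SHORT_REPORT,
    dict(GOOD_REPORT, number=4, period_start=date(2010, 7, 15)),
    dict(GOOD_REPORT, number=1, period_start=date(2011, 7, 5)),
]

if __name__ == "__main__":
    print("good report:", check_cash_report(GOOD_REPORT))
    print("short report:", check_cash_report(SHORT_REPORT))
    print("sequence:", check_report_sequence(SAMPLE_SEQUENCE))
```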
B. Cash Receipting
2. Funds must be adequately safeguarded.
Access to the funds should be restricted to a few individuals.
Funds should be kept in a secure location until deposited (e.g. lockbox, locked desk drawer, etc.).
B. Cash Receipting
3. Duties related to receipting, preparing deposits, and reconciliation of funds must be adequately separated.
The same employee should not receive funds, prepare the deposit, and reconcile.
One way to separate is to have the same employee receive funds and reconcile, and another employee prepare the deposit.
B. Cash Receipting
If a department receives a large volume of revenue, reconciliation should include performing a revenue trend analysis (e.g. monthly, quarterly, or annually). This should be performed by someone other than the employee responsible for receiving funds and preparing cash reports.
Petty Cash
When a petty cash custodian transfers or terminates from a department, a petty cash audit must be requested from Internal Audit and university records should be updated.
Petty cash funds on hand must equal the amount recorded in the university general ledger. The fund custodian is responsible for any shortages.
Cashing personal checks and IOUs or “borrowing” from petty cash for personal use is implicitly disallowed.
How We Test Cash Receipting
Control 1: Select 2 months of cash reports and select a sample of 5 from each month.
– Verify reports are consecutively numbered each fiscal year & numbers start over each July.
– Verify reports and receipt books are retained by the department for 3 years.
– Verify copies of Bursar receipts and the correct cash receipt copy are attached to the Cash Report.
– Review receipt books and verify receipt copies: white – payer, yellow – cash report, pink – stays in receipt book. Verify all three copies of voided receipts are in the receipt book.
– Verify deposits are recorded correctly and timely, and cash reports are filled out correctly.
– Verify checks are made payable to the University of Mississippi.
How We Test Cash Receipting (continued)
Control 2: Combination of interview and inspection to determine if funds are safeguarded.
Control 3: Combination of interview and inspection of documentation during testing to determine if there is proper segregation of duties.
Related University Policy
Cash Receipting and Reporting (Policy Code: ADM.AC.400.200)
Petty Cash (Policy Code: ADM.AC.400.100)
Sales Tax Liability
Departments must work with the Accounting Office to determine if revenue collected within the department requires the collection and reporting of sales tax.
If sales tax is required, departmental employees must implement proper procedures to ensure that sales tax is reported accurately and timely.
If sales tax is not collected and reported in a timely manner, the result could be monetary penalties to the University.
C. Procurement
1. Expenditures must be adequately documented to fully explain purchases.
A clear business purpose should be recorded for all P-card purchases, Request for Payments, Purchase Requisitions, Purchase Orders, and G/L Account Posting Document backup. This can be achieved in one of the following ways:
– Writing the business purpose on the document copy sent to Procurement
– Writing the business purpose on the document copy retained by the department
– Creating a spreadsheet maintained by the department that lists each expense and its business purpose
C. Procurement
2. Adequate documentation must be maintained to support fuel card expenditures.
Fuel receipts should be submitted to appropriate departmental personnel in a timely manner for reconciliation and submission to Procurement Services.
The UM Vehicle/Asset number should be noted on fuel receipts.
Fuel receipts and statements should be submitted to Procurement Services with Request for Payments.
Copies of fuel receipts, corresponding statements, and Request for Payments should be retained within the department.
Fuel related documentation (e.g. Request for Payment) must contain an adequate explanation of the business purpose of the expenditures.
There should not be any food or drink charges to the fuel card.
Did you know…
Fuel cannot be charged for personal use.
Only departments with university vehicles can apply for a departmental fuel card.
Fuel card applications must go through Shelley Morrison in Procurement Services.
Reconciliation of fuel charges can be delegated to other employees by the department head/signatory officer; however, the delegation should be included in the departmental policy and procedure manual.
Responsibility for reconciling fuel charges should not be delegated to employees purchasing fuel.
Signatory officers should review fuel reconciliations/receipts for reasonableness and appropriateness when approving/signing the Request for Payment.
Did you know…
Fuel cards should NOT be used in the Oxford area. Use the PPD Fueling Station instead.
The Fueling Station has fuel available 24/7. It operates by having an assigned fuel key, coded to a specific vehicle, with specific employee ID numbers that are approved to purchase fuel.
To use one of the fuel pumps, plug in your unique key and type in, on the pump’s key pad, the SAP employee number, the vehicle unit number, and the current mileage.
PPD produces a monthly fuel report for each vehicle that purchased fuel, which is sent to all users to place in the monthly IHL Vehicle Report compiled by Patti Mooney.
C. Procurement
3. Request for Payments must be signed/approved by signatory officers.
Employees cannot sign the signatory’s name on Request for Payments.
The signatory’s name cannot be stamped on Request for Payments.
C. Procurement
4. Documentation must be maintained to fully explain the purpose of purchases processed as interdepartmental charges (e.g. Inn at Ole Miss, Printing, etc.).
Examples:
Inn at Ole Miss
– Departments should have a copy of the G/L Account Posting Document and itemized charges for each room.
– Departments should note on the documents the business purpose for the individual’s stay.
Housing & Other Space Rental
– Departments should have an interdepartmental invoice or email request.
– A clear business purpose/explanation should be included with/attached to these documents.
Printing Services
– Departments should have a packing slip, quote, or email request.
– A clear business purpose should be included with/attached to these documents.
Ole Miss Express
– Departments should have an email/memorandum request with a clear explanation of the business purpose.
C. Procurement
5. Duties related to purchasing, approving, and reconciling must be adequately separated.
The same individual should not be purchasing, approving, and reconciling.
Someone other than the individual responsible for purchasing (e.g. processing purchase requisitions) should be receiving Purchasing Notification Reports.
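The segregation-of-duties rules stated across this presentation (Accounts Receivable Control 5, Cash Receipting Control 3, the fuel card reconciliation rule, and Procurement Control 5 above) can be checked mechanically against a department's role list. The following Python is an added example, not an audit office tool; the duty names and the sample department are assumptions, and a rule fires only when one person holds every duty in its set, which is how the slides phrase each rule and why the split they permit for cash receipting passes.

```python
"""Segregation-of-duties check over a department's role assignments.

Added example, not an audit office tool. SOD_RULES encodes the incompatible
duty combinations the slides name; the duty names and the sample department
below are assumptions constructed for the example.
"""

# Each rule: (description, set of duties that must not ALL sit with one person).
# The slides' permitted split for cash receipting (one employee receives funds
# and reconciles, another prepares the deposit) does not match any rule.
SOD_RULES = [
    ("A/R: access to funds and the ability to update customer accounts",
     {"receive_funds", "update_accounts"}),
    ("Cash receipting: receiving funds, preparing the deposit and reconciling",
     {"receive_funds", "prepare_deposit", "reconcile"}),
    ("Procurement: purchasing, approving and reconciling",
     {"purchase", "approve", "reconcile_purchases"}),
    ("Procurement: purchaser also receives the Purchasing Notification Reports",
     {"purchase", "receive_pnr"}),
    ("Fuel card: reconciler of fuel charges also purchases fuel",
     {"purchase_fuel", "reconcile_fuel"}),
]

# Every duty the rules know about; anything else in an assignment is a typo.
ALL_DUTIES = set().union(*(duties for _, duties in SOD_RULES))


def sod_conflicts(assignments: dict) -> list:
    """assignments: {employee: set of duties}. Return (employee, rule) pairs
    for every employee who holds all duties of an incompatible set."""
    conflicts = []
    for employee, duties in assignments.items():
        unknown = duties - ALL_DUTIES
        if unknown:
            raise ValueError(f"{employee}: unknown duties {sorted(unknown)}")
        for description, incompatible in SOD_RULES:
            if incompatible <= duties:
                conflicts.append((employee, description))
    return conflicts


def duty_holders(assignments: dict) -> dict:
    """Invert the assignment: {duty: sorted employees}, so an auditor can see
    at a glance who receives PNRs, who reconciles, and so on."""
    holders = {}
    for employee, duties in assignments.items():
        for duty in duties:
            holders.setdefault(duty, []).append(employee)
    return {duty: sorted(names) for duty, names in holders.items()}


# Constructed sample department (role names are assumptions).
SAMPLE_DEPARTMENT = {
    "clerk": {"receive_funds", "reconcile"},      # permitted split from the slides
    "assistant": {"prepare_deposit"},
    "buyer": {"purchase", "approve", "reconcile_purchases", "receive_pnr"},
    "department_head": {"approve", "reconcile_fuel"},
    "driver": {"purchase_fuel"},
}

if __name__ == "__main__":
    for employee, rule in sod_conflicts(SAMPLE_DEPARTMENT):
        print(f"CONFLICT {employee}: {rule}")
    for duty, names in sorted(duty_holders(SAMPLE_DEPARTMENT).items()):
        print(f"{duty:<20} {', '.join(names)}")
```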
How We Test Procurement
Control 1: Select a sample of P-card and Request for Payment expenses to see if adequate documentation exists.
Control 2: Select a sample of fuel card expenses to see if adequate documentation exists.
Control 3: Select a sample of Request for Payments and inspect documentation to verify if they were signed/approved by signatory officers.
How We Test Procurement (continued)
Control 4: Select a sample of interdepartmental charges (e.g. G/L documents) to see if adequate documentation exists.
Control 5: Check recipients of Purchasing Notification Reports (PNRs). (PNRs should be reviewed by appropriate personnel. Failure to contact the Office of Procurement Services within 2 business days will be interpreted as approval of these transactions.)
Related University Policy
Documentation of Financial Transactions (Policy Code: ADM.AC.200.200)
Use of Procurement Card (Policy Code: PUR.PC.107.002)
General Procurement Information:
Department heads are responsible for unallowable items paid, NOT Procurement Services.
Signatory officers are responsible for monitoring expenses submitted for payment to ensure compliance with university policy and state law. Monitoring includes determining if an expense is appropriate/allowable and if adequate documentation/explanation is provided.
Documents should not be submitted with the intent of Procurement Services’ personnel making this determination.
Departments are responsible for ensuring that appropriate/authorized signatures are recorded on all expenditure documents.
General Procurement Information:
Alcohol cannot be reimbursed with university funds. This must be clearly communicated to all departmental employees. To help ensure compliance, receipts/documents should be reviewed by the department head or his/her designee prior to submission for reimbursement.
Document examples:
– Receipts included with requests for reimbursement
– Receipts related to procurement card purchases
– Hotel bills related to university travel (e.g. mini bar charges)
II. HUMAN RESOURCES
A. Employee Termination Process (includes resignations or transfers to another department)
Related University Correspondence
An excerpt from the August 8, 2007 Chancellor’s email regarding the Mandatory Exit Checklist for Terminating/Transferring Employees:
“Effective immediately, the Employee Exit Checklist…must be completed and forwarded to Human Resources for all nonstudent employees terminating from or transferring within the University.”
A. Employee Termination Process
1. The University’s Employee Exit Checklist must be used consistently within the department.
Accounting (e.g. payroll) and security risks (e.g. network access) arise when the University is not aware of employees changing departments or leaving the University.
The Employee Exit Checklist must be completed anytime an employee terminates from the University or transfers departments within the University.
This form can be accessed through the Human Resources website.
Completed checklists must be forwarded to Human Resources.
A non-mandatory Student Exit Checklist is also available on the Human Resources website for departmental use. These should not be forwarded to Human Resources.
Employee Exit Checklist
Student Employee Exit Checklist
A. Employee Termination Process
2. The Accounting Office must be contacted to change signatory officers or recipients of Monthly Budget Statements.
Controls that rely solely on the automated emails sent by SAP (e.g. Budget Statements, Purchasing Notification Reports, etc.) will not be effective if accounting records are not updated.
Signatory officers must be updated anytime turnover occurs (e.g. a signatory officer terminates).
Signatory officers should be reviewed in SAP or on Monthly Budget Statements periodically for accuracy.
To request a change in signatory officer, email Ms. Nina Jones in the Accounting Office.
Maintain a copy of the request (e.g. the email) with the departmental copy of the Employee Exit Checklist.
How We Test Employee Termination
Controls 1 & 2: Select a sample of employees that have either transferred to a different department or have left the University.
- Verify that an Exit Checklist was completed for the employee.
- Verify that the employee was removed as signatory officer and/or recipient of budget statements and Purchasing Notification Reports.
Related University Policy
Terminal Interviews (Policy Code: HRO.EM.300.270)
III. INFORMATION SYSTEMS
A. Security Controls
B. Backup and Recovery
Remember these are applicable to both PCs and Macs!
A. Security Controls (Physical)
1. Adequate controls must be in place to secure sensitive data, as well as equipment, against theft or physical damage.
Physical access to servers maintained within the department should be restricted (e.g. they should be in an office or locked room).
Physical access to computers should be safeguarded against theft (e.g. laptops should not be left unattended when taken out of the office; computers should not be left in an unlocked area after hours, etc.).
More departments are now using external hard drives. These must have restricted access as well.
Server rooms should have a fire extinguisher. Contact PPD for the appropriate type.
A. Security Controls
It is recommended that departmental personnel determine if confidential data must be maintained on their computers; confidential data should not be maintained locally if it is accessible online (e.g. in SAP). Maintaining confidential data exposes the department and University to security breach risks.
According to the Mississippi Data Breach Notification Law, Miss. Code Ann. § 75-24-29, “A person who conducts business in this state shall disclose any breach of security to all affected individuals. The disclosure shall be made without unreasonable delay…”
In addition to the data described in the state law, other types of data, such as student grades and classified research, are considered confidential by the University and federal law.
A. Security Controls (Logical)
2. Access to university records must be adequately restricted through the use of unique user IDs and passwords.
Laptops, desktops, servers, SAP, other software programs (e.g. QuickBooks), etc. should require a unique user ID and password to log on.
User IDs and passwords should not be visually displayed.
User IDs and passwords should never be shared.
We recommend that computers be set to require a password once the screen saver appears (i.e. after the computer has remained dormant for a period of time).
A. Security Controls
3. The latest anti-virus software and operating system (OS) patches must be installed on all departmental computers and servers.
Viruses are costly to the University in terms of data loss, staff time to recover systems, and delay of important work.
Departments are responsible for purchasing virus protection software for all departmental machines.
Employees are responsible for:
– Updating virus protection software regularly
– Configuring machines to perform frequent (at least weekly) automatic full system scans
– Being careful when opening attachments
– Reporting all significant virus incidents to the IT Helpdesk
Windows 7 Auto OS Update Setting
Symantec Anti-Virus Full Scan Setting
A. Security Controls
4. Servers containing critical and confidential information must have a hardware firewall.
To help avoid unauthorized access to data by employees, hackers, etc.
To help reduce viruses/attacks on university systems.
Confidential information cannot be stored on external systems/servers (3rd party applications) unless contracts include certain provisions relating to confidential information (Section 11 of the Information Confidentiality/Security Policy).
A. Security Controls
5. Servers which contain confidential information or have open ports, and computers which contain confidential information, must be registered with the Campus Security Coordinator. (Departments can contact David Drewrey’s office to determine if the server has open ports.)
Vulnerability scans are performed on registered servers.
To register, log into the portal via http://my.olemiss.edu, then click the “Tools and Resources” tab at the top to get to the Server Registry.
The decision as to whether a machine has Critical or Non-Critical data will depend on each department and user.
How We Test Security Controls
Controls 1 – 3: Select a sample of computers (PCs and Macs) and servers (internal and external).
– Verify physical security by inspection and employee inquiry.
– Perform vulnerability scans to check for computers with high security risks.
– Verify the use of unique user IDs and passwords by inspection and employee inquiry.
– Verify the computer/server has adequate anti-virus, receives regular updates, etc.
Control 4: Verify that computers and servers with confidential information are protected by a firewall.
Control 5: Verify that appropriate computers and servers are registered with the Campus Security Coordinator.
Note: We will NEVER look at personal files while we are performing testing; we are only looking for security settings.
B. Backup and Recovery
1. Routine backup procedures must be established for departmental computers.
Specific departmental procedures, including how to back up and how often, should be documented in the departmental policies and procedures manual, which should be reviewed by all employees.
Backups should be scheduled to run automatically on a routine basis.
– We suggest that critical data be backed up daily and non-critical data be backed up weekly or semi-weekly.
– Automatic backups can be set up through the Windows Backup Utility, Mac Time Capsule, etc.
– We don’t recommend backups to a USB drive because they can be lost or stolen very easily.
A departmental employee should be assigned the responsibility for ensuring that adequate backups are performed.
A detailed recovery plan should be established and included in the policies and procedures manual.
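The employee assigned to ensure backups are performed needs a way to tell, per machine, whether the schedule above is actually being met. The following Python is an added example (not a university script) that reads constructed backup log lines and flags machines whose newest successful backup is older than the guideline, daily for critical data and weekly for non-critical data, as well as machines with only failed backups or none at all; the log format, host names and data classification are assumptions.

```python
"""Flag machines whose newest successful backup is too old for their data class.

Added example, not a university script. The slide's guideline is applied as:
critical data backed up within the last day, non-critical data within the
last week. The log format, host names and classification are constructed.
"""
import re
from datetime import datetime, timedelta

MAX_AGE = {"critical": timedelta(days=1), "non-critical": timedelta(days=7)}

# Constructed sample log: "<ISO timestamp> <host> backup <ok|FAILED>"
SAMPLE_LOG = """\
2012-03-05T23:00:00 fin-pc01 backup ok
2012-03-06T23:00:00 fin-pc01 backup ok
2012-03-06T23:00:00 fin-srv1 backup FAILED
2012-03-07T23:00:00 fin-srv1 backup FAILED
2012-02-27T22:00:00 fin-pc02 backup ok
2012-03-04T22:00:00 fin-pc03 backup ok
"""

# Constructed classification; the slides leave the critical / non-critical
# decision to each department and user.
SAMPLE_CLASSIFICATION = {
    "fin-srv1": "critical",
    "fin-pc01": "critical",
    "fin-pc02": "non-critical",
    "fin-pc03": "non-critical",
    "fin-pc04": "non-critical",   # inventoried but never appears in the log
}

# Point in time at which the check is run (constructed).
AS_OF = datetime(2012, 3, 8, 8, 0)

LINE_RE = re.compile(r"^(\S+) (\S+) backup (ok|FAILED)$")


def last_success(log: str) -> dict:
    """Parse the log; return {host: newest successful backup time, or None
    when the host only ever logged failures}."""
    newest = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # not a backup record; ignore
        stamp, host, status = m.groups()
        when = datetime.fromisoformat(stamp)
        newest.setdefault(host, None)
        if status == "ok" and (newest[host] is None or when > newest[host]):
            newest[host] = when
    return newest


def backup_findings(log: str, classification: dict, as_of: datetime) -> dict:
    """Return {host: finding} for every inventoried host that fails the
    guideline; hosts that meet it are omitted."""
    newest = last_success(log)
    findings = {}
    for host, data_class in classification.items():
        limit = MAX_AGE[data_class]
        if host not in newest:
            findings[host] = "no backup activity on record"
        elif newest[host] is None:
            findings[host] = "no successful backup (only failures logged)"
        elif as_of - newest[host] > limit:
            age = as_of - newest[host]
            findings[host] = (f"{data_class} data, last good backup "
                              f"{age.days} day(s) ago (limit {limit.days})")
    return findings


if __name__ == "__main__":
    for host, why in backup_findings(SAMPLE_LOG, SAMPLE_CLASSIFICATION, AS_OF).items():
        print(f"{host}: {why}")
```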
How We Test Backup and Recovery
Control 1: Select a sample of computers (PCs and Macs) and servers (internal).
– Verify that computers and servers are backed up appropriately based on the type of data they contain.
– Determine if backups are being performed manually or automatically by the system.
– If an external hard drive is used for backup, determine if it is kept physically secure.
Related University Policies
Anti-Virus Protection for UM Computers (Policy Code: ACA.IT.100.040)
IT Appropriate Use (Policy Code: ACA.IT.100.010)
Information Confidentiality/Security (Policy Code: ACA.IT.400.030)
General Information Regarding Information Systems:
All departmental SAP users, as well as any employee using and/or maintaining electronic confidential and/or critical data, should attend Security Awareness Training every two years.
Departments should track and document attendance for employees required to attend Security Awareness Training.
Confidential information should not be forwarded through email. Use the secure document exchange in myOleMiss.
IV. GENERAL
A. Scholarship Award Process
B. Policies and Procedures
A. Scholarship Award Process
1. The department must establish a formal process by which scholarship applicants are reviewed and selected.
The formal process should include:
– Documentation as to the funding source of scholarships (e.g. grants, departmental budget, etc.)
– Description of the application process
– Guidelines for awarding scholarships, including: minimum criteria, who decides the recipient and the amount of the award, and whether anyone is ineligible to receive the scholarship (e.g. family members of faculty or staff within the department)
– Having more than one individual involved in the selection process
– Maintaining good documentation, especially if family members of departmental personnel are awarded scholarships.
How We Test Scholarship Awards
Control 1: Select 5 scholarship recipients.
– Determine if the award process was documented, including the selection of each scholarship winner.
B. Policies and Procedures
1. Documented departmental policies and procedures must be established for areas under review.
Written departmental policies and procedures should be developed for all areas reviewed.
Within the departmental manual, include a list of university policies related to the department/areas so employees (especially new employees) are aware of them.
Periodically review university policies related to the department’s areas to help determine if changes or updates are needed to maintain compliance.
Personnel should be assigned to perform duties in the event of another employee’s absence.
Written departmental policies and procedures will help to ensure that data is recorded accurately, procedures are performed consistently, and new and backup personnel have the necessary information to help maintain continuity of operations.
How We Test Policies and Procedures
Control 1: Obtain the departmental policies and procedures manual.
– Review for all areas covered under our ICA audit.
– Determine whether the manual has been communicated to/reviewed by departmental employees.
– Determine whether there is documentation of communication to employees (e.g. email, signatures indicating review, etc.).
– Determine whether there is a process in place to update it annually.
QUESTIONS?