Introduction
This Internal Control Questionnaire (ICQ) is designed to assist Institute DLCs in performing a self review of controls over financial systems and activities. While not intended to assess every activity performed by a DLC, the ICQ is intended to focus on core activities including financial management, cash receipts, purchasing and accounts payable, travel, payroll and personnel, computer operations, gifts, accounts receivable and sponsored research. In addition, there are questions relating to the overall control consciousness of the DLC and the quality of financial information and communications. We recognize that not all of these questions will be applicable to all DLCs. Since the questionnaire covers several activities, we encourage users to have several members of their staff participate in this review. The questions have been designed so that each "no" response indicates an area of potential weakness. Negative responses to questions that refer to policies and procedures covered by the Financial Review and Control Guidelines may call for immediate action. Negative responses to other questions may merit attention, but not necessarily action, depending on the significance and the perceived risk involved. DLCs are not expected to be able to answer "yes" to every item. We encourage all DLCs to complete the ICQ. If you have any questions, please contact your Financial Dean or the Audit Division at 3-4136.
The Financial Review and Control Team
Control Environment
1. DLC management should clearly communicate its high expectation regarding integrity, ethical values, and full compliance with laws, regulations, and policies to all employees within the DLC.
2. The DLC's organizational structure should be clearly defined, with clear lines of communication within the DLC, between the DLC and MIT central administration, and between the DLC and Deans.
3. The Institute's human resource policies should be clearly communicated to all employees. All new employees attend MIT's orientation program. Personnel should have the knowledge and skills required for their positions and be encouraged to attend job related training programs. Job descriptions should be accurate and up to date, including all major expectations. Employees are cross-trained within the DLC.
Information and Communication
1. Periodic staff meetings should be held to ensure personnel receive information regarding legislation, regulatory developments, economic changes, or similar external factors that may affect the DLC on a timely basis.
2. Trust between employees, supervisors, and other DLCs should be actively promoted, emerging information needs should be identified, and employees should be encouraged to provide recommendations for improving operations.
3. Clear and understandable financial information about your DLC's operations should be identified and provided to appropriate individuals on a timely basis.
Budgets and Physical Security
1. A budget process should be developed involving key members of DLC management. Budgets should incorporate long-range financial plans, and provide a reasonable level of detail to allow meaningful analysis (e.g., by G/L Account, Cost Object, etc.).
2. Actual income and expenditures should be monitored against budget on a monthly basis, with significant variances identified and reported to management.
Authorizations
1. Review the number and scope of authorized signers on a periodic basis and reminded them of their responsibilities. Promptly delete authorization of signers when employment is terminated.
2. Standards should be established for approval of "exception items" such as large dollar or unusual transactions. Cost Objects should be reviewed annually for usefulness and closed when no longer needed. Procedures should be established to follow up and resolve errors noted in reports on a timely basis.
Charges to Other DLCs
If the DLC charges users for services provided, a proper basis for determining prices should be established and adequate documentation maintained.
Petty Cash Funds
Petty cash funds should be maintained in a secure location such as a locked drawer or file cabinet and detailed records maintained to document disbursements from petty cash funds.
Records Retention
MIT record retention policies should be followed at all times.
Cash Receipts
1. The following duties should be distributed among different individuals: receiving cash or checks, preparing credit vouchers, and review of the monthly DTRs.
2. All checks should be endorsed "For Deposit Only" immediately upon receipt. Detailed records of all of cash and checks received should be maintained and cash and check receipts should be sent to the Cashier for deposit on a daily basis, or a dollar threshold should be established above which cash deposits are made at the end of the day. All cash and checks should be safeguarded in a locked area prior to deposit.
3. Copies of Institute credit vouchers should be retained in a sequential or other logical manner.
4. Tickets issued for an event in exchange for cash and checks should be pre-numbered, maintained in a secure location, and reconciled to cash or checks received.
5. Detail records of cash and checks received should be reconciled to the DTR each month by an individual who does not accept cash or checks and reviewed by a supervisor.
6. Cash and checks should be reconcilied to the DTR.
Purchasing and Accounts Payable
1. The following duties should be distributed among different individuals: requisitioning goods and services, receiving goods, preparing payment vouchers, approving payment vouchers and reconciling to the DTR. Receiving reports should be signed by the individual receiving goods and maintained by the DLC as the document of record.
2. Competitive bids must be obtained for large dollar purchases and DLCs should purchase from MIT partner vendors (VWR, Office Depot, NECX, and BOC Gases) whenever possible.
3. Are there controls to prevent double payment of invoices such as not paying vendor statements or invoice copies and researching old invoices to ensue they were not already paid?
4. Purchasers should be made aware that sales tax charged by vendors should not be paid (the Institute is exempt from Massachusetts state sales tax).
5. The use of Requests for Payment (RFPs) should be limited to unusual circumstances.
6. Authorized signers should ensure that personal expenditures are not being made with DLC funds.
7. Purchasing activity appearing each month on the DTR should be reviewed by someone independent of purchasing or receiving and errors noted should be researched and corrected on a timely basis.
Travel
1. To ensure the DLC has taken advantage of negotiated discount terms such as airfare, MIT Travel-authorized agencies should be used exclusively for airfare, hotels, and rental cars.
2. A supervisor should review and approve travel advance requests to ensure they are necessary and reasonable.
3. Expense reports should also be reviewed and approved by an authorized signer. Authorized signers (subordinates) should be prohibited from approving expense reports for their superiors.
4. Authorized signers should also ensure that travelers are not reimbursed for expenses previously paid with DLC funds or paid separately by sponsors.
Payroll and Personnel
1. The following duties should be distributed among different individuals: hiring, firing, payroll processing, check distribution, and reconciliation of payroll charges to the DTR.
2. Is access to payroll records and confidential files restricted to authorized personnel?
3. For weekly employees, does the immediate supervisor review time sheets for accuracy and completeness and sign them before processing?
4. For casual employees, are hours and length of stay monitored to ensure they do not exceed Institute maximum limits? In accordance with Personnel Policy, casual employees are limited to 17.5 hours per week unless they are (a) hired for a period not to exceed three months or (b) hired to replace a regular employee who is temporarily absent for a period of time.
5. For College Work Study students, are earnings monitored by the DLC to ensure they do not exceed their award?
6. Are DACCAs reviewed and signed by a supervisor with first-hand knowledge of the work performed before they are submitted to CAO?
7. Are monthly DTRs reviewed by a supervisor independent of payroll processing to ensure payroll charges are recorded properly?
8. Are any errors noted researched and corrected on a timely basis?
9. Are records of vacation, personal and sick time maintained, keeping track of each employee's actual and accrued amounts, and are annual limits adhered to?
10. Is payment of extra compensation properly documented and approved?
11. Are duties and roles of individuals employed by the DLC but not classified as employees reviewed to determine if they meet the definition of employee versus independent contractor?
12. Are there procedures to ensure recovery from terminating employees of keys, I.D. cards and other MIT property?
13. For individuals who physically receive pay checks, are the checks properly safeguarded prior to distribution?
Computer Operations
1. Are computers secured to the desk or located in a secure room?
2. Are offices containing computers secured during non-work hours?
3. Are computers located in areas free from dust and moisture?
4. Is a complete and accurate inventory of hardware and software maintained?
5. Are computers listed on insurance policies with the MIT Insurance Office?
6. Are all computers under warranty or a maintenance plan?
7. Are computers protected from unauthorized access by use of screen saver software requiring passwords?
8. Does DLC policy mandate password standards such as configuration, length and periodic change?
9. Has sensitive data been identified and additional security been placed on its access?
10. Are removable data media such as diskettes, tapes and CDs appropriately protected and stored in a secure area? Are they disposed of in a secure manner?
11. Have employees been instructed on how to use virus protection software?
12. Have critical data files been identified and are they periodically backed up and stored in a secure off site location?
13. Is there a tested backup and recovery procedure to protect daily work files?
14. Is there a written and tested disaster recovery plan?
15. Has a recent review been undertaken of application software in use to ensure software licensing and copyright provisions are not being violated?
Gifts and Endowments
See cash receipts section for questions relating to controlling checks received.
1. Does the DLC maintain a listing of gifts and endowments received from donors?
2. The Office of Resource Development (RD) requires DLCs send them original documentation from the donor, including restrictions as to the use of funds, before they can be processed. Is original documentation sent to RD?
3. Are copies of original documentation maintained at the DLC to substantiate the purpose and restriction of gifts and endowments?
4. Is the listing of gifts and endowments received reconciled to the DTR each month by an individual without cash handling responsibility?
5. Is the reconciliation referred to in question 4 reviewed by a supervisor?
6. Are any errors noted researched and corrected in a timely manner?
7. Are there controls to ensure restricted gifts and endowments are not classified as unrestricted, such as a review of general ledger account coding?
8. Are endowment and gift terms used as a reference when expenditures are made to ensure that terms and restriction are adhered to?
9. Are restricted accounts with deficit balances reviewed and are such situations resolved in a timely manner?
10. Are restricted accounts reviewed to determine if there are some with which the DLC can no longer comply due to changes in Institute, DLC, or research objectives?
Accounts Receivable
This section is applicable to DLCs that separately bill customers for goods shipped or services performed.
1. Are the following duties distributed among different individuals: preparing invoices, collecting and depositing cash and writing off uncollectable receivables?
2. Are invoices prenumbered and subsequently accounted for?
3. Is there a supervisory review to ensure bills are sent timely to customers for goods shipped or services performed?
4. Is an aged accounts receivable report generated and reviewed by a supervisor on a monthly basis?
5. Are there follow up procedures to ensure past due receivables are subsequently collected?
6. Are detail records reconciled to the general ledger?
7. Are errors noted researched and corrected on a timely basis?
Sponsored Research
1. Are supervisory reviews performed to ensure proposals are properly completed and approved before submission to the sponsor?
2. Is documentation on grant requirements, restrictions and budgets maintained by the DLC?
3. Are all expenditures approved by an authorized signer?
4. Are monthly DTRs reviewed to ensure all expenditures are proper and charged to the correct account?
5. Are monthly DACCAs for staff and administrative personnel reviewed and approved on a timely basis?
6. Are annual and summer Salary Certifications for faculty reviewed and approved on a timely basis?
7. Are cost transfers made on a timely basis and are they properly documented and approved?
8. Are costs related to the cost sharing portion of a sponsored research project properly identified, approved and reported?
9. If the DLC operates a "service center", are costs properly charged to users and is documentation maintained?
10. Does the DLC monitor sub recipient compliance with contractual and sponsor requirements?
11. Are sub recipient invoices reviewed against the budget for compliance?
12. Are periodic progress reports and financial status reports prepared and sent to sponsors on a timely basis?
13. Have faculty, staff and administrators received sponsored research training commensurate with their responsibilities?