Common Recommendations for Common Audit Findings

General Cash Handling

• The unit should establish accountability for all forms of revenue received. This is typically done through the use of cash receipt logs, cash registers, or tickets.
• The unit should be depositing revenue received in a timely manner. University policy requires revenue be deposited whenever there is $1,000 on hand or a minimum of once a week.
• The unit should be reconciling all cash received to the deposit of those revenues. Any differences should be recognized as a cash over/short, and significant differences should be investigated and reported where appropriate.
• The unit should be documenting and reviewing higher risk transactions, such as approving cash register voids, transaction deletions, cash refunds, and discounts. These transactions should also be monitored independently.
• The unit should be using care in the preparation of Deposit Detail Reports to avoid making depositing errors to the wrong EFS chartstring.
• The unit should establish segregation of duties and cash handling controls (e.g., separation of duties between the person receiving/handling cash from the person who deposits the cash, and then having a separate person reconcile cash received to the deposit).

Specialized Revenue Situations

• The unit should be reconciling credit card revenues to WellsFargo and EFS to ensure all revenues have been collected.

Where applicable, these recommendations are in alignment with University Information Security Policy (please reference https:policy.umn.edu/it/securedata):

• The unit should establish processes around technology governance, coordination, and oversight for systems and/or services it manages.
• The unit should be establishing appropriate user administration / access management processes (e.g., documenting approvals to assign access, removing user access upon termination, formally periodically reviewing access).
• The unit should eliminate the use of shared accounts where possible.
• The unit should be utilizing two-factor authentication and/or meeting strong password requirements.
• The unit should ensure logs are secured, and formal access and activity monitoring processes exist.
• The unit should establish appropriate technology vendor management including: removing persistent and/or unmonitored access from vendors to University managed systems, and periodically evaluating software as a service (SaaS) vendors' security and control processes ideally through review of a 3^rd party attestation.
• The unit should be applying formal change management processes that ensure all changes are formally tested and approved by end users prior to implementation.
• The unit should create and regularly test formal backup and recovery procedures.
• The unit should establish vulnerability management and intrusion detection processes for its critical systems to ensure they are adequately secured from compromise.
• The unit should perform a gap analysis or request a University Information Security (UIS) risk assessment on its systems and/or applications designated as a high security level.

• The unit should ensure contracts are in place where appropriate to support external sales.
• The unit should be verifying sales tax collected and remitted are appropriate and accurate.
• The unit should establish policies and methodology for pricing of goods and services sold.
• The unit should be ensuring subsidies are reasonable and appropriate per University internal and external sales policies and procedures.
• The unit should be receiving approval of internal and external sales activities from the UMN Internal and External Sales Office.
• The unit should be completing the appropriate analysis to establish the proper billing rate.
• The unit should ensure there is a separate account for charges by an Internal Service Organization.

• The unit should be maintaining accurate and current inventory records.
• The unit should be performing periodic inventory counts and reconciling physical counts to perpetual inventory records.
• The unit should ensure physical inventory counts are verified by an independent person.
• The unit should report year end inventories to Accounting Services for inclusion in the University's financial statements.
• The unit should be maintaining adequate security over inventories and ensuring unnecessary personnel do not have access to inventories.
• The unit should establish inventory order quantities and re-order points with appropriate management input.

• The unit should establish an adequate separation of duties in the payroll function, including having different people verify and approve biweekly payroll verification reports.
• The unit should be reconciling departmental payroll records to amounts appearing on payroll verification reports.
• Appointment documents, pay rate changes, and all other payroll transactions should be adequately documented and approved.
• The unit should be monitoring to ensure applicable employees are completing the report of external professional activities (REPA and ROC) in order to ensure compliance with University policies.
• The unit should ensure vacation, comp, and sick leave records are adequately reviewed and approved and in compliance with University policies.
• The unit should be submitting payroll and HR information timely to payroll processors to avoid overpayments and other erroneous entries.
• The unit should ensure that payroll transactions utilize accurate earning codes.
• The unit should ensure there is adequate back-up capability to cover for the primary payroll processor when absent.
• The unit should be periodically reviewing HRMS access for appropriateness and business need.
• The unit should be monitoring unapproved absences and timeliness of time and absence submissions and approval.
• The unit should limit and review approvals made by Time and Absence Administrators or OHR.
• The unit should ensure proper completion of background checks when employees are hired, transferred, rehired, or working in a program involving minors (see Safety of Minors under Safety and Compliance for policy compliance).
• The unit should ensure I-9 compliance and timelines.

Purchasing

• The unit should be reviewing contracts for professional services to ensure they adequately describe service provided and are approved before services are performed.
• The unit should be monitoring purchasing card transactions to ensure appropriate use.
• The unit should be providing adequate review and approval of change orders and the related purchase order revisions.
• The unit should be establishing procedures to ensure University purchasing limits are complied with (e.g., to ensure P-Card purchases are not split up to avoid transaction limit, or that purchases exceeding the threshold go to bid).
• The unit should be completing the Price and Supplier Justification Form when required.
• The unit should ensure purchases not from U Market nor on a U-Wide Agreement that are over $50,000 are processed through Purchasing Services and utilize a competitive process to select a supplier.
• The unit should be tracking purchases made using blanket purchase orders to ensure compliance with contract terms and prices.
• The unit should ensure the proper mechanism was used for the purchase (e.g., if a purchase is allowable via P-Card or out-of-pocket vs.using a PO).
• The unit should ensure purchases made via non-PO process are appropriate/allowed (e.g., it is on the Non-PO related purchases list).
• The unit should ensure sales taxes are not paid on purchases unless the purchase is for an item in which the University's exempt sales does not apply (e.g., lodging, prepared food, candy, soft drinks, motor vehicles, waste disposal services, alcohol, airfare).

Disbursements

• The unit should ensure disbursements are supported by appropriate documentation and justification.
• The unit should establish procedures to ensure disbursement documents are processed timely.
• The unit should be monitoring disbursement documents to ensure they are classified correctly.
• The unit should be reviewing and approving disbursement documents at the appropriate level (one-up approval should be used in most cases).
• The unit should be reviewing hospitality, entertainment, business expenses, and fundraising expenses to ensure compliance with University policies.
• The unit should establish a procedure to consistently match invoices to purchase orders and receiving documents.
• The unit should ensure itemized receipts and guest lists are included when required.

(Includes Safety of Minors, Controlled Substances, Emergency Plans, and Labs)

Safety of Minors

• The unit should ensure programs for youth are registered on Youth Central.
• The unit should ensure the Safety of Minors online training is completed by all required program staff.
• The unit should ensure a health and safety training (program specific) is created and the training is completed by all required program staff.
• The unit should ensure background checks are completed before the program begins and renewed every 3 years for all required program staff.
• The unit should ensure a mechanism to track/monitor completion of policy requirements is maintained.

Controlled Substances

• The unit should ensure a lab safety plan exists for research labs.
• The unit should ensure compliance with University policies and federal regulations with regards to controlled substances (i.e., access to controlled substances is restricted and inventory securely stored, authorized users have signed the authorized user list, controlled substances purchase receipts are signed by the Registrant and stored with the Registrant, DEA 222 form is posted in the space with the controlled substances, and the Registrant performs a physical count of controlled substance inventory at least every two years).
• The unit should ensure authorized user logs are maintained and up to date.
• The unit should ensure inventories of controlled substances are maintained, and if there are substances present in a lab which are no longer intended for use, they should be properly disposed of. The holder of the controlled substances should perform a complete inventory once a year, and the results sent to the Registrant.

Emergency Plans

Units should be in contact with the U of M Department of Emergency Management (DEM) and/or Department of Environmental Health & Safety (DEHS) with any questions regarding Building Emergency Plans or Continuity of Operations Plans.

• If the unit is a critical operating unit, a Continuity of Operation Plan should be completed, employees should be trained on their roles and responsibilities, the plan should be reviewed and updated at least annually, and the plan should be periodically tested to confirm it works properly – all in alignment with University policy.
• Each building on campus should have a Building Emergency Plan completed, employees should be trained on their roles and responsibilities, the plan should be reviewed and updated annually, and the plan should be periodically tested to confirm it works properly – all in alignment with University policy. Units should work with the designated building contact(s). In order to complete the plan, each building should identify one representative from each department located in the building to participate in a working group that will complete the plan template.

Labs

• The unit should ensure that research labs are operating in a safe manner and in accordance with University and DEHS policies and procedures.

Health Insurance Portability and Accountability Act (HIPAA)

• The unit should take steps to ensure compliance with HIPAA and University requirements, including ensuring a business associate agreement (BAA) is in place with third party vendors and performing protected health information (PHI) view monitoring.

• The unit should ensure scholarship processes are documented.
• The unit should ensure deadlines are met.
• The unit should ensure rationale for scholarship selections are clearly documented.
• The unit should ensure scholarship criteria and donor intent are met by the recipient(s).
• The unit should implement quality assurance mechanisms to detect scholarships awarded in error.
• The unit should ensure recipients do not receive both a departmental scholarship and the Regents Scholarship.
• The unit should ensure colleges/departments are developing spending plans in order to distribute available funds for scholarships and fellowships.

(Includes Pre-Award, Effort and Salary, Award Management, Human Participants, Animals, and Clinical Trials)

Pre-Award

• The unit should ensure that all correspondence with sponsors follows the proper processes (i.e., requests for changes, extensions, approvals, etc. should first go to SPA before sending to sponsor).
• The unit should verify that sponsored project proposals are accurate and properly approved before submission.
• All proposals need to carry the standard IDC rate or have an authorized waiver from the Office for the Vice President of Research.
• The unit should develop cost sharing policies for the department or college, which include strategies to minimize the amount of required and voluntary cost sharing.
• The unit should establish procedures to analyze revenue for proper classification into the sponsored project, gift, and external sales categories.
• The unit should ensure that any expense for a sponsored project for which funding has not yet been received is charged to an approved pre-award account.
• The unit should ensure employees involved in sponsored project research have received the appropriate training prior to the start of the project.

Effort and Salary

• The unit should be monitoring committed effort levels to determine if they are in accordance with the terms of the grant/contract.
• The unit should be reviewing salaries to ensure adjustments are timely and appropriate.
• The unit should establish a process to ensure all researchers certify effort on their projects (PIs must certify a minimum 1% annually), effort statements are submitted timely, overload payments are not certified, and statements are properly approved.
• The unit should develop procedures to ensure salary for all faculty over the NIH salary cap is adjusted accurately.

Award Management

• The unit should ensure that all required employees file REPA and ROC forms in accordance with University policy and established deadlines.
• The unit should be reviewing expenditures on sponsored projects for allowability, allocability, appropriateness, authorization, proper justification or relation to the project and accurate coding.
• The unit should ensure the Fly America Act is complied with on sponsor funds. To comply with federal regulations, travel using federal project funds must use a U.S. flag air carrier if service provided by such a carrier is "available." This rule applies to air transportation to, from, between, or within a country other than the U.S.. See University policy for further details.
• The unit should establish procedures to ensure that all extensions, re-budgeting, and changes in principal investigators, key personnel, committed effort level, and work scope are approved by the agency when required.
• The unit should be documenting all committed cost sharing and matching funds by tracking expenses made for the benefit of the project but not directly charged to the project.
• The unit should be monitoring for technical and financial report deadlines to ensure they are submitted in accordance with the terms of the grant/contract.
• The unit should be monitoring fixed price contract accounts to ensure expenses are charged appropriately, deficits are taken care of, and accounts are closed on a timely basis.
• The unit should develop procedures to ensure timely communication of completion of projects to SFR for the preparation of final reports.

Human Participants

• The unit should ensure IRB approval for use of human participants is obtained and maintained throughout award.
• The unit should ensure the most recent IRB approved consent forms are utilized for human participants, participants are re-consented when necessary, and there is evidence of a consent conversation if possible.
• The unit should ensure consent forms were signed and dated by the participant and the person performing the consent process on the same day.
• The unit should ensure that the number of participants complies with the number approved by the IRB.
• The unit should ensure no procedures took place before consent was obtained.
• The unit should ensure there is a signed consent form for those participants between ages 8 (approximately) and 17.
• The unit should ensure that research subject payment vouchers are appropriately documented, controls to prevent fraud are appropriate and effective, and inventories are maintained, (i.e., gift cards, other incentives). 

Animals

• The unit should ensure IACUC approval is obtained for use of animal subjects.
• The unit should ensure purchases were in accordance with University policies (e.g., purchased from RAR, purchase was approved, and animals are the same species noted in the proposal or IACUC approval is given otherwise).

Clinical Trials

• The unit should ensure clinical trials are registered at Clinicaltrials.gov prior to work beginning.
• The unit should ensure reporting of adverse events and significant adverse events is complete and timely.

• The unit should ensure travel reimbursements are supported by appropriate documentation and are properly justified.
• The unit should be monitoring travel reimbursements to ensure they are accurate and comply with University regulations and policies (e.g., accurate per diem calculations, attached itemized receipts, currency conversions included, timely submissions).
• The unit should be reviewing trip return dates to ensure travelers submit their expenses timely (i.e. within 60 days of return).
• The unit should be monitoring spouse travel expenses to ensure they are reimbursed only when there is a documented bona fide business purpose.
• The unit should ensure international travel is registered with Global Programs and Strategic Alliance.