Internal Audit understands our responsibility as more than independent score keeper. Our success is tied to helping University management and its Information Systems units clearly understand their risk and effectively manage those risks. These recommendations are in alignment with University policies and procedures, where applicable.
Please click below for the most common recommendations for common audit findings in the following areas:
Accepting and Processing Revenue
General Cash Handling
- The unit should establish accountability for all forms of revenue received. This is typically done through the use of cash receipt logs, cash registers, or tickets.
- The unit should be depositing revenue received in a timely manner. University policy requires revenue be deposited whenever there is $1,000 on hand or a minimum of once a week, whichever comes first.
- The unit should be reconciling all cash received to the deposit of those revenues. Any differences should be recognized as a cash over/short, and significant differences should be investigated and reported where appropriate.
- The unit should be documenting and reviewing higher risk transactions, such as cash register voids, transaction deletions, cash refunds, and discounts. These transactions should also be monitored independently.
- The unit should establish segregation of duties and cash handling controls, including separating the person who receives/handles cash from the person who deposits it, and having a third person reconcile cash received to the deposit.
Specialized Revenue Situations
- The unit should be reconciling credit card revenues to Wells Fargo and PeopleSoft EFS to ensure all revenues due have been collected and credited to the appropriate chartfield string(s).
Information Systems
Where applicable, these recommendations are in alignment with the University Information Security Policy (please reference policy.umn.edu/it/securedata).
- The unit should establish processes around technology governance, coordination, and oversight for systems and/or services it manages, including defining IT roles and responsibilities and related support processes.
- The unit should perform a gap analysis or request a University Information Security (UIS) risk assessment on its systems and/or applications designated as a high security level.
- The unit should establish appropriate user administration/access management processes (e.g., documenting approvals to assign access, removing user access upon termination, and conducting formal periodic access and role reviews).
- Inappropriate or unnecessary access, including shared accounts and default/vendor accounts, should be removed or altered where possible.
- The unit should be utilizing two-factor authentication when required by University policy and/or meeting strong password requirements.
- The unit should develop and implement log management and monitoring processes, actively monitor for anomalies, document actions taken to remediate high-risk anomalies, and ensure formal access and activity monitoring processes exist.
- The unit should establish appropriate technology vendor management, including removing persistent and/or unmonitored vendor access to University-managed systems and periodically evaluating software as a service (SaaS) vendors' security and control processes, ideally through review of a third-party attestation (e.g., a SOC 2 report or similar).
- The unit should be applying formal change management processes that ensure all changes are formally tested and approved prior to implementation, proper segregation of duties exists, and formal test plans and results are documented at least for high-risk changes.
- The unit should develop and regularly test a business continuity plan and disaster recovery procedures.
- The unit should establish vulnerability management and intrusion detection processes for its critical systems including regularly scanning critical systems for vulnerabilities, remediating high-risk vulnerabilities, and assessing system configuration settings against best practices to ensure they are adequately secured from compromise.
Internal and External Sales
- The unit should ensure contracts are in place where appropriate to support external sales.
- The unit should be verifying sales tax collected and remitted are appropriate and accurate.
- Policies and methodology for the pricing of goods and services sold should be established and reviewed periodically.
- The unit should ensure subsidies are reasonable and appropriate per University internal and external sales policies and procedures.
- The unit should obtain approval of internal and external sales activities from the University’s Internal and External Sales Office in alignment with University policy. If there is a change in the scope of these activities, units are to submit an amendment to the Internal and External Sales Office. Amendments may include changes to compensation, additional services, or changes to the terms of the service agreement.
- The unit should be completing an analysis to establish the proper billing rate.
- A separate account for charges by an Internal Service Organization should be established.
Inventory
- The unit should maintain accurate and current inventory records that include all pertinent information (e.g., item description, count, unique identifier, location).
- The unit should be performing periodic inventory counts and reconciling physical counts to perpetual inventory records. Any discrepancies should be investigated and documented.
- The unit should ensure physical inventory counts are verified by an independent person (i.e., a separation of duties exists in the process).
- Processes for adjusting inventory (e.g., updating counts, deleting items) should be established, including approval to make adjustments and monitoring of adjustments to ensure they are reasonable and appropriately approved.
- The unit should report year-end inventories to Accounting Services for inclusion in the University's financial statements.
- The unit should be maintaining adequate security over inventories and ensuring unnecessary personnel do not have access to them.
- The unit should establish inventory order quantities and re-order points with appropriate management input.
- The unit should create a clear, documented process for the disposal of inventory items. This prevents inventory from being improperly taken or sold, ensuring accountability from acquisition to final disposition.
Payroll and HR Processing
- The unit should ensure proper completion of background checks when employees are hired, transferred, rehired, or working in a program involving minors (see Safety of Minors under Safety and Compliance for policy compliance).
- The unit should ensure I-9 compliance and timelines.
- The unit should establish an adequate separation of duties in the payroll function, including having different people verify and approve biweekly payroll verification reports.
- The unit should be reconciling departmental payroll records to amounts appearing on payroll verification reports.
- Appointment documents, pay rate changes, and all other payroll transactions should be adequately documented and approved.
- The unit should monitor to ensure applicable employees are completing the Report of External Professional Activities (REPA) and Request for Outside Commitment (ROC) in alignment with University policies.
- The unit should be submitting payroll and HR information timely to payroll processors to avoid overpayments and other erroneous entries.
- The unit should ensure that payroll transactions utilize accurate earning codes.
- The unit should ensure there is adequate back-up capability to cover for the primary payroll processor when absent.
- The unit should be periodically reviewing PeopleSoft HRMS access for appropriateness and business need.
- The unit should monitor unapproved absences and timeliness of time and absence submissions and approval.
- The unit should limit and review approvals made by Time and Absence Administrators or the Office of Human Resources.
Purchasing and Disbursements
Purchasing
- The unit should be reviewing contracts for professional services to ensure they adequately describe the service provided and are approved before services are performed.
- The unit should ensure proper reviews for IT software purchases are completed prior to purchase and renewal (e.g., University Information Security has performed a vendor risk assessment and the Office of the General Counsel has reviewed the contract).
- Purchasing card transactions should be monitored to ensure appropriate use.
- The unit should ensure purchase orders (PO) are created before the receipt of goods/services (e.g., PO is created first, then the invoice is received at a later date).
- The unit should be providing adequate review and approval of change orders and the related purchase order revisions.
- The unit should be establishing procedures to ensure University purchasing limits are complied with (e.g., to ensure PCard purchases are not split to avoid the transaction limit, or purchases that exceed the threshold go to bid).
- The unit should ensure PCards are given to only those with a business need, and PCards are deactivated when no longer needed.
- The unit should be completing the Price and Supplier Justification Form when required.
- The unit should ensure purchases over $50,000 that are neither from U Market nor on a U-Wide Agreement are processed through Purchasing Services and use a competitive process to select a supplier, unless an exception has been granted by Purchasing Services.
- The unit should be tracking purchases made using blanket purchase orders to ensure compliance with contract terms and prices.
- The unit should ensure the proper method was used for the purchase (e.g., U Market, PCard, PO).
- The unit should ensure purchases made via the non-purchase order process are appropriate/allowed (e.g., it is on the Non Purchase Order Related Payments list).
- The unit should ensure sales taxes are not paid on purchases unless the purchase is for an item to which the University's sales tax exemption does not apply (e.g., lodging, prepared food, candy, soft drinks, motor vehicles, waste disposal services, alcohol, airfare).
Disbursements
- The unit should ensure disbursements are supported by appropriate documentation and justification.
- The unit should establish procedures to ensure disbursement documents are processed timely.
- The unit should be monitoring disbursement documents to ensure they are classified correctly.
- The unit should be reviewing and approving disbursement documents at the appropriate level (one-up approval should be used in most cases).
- The unit should be reviewing hospitality, entertainment, business expenses, and fundraising expenses to ensure compliance with University policies.
- The unit should establish a procedure to consistently match invoices to purchase orders and receiving documents.
- The unit should ensure itemized receipts and guest lists are included when required.
- The unit should ensure gift cards of any amount provided to students are reported to Student Finance.
Safety and Compliance
Includes: Safety of Minors, Controlled Substances, Emergency Plans, and Labs
Safety of Minors
- Background checks should be completed before the program begins and renewed every 3 years thereafter for all required program staff.
- The unit should ensure the Safety of Minors online training is completed by all required program staff.
- The unit should ensure a health and safety training (program specific) is created and the training is completed by all required program staff.
- The unit should ensure that University approved waivers are used or if nonstandard waivers are used, the Office of the General Counsel has reviewed and approved them.
- The unit should ensure programs for youth are registered on Youth Central.
- The unit should ensure a mechanism to track/monitor completion of policy requirements is maintained.
Controlled Substances
- The unit should maintain detailed and accurate perpetual inventory records for all controlled substances including: conducting regular physical inventories to compare against perpetual records, documenting and investigating all discrepancies (over/shorts) and adjustments, and ensuring all records (e.g., disposition logs, authorized user lists, purchase receipts) are complete, up-to-date, and maintained for the required period.
- The unit should ensure compliance with University policies and federal regulations with regard to controlled substances (i.e., access to controlled substances is restricted and inventory is securely stored, authorized users have signed the authorized user list, controlled substances purchase receipts are signed and stored by the Registrant, the DEA 222 form is posted in the space with the controlled substances, and the Registrant performs a physical count of controlled substance inventory at least every two years).
Emergency Plans
- To minimize the risk and duration of service disruption following an interruption of operations, units should develop Emergency Plans. Units should conduct a Business Impact Analysis (BIA) to determine the scope of their Emergency Plan and consult with the University’s Department of Emergency Management (DEM) and/or Department of Environmental Health & Safety (DEHS) as needed.
- If the unit is a critical operating unit as defined by University policy, a Continuity of Operations Plan (COOP) is required. Employees should be trained on their roles and responsibilities, the plan should be reviewed and updated at least annually, and the plan should be periodically tested to confirm it works properly.
- Each building on campus should have a Building Emergency Plan completed, employees should be trained on their roles and responsibilities, the plan should be reviewed and updated annually, and the plan should be periodically tested to confirm it works properly.
Labs
- The unit should ensure that research labs are operating in a safe manner and in accordance with University and Department of Environmental Health & Safety (DEHS) policies and procedures.
- The unit should ensure a lab safety plan exists for research labs.
Health Insurance Portability and Accountability Act (HIPAA)
- The unit should take steps to ensure compliance with HIPAA and University requirements, including consulting with offices such as the Health Information Privacy and Security Office (HIPCO) and the Office of the General Counsel (OGC) to ensure Business Associate Agreements (BAAs) and contracts are in place and meet University requirements.
- The unit should implement protected health information (PHI) view monitoring to ensure records are accessed with a business need and review activity logs.
Managing Safety Risks
- The unit should work with Health, Safety and Risk Management to identify safety risks specific to their operations, ensure employees complete required training, and all other compliance requirements are met (e.g., having standard operating procedures up to date and readily available).
Academic Processes
Scholarships
- The unit should have documented procedures for awarding and managing scholarships that include key process steps and define roles and responsibilities.
- Documentation to demonstrate the justification and approval for scholarship decisions should be retained, including evidence of the decision-making process for all candidates. This documentation should be retained in accordance with the University’s Record Retention Schedule.
- The unit should ensure scholarship criteria and donor intent are aligned and met by the recipient(s).
- The unit should implement quality assurance mechanisms to detect scholarships awarded in error.
Admissions
- The unit should have documented admissions procedures that include key process steps and define roles and responsibilities.
- The unit should establish and document the criteria used for making admissions decisions, and a rationale for admissions decisions and the individual(s) that made the decision should be documented.
Tenure
- The unit should ensure they have current 7.12 statements in place (used to evaluate tenure candidates) and the statements have been appropriately approved.
Sabbaticals
- The unit should ensure that sabbaticals have documented approvals, required reporting has been submitted in Works, and monitoring and oversight processes are in place.
Program Reviews
- The unit should conduct periodic internal program reviews, and a program review schedule should be established to ensure academic program reviews remain current.
Sponsored Projects
Includes: Pre-Award, Effort and Salary, Award Management, Human Participants, Animals, and Clinical Trials
Pre-Award
- The unit should ensure that all correspondence with sponsors follows the proper processes (i.e., requests for changes, extensions, approvals, etc. should first go to Sponsored Projects Administration before sending them to the sponsor).
- The unit should verify that sponsored project proposals are accurate and properly approved before submission.
- All proposals need to carry the standard indirect cost rate or have an authorized waiver from the Research and Innovation Office.
- The unit should develop cost sharing policies for the department or college, which include strategies to minimize the amount required and voluntary cost sharing.
- The unit should establish procedures to analyze revenue for proper classification into the sponsored project, gift, and external sales categories. Clarification should be obtained from the University’s transaction classification group if needed.
- The unit should ensure that any expense for a sponsored project for which funding has not yet been received is charged to an approved pre-award account.
- The unit should ensure employees involved in sponsored project research have received the appropriate training prior to the start of the project.
Effort and Salary
- The unit should monitor committed effort levels to determine whether they are in accordance with the terms of the grant/contract and also consider any cost share requirements.
- The unit should be reviewing salaries to ensure adjustments are timely and appropriate.
- The unit should establish a process to ensure all researchers certify effort on their projects (i.e., principal investigators must certify a minimum 1% annually), effort statements are submitted timely, overload payments are not certified, and statements are properly approved.
- The unit should develop procedures to ensure salary for all faculty over the National Institutes of Health (NIH) salary cap is adjusted accurately.
Award Management
- The unit should ensure that all required employees file Report of External Professional Activities (REPA) and Request for Outside Commitment (ROC) forms in accordance with University policy and established deadlines.
- The unit should be reviewing expenditures on sponsored projects and subrecipient expenditures for allowability, allocability, appropriateness, authorization, proper justification or relation to the project, and accurate coding.
- The unit should ensure the Fly America Act is complied with on sponsor funds. To comply with federal regulations, travel using federal project funds must use a U.S. flag air carrier if service provided by such a carrier is "available." This rule applies to air transportation to, from, between, or within a country other than the U.S.
- The unit should establish procedures to ensure that all extensions, re-budgeting, and changes in principal investigators, key personnel, committed effort level, and work scope are approved by the agency when required.
- The unit should be documenting all committed cost sharing and matching funds by tracking expenses made for the benefit of the project but not directly charged to the project.
- The unit should be monitoring for technical and financial report deadlines to ensure they are submitted in accordance with the terms of the grant/contract.
- The unit should be monitoring fixed price contract accounts to ensure expenses are charged appropriately, deficits are addressed, and accounts are closed on a timely basis.
- The unit should develop procedures to ensure timely communication of completion of projects to Sponsored Financial Reporting (SFR) for the preparation of final reports.
Human Participants
- The unit should ensure Institutional Review Board (IRB) approval for use of human participants is obtained and maintained throughout the award.
- The unit should ensure the most recent IRB approved consent forms are utilized for human participants, participants are re-consented when necessary, and there is evidence of a consent conversation if possible.
- The unit should ensure consent forms were signed and dated by the participant and the person performing the consent process on the same day.
- The unit should ensure that the number of participants complies with the number approved by the IRB.
- The unit should ensure no procedures occurred before consent was obtained.
- The unit should ensure there is a signed consent form for those participants between ages 8 (approximately) and 17.
- The unit should ensure that research subject payment vouchers are appropriately documented, controls to prevent fraud are appropriate and effective, and inventories of incentives (e.g., gift cards, other incentives) are maintained.
Animals
- The unit should ensure Institutional Animal Care and Use Committee (IACUC) approval is obtained for use of animal subjects.
- The unit should ensure purchases were in accordance with University policies (e.g., purchased from Research Animal Resources (RAR), purchase was approved, and animals are the same species noted in the proposal or IACUC approval is given otherwise).
Clinical Trials
- The unit should ensure clinical trials are registered at Clinicaltrials.gov prior to work beginning.
- The unit should ensure reporting of adverse events and significant adverse events is complete and timely.
Travel
- The unit should ensure travel reimbursements are supported by sufficient documentation and are properly justified.
- The unit should monitor travel reimbursements to ensure they are accurate and comply with University regulations and policies (e.g., accurate per diem calculations, attached itemized receipts, timely submissions).
- The unit should be reviewing trip return dates to ensure travelers submit their expenses timely (i.e., within 60 days of return).
- The unit should ensure that personal travel is appropriately documented when combined with business travel.
- The unit should ensure international travel is registered with Global Programs and Strategy Alliance.