The University of Memphis

Preventing Fraud, Waste, or Abuse of University Resources



POLICIES

Issued:  July 7, 2016
Responsible Official:  President
Responsible Office:  Internal Audit

Policy Statement


Policy Statement

University officers, members of management, and all other employees have a responsibility to help prevent fraud, waste, or abuse of University resources. In particular, management at all levels is responsible for designing and implementing internal controls for the purpose of preventing irregularities of all kinds, including fraud, waste, or abuse.  University officers, managers, employees, contractors, vendors, students, and others are responsible for behaving in an ethical and honest manner.  University officers and members of management are also responsible for maintaining a work environment that generally promotes ethical and honest behavior.



Purpose


  To describe the role of officers, managers, and all other employees in helping to prevent fraud, waste, or abuse of University resources.


Definitions


Fraud

Fraud– An intentional deception that violates a law or the public trust for personal benefit or the benefit of others.


Waste

Waste – Behavior involving the extravagant, careless, or needless use of government funds, property, and/or personnel.


Abuse

 Abuse – Behavior involving the use of government funds or property that a prudent person would not consider reasonable and necessary business practice given the facts and circumstances.

 

Definitions are from the Office of the Tennessee Comptroller of the Treasury.


Internal Controls

Processes carried out by an entity’s management and other personnel designed to provide reasonable assurance that:

  • Cash, equipment, and other assets are safeguarded.
  • Operations are effective and efficient.
  • Financial reports are reliable.
  • Laws, regulations, and policies are complied with.

In accordance with the Tennessee Financial Integrity Act, University management is responsible for establishing adequate internal controls within the organization.  (TCA-9-8-101-102-103

LINK
Tennessee Department of Finance and Administration – Risk Management



Procedures


Creating Effective Internal Controls

The steps in creating effective internal controls are:

1)  Review the operational processes of the office, function, department, or division under consideration.

2)  Ascertain the potential risk of fraud, waste, or abuse inherent in each process.

3)  Make a list of actions included in the process (or actions that could be included) for the purpose of decreasing the inherent risk – these are the actual or potential internal controls.

4)  Assess whether there are internal controls that need to be improved or added to the process under consideration.

5)  Implement controls (or improvements to existing controls) that are judged to be most efficient and effective for decreasing the risk of fraud, waste, or abuse.

Most managers will find that their processes already contain a number of internal controls, but these controls should be reviewed for adequacy and effectiveness on a regular basis and improved as needed.

Some typical internal controls include, but are not limited to:

  • Adequate separation of duties between employees
  • Physical safeguards over cash or equipment
  • Documentation of transactions
  • Independent review and approval of transactions or other activities
  • Proper supervision over employees, processes, projects, or other functions
  • Independent validation of transactions for accuracy and completeness.

Some examples include,

  • All offices or departments that handle cash and receipts are required to follow the University’s cash handling guidelines.
  • All assets, which include equipment and computers must be controlled by department management in accordance with the procedures posted on the Finance Program Guide for Fixed Assets.
  • Department management is responsible for ensuring purchasing cards are handled in accordance with the information posted for the Purchasing Card Program.

The examples above and the information within the links contain many typical internal controls.


Maintaining an Ethical Work Environment

Management is responsible for maintaining a work environment that promotes ethical and honest behavior on the part of all employees, contractors, vendors, students, and others. To do so, management at all levels must behave ethically and communicate to employees and others that they are expected to behave ethically. Management must demonstrate through words and actions that unethical behavior will not be tolerated.

Management can further encourage and promote ethical behavior by taking steps to ensure a generally positive work environment. There are a variety of  practices that should be considered, though not all are applicable to every situation. Some common examples include:

  • Rewarding or recognizing appropriate behavior.
  • Engaging in a participatory style of management.
  • Clearly assigning job responsibilities.
  • Setting reasonable goals.
  • Providing training and promotional opportunities.

The Role of Internal Audit

University management has the primary responsibility for internal controls under the Tennessee Financial Integrity Act and the COSO Internal Controls Framework (Committee of Sponsoring Organizations of the Treadway Commission -2013 Internal Control-Integrated Framework). This “Framework” is also the basis used by the external auditors for evaluating internal controls for the University’s annual financial statement audit.

Internal Audit is responsible for assessing the adequacy and effectiveness of internal controls that are implemented by management and other personnel.  Internal Audit will often recommend control improvements as a result of this assessment. However, it is important that managers not wait for an Internal Audit before they take steps to review their internal controls.

Internal Audit will also, during an audit of a department or process, perform tests designed to detect fraud, waste, or abuse that may have already occurred. However, the primary responsibility for prompt detection, as well as prevention, belongs to management. Therefore, management should not rely solely on Internal Audits as a means of either preventing or detecting fraud, waste, or abuse.

Finally, Internal Audit serves in a consulting role. University officials, managers, or other employees who need additional guidance on identifying risks and implementing appropriate controls should contact Internal Audit at (901) 678-2125 or uom_audit@memphis.edu


External Audits

Other parties who take a strong interest in the University’s internal control system and actions to reduce the risk of fraud, waste, or abuse include the Tennessee Comptroller’s Office, Division of State Audit and federal, state and other entities that fund sponsored research. the Tennessee Board of Regents (TBR). The Division of State Audit within the Tennessee Comptroller’s Office performs an annual financial audit, part of the purpose of which is to determine the adequacy of the University’s internal controls under Generally Accepted Auditing Standards (GAAS) and Generally Accepted Government Auditing Standards (GAGAS). In addition, the University is included in the state-wide “Uniform Guidance” audit (aka “The Single Audit” and “The A-133 Audit”) by the State Auditors which reviews internal controls over federally funded programs and research. TBR does not perform audits but maintains an oversight role directly related to internal controls and audits. Finally, various University programs may be subject to audits or reviews by outside agencies or others based on the type of program, function, or funding.

 



FAQs


As a manager, why should I spend time implementing and maintaining good internal controls?

Though it takes time to ensure you have the right controls, once in place, good internal controls should operate smoothly and not greatly increase the amount of time spent accomplishing basic tasks. Additionally, having proper controls in place ultimately saves time by preventing irregularities that, if they occurred, would have to be researched and, in a worst-case scenario, could require an investigation, court proceedings, and interaction with the media.  Finally, as a manager, the University requires you to view the implementation, maintenance, and review of internal controls as an important part of your job.


Won’t my employees think I don’t trust them if I go around talking about fraud and implementing new controls?

Not if you present these topics in an appropriate way. Most employees understand that any organization must have standard operating procedures in place to protect its assets. In addition, good internal controls are a key part of a positive work environment and, if presented in the right way, will increase morale. Remember that the occurrence of fraud, waste, or abuse of assets is an extremely negative event that can adversely affect all employees – good internal controls help to keep this from occurring, and they demonstrate that you are concerned about what happens in your department.


Whom can I contact for more information?

The Chief Audit Executive at (901) 678-2125 or uom_audit@memphis.edu.


Links for additional information on internal controls

Internal Controls Framework – COSO

GAO Green Book – Internal Controls



Revision Dates


  UM1642 -- revised July 7, 2016
UM1642 -- issued January 7, 2011


Subject Areas:

Academic Finance General Human Resources Information Technology Research Student Affairs
      XX