REVENUE CYCLE

Internal Control Questions

Degree Of Risk
1.) Does adequate segregation of duties exist within your
VC
department between staff members responsible for
receiving, depositing and reconciling cash and checks?

2.) What is the minimum information required to review

the creditworthiness of

the Buyers?

MC

3.) Are billings reviewed and approved prior to billing

and/or recording?

MC

4.) Do changes to the prescribed billing amount require

the approval of an authorized individual?

VC

5.) If cash is accepted, are pre-numbered receipts used to

track payment?

vC

6.) Do tellers have their own vault cubicle or controlled

cash drawer in which to store their cash supply?

VC

7.) Is each tellers cash checked daily to an independent

control from the proof or accounting control department?

VC

8.) Is an individual cumulative over and short record

maintained for all persons handling cash, and does
management review the record?

VC

9.) Are checks photocopied or is a cash receipt log

maintained to create supporting documentation to which
you can reconcile deposits?

MC

10.) Are deposits of funds made on the next business

day?

VC

CONVERSION CYCLE
Internal Control Questions
Degree Of Risk
1.
Are production scheduled prepared by the
VC
production planning team?

2. Are bill of materials (BOM) prepared by the

production planning team?

3. Are route sheet prepared?

MC

4. Are work orders or production order drawn from

BOMs and route sheets?

VC

5. Does the company use move tickets?

VC

6. Does the company use material requisition?

VC

7. Are materials, as well as the machining and the

labor required to manufacture the product, applied in
compliance with the work order?

VC

8. Is there a way to confirm stage of production has

been completed?

VC

9. Do work center supervisors records and sends labor

time cost information?

VC

10. Are inventory controls present?

VC

11. Are raw materials updated by matching materials

requisitions and material return tickets?

12. Are finished goods updated using information from

work order from the last work center?

13. Is there an inventory model used?

VC

14. Are materials requisitions, excess materials

requisitions and materials return matched in the cost
accounting department?

15. Are job tickets and completed move tickets sent to

cost accounting department?

VC

16. Are deviations from standard usage accounted?

17. Is WIP account closed when goods are finished?

18. Is segregation of transaction authorization and

transaction processing observed?

VC

19. Is there separation in record keeping from asset

custody?

VC

20. Is there a supervisor assigned to oversee activities?

VC

21. Are access controls to physical product and

production process implemented?

VC

PURCHASES
Internal Control Question

Degree of Risk

1. Is the purchasing function separate VC

from accounting, receiving and payment
processing?

2. Does the organization obtain

competitive bids for items to be
purchased over specified amounts?

3. Are there procedures to obtain the

best possible price for items not subject
to competitive bidding requirements,
such as approved vendor lists and supply
item catalogs?

VC

4. Is the inventory level continually

monitored to assess when purchases are
needed?

5.

Are purchase requisitions:

a. Required for all purchases of

goods and services?

b. Approved by officials
designated to authorize
requisitions?

c. Pre-numbered and controlled?

VC

6.

Are purchase orders:

a. Pre-numbered and controlled?

b. Required for all non-exempt

purchases (exempt small items
purchased from petty cash)?

c. Prepared only on the basis of

purchase requisitions approved
by authorized persons?

VC

d. Compared to unencumbered
balances to avoid budget over
expenditure?

e. Approved by an authorized
individual?

7. Is the purchasing agent required to

obtain additional approval on purchase
orders above a stated amount?

8. Does the purchasing agent prepare

sufficient copies of PO to be used and
distributed to the respective
departments?

9. Are received goods inspected and

verified as to purchase order terms?

10. Does the receiving clerk use a blind

copy upon receipt of goods?

VC

11. Does the receiving clerk prepare

sufficient copies of receiving report?

12. Does the company set up liability

upon receipt of vendor invoices?

13. Are invoices reviewed or reconciled

with other source documents before
liability is set up?

MC

14. Is there a policy statement with

MC
regard to conflicts of interest, including
employee-vendor relationships?

REVENUE CYCLE

Issues/Process/Transactions
No one person should have complete control over the cash handling process.

In Ithaca College, proper segregation of duties is exercised to safeguard assets.

1. All persons accepting cash (ie. currency, checks, money orders) must be authorized to do so by the
Cashiering Services Office.

2. Departmental receipt logs must be maintained for the purpose of documenting a permanent record
of incoming cash, checks or money orders. The departmental supervisor is responsible for
reviewing the cash log on a regular basis and ensuring all cash receipts have been deposited to
the proper account.

3. At the end of each business day, a physical count of all cash and checks received must be completed
and those amounts must be reconciled to the receipt log. The receipt log must be signed and dated
by a departmental designee, other than the individual who performed the physical count and
reconciliation to the receipt log.

4. All deposits should be personally handed to the cashier.

The management must ensure that the cashhandling and recordkeeping functions be kept separate.
For smaller departments where separation of duties is impossible or impractical, the supervisory
personnel who do not handle cash should perform specific verification for reasonable and sound
internal controls.

An entity needs to do a background check on its buyers to know whether or not they have the capacity
to meet payments on time. Entities need to set up standards on the kind and amount of transactions
that potential clients with different financial capacities can enter into.

In universities, however, a different kind of background check is conducted. Donors and rich parents
aside, admissions to large universities are largely based on academic performance and potential.

In Yale University, for example, an applicants academic strength is the first consideration. The school
review grades, standardized test scores, and evaluations by a counselor and two teachers to determine
academic strength. The admissions committee then factors in student qualities such as motivation,
curiosity, energy, leadership ability, and distinctive talents.

In universities, threats in this area include

(1) tuition bills incorrectly prepared, and/or billings and other terms may be misstated,

(2) tuition bills may have occurred but may

not have been billed and/or recorded and

(3) Intentional errors or misappropriation of information could occur

In University of Arizona, accountability for tuition bills are the responsibility of the
Registrar/Student\Business Services (SBS) and may not be delegated to any other functional
area.

Where invoices are computer generated, SBS should ensure adequate controls exist over invoice
preparation.

All credit transactions should be included in the accounting records and should be approved by the
proper individuals.

In University of Arizona, all credit memos issued to students should be supported by documentation
and approved by Financial Services prior to issuance.

Also, credit memo transactions should be numerically controlled and accounted for periodically.
Credit memos should be pre-numbered where the integrity of sequencing is not computer controlled.

Unless documented, there is no way to trace the movement of money. A proper internal control entails
the documentation of every sale of goods or services with a cash register entry, a pre-numbered
receipt form, an invoice, etc. Customers are issued a duplicate.

In institutions like Ithaca College, whenever cash/check is received in person, an acceptable form of
receipt must be used:

1. Uniquely and consecutively prenumbered receipts, with a duplicate copy maintained as a

cash receipts log.

2. Dated cash log

3. Prenumbered tickets

4. Cash register tapes

5. Other documentation
In the University of Glasgow, a receipt must be issued for all cash received and a copy retained. The
receipt should be processed through the Cash Register, or issued manually and shall show

Date received
Name of the payee
Amount received
What the payment was for
Type of payment received ie cash, cheque, postal order, credit card, debit card

Unique receipt number

As much as possible, each cashier should start his/her shift with a new beginning cash balance and
his/her own cash drawer. If a register must be shared, it must have

sufficient controls to allow collections to be attributed to individual cashiers (e.g.,separate user IDs
and passwords to access the register).

In University of Wellington, the following guidelines in the storage of cash is implemented:

(a) During business hours all cash should be securely stored in a locked cash register, cash drawer, or
similar, with access restricted to authorised cash handling staff.

(b) For staff security, during business hours the amount of cash securely stored in a locked cash
register, cash drawer, or similar, should be monitored. Where necessary cash should be transferred
into a safe or similar for secure storage.

(c) Outside of business hours, all cash should be securely stored in a safe or similar, away from where
cash is typically handled. Cash should not be stored in an obvious place, such as in a locked cash
tin on the cashier counter.

Reconciliations should be completed by a specified individual who does not collect funds. If this is
not feasible within a department, someone outside of the collections process should review the
reconciliation.

Daily reconciliations should be performed by a specified individual, comparing the following:

the cash receipt records (e.g., cash register balancing records, prenumbered
receipts, and bank deposit slip, if applicable)

the completed Collections Report

Monthly reconciliation should be performed by a specified individual, comparing deposit information

to the Organization Detail Activity Report from Banner.

In University of Wellington, a daily cash balance is created. The cash collection point should create
a formal record of cash handling transactions at the close of each business day.

The daily balance must contain information on the following:

(i) the total physical cash received;

(ii) the total physical cash distributed;
(iii) a breakdown of the modes of cash received;

(iv) a breakdown of the modes of cash distributed;

(v) a reconciliation of physical cash received and distributed against the receipting system, regardless
of whether that system is manual or automated;

(vi) a breakdown of any difference between the physical cash balance against the cashier system cash
balance (referred to as a cash surplus or cash shortage); and

an explanation of any difference between the physical cash balance against the system cash balance.

The supervisor of the cashier department, together with someone from the accounting
department, counts the cash and reconciles it with the daily cash balance at the end of the day.

It is important that a record for overage and shortages be kept for cashiers to identify differences in
records and actual cash count. This would also identify patterns that will determine fraud perpetrators
in the cash receiving department.

In University of Houston, the following guidelines are followed:

A. Overages and Shortages of less than $20 on cash receipts are recorded to the departmental cost
center on the deposit journal using account 50015.

B. Departments must maintain a log of all overages/shortages which is recorded on Overage/Shortage

Report Form

C. Individual overages/shortages of $20 or more, or annual cumulative overages/shortages of $40 or

more, must be immediately reported to General Accounting and the Treasurers Office. Departments
with large cash handling operations may be permitted larger overage/shortage allowances with
permission from the Treasurer. The Treasurer will provide the names of these units/departments to
Internal Auditing.

To ensure proper documentation and transfer of accountability, records of transfer of assets is a must.

Ithaca College has the following rules regarding the deposit of cash by the cashier to the Cashiering
Services Office.

Cash Deposits Control

1. All deposits should be accompanied by a deposit slip. These forms can be found on the
Cashiering Services website and are also available at the Cashiering Services Office.

2. Deposits are to be made at the Cashiering Services Office window.

1. All deposits should be personally handed to the cashier.

2. Do not leave a deposit at an unattended window or on the counter if the cashier is

busy with another customer.

3. All cash deposits must be processed and a receipt generated while the depositor is
present.

3. Deposits should always be in a sealed envelope or locked bag.

4. A calculator tape listing the cash total for each denomination and each check along with a
grand total for each must accompany deposits.

5. Each check must include the Parnassus account number to be deposited into.

6. Do not group more than 100 checks together in a single deposit.

Cash Reconciliation Control

1. Upon completion of a deposit made at the Cashiering Services Office a receipt would have
been given to the depositor.

2. It is the responsibility of each department to reconcile all deposit receipts against their own
departmental receipt log and Parnassus account(s).

3. This reconciliation process should be done no less than once a month and approved by the
departmental supervisor.

When proper internal controls are existing and effective regarding the deposit or transfer of money
from the cashier to the bank or to another department, proper trail of the asset will be created. Thus,
creating a small, if not non-existent, window for theft or fraud.

Deposits are to be made in a timely manner to insure proper posting of accounts and to insure the
safety of funds.

In Northwestern University, all bank deposits are to be made at the Bursar's Office on the Evanston or
Chicago campuses unless alternate arrangements have been made in conjunction with the Bursar
Office for armored car service. Deposits may be made at the Chicago Bursar's Office, Monday Friday between 9 a.m. and 4 p.m. and at the Evanston Bursar's Office, Monday - Friday between 8:30
a.m. and 4 p.m.

Deposits must be routed directly from the department to the University Bursar. University funds for
deposit must never be taken off campus.

A chart is provided to guide department on the deposit of their income.

CUMULATIVE RECEIPTS

FREQUENCY OF DEPOSIT

UP TO $499.99

WITHIN 5 BUSINESS DAYS

$500.00 TO $4,999.99

WITHIN 2 BUSINESS DAYS

$5,000.00 TO $49,999.99

NEXT DAY

$50,000.00 OR MORE

SAME DAY

ANY SINGLE ITEM $250,000.00 OR MORE

SAME DAY/IMMEDIATELY (BURSAR WILL

PREPARE FOR IMMEDIATE BANK
DEPOSIT)

CONVERSION CYCLE
Issues/Process/Transactions
An example of transaction authorization control in the conversion cycle is the Production Schedule.
Production Schedule is the formal plan and authorization to begin production. This document
describes the specific products to be made, the quantities to be produced in each batch, and the
manufacturing timetable for starting and completing production. Bill of materials specifies the types
and quantities of the raw material and subassemblies used in producing a single unit of finished
product. The raw materials for an entire batch are determined by multiplying the BOM by the number
of items in the batch.

Route sheet shows the production path that a particular batch of product follows during
manufacturing. It is similar conceptually to a BOM. Whereas the BOM specifies material
requirements, the route sheet specifies the sequence of operations (machining or assembly) and the
standard time allocated to each task.

In the traditional manufacturing environment, production planning and control authorize the
production activity via a formal work order. This document reflects production requirements.

The work order or production order draws from BOMs and Route sheet to specify the material and
production (machining, assembly, and so on) for each batch. These, together with move tickets,
initiate the manufacturing process in the production departments.

Another example of Transaction Authorization control is Move Tickets. Move tickets record work
done in each work center. Move tickets signed by the supervisor in each authorize activities for each
batch and for the movement of products through the various work centers.

Material requisition authorizes the storekeeper to release materials (and subassemblies) to individuals
or work centers in the production process. This document usually specifies only standard quantities.
Materials needed in excess of standards amounts require separate requisitions that may be identified
explicitly as excess materials requisition. This allows for closer control over the production process
by highlighting excess materials usage. In some cases. Less than the standard amount of material is
used in production. When this happens, the work centers return the unused materials to the storeroom
accompanied by a materials return ticket.

Materials, as well as the machining and the labor required to manufacture the product are applied in
compliance with the work order. When the task is complete at a particular work center, the supervisor
or other authorized person signs the move ticket, which authorizes the batch to proceed to the next
work center.

To evidence that a stage of production has been completed, a copy of the move ticket is sent back to
production planning and control to update the open work order file. Upon receipt of the last move
ticket, the open work order file is closed. The finished product along with a copy if the work order is
sent to the finished goods warehouse. Also, a work order is sent to inventory control to update the FG
inventory records.

Work centers also fulfill in an important role in recording labor time costs. This task is handled by
work center supervisors, who at the end of each workweek, send employee time cards and job tickets
to the payroll and cost accounting departments, respectively.

Inventory control function consists of three main activities. First, it provides production planning and
control with status reports on finished goods and raw materials inventory. Second, the inventory
control function is continually involved in updating the raw material inventory records form the
materials requisitions, and materials return tickets. Finally, upon receipt of the work order form the
last work center, inventory control records the completed production by updating the finished goods
inventory records.

An objective of inventory control is to minimize total inventory cost while ensuring that adequate
inventories exist to meet current demand. Inventory models used to achieve this objective help answer
two fundamental question:

1. When should inventory be purchase?

2. How much inventory should be purchased?

The cost accounting process for a given production run begins when the production planning and
control department sends a copy of the original work order to the cost accounting department. This
marks the beginning of the production event by causing a new record to be added to the WIP file,
which is the subsidiary ledger for the WIP control account in the general ledger.

As material and labor are added throughout the production process, documents reflecting these events
flow to the cost accounting department. Inventory control sends copies of materials requisitions,
excess materials requisitions, and materials returns. The various work centers send job tickers and
completed move tickets. These documents, along with standards provided by the standards cost file,
enable cost accounting to update the affected WIP accounts with the standard charges for direct labor,
material, and manufacturing overhead (MOH). Deviations from standard usage are recorded to
produce material usage, direct labor, and manufacturing overhead variances. Calculated variances are
an important source of data for the management reporting system.

The receipt of the last move ticket for a particular batch signals the completion of the production
process and the transfer of products from WIP to the FG inventory. At this point cost accounting
closes the WIP account. Periodically, summary information regarding charges (debits) to WIP,
reductions (credits) to WIP, and variances are recorded on journal vouchers and sent to the GL
department for posting to the control account.

The production planning and control department is organizationally segregated from the work centers
because there should be separation in transaction authorization and transaction processing.

The following separations apply:

1. Inventory control maintains accounting records for RM and FG inventories. This activity is kept
separate from the materials storeroom and from the FG warehouse functions, which have custody of
these assets.

2. Similarly, cost accounting functions should be separate from the work centers in the production
process.

The following supervision procedures apply to conversion cycle.

1. The supervisors in the work centers oversee the usage of RM in the production process. This
helps to ensure that all materials released form stores are used in production and that waste is
minimized. Employee time cards and job tickets must also be checked for accuracy.

2. Supervisors also observe and review timekeeping activities. This promotes accurate employee
time cards and job tickets.

1. Firms often limit access to sensitive areas, such as storerooms, production work centers, and FG
warehouses. Control methods used include identification badges, security guards, observation
devices, and various electronic sensors and alarms.

2. The use of standard costs provides a type of access control. By specifying the quantities of
material and labor authorized for each product, the firm limits unauthorized access to those resources.
To obtain excess quantities requires special authorization and formal documentation.

PURCHASES
Issues/ Process/ Transactions
Segregation of Duties
No one employee should have complete control over the entire purchasing function. The
responsibilities for requisitioning goods and services, purchasing, receiving goods, and
approving payments for goods and services, preparing payment vouchers, approving payment
vouchers should be assigned among different employees. This is primarily to prevent or make
it less easy for employees to collude for fraudulent purposes. Assigning one employee with
the combined responsibilities of preparing and approving purchase requisitions, receiving the
goods, recording the transaction, etc. could be an opportunity to perpetrate fraud against the
company. For instance, he could make personal purchases and record them as the companys
purchases thus the company will have to pay for purchases not really incurred in relation to
the business.

Purchases should be made by a competitive process, even when not expressly required, to
ensure a prudent and efficient use of funds. This entails a process of selecting valid vendors
offering cost-effective and quality items in the most reasonable price for the company to
minimize cost.

The company can establish purchase policies setting thresholds on when will the need for bids
arise. For example:

a. Less than $5,000 - no bid required.

b. $5,000 to $25,000- buyer discretion and must be from small business, unless impractical

c. $25,000 to $50,000 - informal bids required

d. Greater than $50,000 - request for proposal, formal bids

For purchases not subject to competitive bidding requirements, the company should assess the
adequacy of their pricing by cross-referencing to a price book a document that contains
policies on the point or price at which the products can be negotiated and will help determine
whether the prices are appropriate by referring to the threshold on at what level can the prices
be inflated. The company can also refer the current industry market prices in comparing the
vendors prices.

The inventory control function should

continually monitor inventory levels. When the
inventory levels drop to the predetermined
reorder points, inventory control formally
prepares a purchase requisition for
replenishment. This document will have to be
authorized by the inventory control manager.
Formal authorization process promotes efficient
inventory management and ensures the
legitimacy of purchases transactions. Without
this step, purchasing agents could purchase
inventories at their own discretion if they both
have the task of authorizing and processing the
transactions. Unauthorized purchasing can also
result to over or under stocking of inventory
which will be potentially damaging to the
company as excessive inventory will increase
storage or handling costs while stock-outs will
lead to lost sales and manufacturing delays.

Purchase orders (PO) are prepared based on valid, approved purchase requisitions and are
properly executed as to price, quantity, and vendor. The potential risks of not preparing POs as
to the appropriate price quantity and vendor are as follows:

Payment in excess of optimum price.

Quantities not adequate or in excess of need.

Quality of materials or services received or substandard.

All purchases should be for necessary goods and services to support the departments mission
and programs and in accordance with established budgetary guidelines. In cases where
purchases are exceeding the standard quantity and amount, additional approval with sufficient
explanation as to the excess arise are necessary to justify that the purchases are still in line to
support the companys operations and programs.

A purchase order is prepared by vendor and a copy is sent to each vendor. In addition, a copy
is sent to the accounts payable function for temporary filing in the AP pending file, and a
blind copy is sent to the receiving goods function. The last copy is for filing in the purchase
order file.

Verify goods and services received agree with contract/purchase order terms.

Received goods are secured in a safe location and inspected for quality and condition.

Goods arriving from the vendor are reconciled with the blind copy of the PO. The blind copy
contains no quantity or price information about the products being received. The purpose of
the blind copy is to force the receiving clerk to count and inspect the inventories prior to
completing the receiving report.

Upon completion of the physical count and inspection, the receiving clerk prepares a
receiving report stating the quantity and condition of the inventories in which one copy
accompanies the physical inventories to the warehouse and another copy is filed in the PO
file. The other copies are sent to the AP and inventory control functions. The final copy is
placed in the receiving report file.

The company will have to defer recording of liability until the vendors invoice arrives.

When invoices arrives, invoices are matched with purchase orders and receiving reports
before approval for payment. The AP clerk performs a three-way match by reconciling the
financial information with the receiving report and PO in the pending file. This will also be a
means to review invoices for accuracy by comparing charges (e.g. quantity, price, etc.) to
amounts indicated in purchase orders, contracts, or other source documents.

Employees involved in the purchasing function should not use their position to receive any
type of personal benefit from any vendor or contractor, and, any potential conflict of interest
should be disclosed to an appropriate supervisor or manager.

For example, vendors might bribe or give gifts to the purchasing clerk to win the bids or to
misstate the prices. Another conflict of interest might be when the vendor is a relative, e.g
sister, of the purchasing clerk. If no policy prohibiting the transaction, the clerk might be
biased in choosing the vendor even if the quality and other requirements by the company for
the purchase are not met.

Internal Control Questions

Degree Of
Risk
Issues/Process/Transactions

1.) Are the employees who perform

VC
each of the following payroll functions
independent of the other five functions?

personnel
and approval
of payroll
changes

a.) Segregate payroll authorizations (hiring/

firing, pay rate setting, and other payroll
changes) from the preparation and
processing of payroll records and checks.

- In a computerized payroll system, payroll

changes should be entered into the system
by the personnel department or an
employee who does not process the payroll
register and checks.


preparation
of payroll
data

- Segregating payroll authorizations from

preparation duties reduces the risk of a
single employee establishing ghost
employees, increasing hourly rates and
salaries, or recording overtime not worked
without being detected.

 approval
of payroll

Example Scenario: In the City and County

of San Francisco, the Controllers Payroll
and Personnel Services Division disburses
salaries and wages for approximately City
27,000 employees through biweekly
paychecks and direct deposits. To make this
possible, the following City organizations
and department payroll/personnel staff
work together to execute payroll duties:

 signing
of paychecks

Payroll & Personnel Services Division

(PPSD) processes payroll data for
employees of city departments and ensures
compliance with city, state, and federal tax,
wage, and hour regulations.


distribution
of paychecks

Department Payroll Staff are responsible

for administering the departments payroll
and ensuring that employees time
information is submitted accurately to
PPSD.


reconciliatio
n of payroll
account

eMerge is a unit within the Controllers

Office that manages and operates
PeopleSoft, an integrated system that
provides human resources, benefits
administration, and payroll services to the
City's active, retired, and future workforce.

Department of Human Resources (DHR)

administers City-wide personnel policies
and procedures, negotiates and administers
collective bargaining agreements with labor
unions, and advises the Citys other
departments in these areas.

Civil Service Commission (CSC)

oversees the merit system for the City by
establishing rules and policy related to the
merit system; hearing appeals on
examinations, eligibility lists, minimum
qualifications, classification, discrimination
complaints, and future employment; and
interpreting rules and policies.

San Francisco Employees Retirement

System (SFERS) secures, protects, and
invests pension trust assets, administers the
mandated benefits programs, and provides
promised benefits to active and retired
members of the system. And lastly,

Health Service System (HSS) creates

contracts based on negotiations with health
providers, which offer eligible employees
the opportunity to enroll themselves and
eligible family members in medical, dental,
vision, and flexible spending account
benefits.

Threat if control is missing: Fraud; theft

of paychecks

*We will use the payroll procedures of City

and County of San Francisco as the example
scenario in each internal control questions .

2.) Are payroll changes (hires,

separations, salary changes, overtime,
bonuses, promotions, etc.) properly
authorized and approved?

VC

a.) All changes in employment status (e.g.,

additions and terminations), salary, and
wage rates should be properly authorized,
approved, and documented to support
employment status changes.

- When a formal process exists to document

authorized changes to salaries and wages,
the opportunity for fraudulent or erroneous
payroll changes to occur without detection
decreases

b.) When appropriate, payroll change

forms should be used to document and
authorize wage and salary changes
authorized by the governing board.

Example Scenario: The Controllers Payroll

and Personnel Services Division had
established a policy where :

- Any changes to employee pay must be

documented and approved by proper
authorities.

- Before any modifications to employee

pay is entered into PeopleSoft, department
payroll/personnel staff must have
documentation that describes the specifics
of the pay change (such as the pay change
amount, the effective date(s),
classification(s) affected, etc.) and copies
of approving documentation must be
retained in filed for future auditing review.

- And lastly, any adjustment requests for

pay rate changes must be submitted to
PPSD with the following documentation:
Problem Description Form (PDF), Payroll
Register, Multiple Pay Period Adjustment
Worksheet (form 1004A), For a promotion
at a higher step, a letter from DHR or
department head and Relevant page(s) from
the MOU.

Threat if control is missing: Unauthorized

pay raises and fictitious employees.

3.) Is change in payroll recording

MC
periodically reviewed by supervisors or
internal audit personnel?

a.) Management or the internal auditor

should periodically review payroll change
reports. When unusual changes are
identified, those items should be traced to
authorization documents (i.e., board
minutes, payroll change forms, or
collective bargaining agreements).

- Managerial review of this type of report

provides assurance that payroll changes are
being properly authorized and input
correctly.

Example Scenario: The Controllers Payroll

and Personnel Services Division had
established a policy where :

- Department payroll/personnel staff must

closely review and analyze PeopleSoft
payroll reports each pay period to identify
whether any employee payroll errors
occurred. Numerous reports and queries are
available in PeopleSoft to aid in review
activities.

-Further, management should periodically

review payroll change reports to ensure that
any payroll changes are being properly
authorized and input correctly into
PeopleSoft.

Threat if control is missing: Errors not

detected and corrected.

4.) Are payrolls disbursed through a

direct deposit?

MC

a.) Requests for direct deposit should be

made in writing and kept on file for audit
purposes

- Direct deposits can be used to disguise

payments to nonexistent employees.

In large units of local government such as

San Francisco, a once-a-year verification of
the legitimacy of all direct deposits may
detect unauthorized or fictitious employees.
It may also detect the continuation of
terminated or retired employees on the
payroll.

Example Scenario: City and County of San

Francisco (CCSF) employees may access
their pay information through direct
deposit.

Although, All employees are strongly

encouraged to enroll in direct deposit for
their pay and electronically access their
employee pay information. Departments
only allow exceptions in limited
circumstances at the written request of the
employee.

Threat if control is missing: payment to

unauthorized or fictitious employees.

5.) Is reconciliation of the payroll fund VC

or bank account done regularly by
employees independent of all other
payroll transaction processing
activities?

a.) The payroll bank reconciliation should

be performed by an employee who is not
connected with the authorization of payroll
changes or with payroll preparation.

- Segregating reconciliation duties from

authorization and preparation duties
provides for an independent review of
transactions that have been processed by
the bank and of outstanding checks

b.) Reconcile the payroll account monthly.

- Payroll is often one of the last bank

accounts to be reconciled because it is
generally a zero balance account. It is
important to reconcile this account monthly
so that uncashed payroll checks can be
promptly identified and rectified.

Example Scenario: In continuation to the

previous illustration, monthly payroll
reconciliations in the Controllers Payroll
and Personnel Services Division is
reviewed and signed by the supervisor, and
recorded appropriately. In addition,
reconciliations is performed by an
employee who does not have modification
rights to the payroll system or processes
payroll.

Threat if control is missing: Failure to

detect and correct problems. Further,
without regular, systematic reconciliation
activities and report cross-checks,
undetected payroll errors can result in overor under-payments.

6.) Is access to personnel and payroll VC

records, checks, forms, signature plates,
etc. limited?

a.) Limit access to payroll applications and

data files containing potentially
confidential information such as social
security numbers and deductions to prevent
fraudulent payroll.

b.) The payroll process involves a range of

confidential and personal information.
Hence, access to computerized applications
and paper files (such as personnel files)
should be restricted to the fewest number
of officers and employees possible.

c.) If payroll change forms are used, control

access to these forms by keeping them in a
locked cabinet or drawer.

- Limiting access to payroll change forms

reduces the risk that fraudulent
authorization could be made by forging
authorized signatures and other
information.

Example Scenario: The payroll department

of City and County of San Francisco had
established a policy where :

- Access to payroll/personnel data files

containing sensitive or confidential
information (e.g., Social Security numbers,
deductions) should be restricted to the
fewest number of offices and employees
possible.

- Department managers shall provide

written instructions for the specific actions
required to submit and approve the weekly
timesheets for their units, including
appropriate levels of review and approval
(including supervisors signatures),
documentation, and instructions to prohibit
access and distribution of confidential
information contained in time records.

Threat if control is missing :Fraudulent

payroll authorization

7.) Is payroll distribution handled by

MC
employees who are not involved in the
hiring or firing of employees; the
approval of time and attendance; or
payroll preparation and data entry?

a.) Pay checks should be distributed by a

responsible employee who is not otherwise
connected with any of the steps of payroll
preparation.

- This will segregate the responsibility for

processing payroll information from the
distribution of payroll checks.

Example scenario: In small local

governments, employees can be required to
call for their checks at a central location. In
other governments like in San Francisco
where a large number of employees and
physical spread of work locations precludes
central distribution, checks should be given
out at the work station by someone who is
not responsible for time and attendance
reporting.

Threat if control is missing: Unauthorized

pay to fictitious employees.

8.) Do supervision/time-keeping
procedures and controls include the
following?

VC

a.) Using time clocks to record arrival and

departure times will provide additional
control over days and hours worked by
employees. Electronic time clocks can also
reduce manual processing of payroll data if
the time clock and payroll application are
compatible.

a.) Procedures for time keeping and

attendance records?

b.) Time clocks should be placed in an area

where their use can be observed by
supervisors. This will discourage
employees from clocking in or out for coworkers who are not actually present.

b.) Review and approval, by the

employee's supervisor, of hours
worked, overtime hours, and other
special benefits?

- With large numbers of employees or

where shift work is involved, an electronic
time clock system will help ensure that
employees are paid accurately for hours
and days worked. An electronic time clock
can also reduce data entry work if time
clock entries can be downloaded directly
into the payroll application.

c.) Placing the time clock in a position

where it can be observed by a
supervisor?

d.) Require the use of leave request forms

to document advance requests to use
accrued leave credits and to document
absences covered by the use of leave
credits.

d.) Review for completeness and for the

employee's supervisor's approval of
time cards or other time reports?

- Leave request forms provide an audit

trail on the use of accrued leave credits and
assist with the preparation of accurate gross
payroll amounts for individual employees.

c.) Require employees to document days

and hours worked and leave credits used on
either time sheets or time cards. Time
sheets and time cards should be reviewed
and approved by supervisory personnel
who have direct contact with the employee.

Example Scenario: In the local government

of San Francisco, the following procedures
are being followed with respect to
recording of time and attendance:

- The department management assign time

entry responsibilities to timekeepers for
payroll data collection, timesheet signature
and appropriate documentation of all time
reporting. A back-up timekeeper is also
appointed and trained.

- Completed timesheets is reviewed and

certified by the person having direct
supervision over employees, to indicate
that services were actually performed by
the persons listed and that days/hours
worked are accurate and justified. Only
after timesheets have been reviewed and
approved by such supervisory personnel
should timesheets be transmitted to
department payroll/personnel staff.

- Leave request documentation is used to

document advance requests to use accrued
leave and to document absences covered by
the use of such leave

Threat if control is missing: Lack of

appropriate time and attendance records
increases the likelihood that an employee
could be paid for time not worked or for
unauthorized absences.

Internal Control Questionnaire Payroll Cycle

1.) Are the employees who perform each of the

VC
following payroll functions independent of the other five
functions?
personnel and approval of
payroll changes
preparation of payroll
data

approval of payroll

signing of paychecks

distribution of paychecks

reconciliation of payroll
account

a.) Segregate payroll authorizations (hiring/ firing, pay rate setting, and other payroll changes) from
the preparation and processing of payroll records and checks.

- In a computerized payroll system, payroll changes should be entered into the system by the
personnel department or an employee who does not process the payroll register and checks.
- Segregating payroll authorizations from preparation duties reduces the risk of a single employee
establishing ghost employees, increasing hourly rates and salaries, or recording overtime not worked
without being detected.
Example Scenario: In the City and County of San Francisco, the Controllers Payroll and Personnel
Services Division disburses salaries and wages for approximately City 27,000 employees through
biweekly paychecks and direct deposits. To make this possible, the following City organizations and
department payroll/personnel staff work together to execute payroll duties:

Payroll & Personnel Services Division (PPSD) processes payroll data for employees of city
departments and ensures compliance with city, state, and federal tax, wage, and hour regulations.

Department Payroll Staff are responsible for administering the departments payroll and ensuring
that employees time information is submitted accurately to PPSD.
eMerge is a unit within the Controllers Office that manages and operates PeopleSoft, an integrated
system that provides human resources, benefits administration, and payroll services to the City's
active, retired, and future workforce.
Department of Human Resources (DHR) administers City-wide personnel policies and procedures,
negotiates and administers collective bargaining agreements with labor unions, and advises the Citys
other departments in these areas.
Civil Service Commission (CSC) oversees the merit system for the City by establishing rules and
policy related to the merit system; hearing appeals on examinations, eligibility lists, minimum
qualifications, classification, discrimination complaints, and future employment; and interpreting
rules and policies.
San Francisco Employees Retirement System (SFERS) secures, protects, and invests pension trust
assets, administers the mandated benefits programs, and provides promised benefits to active and
retired members of the system. And lastly,

Health Service System (HSS) creates contracts based on negotiations with health providers, which
offer eligible employees the opportunity to enroll themselves and eligible family members in medical,
dental, vision, and flexible spending account benefits.
Threat if control is missing: Fraud; theft of paychecks
*We will use the payroll procedures of City and County of San Francisco as the example scenario in each
internal control questions.