Section: 300-15
Effective: 02/29/2024
Supersedes: New
Next Review Date: 02/28/2027
Issuance Date: 02/29/2024
Issuing Office: Controller’s Offices for Campus, Health, & Foundation
SCOPE
This policy establishes UC San Diego’s procedures and standards regarding internal controls over financial transactions, responsibilities, and requirements for a system of internal controls. This applies to all staff of UC San Diego.
Internal controls are the processes that help ensure that the University’s business is carried out in accordance with the Standards of Ethical Conduct, University policies and procedures, applicable laws and regulations, and sound business practices. They help to promote efficient operations, accurate financial reporting, protection of assets, and responsible fiscal management.
Individual financial transactions roll up to the campus and the University of California system-wide financial statement reporting. Internal controls are necessary to ensure that the lowest level of transactions through the roll-up consolidation of those transactions are being reported accurately and appropriately.
DEFINITIONS
Control Deficiencies
Control deficiencies exist when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements in a timely manner. The materiality of the control deficiency is not just determined by the actual misstatement (i.e., the dollar amount of the error), but by the potential dollars that could also be incorrect. Examples of control deficiencies include but are not limited to:
● Lack of timeliness of cash deposits and account reconciliation.
● Lack of review and reconciliation of departmental expenditures.
● Lack of overdraft funds monitoring.
● Lack of physical inventory and equipment management.
● Lack of separation of duties.
Department Administrators
The dean, chair, or director (also known as Department Heads) of each school or department, while responsible for managing the department's financial resources, will normally delegate the overall administration of financial resources to a Department Administrator. The Department Administrator is responsible for establishing procedures to provide reasonable assurance that financial transactions are appropriate, accurately recorded, and comply with applicable laws, regulations, and internal policies and procedures.
Financial Reporting
Financial reporting is the consolidation of financial transactions into financial statements. Financial transactions are recorded in compliance with applicable financial reporting requirements, including, but not limited to Accounting Principles Generally Accepted in the United States of America (US GAAP), Governmental Accounting Standards Board (GASB) Statements, Cost Accounting Standards Board (CASB) Statements, and applicable policies, external regulations, and standards of the University and its campuses, foundations, and medical centers.
Financial Stewardship
Financial stewardship is the responsibility for managing University financial resources wisely, executing these duties with integrity and ethical conduct. These financial resources include time, monetary assets, people, and physical property. When University employees manage public resources efficiently, economically, and ethically, the result will be better achievement of the University's overall missions of teaching, research, and public service. Financial stewardship includes the responsibility for establishing and monitoring the system of internal control.
Internal Controls
Organizational plans and procedures implemented by management that provide reasonable assurance that organizational objectives will be achieved through effective and efficient operations, that University assets are safeguarded, that financial data is accurate and reliable, and that the University adheres to applicable laws, regulations, and internal policies and procedures
Materiality
Materiality is assessed by determining how much of a department’s financial information could be misstated, by error or fraud, without affecting the decisions of reasonable financial information users. Materiality is informed by management’s risk appetite and tolerance, considering quantitative as well as qualitative factors, which may include perceived reputational risk or compliance with regulations.
Risk Assessment
The Risk Assessment identifies and prioritizes risks based on their likelihood and the potential impacts on the department’s progress toward achieving its strategic objectives and priorities. Department Heads and delegated Department Administrators consider financial risks according to their established risk tolerance. Common financial risks include:
● Financial misstatements due to error or fraud.
● Misappropriation of financial and physical assets.
POLICY STATEMENT
The University of California has adopted the principles of internal controls published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.
This Policy is intended to foster the following internal control principles:
RESPONSIBILITIES
All members of the University community are responsible for internal controls.
Individuals entrusted with funds and resources are responsible for ensuring that adequate internal controls exist over the use and accountability of such funds. They are responsible for applying University policy and procedures to ensure the efficient and effective use of resources and to prevent and detect fraud in the areas in which they are involved. Those individuals must separate tasks among different people to reduce the risk of error and inappropriate or fraudulent actions. Proper separation of duties requires division of responsibility for recording, approving transactions, managing financial resources, and reviewing and reconciling data.
Individuals who have access to financial data and fail to adhere to the University’s policies and procedures may be subject to appropriate corrective action as provided in the applicable personnel policies.
Department Administrators
Department Administrators are responsible for ensuring that internal controls are established, properly documented, and maintained for activities within their jurisdiction and areas of responsibility.
Department Administrators are responsible for ensuring that members of their teams have adequate knowledge, skills, and abilities to function within, and contribute to, an effective internal control environment. This includes providing access to appropriate training on topics relevant to their job responsibilities.
Department Administrators are responsible for periodic review of departmental key controls and procedures to ensure that the general principles of internal control are in place and are being followed. Management is responsible for strengthening internal controls when weaknesses are detected, including addressing errors, omissions, inconsistencies, and exceptions. Department administrators and managers are responsible for taking prompt and effective corrective action on internal control findings, implementing remediation or action plans, and recommendations from internal and external auditors.
Department Administrators must communicate internal control weaknesses and corrective actions to those charged with governance over the school or department.
Controllers’ Offices
The Controllers’ offices at each of the entities—UC San Diego Foundation, UC San Diego, and UC San Diego Health—partner with Audit and Management Advisory Services (AMAS) to apply a risk-based approach during compliance assessments and through periodic reviews and monitoring of departments and their control activities, to ensure the system of internal controls at UC San Diego has been appropriately designed and operating effectively.
Audit and Management Advisory Services (AMAS)
Audit and Management Advisory Services (AMAS) is responsible for performing reviews and audits of internal controls across the University as requested by management, or as determined by AMAS, and for communicating any findings and recommendations to the appropriate levels of management.
PROCEDURES
Establish a System of Departmental Internal Controls
To establish and maintain a system of departmental internal controls, Department Heads or Department Administrators must do the following:
● Review key controls in Blink. Then use the provided checklist to understand the timing and extent of key controls that must be performed by all departments, regardless of size and complexity.
● Perform key controls and monitor them to ensure they are working as designed.
● Document evidence of review by someone other than the preparer (by signature on the documentation, e-mail, or checklist sign-off).
o A best practice is for the reviewer to be designated by the department’s leadership.
o If a key control is not applicable to the department, the department must proactively document that the key control is not applicable. For example, if a department does not have petty cash, the department must document that there is no petty cash and that the control activity is not applicable.
● Fix and follow up when a control deficiency or weakness is identified, and document timely corrective action.
● Retain evidence (i.e., documentation) of corrective action for audit purposes.
o Preferably in electronic format.
o See the UCOP Records Retention Schedule to determine how long to retain records.
● Department Heads and Department Administrators must also complete a risk assessment to identify any financial risks that warrant additional key controls from those described in Blink and the provided checklist.
Examples of Key Controls
Examples of key controls include, but are not limited to, the following:
● Implement separation of duties controls where duties are divided among different people to reduce the risk of error or inappropriate actions so that no one person has control over all aspects of any financial transaction.
● Make sure transactions are authorized by a person delegated approval authority when the transactions are consistent with policy and funds are available.
● Ensure records and transactions are routinely reviewed and reconciled, by someone other than the preparer or person who initiated the transaction, to determine that transactions have been properly processed.
● Ensure transactions are processed promptly and within any required timeframes.
○ For example, cost transfers on sponsored projects must be done in compliance with award terms and conditions, and regulations.
● Review asset, liability, expense, and revenue balances frequently to ensure accuracy during the fiscal year.
● Make sure that equipment, inventories, cash, and other property are secured physically, counted periodically, and compared with item descriptions shown on control records.
● Identify and document the process for onboarding and off-boarding employees and affiliates.
● Provide employees and affiliates with appropriate training and guidance to ensure they know how to carry out their job duties, are provided with an appropriate level of direction and supervision, and know the proper channels for reporting suspected improprieties.
● Ensure University and departmental policies and operating procedures are formalized and communicated to employees and other stakeholders.
○ Documenting policies and procedures and making them accessible helps provide day-to-day guidance and promotes continuity of activities during prolonged employee absences or turnover.
FORMS
Checklist for Internal Controls
RELATED INFORMATION
C. Regents Policy 1111: Policy on Statement of Ethical Values and Standards of Ethical Conduct
E. University of California Whistleblower Policy
F. UC Office of the President – Ethics, Compliance and Audit Services, Internal Controls
H. UC San Diego SAS 115 Overview Blink Webpage
I. UC San Diego Internal Controls Blink Webpage
J. UC San Diego Administrative Responsibilities Webpage
K. UC San Diego Delegations of Authority Webpage
L. UCOP Records Retention Schedule
M. Checklist for Departments With New Employees (ucsd.edu)
FREQUENTLY ASKED QUESTIONS (FAQ’S)
None.
REVISION HISTORY
02/29/2024 Policy issued.