Internal Control Questionnaires

During the planning phase of an assurance audit, IACS may use an Internal Control Questionnaire (ICQ) to help evaluate internal controls in specific areas. An ICQ poses key questions about an operation; IACS often uses it as a starting point and then supplements it with other information gathering and control evaluation techniques, such as flowcharting and documentation review.

Below are three common ICQs that audit clients, together with IACS staff, may use to help assess their operations.

Revenues and Receipts

This ICQ is used to evaluate internal controls associated with how revenue is generated, received, recorded, safeguarded, summarized, deposited, and reported.

Key Questions

  • Does the Unit have procedures which accurately record revenue from all sources: cash, check, credit card charge, internal charge, etc.?
  • Is separation of duties adequate?
  • Is cash adequately safeguarded?
  • Is there an adequate audit trail and reconciliation procedure for timely detection of shortages?
  • Is this data reconciled to the revenue that is posted to the Organization's Accounting System?

Critical Internal Controls

General

  • Documentation of every sale of goods or services with a cash register entry, a pre-numbered receipt form, an invoice, etc. Customers are issued a duplicate.
  • A method for accumulating revenue such as a point of sale (POS) system.
  • Balancing procedures, e.g., when cash registers are used.
  • Sales are reconciled to deposits.
  • Deposits are reconciled monthly to the Organization's accounting reports.
  • Accounting for pre-numbered forms.
  • Periodic management review of revenue data for trends such as: unexplained variations in sales or sales of certain product lines, changes in ratios such as inventory turnover or shrinkage, comparison of budgeted to actual revenue, etc.

Cash

  • Delegation of authority to receive cash to a specific person(s).
  • Cash receiving and cash accounting are separated.
  • Adequate physical security over cash (during both storage and transfer).
  • Timely deposits, made intact with no cash receipts retained, borrowed, or expended.
  • Validation of the deposit slips.
  • Comparison of credits on the Organization's accounting report with the validated deposit slips.
  • Cash shortages are identified, followed, and collected.
  • Cash overages are identified and deposited.
  • Adequate supervision over cashiers, including cash handling, cash register balancing, and monitoring overs and shorts.

Key Compliance Requirements

  • Checks are made out to Miami University and reviewed upon receipt for the payer's name, local address, and telephone number, and to verify that the date is current, the written amount agrees with the numerical amount, and the check is signed.
  • Cash receiving and refunding cash duties are separated and refunds are independently authorized.
  • Voided transactions are independently authorized by someone other than the person receiving the funds.
  • Refunds and voids processed through the system are reconciled to the above independent authorizations.
  • Cashiers do not have access to the total key of their registers.
  • Procedures prohibit check cashing.
  • Sales tax is collected and accounted for as required.
  • Written instructions are available describing procedures.

Significant Risk Areas

  • Revenues are not recorded.
  • The fact that revenues are not recorded is not detected.
  • Risk that theft will continue if not detected in a timely way.
  • Risk of loss that cannot be attributed to any individual because controls do not require one fund/one custodian.

Payment Card Data Security

This ICQ is used to evaluate internal controls associated with the confidentiality, integrity, and security of University payment card transactions.

Key Questions

  • How are credit card transactions made?
  • At which locations/sites are credit card transactions processed?
  • Are credit card numbers ever included in emails or attachments to emails?
  • Does the credit card number have to be shared with any other departments?
  • Do you distribute receipts outside the department? Why is this necessary? What information is included?
  • Are the credit card numbers maintained? Is it the full number? For how long?
  • Is credit card information stored in a customer database?
  • Is credit card information stored in an electronic spreadsheet?
  • Where are the physical and electronic records showing credit card numbers stored?
  • How long are they stored?
  • If credit card information is stored electronically, is it on a University server? Has the security of that system been reviewed by IT Services?

Critical Internal Controls

  • Credit card transactions must be made in person, by telephone, by mail, or via a secure, University-approved internet application.
  • Credit card information is not accepted via email and such information is not sent to another department via email.
  • Printed customer receipts that are distributed outside the department must show only the last four digits of the credit card number.
  • Any unit wanting to store payment card data needs written approval from both the Chief Investment Officer and the Information Security Officer to do so. With those approvals, electronic payment card data can be stored for up to 60 days. If the unit needs to store electronic payment card data for a longer period of time, approval from the Assistant Vice President responsible for the operations of the unit in question, the Chief Investment Officer, and the Information Security Officer allows the electronic payment card data to be stored up to 180 days.
  • Explicit written approval from the Information Security Officer is required to collect and/or store paper records containing payment card data. All such records must be stored in a secure fashion, and must be destroyed with either a cross cut shredder or a confetti shredder as soon as the data is no longer needed. These records cannot be stored for more than 15 days. If paper records are accidentally created containing payment card data, that data will be destroyed with either a cross cut shredder or a confetti shredder.
  • Group accounts and shared passwords are not allowed to access payment card data.
  • Applications that store, process, or transmit payment card data need approval from the Information Security Officer before they can be upgraded or patched.
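Two of the items above can be tested mechanically rather than by interview alone: whether full card numbers are sitting in emails, spreadsheets or customer databases, and whether receipts leaving the department show only the last four digits. The following is an added example for this page, not part of the IACS questionnaire or any University tool: a small Python scanner that finds 13 to 19 digit sequences that pass the Luhn check in an exported file, reports them by line with only the last four digits, and can rewrite the file so that only those four digits remain. The sample export, its function names, and the card numbers in it are constructed for the demonstration (the numbers are the widely published brand test numbers, not real accounts).

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer run of digits (so 20-digit reference
# numbers are not split into a false hit).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: a departmental spreadsheet export as an auditor might
# receive it. Two rows contain full card numbers (test numbers only); one
# row contains a 16-digit check number that is NOT a card number.
SAMPLE_EXPORT = """\
name,order,phone,note
J. Doe,2024-000187,513-529-1234,paid by card 4111 1111 1111 1111 on 3/4
A. Roe,2024-000188,513-529-9876,check #1234567890123456 deposited
B. Poe,2024-000189,,amex 378282246310005 exp 09/27
C. Loe,2024-000190,,5555-5555-5555-4444 refunded
"""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers.

    Filters out most phone, order and check numbers that happen to be the
    right length; it is a plausibility test, not proof of a live account.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the form allowed on distributed receipts."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _normalize(raw: str) -> str:
    return re.sub(r"[ -]", "", raw)


def find_pans(text: str) -> List[Dict[str, object]]:
    """Report every Luhn-valid candidate with its line number and masked value.

    The full number is deliberately never placed in the report, so the
    audit working papers do not themselves become stored card data.
    """
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if luhn_valid(digits):
            findings.append({
                "line": text.count("\n", 0, m.start()) + 1,
                "length": len(digits),
                "masked": mask_pan(digits),
            })
    return findings


def redact_pans(text: str) -> str:
    """Rewrite text so every Luhn-valid card number shows only its last four digits."""
    def _sub(m: "re.Match[str]") -> str:
        digits = _normalize(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for f in find_pans(SAMPLE_EXPORT):
        print(f"line {f['line']}: {f['length']}-digit card number {f['masked']}")
    print(redact_pans(SAMPLE_EXPORT))
```

Run it against a real export only after the unit has agreed to the review, and keep the output, not the input, in the working papers: `find_pans` never emits more than the last four digits. A hit is a lead, not a finding on its own; a Luhn-valid number can still be a test value or a number the unit is authorized (under the approvals listed above) to hold for a limited period.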

Significant Risk Areas

  • Theft and unauthorized use of stolen credit card numbers.
  • Lack of compliance with legal requirements.
  • Bad publicity due to lack of stewardship.

Inventory for Resale

This ICQ is used to evaluate internal controls associated with how inventory is physically safeguarded and secured, organized, current (not obsolete) and not excessive (based on the usage or sales), valued, and recorded.

Key Questions

  • Are adequate records kept of the movement of goods?
  • Does the Unit ever compare what they do have with what they should have?
  • Are physical safeguards over the inventory adequate for its nature?

Critical Internal Controls

  • Maintenance of perpetual records or other control records.
  • Periodic physical counts.
  • Balancing of physical count to control totals.
  • Purchasing controls (bids, approvals, limits).
  • Receiving reports, or other documents documenting incoming shipments of goods.
  • Receipts documenting sale of goods.
  • Various methods to control access to goods: security guards, locks, or a custodian.
  • Accounting techniques that count the goods in the proper period (cutoff).
  • Properly reflecting changes to inventory when sales, returns, etc. are made.
  • Adequate separation of duties.
  • Adequate management review and analysis of relevant data such as inventory turnover, shrinkage, markdown, and sales trends.

Significant Risk Areas

  • Loss of revenue through inventory shrinkage (theft of goods).
  • Loss of revenue through failure to recognize obsolescence, slow turnover, and low profit margins.
  • Loss from paying excessive prices for inventory.
  • Loss from poor purchasing decisions (e.g., materials were not needed, merchandise was not salable).
  • Loss of sales and/or purchase of excess inventory due to poor physical organization of goods.