ACUA C&U Journal, Fall 2013 - Security Review to the Rescue!

Security Review to the Rescue!

By Kristie Newby, MBA, CFE

As internal auditors in higher education, our work focuses on a variety of organizational functions. In academics, we examine areas such as financial aid, scholarships and bursar operations. In research, we scrutinize things such as grant compliance, radiation safety and legal issues with animal and human interaction. In athletics, we inspect issues related to NCAA compliance, tickets, scholarships and camps. However, in auditing these areas, we may not be performing all due diligence in regard to the entirety of risks faced by these functions. Staff can overlook or fail to implement the key internal controls necessary to address security concerns, particularly in areas experiencing turnover.

So what can we do to ensure these controls are in place and operating appropriately, and providing the right kind of coverage to mitigate these risks? A security review is a proactive tool that examines current internal control structure in areas where cash is present and evaluates security concerns related to institution assets and employees. A security review can be performed in any department or auxiliary that receives payments, such as the bursar, food court, athletics ticket office or university veterinary clinic business office. What are the key components of a security review? A complete security review will involve examination of the following areas:

• Current policies and procedures
• Vault
• Key security
• Alarm systems
• Closed Circuit Television (CCTV) systems
• Cash drawers
• Over/Short policies and procedures
• Robbery preparations
• Segregation of duties
• General operations

ABOUT THE AUTHOR

Kristie Newby, MBA, CFE, has more than 21 years of experience in financial accounting, senior level auditing in banking and higher education and federal government financial management. She may be contacted at kristie.newby@okstate.edu.

CURRENT POLICIES AND PROCEDURES

When reviewing current policies and procedures, you should first ask management for a copy of its manual – management should be able to provide access to these policies and procedures, and if the department lacks these materials, it should understand the associated risks. After familiarizing yourself with the official departmental policies and procedures, evaluate the policies and procedures for common sense and consistency. Make notes during your reading for further questions during interviews and list any risks that are created by existing policies and procedures or risks that are not adequately addressed.

KEY PERSONNEL INTERVIEWS

After reading the policies and procedures manual, it is time to perform interviews. Be sure that key personnel are interviewed separately. Doing so encourages these individuals to provide information more easily, as the presence of management can affect an individual’s willingness to speak freely. Key personnel to be interviewed include the department head, head cashier and other departmental staff as appropriate, including newly hired personnel. New staff members may be able to ask interesting questions about why a procedure is performed in a certain manner, while long-tenured personnel may be in a habit of doing what has always been done.

25 COLLEGE & UNIVERSITY AUDITOR

When you interview personnel, attempt to put the individual at ease by explaining at the beginning of each interview that you are there to help. Ask them to describe their duties using open-ended questions, such as, “How does this process work?” Do not interrupt them during their answers, but be sure to take notes for follow-up questions. Ask if they have any questions or concerns about how the department operates. Inquire as to what they might change if they were in charge.

Once they have finished speaking, clarify any statements that appear to conflict with the department’s official policies and procedures to determine how operations are actually performed. Summarize each interview via a written memo with specific details and document your understanding of general departmental operations from all interviews in a separate working paper.

VAULT

A physical walk-through of the department will help identify additional risk areas. The first area to examine, if present, is the vault. Observe the vault’s physical location. Is it at the front of the operational area, in view of customers? Is it in a location where most departmental staff work, or otherwise accessible? The vault should be in a secure location out of the public eye and in an area where only authorized personnel are allowed.

Next, observe the vault’s locking mechanism. Strong vault security can be accomplished with a key/combination lock, as it provides dual control with minimal effort, assuming that the key and combination are maintained separately (that is, generally, no one individual should have possession of both the key and the combination). If a combination is utilized, ask when it was last changed. The combination should always be changed following the separation of any employee who had knowledge of the combination.

Ask when the vault is counted and by whom. It should be counted at least daily in the presence of at least two employees. Inquire as to how the vault count is documented, and how count forms are maintained. Counts should be documented on a count sheet, signed by both staff members present for the count, and kept in a secure location for preferably six months. Ensure that surprise vault counts are performed, by someone without vault access, on a regular basis.

Finally, perform a vault cash count in the presence of departmental personnel, compare to the expected balance and evaluate the amount of cash being held in the vault in comparison to the department’s cash flow needs.

KEY SECURITY

Another important area to examine is key security. As you walk through the department, inquire about the location of keys to the office and cabinets containing sensitive information. Is a key box utilized? Keep in mind during this part of the review that appropriate key security may be different for each department/location and can be possibly accomplished without a key box, but that poor key security can result in quick losses with no clear suspect.

As an example, at a financial institution I audited, a head teller lost her keys to the bank but failed to report this out of concern for her job security. A week later, the branch’s ATM was completely emptied of its contents, and $130,000 was lost with no forced entry to the building or the ATM. An inside job was suspected because the branch’s CCTV tape was taken from the manager’s office during the theft, but this was never verified due to a lack of evidence.

ALARM SYSTEM

An alarm system is not always necessary, but during the walk-through, talk to management about the necessity and/or feasibility of one. If one is already present, ask who has the access code, and whether it is different for each staff member. Inquire if and how often the system is tested to ensure functionality. It is prudent to test the alarm system at least once per month. Ask departmental personnel to perform a test to demonstrate the working status of the alarm system.


CLOSED CIRCUIT TELEVISION

Just as with alarm systems, CCTV systems are not always necessary, but may be appropriate for some cash handling areas. Discuss the need for and feasibility of a CCTV system with management. If such a system is present, ensure the system is working and that its images are of a high quality. Evaluate the area’s physical structure to see if the number of cameras and their placement effectively capture relevant activity. If the department manager does not already have a dedicated monitor with active images, determine whether such a monitor would be appropriate.

Inquire as to how the images are saved, and for what length of time. It is best to have images saved for at least three months and maintained out of physical proximity to the CCTV system so that they are not altered, erased or stolen, as in my earlier example. It is also recommended that images from the CCTV system are transmitted to the campus police department, who can actively monitor the activity.

CASH DRAWERS

If the department accepts cash payments, they most likely will have cash drawers. During the walk-through, determine how the cash drawers are secured overnight and who has access to them. I always recommend cash drawers have locking lids, with the keys given only to the corresponding cashier and management.

Ask when cash drawer counts are performed and by whom. They should be performed at least daily and in the presence of at least two employees. Inquire how the counts are documented, and how the count forms are maintained. Cash counts should all be documented on a count sheet, and kept for at least six months. Just as with a vault, be sure that someone without cash drawer access performs a surprise cash drawer count on a regular basis.

Finally, perform an unannounced cash count of the drawers in the presence of departmental personnel, compare to expected balances, and evaluate the appropriateness of the cash drawer limit in comparison to anticipated cash flow needs.

OVER/SHORT POLICIES AND PROCEDURES

As you perform your walk-through, ask cashiers what they do if their drawer is over/short at end of day. I’ve interviewed cashiers who tell me that if they are over or short by a small amount (usually a dollar or less), they will simply add or remove funds to balance their drawer! Ask whether they document overages/shortages on a form or log. Are the overages/shortages tracked by teller? Ask management if they monitor overages/shortages to determine potential trends. The use of these logs can help management determine the need for additional cashier training, or possible mishandling of funds.

ROBBERY PREPARATIONS

Although departments are not banks, we should not neglect consideration of the risks of robbery. As internal auditors, we should encourage university management to perform the due diligence necessary to protect the institution’s employees. Does the department have height markers? Are they strategically placed and at the proper height? I know that checking for proper height placement sounds absurd, but during one audit, I discovered that I was 6 feet 11 inches tall, despite measuring 5 feet 7 inches on a normal day! Height markers are only an effective tool when they are accurate.

Does the department have panic buttons? Panic buttons can be important, as they can be used not only in the event of a robbery, but also in any event during which an employee wishes to contact the police with a non-audible alert. Does the department have a plan detailing assigned duties for each staff member in the event of a robbery? Having such a plan with forms and pre-assigned duties can assist in panic situations, as staff members have clear direction on what they should do. Does management perform robbery training on a consistent basis? Depending on the department, such training should be provided at least quarterly, as frequent training helps employees learn and display consistent, informed behavior in the event of a robbery.

SEGREGATION OF DUTIES

During the walk-through, listen for any possible issues related to a lack of segregation of duties. Many staff members want to structure their operations in a way that provides such controls, but just don’t know how. You may discover the opportunity to provide such guidance.


GENERAL PROCEDURES

As you perform the security review, remember that you should not expect the department to mirror every other department in regard to security and internal controls. Each department has its own operational processes and related needs. For example, some departments will have night drop boxes, while others don’t. It is crucial that you tailor your security review to meet departmental operations.

Although our work often focuses on other areas and risks, it is important to consider the basic security needs for those departments that handle cash as part of their normal business activities. When performed properly, a security review fosters a win-win environment in all areas of higher education. It serves as a proactive step in deterring fraud, creates a partnership between internal audit and management, strengthens relationships and enhances rapport, helps initiate a different mind-set in departmental personnel and protects university assets and staff members.
