Best Practices & Resources
University Policies
Office for Financial Policy Web site
University Office of the CIO Web site
Financial & Operational Best Practices
Account Reconciliations
Cash Receipts
PCard
Petty Cash
Preparing for an External Audit
Restricted Current-use Gifts Processing
Student Organizations – Finance
Travel & Reimbursement
Information Systems Resources
Identity Management
Software Licensing
Change Control
Credit Card Transactions
Desktop User Tips
Security Best Practices
Insurance Best Practices
Automobiles
Alcohol/Liquor Liability
Builder's Risk
Personal Property
Claims
Contracts/Agreements
Equipment/Contents
Financial & Operational Best Practices
Account Reconciliations
Reconciliation is the process of comparing the local unit's financial transactions to the general ledger. Reconciliation reduces the risk of inaccurate financial reporting. Local units should reconcile all transactions each month, including payroll, web voucher, PCard, accounts receivable, cash receipts and journals. Monthly reconciliations should be documented, reviewed and approved by local unit management.
Cash Receipts - University Policy
Risks commonly associated with cash receipts:
- Cash and check receipts are subject to misappropriation if not adequately controlled.
Best practices include:
- Separation of duties: employees receiving and depositing cash and checks should not approve Credit Vouchers
- Maintain log of cash and checks received, including copies of checks
- Provide receipts to the payer, whenever possible
- Restrictively endorse checks "For deposit only-Harvard University Local Unit Name" upon receipt
- Establish a process for a supervisor to approve all Credit Vouchers
- Safeguard cash and checks in a locked area prior to deposit
- Make frequent deposits (at least weekly)
- Obtain receipt for cash deposited directly with the bank
- Maintain copies of Credit Vouchers in sequential order
- Review and reconcile detailed listings to copies of Credit Vouchers each month
PCard - PCard Manual
The Purchasing Card (PCard) program was implemented in 1997 as a cost-effective method to purchase and pay for small dollar transactions. The intent was to pay vendors faster and reduce University administrative costs.
Risks commonly associated with PCard:
- Inappropriate use of the PCard, including non-University business purchases
- Incorrect financial accounting for transactions
Cardholders should:
- Attend training and sign a cardholder agreement outlining their responsibilities
- Keep the card in a safe location at all times
- Use the card for Harvard business purposes only
- Notify vendors of the University’s tax exemption
- Edit transactions in the settlement system each week by including business purpose and appropriate general ledger coding
- Obtain receipts and submit them to the reviewer each week
- Review monthly statement from GE Capital and reconcile transactions
Cardholders should not:
- Share their card with other employees
- Make personal purchases
- Split transactions with the vendor
- Purchase restricted commodities including out-of-town travel and meals, unincorporated vendors and gifts over $75
Reviewers should:
- Review all transactions prior to the weekly PCard sweep
- Ensure spending is in support of University business and in compliance with policies and procedures
- Ensure cardholders have provided adequate documentation to support business purpose
- Check general ledger coding for accuracy
- Compare detailed listings to the settlement system to detect unreviewed transactions
- Maintain receipts in compliance with University record retention policies
- Collect cards from terminated employees and notify/send cut up card to tub and central PCard administrators
Petty Cash - University Policy
The purpose of a petty cash fund is to provide cash to business units sufficient to cover minor expenditures. The use of petty cash funds should be limited to reimbursement of staff members and visitors for small expenses, generally not to exceed $25, such as taxi fares, postage, office supplies, etc. Wherever possible, local units should use the PCard instead of petty cash.
Risks commonly associated with Petty Cash:
- Petty Cash is the most liquid asset of an organization and is easily misappropriated if business processes and controls are not established.
Best practices include:
- Generally, petty cash funds for orgs (local units) should be set up in amounts ranging from $50 to $100 per fund. Petty cash funds for tub centrals may be set up in amounts exceeding $100
- Petty cash funds are not to be used as an operating fund (e.g., petty cash funds should not be used to pay invoices for goods or services, to pay salaries or wages or to make advances or loans)
- One employee should be assigned responsibility as custodian of the fund. The tub financial dean or equivalent must approve custodians
- Custodians should maintain a Petty Cash Log including receipts for each disbursement. All disbursements should state business purpose, reimbursee and date
- Petty Cash Log should be complete - petty cash on-hand plus receipts should always equal the original petty cash fund
- Custodians should replenish the fund when cash balance is low
- Prior to replenishing the fund, the custodian should make sure that cash on-hand plus receipts equals the original balance of the fund.
- A supervisor or manager should approve the replenishment request
- Custodians should close inactive petty cash funds
- Local petty cash custodians are responsible for safeguarding petty cash funds and maintaining receipts and detail records to support all transactions
- Local unit management should perform unannounced petty cash audits
- Petty cash funds should be maintained in a secure area, such as a locked drawer or small safe
Preparing for an External Audit
These tips are specifically for sponsor audits or other external audits, but they may also be used for guidance to prepare for an internal audit.
Planning & Preparation
- Designate an audit liaison person within your organization who will act as the auditors’ main contact. This should be an experienced person with strong project management and communication skills.
- Send a general communication to faculty and staff stating that if the auditors contact them directly, they should notify the liaison.
- Have the liaison develop a list of contacts who must be kept informed of the audit progress
- Have the liaison develop a list of people who can provide support on technical issues and gathering documentation
- If necessary, schedule and conduct a general training session with individuals who may be asked to participate in the audit either to produce documents, be interviewed by the auditors or participate in findings discussions
- Contact auditors and set up entrance conference. Clarify the purpose of the audit and ask that audit requirements be in writing.
- Alert the internal audit department (RMAS) of the upcoming audit
- Make necessary arrangements for the audit team – meeting rooms, preliminary interview schedule, entrance conference specifics including attendees
Entrance Conference
- Develop a list of questions to discuss in the meeting, including:
  - Purpose of the audit, including audit objectives and scope
  - Audit process including awards to be included and sampling techniques
  - Auditors and their experience
  - Timelines including beginning and end of fieldwork and expected report date
  - Communication process
- Consider giving the auditor(s) a tour
- Determine staffing and space requirements, including whether the auditor will need internet access during fieldwork; arrange for auditor on-site space; modify meeting room needs as necessary
Fieldwork
- Obtain the list of requested records and develop an approach for pulling the information on a timely basis. Give a target date for providing records to the auditors
- Review the records prior to submission to the auditor. Consider if the records provide the necessary support. Anticipate what questions the records may provoke.
- Maintain a list of all records provided to the auditor
- Meet with auditors at least weekly to learn of the status of the audit and potential issues that are identified.
- Verify the facts on which issues are based; perform re-calculations and review source documents, if necessary
- Communicate at least weekly with those within the organization who need status updates
- Liaison should attend meetings between faculty/non-financial staff and external auditors unless the auditor or faculty insist otherwise
- Set up exit interview
Exit Interview
- Ask for a copy of each finding or draft report prior to the interview
- Based on the nature of the issues, ask representatives from other groups to participate, e.g. general counsel, internal audit, office of sponsored programs, controllers office, etc.
- Agree on valid findings; negotiate those findings where the facts are not representative of the control weakness
- Discuss with the auditor the disposition of the audit issue, i.e. verbal comment, report item, management letter
- Escalate any disputed issues to supervisors.
Audit Report
- Ask for the final draft report for review
- Draft management responses and circulate to management for approval
- Understand the follow-up process
- Perform a post-audit evaluation to determine weaknesses in the process and potential changes to approach in the future
Restricted Current-use Gifts Processing
Establish New Funds
- Obtain written terms signed by the donor
- Review gift terms by school finance office
- Review gift criteria for FASB 117 flag
- Review gift for gift vs. grant criteria
- Review Chart Security Maintenance Application (CSMA) new fund request form for accuracy
- Timely submission of documents and forms to Central and RSO for fund set up
- Maintain donor terms in central school/tub file
- Distribute gift terms to departments responsible for spending
Safeguard Check Receipts
- Restrictively endorse checks upon receipt
- Establish check receipts log
- Secure checks held overnight in locked drawer or safe
- Forward checks to RSO at least weekly
- Use of courier to send checks/donor terms to RSO
Process Check Receipts
- Establish policies and processing metrics
- Maintain copy of postmark date on envelope for calendar year-end cut-off
- Date stamp checks upon receipt
- Process check batches in Advance at least weekly
- Review Advance Batch Proof Report for accuracy prior to submission to RSO
- Reconcile receipts to general ledger
Maintain Donor Terms
- Establish central school file for donor terms
- Communicate donor terms to responsible departments
- Establish department file for donor terms
Monitor Donor Terms for Compliance
- School-level review for deficits and large unexpended balances
- Department-level review for deficits and large unexpended balances
- Understand donor terms and manage spending in accordance with terms
Stewardship
- Establish process to thank donors for gift or pledge
- Send donor thank you letters on a timely basis
- Establish school-wide stewardship plan
- Identify/monitor donor funds that require periodic reporting
- Send donor reports on a timely basis
Student Organizations - Finance
Student organizations are responsible for establishing controls surrounding their financial processing.
Budgeting
- Prepare budget at beginning of term
- Set realistic targets; budgeted income should equal or exceed expenses
- Document assumptions used to determine budgeted income and expenses
- Format should be consistent with financial reporting format
- Obtain approval of the final budget from management and board
Financial Reporting
- List income and expenses by major category
- Format should be consistent with budget format
- Compare current year actual results to budget and prior year’s actual results
- Prepare financial reports throughout the semester and share with management/board
Cash Receipts
- Restrictively endorse checks “for deposit only, organization name” upon receipt
- Secure checks and cash in a locked area prior to deposit
- Make frequent deposits, at least weekly
- Maintain cash receipts log and record receipts in the checkbook
- Reconcile cash receipts log to bank statement each month
Paying Bills
- Establish process to review and pay bills by check at least monthly; don’t pay with cash
- Review vendor invoices and receipts prior to payment
- Ensure that two officers sign all checks
- Maintain copies of vendor invoices and receipts after payment
- Record checks in the checkbook on a timely basis
- Reconcile all checks written to bank statement each month
Bank Reconciliation
- Reconcile bank balance to checkbook balance each month
- Document all reconciling items
- Resolve errors identified
- Obtain officer and board approval for the reconciliation
Contracts
- Review draft contracts early in the process
- Refer to Student Organization Handbook for standard contract terms
- Send draft contract to Harvard College Student Activities Office for review
Roles and Responsibilities
- Separation of duties: two officers should handle all key financial duties
- Establish an officer transition plan; document key duties and maintain copies of budgets, financial reports, contracts, bank statements, checkbook, copies of paid invoices, etc.
Travel & Reimbursement - University Policies
Employee travel and reimbursement transactions must be managed to meet operational needs and compliance requirements. Travel expenses must comply with University policies and procedures. These policies should be applied consistently to all travelers.
Employee reimbursement transactions must also comply with IRS accountable plan rules regarding substantiation and timing. Certain expenses are personal in nature and are not reimbursable or are reimbursable only when specific criteria are met and financial dean or equivalent approval is obtained. University Policy
Risks commonly associated with travel and reimbursement:
- Allocating Harvard assets for personal expenses
- Non-compliance with terms of sponsored awards
- Incurring excessive costs if the traveler does not use preferred vendors
Best practices include:
- Local units should contact their tub finance office to arrange Travel and Reimbursement Policy training
- Employees should comply with University Travel and Reimbursement Policies
- Frequent travelers should use the Corporate Card (AMEX)
- Travelers should book airline travel through the Harvard Travel Center or one of Harvard’s preferred travel agencies
- Local units should have a process to approve employee travel and reimbursements
- Reimbursements must be submitted within 60 days from date of expenditure. Exceptions require approval of the financial dean or equivalent.
- Travel expense reports should be reviewed for accuracy and reasonableness including accurate coding of transactions
- Original receipts and other supporting documentation must be submitted for all transactions greater than or equal to $75. Tubs may set a lower dollar threshold.
- Support for meals should include a detailed bill from the restaurant
- Missing Receipt Affidavits must be completed where applicable and signed by both the traveler and approver
- Business purpose must be documented and include who incurred the expense, what the expense entailed, why this is a Harvard expense, when the expense occurred, and where the trip took place
- Travelers do not use first class travel without prior written approval from the President, Dean or Vice President
- Travel advance requests should be necessary and reasonable
- Travel advances should be settled in a timely manner
- Administrators should review and reconcile detailed listings monthly
Information Systems Resources
Identity Management
Identity management is a critical element of information security. It involves granting unique IDs to all users of an information system and the appropriate access in accordance with their job roles and responsibilities. In addition, it requires that access is removed in a timely manner when it is no longer required.
Authentication methods chosen should prevent unauthorized access to an account. Adhering to secure password procedures will help reduce the compromise of user accounts on the University’s systems.
Since today's computing technology environments are increasingly interconnected (networked), and sophisticated password cracking programs are freely available to anyone, the compromise of any single computer system or account through the revelation or theft of a single password can place whole communities of data in jeopardy. Adopting and abiding by secure password procedures has become a vital and shared computer responsibility.
For additional information regarding identity management, visit the Harvard University Information Security and Privacy section on Passwords and the Enterprise Security Policy.
Software Licensing
A good software management program includes keeping track of the organization's software use and documentation and providing training and awareness to staff on software use and copyright laws. By closely monitoring the organization's software use and documentation the organization is better able to control software costs, increase interoperability and productivity, and monitor compliance with copyright laws. For more information on software management, see the Harvard University Enterprise Licensing Web site.
Change Control
Change Control is the process that management uses to identify, document and authorize changes to an IT environment. It minimizes the likelihood of disruptions, unauthorized alterations and errors.
The change control procedures should be designed with the size and complexity of the environment in mind. For example, applications that are complex, maintained by large IT staffs or represent high risks require more formalized and more extensive processes than simple applications maintained by a single IT person. In all cases there should be clear identification of who is responsible for the change control process.
A change control process should consider the following elements:
- Authorized Maintenance - Staff maintaining systems should have specific assignments and their work should be monitored as required. In addition, their system access rights should be controlled to avoid risks of unauthorized access to production environments.
- Testing and User signoff - Software is thoroughly tested, not only for the change itself but also for impact on elements not modified. Consider developing a standard suite of tests for your application as well as creating a separate test environment. The standard test suite will help identify if core elements of an application were inadvertently affected. Maintaining this suite will make it less likely you will forget to test some feature in the future. The separate test environment will minimize disruptions to the production environment. Another important aspect of testing is that you test with transactions for which you know the correct results. Business owners of the systems should be responsible for signing off and approving changes being made.
- Testing Environment - Ideally systems should have at least three separate environments for development, testing and production. The test and production environments should be as similar as possible, with the possible exception of size. If cost prohibits having three environments, testing and development could take place in the same environment; but development activity would need to be closely managed (stopped) during acceptance testing. In no case should untested code or development be in a production environment.
- Version Control - Control should be placed on production source code to ensure that only the latest version is being updated. Otherwise previous changes may be inadvertently lost when a new change is moved into production. Version control may also help in being able to effectively back out of a change that has unintended side effects.
- Emergency Changes - Emergency situations may occur that require some of the program change controls to be overridden, such as granting programmers access to production. However, at least a verbal authorization should be obtained and the change should be documented as soon as possible.
- Distribution of Software - As a change is implemented, it is important that all components of the change are installed in the correct locations and in a timely manner.
- Hardware and System Software Changes - Changes to hardware and system software should also be tested and authorized before being applied to the production environment. They should also be documented in the change log. If a vendor supplies patches, they should be reviewed and assessed for applicability and potential impact to determine whether their fixes are required by the system.
Credit Card Transactions
Harvard units are increasingly accepting credit cards either over the web or via fax or telephone. Unfortunately that allows these units to be perfect targets for bankcard fraud. Scamsters are taking advantage of the fact that they can operate anonymously. They know that many of the credit card features that prevent fraud in the physical world do not apply in the card-not-present environment. We must understand that there is a greater need for protection against fraud exposure and associated losses. This is primarily because card-not-present merchants can be held financially responsible for a fraudulent transaction, even if the card Issuer has approved it. For information on securing credit card transactions, see the Harvard University Information Security and Privacy Web site.
Desktop User Tips
Additional resources and useful tips may be found on the UIS Support Services Web site.
What does an Information Systems audit entail?
The purpose of an audit is to evaluate the system controls that deal with security, access, user management and data integrity.
Insurance Best Practices
Automobiles
University-owned vehicles can only be used for business purposes and cannot be used for personal use. An authorized driver must be an employee of the University, at least 21 years old and must possess valid and applicable licenses.
- Departments should have written policies for use of personal vehicles for business purposes. (The employee's insurance is primary, and not all losses/costs are reimbursable.)
- Use the University Corporate Rate with preferred rental agencies whenever possible because this rate includes all necessary liability insurance.
Any University location selling liquor must be specifically listed on the Liquor Policy in order to be insured or must use a caterer with Liquor Liability Insurance (need to obtain proof of insurance).
- Employees need to adhere to applicable laws pertaining to not serving minors and not serving those intoxicated at business functions where alcohol is dispensed.
Departments undergoing Capital Project Renovations or high exposure renovations must arrange Builder's Risk Insurance for the period of construction/renovation.
- All contractors must provide a Certificate of Insurance evidencing General Liability, Workers' Compensation and Automobile Liability Insurance.
Educate employees about procedures to follow in the event someone is injured on the premises.
- Provide training to employees to respond to emergency situations involving property damage to University buildings.