Internal Control Checklist Effective Date: November 27, 2006

TABLE OF CONTENTS

ITEM PAGE

Introduction 1

Control Environment 2

Budgeting, Accounting and Financial Reporting 3

Collections, Deposits and Cash Funds 4

Asset Management 5

Payroll 6

Human Resource Management 7

Purchasing and Disbursements 8

Contracts and Grants 9

Information Technology 10

University of Florida 2
Internal Control Checklist Effective Date: November 27, 2006

INTRODUCTION

The objective of the Internal Control Checklist is to provide the campus community with a tool for evaluating their internal
control structure and general compliance, while also promoting effective and efficient business practices. The effective
utilization of this checklist will strengthen controls, improve compliance, and eliminate many potential audit comments.

QUESTIONS AND ANSWERS

What is Internal Control?
Internal control in its broader sense is defined as a process affected by an organization’s board of directors,
management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in
the following categories:

 Effectiveness and efficiency of operations

 Reliability of reporting
 Compliance with applicable rules, laws and regulations

Internal Control components include Control Environment, Risk Assessment, Control Activities, Information and
Communication and Monitoring.

Most of the time the emphasis is on common control activities which may include the following:

 Segregation of functional responsibilities to create a system of checks and balances.

 A system of authorization and record procedures adequate to provide reasonable accounting control over
assets, liabilities, revenues, and expenditures.
 Development of policies and procedures for prescribing and documenting the business and control processes.
This should consist of a well thought out strategy and be reviewed and adjusted periodically to reflect changes
in the business and control environment.

Are there policies or principles established by the University of Florida regarding internal controls and
financial management?

The University of Florida and its governing board adopted the Guiding Principles of Financial Management and Internal
Control Principles (Attached). These may be accessed electronically at
http://fa.ufl.edu/uco/internal-control-principles.asp
http://fa.ufl.edu/uco/guiding-principles-financial-management.asp

What is legal/managerial compliance?

For purposes of this document, legal and managerial compliance is simply intended to refer to compliance with the
various laws, rules, policies, directives, and procedures that prescribe the guidelines and parameters that we must
operate within. Some of these are self-imposed to ensure effective business and/or control practices. Legal and
managerial compliance requirements which govern how we operate include, but are not limited to the following:

Federal Constitution, Laws, and Regulations

Florida Constitution, Statutes, and Administrative Code

University of Florida 3
Internal Control Checklist Effective Date: November 27, 2006

University of Florida Board of Trustee Policies, Resolutions, and By-laws

University of Florida Finance and Accounting Directives and Procedures
University Controller Memoranda
Departmental Polices and Procedures

How can I operate more efficiently?

There is no pat answer to this question. Obviously, skilled, well-informed and motivated faculty and staff is an important
ingredient to an effective operation. Staff should be provided adequate training opportunities and understand what is
expected of them. Good lines of communications are important.

With the fast pace of changes in technology, coupled with changes in regulatory compliance requirements and staff
turnover, it is usually useful to review the various processes from time to time asking why the various tasks are being
performed and determining if the tasks add any value to the process, or if there is a better way to accomplish them.

Examining crises that have occurred in the past is often a useful way of preventing them in the future. Reviewing the
structure or operations of similar organizations may also provide ideas on how to improve your organization.

How do I use the checklist?

The checklist is simply a tool similar to what most auditors might use if they were performing a review of your
department’s internal controls. The checklist should be completed by management accountable for the particular
business process. While “no” responses would normally indicate a potential weakness, this could be off-set by
“compensating” controls within the unit. It is difficult to make a statement regarding a particular control based on the
response to just one question. Most internal control procedures are simply based on “common sense”, i.e., the person
having custody of the asset, such as cash, should not be solely responsible for accounting for it; no one person should
be able to complete a requisition/payment transaction or personnel/payroll transaction from beginning to end without an
appropriate monitoring or oversight. Incompatible duties should be segregated for a check and balance; laws and
University policies and directives are expected to be followed. Despite the fact that many internal controls are a simple
matter of common sense, taking the time to periodically use this checklist to review the control processes can be a
valuable tool in the process and help document your due diligence. The complete set of checklists are available
electronically at:

http://fa.ufl.edu/uco/internal-control-checklist.pdf

What do we do if we identify potential control deficiencies or we have questions?

Risks associated with potential control deficiencies may differ from unit to unit. The unit management is the first channel
to address the implications of the deficiencies. Other resources may include the Controller’s Office ([email protected]) and
the Office of Audit and Compliance Review ([email protected]).

Remember, we all play a part in the University’s internal control system!

University of Florida 4
Internal Control Checklist Effective Date: November 27, 2006

UNIVERSITY OF FLORIDA INTERNAL CONTROL PRINCIPLES

(These Internal Control Principles were adopted by the University of Florida, Audit Committee of the Board of
Trustees.)

University administrators and managers are charged with the responsibility for establishing a network of processes
with the objective of controlling the operations of the University of Florida in a manner which provides the board of
trustees reasonable assurance that:

 Data and information published either internally or externally is accurate, reliable, complete, and timely.

 The actions of administrators, officers, and employees are in compliance with the University’s policies,
standards, plans and procedures, and all relevant laws and regulations.

 The University’s resources (including its people, systems, data/information bases, and client goodwill) are
adequately protected.

 Resources are acquired economically and employed effectively; quality business processes and
continuous improvement are emphasized.

 The University’s internal controls promote the achievement of plans, programs, goals, and objectives.

Controlling is a function of management and is an integral part of the overall process of managing operations.
As such, it is the responsibility of managers at all levels of the University to:

 Identify and evaluate the exposures to loss relating to their particular sphere of operations.

 Specify and establish policies, plans, and operating standards, procedures, systems, and other disciplines
to be used to minimize, mitigate, and/or limit the risks associated with the exposures identified.

 Establish practical controlling processes that require and encourage administrators, officers, and
employees to carry out their duties and responsibilities in a manner that achieves the control objectives
outlined above.

 Maintain the effectiveness of the controlling processes established and foster continuous improvement to
these processes.

The internal audit activity is charged with the responsibility for ascertaining that the ongoing processes for controlling
operations throughout the organization are adequately designed and are functioning in an effective manner. The
University of Florida Office of Audit and Compliance Review (OACR) is responsible for reporting to management
and the Committee on Audit and Operations of the Board of Trustees on the adequacy and effectiveness of the
organization’s systems of internal control, together with ideas, counsel, and recommendations to improve the
systems.

The Committee on Audit and Operations is responsible for monitoring, overseeing, and evaluating the duties and
responsibilities of management, the internal audit activity, and the external auditors as those duties and

University of Florida 5
Internal Control Checklist Effective Date: November 27, 2006

responsibilities relate to the organization’s processes for controlling its operations. The Committee is also
responsible for determining that all major issues reported by the internal audit activity, the external auditor, and other
outside advisors have been satisfactorily resolved. Finally, the Committee is responsible for reporting to the full
board significant matters pertaining to the University’s internal control structure.

University of Florida 6
Internal Control Checklist Effective Date: November 27, 2006

UNIVERSITY OF FLORIDA
GUIDING PRINCIPLES OF FINANCIAL MANAGEMENT

(These Guiding Principles were adopted by the University of Florida, Board of Trustees at their September, 2006
meeting.)

Scope:

The University is committed to conducting business in a fiscally responsible manner under the highest ethical standards.
The University will adopt the following principles:

Principles of Financial Management:

 Maintain accounting records in accordance with Generally Accepted Accounting Principles (G.A.A.P.) which
provide full-disclosure of compliance with stewardship responsibilities of the university.

 Maintain an internal control environment which enhances sound business practices and clearly defines roles,
responsibilities and accountability.

 Ensure that applicable laws, regulations and donor or sponsor requirements or restrictions are complied with
and that documentation standards provide assurances of such compliance.

 Provide accurate and relevant managerial financial reports. Standardized and cost center specific reports will
be available as management tools for employees with delegated budgetary responsibilities. Higher level
reports will be provided to those employees with broader level fiscal responsibilities

 Utilize appropriate budgetary controls applicable to fund source (i.e. state appropriations, auxiliary operations,
sponsored research projects) to monitor variances and provide explanations of deviations.

 Maintain appropriate levels of financial transaction reviews and approvals by university personnel responsible
for budgetary entities.

 Involve both internal and external parties to provide periodic independent oversight of university financial
activities. Such parties shall include accounting professionals within the university, internal and external
auditors, and governing bodies as appropriate.

 Ensure all employees are aware of their responsibility to report suspected fraudulent or other dishonest acts
and deviations from the Principles of Financial Management to their supervisor, appropriate administrator or the
University’s Office of Audit and Compliance Review.

University of Florida 7
Internal Control Checklist Effective Date: November 27, 2006

CONTROL ENVIRONMENT

Department …………………………………………………………………………………………………………………………
Preparer(s) ……………………………………........ Date ……………………………………………………………

5
YES NO *NS *N/A CHECKLIST QUESTION

□ □ □ □ 1. Are appropriate faculty and staff members familiar with Board of Trustee Policies
( http://www.trustees.ufl.edu/policies/) , Finance and Accounting Directives and
Procedures (http://fa.ufl.edu/uco/handbook/handbook.asp?doc=1.4.9), and other
relevant operating and compliance requirements and guidelines?

□ □ □ □ 2. Does management demonstrate the importance of integrity and ethical values

including the statement of core values to faculty and staff and are they familiar with
the code of Ethics for Public Officers and Employees, Chapter 112 Part III, Florida
Statutes?

□ □ □ □ 3. Is good communication, collaboration, and team effort stressed?

□ □ □ □ 4. Is management open to employee suggestions to improve productivity, service,

and quality?

□ □ □ □ 5. Do management and employees have the knowledge, training, and skills

necessary to perform their jobs adequately and continue to take advantage of on-
going training opportunities?

□ □ □ □ 6. Has management established a mission statement, set goals, and developed plans
to meet its objectives?

□ □ □ □ 7. Are plans and performance periodically assessed?

□ □ □ □ 8. Are the unit’s performance targets realistic and attainable?

□ □ □ □ 9. Does integrity of financial and operational results take priority over reporting
acceptable performance targets?

□ □ □ □ 10. Is the unit’s organizational structure and lines of authority clearly understood by
employees?

□ □ □ □ 11. Are employee job descriptions, desk procedures, and other internal operating
procedures current?

□ □ □ □ 12. Has the unit maintained an acceptable employee turnover rate?

□ □ □ □ 13. Does employee morale appear to be at an acceptable level?

□ □ □ □ 14. Does the unit have the time, tools, and resources to effectively accomplish its
mission and objectives?
* NS – Not Sure * N/A – Not Applicable

University of Florida 8
Internal Control Checklist Effective Date: November 27, 2006

CONTROL ENVIRONMENT

□ □ □ □ 15. Has the unit established any benchmarks with peers to measure its resource use
and outcomes?

□ □ □ □ 16. Are records maintained in accordance with guidelines issued by the Office of the
Provost? http://www.aa.ufl.edu/aa/records/records_management_coordinators.htm

□ □ □ □ 17. Does the unit have a business continuation plan that addresses the absence of key
employees and backup procedures for key business processes?
* NS – Not Sure * N/A – Not Applicable

Comments:
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………

University of Florida 9
Internal Control Checklist Effective Date: November 27, 2006

BUDGETING, ACCOUNTING, AND FINANCIAL REPORTING

Department …………………………………………………………………………………………………………………………
Preparer(s) ……………………………………........ Date ……………………………………………………………

TRAINING

5
YES NO *NS *N/A CHECKLIST QUESTION

□ □ □ □ 1. Are fiscal staff familiar with appropriate sections of Finance and Accounting
Directives and Procedures (i.e. 1.4.2, 3, and 4)?
http://fa.ufl.edu/uco/handbook/handbook.asp?doc=1.4

□ □ □ □ 2. Have fiscal staff been appropriately trained in the use of the accounting system,
including the chart of accounts and edits?

□ □ □ □ 3. Have fiscal staff been appropriately trained in the use of the systems reports and
reporting tools?

□ □ □ □ 4. Do fiscal staff possess basic accounting skills and knowledge necessary to

adequately perform their responsibilities?

□ □ □ □ 5. Do fiscal staff understand the rules associated with different fund types (E&G
Appropriations, Grants, Agency, Auxiliary, Direct Support Organizations, etc.)?

RECONCILIATIONS

5
YES NO *NS *N/A CHECKLIST QUESTION

□ □ □ □ 6. Are departmental ledgers reviewed and reconciled to supporting documentation at

least monthly?

□ □ □ □ 7. Are the staff performing the reconciliation separate from the staff initiating and
finalizing transactions?

□ □ □ □ 8. Are reconciling differences, negative balances, and/or unsupported transactions

investigated and corrected timely?

□ □ □ □ 9. Does higher level management review the reconciled ledgers and appropriate
supporting documentation and appropriately document its review in a timely
manner?
* NS – Not Sure * N/A – Not Applicable

University of Florida 10
Internal Control Checklist Effective Date: November 27, 2006

BUDGETING, ACCOUNTING, AND FINANCIAL REPORTING

FUNDS MANAGEMENT

5
YES NO *NS *N/A CHECKLIST QUESTION

□ □ □ □ 10. Are funds for large purchases, travel, etc. encumbered and set aside ahead of time
to ensure that funds will be available when payment is due?

□ □ □ □ 11. Are financial reports comparing budgeted balances with actual financial activity
generated and reviewed by appropriate management?

□ □ □ □ 12. If fund or cost center deficits are anticipated, are appropriate levels of management
notified timely and appropriate corrective action taken?
* NS – Not Sure * N/A – Not Applicable

Comments:
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………

University of Florida 11
Internal Control Checklist Effective Date: November 27, 2006

COLLECTIONS, DEPOSITS AND CASH FUNDS

Department …………………………………………………………………………………………………………………………
Nature of Cash Funds/Collections …………………………………………………………………………………
Preparer(s) ……………………………………........ Date …………………………………………………………...

5
YES NO *NS *N/A CHECKLIST QUESTION

□ □ □ □ 1. Are staff members responsible for cash handling and deposits familiar with Finance
and Accounting Directives and Procedures on cash handling and deposits
(1.4.11)? http://fa.ufl.edu/uco/handbook/handbook.asp?doc=1.4.11

□ □ □ □ 2. Are the collection and deposit preparation functions segregated from the
accounting functions, including general ledger and accounts receivable
maintenance?

□ □ □ □ 3. Has each cash collection point been approved to receive cash collections and or
maintain petty cash change funds?

□ □ □ □ 4. Are receipts issued or mail logs receipts recorded immediately for all forms of
collections received and at the earliest point of collection?

□ □ □ □ 5. Are cash register tapes or official University receipt forms (obtained from Treasury
Management) issued each time a cash collection (including collection by check or
credit card) is received over the counter?

□ □ □ □ 6. Are pre-numbered receipts mail logs and cash register readings independently
controlled, accounted for, and compared to a validated deposit documentation by
an individual with no cash handling responsibilities?

□ □ □ □ 7. Are all copies of voided receipt forms and cash register voids retained and
accounted for and/or approved and documented?

□ □ □ □ 8. Are all collections required to be made payable to the proper payee, “University of
Florida,” or the appropriate direct support organization party to the transaction?

□ □ □ □ 9. Are checks required to be restrictively endorsed upon receipt?

□ □ □ □ 10. Are responsibilities for monies fixed at all times? (This would include prohibiting
cash handlers from working out of the same cash drawer and requiring
documentation of transfers of collections among employees.)
* NS – Not Sure * N/A – Not Applicable

University of Florida 12
Internal Control Checklist Effective Date: November 27, 2006

COLLECTIONS, DEPOSITS AND CASH FUNDS

□ □ □ □ 11. Are cash drawers or cash boxes secured when the cash custodian leaves his/her
workstation?

□ □ □ □ 12. Do cash registers have sufficient built-in control features to prevent the operator
from backing out transactions without supervisory approval or resetting the cash
register readings?

□ □ □ □ 13. Are overages and shortages properly documented and appropriately explained?

□ □ □ □ 14. Are deposits made timely?

□ □ □ □ 15. Are receipts and deposits reconciled at least monthly with departmental ledgers?

□ □ □ □ 16. Are funds physically stored in a safe or equally secure place?

□ □ □ □ 17. Is knowledge of safe combinations or access to keys restricted to employees with a

need-to-know or need-to-access, and is the combination/keys to the safe changed
when there are changes to the staff that have knowledge of the safe combination
or who have had access to the safe keys?

□ □ □ □ 18. Is the petty cash fund periodically counted by surprise?

□ □ □ □ 19. Are deposits transmitted in locked bank bags?

□ □ □ □ 20. Are staff and faculty prohibited from making loans from cash funds and from
cashing personal checks from cash funds?

□ □ □ □ 21. Are duties related to accounts receivable delegated so that no one individual can
collect funds, update receivable records, and reconcile accounts receivable
details?

□ □ □ □ 22. Are accounts receivable billings issued at least monthly, or as required by an

agreement?

□ □ □ □ 23. Are accounts receivable aged regularly with older accounts receiving appropriate
follow-up?

□ □ □ □ 24. Is the write-off of delinquent accounts in compliance with University policy?

□ □ □ □ 25. Are cases of suspected fraud or theft brought to the attention of Campus Police,
the Insurance Coordinator in Environmental Health and Safety, and Office of Audit
and Compliance Review immediately upon discovery?
* NS – Not Sure * N/A – Not Applicable

University of Florida 13
Internal Control Checklist Effective Date: November 27, 2006

COLLECTIONS, DEPOSITS AND CASH FUNDS

□ □ □ □ 26. Does unit management periodically review data showing trends regarding the
status of receivable balances and take appropriate action if needed?

□ □ □ □ 27. Are sales taxes collected and properly remitted when appropriate? Please refer to
University Tax Services website for any questions (http://fa.ufl.edu/tax/)?

□ □ □ □ 28. If revenues are possibly subject to Unrelated Business Income Taxes, has the
University Tax Administration Office of Finance and Accounting been notified?

□ □ □ □ 29. If the department accepts credit cards for payment, is the department following
Finance and Accounting Directives and Procedures on credit cards (1.4.11.12)?
This requires compliance with the Payment Card Industry Data Security Standards
(PCIDDS). These standards address appropriate security measures needed in
place to secure customer information, i.e. credit card numbers, etc. and may be
found at the Visa Customer Information Security Program (CISP) website:
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.ht
ml

* NS – Not Sure * N/A – Not Applicable

Comments:
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………

University of Florida 14
Internal Control Checklist Effective Date: November 27, 2006

ASSET MANAGEMENT

Department …………………………………………………………………………………………………………………………
Preparer(s) ……………………………………........ Date ……………………………………………………………

5
YES NO *NS *N/A CHECKLIST QUESTION

□ □ □ □ 1. Are department property custodians familiar with the appropriate section of Finance
and Accounting Directives and Procedures (1.4.9)?
http://fa.ufl.edu/uco/handbook/handbook.asp?doc=1.4.9

□ □ □ □ 2. Are Property Identification Decals placed in an easily scanned spot and maintained
to make taking of inventory easier?

□ □ □ □ 3. Is surplus equipment secured until properly surveyed and approved for removal by
Asset Management?

□ □ □ □ 4. Are equipment surveys and transfers recorded and submitted to Asset

Management as soon as possible?

□ □ □ □ 5. Is the surplus property website viewed or warehouse visited prior to making new
equipment purchases? http://fa.ufl.edu/am/surplus/

□ □ □ □ 6. Are all work areas and storerooms appropriately secured to deter unauthorized
entry?

□ □ □ □ 7. Are “attractive” items such as laptops, projectors, tools, and cameras, kept in a
secure location when not being used?

□ □ □ □ 8. Is furniture/equipment properly constructed at the University accounted for and

included on the property records, when appropriate?

□ □ □ □ 9. Is the use of property off-campus properly accounted for and documented with an
off-campus certification form?

□ □ □ □ 10. Is a control file maintained with the decals and descriptions of property which
cannot have the decals affixed?

□ □ □ □ 11. Is Asset Management notified when you receive government

furnished equipment or donated equipment?

□ □ □ □ 12. When moving equipment from one location to another within your department, is
Asset Management notified in a timely manner using the on-line “Movement of
Property” form on Asset Management’s web site?

□ □ □ □ 13. When transferring equipment to a different department or project, is an on-line

“Report of Transfer” form completed in a timely manner?
* NS – Not Sure * N/A – Not Applicable

University of Florida 15
Internal Control Checklist Effective Date: November 27, 2006

ASSET MANAGEMENT

□ □ □ □ 14. Are adequate procedures in place to facilitate the annual inventory, including
procedures to resolve discrepancies in a timely manner?

□ □ □ □ 15. Is Asset Management notified of any errors or discrepancies on the equipment

inventory report in a timely manner?

□ □ □ □ 16. Is Campus Police notified immediately of any stolen or missing property?

□ □ □ □ 17. Are vehicle use records maintained for the use of University owned vehicles?

□ □ □ □ 18. Is vehicle use limited to personnel with valid driver’s licenses and is this verified?

□ □ □ □ 19. Are only appropriate employees allocated keys to the office and building?

□ □ □ □ 20. Is the building secure and after hours access limited to appropriate employees?

□ □ □ □ 21. Is a Property Update Document for equipment purchases completed and forwarded
to Asset Management?
* NS – Not Sure * N/A – Not Applicable

Comments:
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………

University of Florida 16
Internal Control Checklist Effective Date: November 27, 2006

PAYROLL

Department …………………………………………………………………………………………………………………………
Preparer(s) ……………………………………........ Date ……………………………………………………………

5
YES NO *NS *N/A CHECKLIST QUESTION

□ □ □ □ 1. Are staff members with responsibility for payroll familiar with the Finance and
Accounting Directives and Procedures relating to Payroll (section 1.4.15)?
http://fa.ufl.edu/uco/handbook/handbook.asp?doc=1.4.15

□ □ □ □ 2. Have employees charged with payroll and distribution responsibilities been

appropriately trained?

□ □ □ □ 3. Are the duties of approving job actions and approval of time segregated from the
duties of distribution of the paychecks?

□ □ □ □ 4. Are time and labor entries approved by the dean, director, unit head, or other
supervisor who has supervisory responsibilities over the persons whose time
and/or payment is being approved?

□ □ □ □ 5. Does the payroll processor review the preliminary pay lists to ensure that
employees will be paid correctly?

□ □ □ □ 6. Does management review, sign, and date the Final Pay Lists to document that
faculty and staff are paid according to wage contracts and terminated employees
are not paid?

□ □ □ □ 7. Is the Final Pay List reviewed in a timely manner so Payroll can be notified by the
appropriate deadlines of any advices requiring EFT cancellation?

□ □ □ □ 8. Are over or underpayments dealt with promptly?

□ □ □ □ 9. Are payroll distributions properly approved and made timely and accurately?

□ □ □ □ 10. Are lump sum payments and other types of additional pay properly documented?

□ □ □ □ 11. Are unclaimed pay checks returned to University Payroll Services after seven
days?

□ □ □ □ 12. For employees required to maintain time cards for time worked, do the time records
reflect the actual hours/minutes worked rather than the hours scheduled to work?

□ □ □ □ 13. Have procedures been implemented to ensure that overtime and compensatory
time hours worked are appropriate and approved in advance by an employee’s
supervisor?

□ □ □ □ 14. Are payroll checks and earning statements properly secured prior to delivery?
* NS – Not Sure * N/A – Not Applicable

University of Florida 17
Internal Control Checklist Effective Date: November 27, 2006

PAYROLL

□ □ □ □ 15. Is appropriate identification and authorization required if paychecks or earning

statements are to be provided to individuals other than the employee? Additionally,
if the employee is unknown to the paycheck distributor, is appropriate identification
required before the pay check is released?
* NS – Not Sure * N/A – Not Applicable

Comments:
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………

University of Florida 18
Internal Control Checklist Effective Date: November 27, 2006

HUMAN RESOURCE MANAGEMENT

Department …………………………………………………………………………………………………………………………
Preparer(s) ……………………………………........ Date ……………………………………………………………

5
YES NO *NS *N/A CHECKLIST QUESTION

□ □ □ □ 1. Have employees with HR administrative responsibilities attended training programs

that are specific to their roles in the organization.
http://www.hr.ufl.edu/policies/default.htm

□ □ □ □ 2. Are hiring practices reflective of the University's non-discrimination policy?

□ □ □ □ 3. Are the completed Recruitment Summaries being submitted prior to hire?

□ □ □ □ 4. Are the education and/or verification(s) and past work experience of the new
employee(s), including faculty, verified and documented?

□ □ □ □ 5. Are the appropriate criminal background checks being performed when required by
position?

□ □ □ □ 6. Are I-9's being processed within three days of date of hire?

□ □ □ □ 7. Is the visa status of foreign national employees validated on a quarterly basis?

□ □ □ □ 8. Do new employees attend new employee orientation?

□ □ □ □ 9. Do new employees complete sexual harassment training within six months of date
of hire?

□ □ □ □ 10. Are duties relating to processing and approving personnel actions segregated?

□ □ □ □ 11. In addition to the central Human Resource Services file, does the unit maintain
personnel files that include current job descriptions and performance appraisals?

□ □ □ □ 12. Are personnel records maintained in accordance with retention schedules and
access to confidential records limited to those with a “need to know”?

□ □ □ □ 13. Are performance evaluations submitted on a timely basis with Human Resource
Services?

□ □ □ □ 14. Are employees who are covered by the Fair Labor Standards Act (non-
exempt/hourly employees) compensated for overtime worked?

□ □ □ □ 15. Are unit procedures in place to ensure that student employees do not work more
than 20 hours a week and do not work during scheduled classes without
documentation that the class has been canceled?
* NS – Not Sure * N/A – Not Applicable

University of Florida 19
Internal Control Checklist Effective Date: November 27, 2006

HUMAN RESOURCE MANAGEMENT

□ □ □ □ 16. Are unit procedures in place to ensure that leave taken is properly approved and
recorded?

□ □ □ □ 17. Have supervisors and other staff members responsible for HR been properly
trained on the Family and Medical Leave Act (FMLA)?

□ □ □ □ 18. Are procedures in place to ensure awareness and compliance with the University’s
policy for reporting outside employment activities, and any potential conflicts of
interest and nepotism?

□ □ □ □ 19. Are terminations of appointments for employees separating from the University
processed timely and the exit checklist reviewed?
http://www.hr.ufl.edu/forms/managers/checklist.pdf
* NS – Not Sure * N/A – Not Applicable

Comments:
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………

University of Florida 20
Internal Control Checklist Effective Date: November 27, 2006

PURCHASING AND DISBURSEMENTS

Department …………………………………………………………………………………………………………………………
Preparer(s) ……………………………………........ Date ……………………………………………………………

5
YES NO *NS *N/A CHECKLIST QUESTION

□ □ □ □ 1. Are staff responsible for requisition/purchasing and vendor payments and travel
familiar with the Purchasing and Disbursement Sections of the Finance and
Accounting Directives and Procedures (1.4.12,13, and14) ?
http://fa.ufl.edu/uco/handbook/handbook.asp?doc=1.4

□ □ □ □ 2. Are the duties for initiating requisitions, receiving purchased items, processing of
invoices for payment, and reconciliation of the departmental ledger separated
between two or more employees?

□ □ □ □ 3. Are contracts and leases approved by all appropriate parties prior to the effective
date of the contract?

□ □ □ □ 4. Does management review charges recorded on the departmental ledger and

inquire about unfamiliar charges?

□ □ □ □ 5. Is management’s review of the departmental ledger, reconciliation, and supporting

documentation appropriately documented?

□ □ □ □ 6. Do unit procedures ensure that the best combination of quality, total price, and
delivery are evaluated when acquiring goods or services?

□ □ □ □ 7. Are purchase requisitions initiated and approved by employees specifically

authorized to perform this task?

□ □ □ □ 8. Are vendor invoices processed timely?

□ □ □ □ 9. Are all invoices independently reviewed for completeness, accuracy, compliance

with university directives, and agreement to supporting documentation (receiving
reports and purchase orders) before approval for payment?

□ □ □ □ 10. Do invoices receive appropriate supervisory approval before payment?

□ □ □ □ 11. Are appropriate discounts offered being taken?

□ □ □ □ 12. If the invoice inappropriately included taxes, were they deducted prior to payment?

□ □ □ □ 13. Are encumbrances and disbursements reconciled with the departmental ledger?

□ □ □ □ 14. Are returned purchases controlled in such a manner to ensure that the department
receives the credit or refund due the department?
* NS – Not Sure * N/A – Not Applicable

University of Florida 21
Internal Control Checklist Effective Date: November 27, 2006

PURCHASING AND DISBURSEMENTS

□ □ □ □ 15. Are vendor invoices and travel reimbursements controlled in such a manner as to
prevent duplicate payment?

□ □ □ □ 16. Does the Dean, Director, or Department Head approve (by signature) the issuance
of purchasing cards?

□ □ □ □ 17. Does the department generate “Monthly Paid Charges” reports for each cardholder,
obtain supporting receipts, and cardholder’s signature?

□ □ □ □ 18. Are purchasing card transactions authorized by an Approver, reconciled timely, and
signed by the cardholder?

□ □ □ □ 19. Does department management periodically review a list of departmental

cardholders and their limits to determine if changes need to be made?

□ □ □ □ 20. Are originators adequately trained to ensure proper posting of travel related data?

□ □ □ □ 21. Does the department create an “Authorized Approver Request Form” to authorize a
designee to approve travel?

□ □ □ □ 22. Does the approver verify that a Travel Authorization was created before the travel
occurred?

□ □ □ □ 23. Are Travel Authorizations compared to the traveler’s budget balance to ensure that
the traveler is still within the limits of his/her budget?

□ □ □ □ 24. Are requests for travel reimbursements and related expenses submitted through
the Travel and Expense module rather than the Accounts Payable Module?

□ □ □ □ 25. Are travel advances made and approved through the Travel and Expense Module?

□ □ □ □ 26. Are travel advances settled timely?

□ □ □ □ 27. Are telephone bills reviewed and appropriately certified as to business use only?

□ □ □ □ 28. Is a periodic review made of telephone lines and equipment to ensure that such
telephone lines and equipment is needed?

□ □ □ □ 29. Is the use of copy machines limited to official business use only?

□ □ □ □ 30. Are maintenance agreements reviewed periodically, especially before they are
renewed, to ensure that the equipment the maintenance agreement is intended to
cover is still owned and used by the unit and that it is still in the unit’s best interest
to continue to carry the maintenance coverage?
* NS – Not Sure * N/A – Not Applicable

University of Florida 22
Internal Control Checklist Effective Date: November 27, 2006

PURCHASING AND DISBURSEMENTS

□ □ □ □ 31. Are the purchase, storage, and issuance of supplies properly controlled to prevent
over-purchasing, pilferage, deterioration, and damage?
* NS – Not Sure * N/A – Not Applicable

Comments:
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………

University of Florida 23
Internal Control Checklist Effective Date: November 27, 2006

CONTRACTS AND GRANTS

Department …………………………………………………………………………………………………………………………
Preparer(s) ……………………………………........ Date ……………………………………………………………

5
YES NO *NS *N/A CHECKLIST QUESTION

□ □ □ □ 1. Are staff members responsible for contracts and grants familiar with the Finance
and Accounting Directives and Procedures relating to contracts and grants?
(http://fa.ufl.edu/uco/handbook/handbook.asp?doc=1.4.5) Also, are staff familiar
with the Division of Sponsored Research (DSR) handbook at
http://rgp.ufl.edu/research/handbook/researcher_handbook/

□ □ □ □ 2. Have staff and faculty been provided sufficient training to understand the special
requirements of expending contract and grant funds, effort reporting, and in general
ensuring compliance with grant or contract terms and Federal regulations. See
Research Administrator Training website at http://apps.rgp.ufl.edu/research/training/

□ □ □ □ 3. Are appropriate procedures in place to ensure that all technical and progress reports
are prepared by employees directly involved with the grant program or contract and
are submitted to the sponsor or contractor in accordance with the terms of the
agreement?

□ □ □ □ 4. Are there policies and procedures to address circumstances when an award has not
yet been accepted by the University (ex: set up of temporary accounts), excess
funds remain after completion of a project, and charges are in excess of allowed
amounts?

□ □ □ □ 5. Are costs directly charged to a grant or used as cost sharing reviewed to assure
they are reasonable, allocable, consistently treated, and meet any restrictions that
apply?

□ □ □ □ 6. Do fixed price contracts include all relevant expenditures?

□ □ □ □ 7. Are unit procedures in place to ensure travel is an allowable expense under sponsor
terms, charged at allowable rates, and benefits the grant charged?

□ □ □ □ 8. Are salaries of administrative and clerical staff and non-salary administrative items
charged directly to a grant or sponsored project only if such services and expenses
are explicitly budgeted for in the grant and CAS exemption received?

□ □ □ □ 9. Is biweekly payroll distribution managed to assure that employee payroll is charged

to sponsored projects consistent with employee’s activities rather than budget or
availability of funds?

□ □ □ □ 10. Are payroll charges appropriately distributed and reported for employees whose
compensation exceeds the NIH salary cap or other budgetary restrictions?
* NS – Not Sure * N/A – Not Applicable

University of Florida 24
Internal Control Checklist Effective Date: November 27, 2006

CONTRACTS AND GRANTS

□ □ □ □ 11. Are unit procedures in place to ensure that faculty and staff effort is reported
accurately and timely? Is documentation available to support the use of a suitable
means of verification?

□ □ □ □ 12. Is committed effort and assignments reviewed to verify that individual PIs are not
“overcommitted” to current projects and report at least a minimum level of effort on
his/her contract(s) or grant(s)?

□ □ □ □ 13. Does the unit monitor if there are significant changes in an employee’s committed
research activities? If applicable, is there a process to ensure these changes are
reported to the Division of Sponsored Research (DSR)?

□ □ □ □ 14. Are polices and procedures in place to ensure payroll or other expenditure transfers
are appropriate, approved, and processed timely and include required supporting
documentation?

□ □ □ □ 15. Are subgrants/subcontracts to other organizations routed to DSR on the basis of

properly completed and approved sub-award proposals?

□ □ □ □ 16. Are disbursements to subgrantees/subcontractors approved by Principal

Investigators (PI) based on properly completed reports or billings?

□ □ □ □ 17. Except for capital grants, are purchases of fixed assets made prior to the end of the
grant so the fixed assets can be used in accomplishment of the project objectives?

□ □ □ □ 18. Are unit procedures in place to ensure expenditures are not charged after the grant
period, and assist core Contract and Grant offices with the timely closeouts of
awards?

□ □ □ □ 19. Where projects require cost sharing or matching, does the unit compare regularly
accumulated cost shared amounts with grant cost sharing requirements to see it has
met its cost sharing goals?

□ □ □ □ 20. Is there a control in place to ensure that expenses reported for purposes of cost
sharing are not already charged directly to other sponsored projects unless
specifically granted permission by both sponsors?

□ □ □ □ 21. Are grant summary reports reviewed and reconciled to supporting documentation
periodically to verify that balances agree to amounts reported in myUFL?
* NS – Not Sure * N/A – Not Applicable

Comments:
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………

University of Florida 25
Internal Control Checklist Effective Date: November 27, 2006

INFORMATION TECHNOLOGY

Department …………………………………………………………………………………………………………………………
Preparer(s) ……………………………………........ Date ……………………………………………………………

Note: While probably every unit uses information technology, the size and scope of such use can vary dramatically.
Therefore, a fairly standard internal control checklist was used below, which may be more comprehensive or less than
what is deemed needed depending on the unit’s IT operation. Please keep this in mind while attempting to use this
checklist.

5
YES NO *NS *N/A CHECKLIST QUESTION

□ □ □ □ 1. Are appropriate faculty and staff members familiar with the Office of Information
Technology Guidelines? UF IT Policies and Standards
http://www.it.ufl.edu/policies/ ; Basic Security Guidelines for Network Administrators
http://infosec.ufl.edu/admins/guidelines.shtml ; Protect and Educate
http://infosec.ufl.edu/athome/

□ □ □ □ 2. Has a unit IT risk assessment been conducted within the past three years?

□ □ □ □ 3. Have key IT positions been classified as positions of special trust?

□ □ □ □ 4. Does a business continuation plan exist which identifies critical activities, backup
files, programs, and alternative processing sites?

□ □ □ □ 5. Have change management procedures been established, including patch

management, for portable computers, workstations, and servers?

□ □ □ □ 6. Are system security and application access logs enabled and reviewed
periodically?

□ □ □ □ 7. Are backups of operating systems, critical data, and key software programs made
on a regular basis and stored at an off-site location?

□ □ □ □ 8. Is access to the production systems authorized and documented through the use of
standard forms or emails?

□ □ □ □ 9. Are strong passwords for all production systems (interval change, minimum length,
lock out, etc.) in place?

□ □ □ □ 10. Are documented procedures in place for removing access to all production systems
when an employee leaves the unit?

□ □ □ □ 11. Is sensitive and restricted data managed by the unit (on networks, personal
computers, and back up media), classified and protected by restricted access,
encryption, or other controls?
* NS – Not Sure * N/A – Not Applicable

University of Florida 26
Internal Control Checklist Effective Date: November 27, 2006

INFORMATION TECHNOLOGY

□ □ □ □ 12. Do policies provide for all personnel with a need to access critical applications
(mainframe, networks, and personal computers) to have individual accounts and
passwords and are they prohibited from sharing those passwords?

□ □ □ □ 13. Are records of all software licensing agreements managed by the unit properly
maintained?

□ □ □ □ 14. Has the university policy on acceptable use of computer resources been effectively
communicated to all employees including new hires?

□ □ □ □ 15. Is antivirus software installed, operating and being updated for all computing
resources (laptops, desktops, servers, etc)?

□ □ □ □ 16. Is system administrator access to the production systems restricted and based on
need?
* NS – Not Sure * N/A – Not Applicable

Comments:
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………………

University of Florida 27