Definition
A control is any policy, procedure, practice, or mechanism designed to provide reasonable assurance that the organization's objectives will be achieved. This includes controls designed to safeguard assets, ensure the timeliness, accuracy and reliability of financial and management reporting and to promote operational efficiency, effectiveness and compliance with all applicable laws, regulations, policies and procedures.
Controls can generally be classified as preventive, detective, compensating or steering. Preventive controls are designed to avoid errors or irregularities. Detective controls are designed to identify errors or irregularities after they have occurred so corrective action can be taken. Compensating controls are designed to provide reasonable assurance where resource limitations preclude the implementation of more direct controls. Steering controls (i.e. policies) are designed to guide actions towards the desired objectives.
Control Elements
Control activities are designed to meet specific risk-reduction objectives and generally fit within the following categories:
Documentation - All policies and procedures should be formally documented to ensure they are applied consistently by all staff and that the unit will not suffer unnecessarily by the departure of knowledgeable employees. Management decisions and financial transactions should be documented to provide reasonable assurance that University assets are adequately controlled and transactions are correctly recorded. Documentation should be retained in accordance with University policies.
Authorization – Approval authority should be commensurate with the nature and significance of the transactions and in compliance with University policy. Approval should only be given following a thorough review of supporting information to verify the propriety, accuracy and validity of transactions. Authorizations and delegations of signing authority should be documented in writing.
Reconciliations and Reviews – These should be performed at regular intervals by senior unit personnel to ensure that controls are operating effectively and to uncover any errors or irregularities. Managers and supervisors should reconcile and review AMS Statement of Accounts and/or FIS Management and Payroll Distribution Reports at least monthly for accuracy, correct account classification, compliance with applicable policies/procedures and propriety. Principal Investigators should perform the same function using Monthly PI Reports.
Personnel – Competence and integrity should be stressed for all employees. They should be adequately trained and supervised and receive written position descriptions to document their assigned authority and responsibility.
Access Restrictions – Access to physical assets and records should be physically restricted to only those who are authorized and require access. Access to electronic information and processes should be further restricted by the appropriate use of passwords and restricted user account profiles. These measures limit the risk of asset misappropriation, tampering or other misuse.
Segregation of Duties – At a minimum, to prevent errors and irregularities, individuals should not have responsibility for more than one of the three components of a transaction: initiation, processing and reconciliation. Where staffing levels permit, it is preferable to segregate all three components.
Designing an Effective Control Environment
Control procedures should be established for every business process to minimize the potential risks to the achievement of unit objectives.
It is the responsibility of management to ensure that appropriate controls are implemented and functioning to support achievement of unit objectives. When determining which controls should be implemented, the cost of the control should not exceed the expected benefit of having it in place. In some cases, it may be necessary to implement compensating controls to address inherent limitations within the unit (e.g. where staffing levels are inadequate for a full segregation of incompatible duties, a unit may establish a compensating periodic trend analysis to identify unusual activity). Examples of recommended control procedures are provided below in the section 'Recommended Controls By Business Process'.
It is the responsibility of the Internal Audit Department to provide independent evaluations of the adequacy and effectiveness of key controls during the course of audit reviews and to report the results, including recommendations for improvement, to the unit head(s), their direct report(s), the Audit Committee of the Governing Council and other parties as appropriate.
Recommended Controls by Business Process
This section contains lists of suggested control procedures for quick reference purposes only. In all cases, University Policies and Procedures and all applicable sponsor, donor and legal requirements must also be adhered to. Please contact your divisional administrators, the Financial Services Department or the Internal Audit Department if you require assistance with implementing an effective system of controls.
The business processes are:
A. Organization and Accounting
These controls are designed to provide reasonable assurance that the unit’s high-level control environment is functioning effectively.
- the workflow, distribution of responsibilities, levels of supervision and accountability and reporting and review responsibilities are designed to support the unit’s objectives
- unit objectives and individual employee roles for achieving them are communicated to all unit employees
- the most recent version of all University policies and procedures are made available to the staff who require them
- staff, including the individual(s) responsible for financial administration including account reconciliations and budgeting, are adequately trained to perform their duties
- staff are adequately supervised
- individual workloads are reasonable and evenly distributed, and peak periods are provided for
- duties are rotated when vacations are taken or unexpected absences occur
- backup for each position is provided by appropriately trained staff
- the unit head has attended training for the administrative role through the Provost’s Office or Human Resources
- a system is in place to ensure annual Accountability Reports and Conflict of Interest reporting are completed by all relevant faculty and staff
- signing authority has been delegated in writing to the appropriate level(s) and includes stated dollar and transaction type limits
- all employees are aware of the procedure and their responsibility for reporting suspected incidences of financial impropriety
- there is an adequate segregation of incompatible duties considering staffing resources (e.g. transaction initiation, processing and reconciliation duties are handled by different personnel)
- the unit head reviews monthly AMS Statement of Accounts and/or FIS Management and Payroll Distribution Reports
- principal investigators review the Monthly PI Reports for their funds each month
- backup documents are reconciled monthly to the AMS Statement of Accounts, Payroll Distribution Reports and Monthly PI Reports
- FIS manual reserves are created at the start of the fiscal year for significant commitments that are not automatically encumbered (e.g. contracts for services or significant stipend teaching requirements for the Winter session)
- if the unit uses a shadow accounting system (e.g. ACCPAC, spreadsheet ledgers) for planning, control or decision-making, it is reconciled to FIS statements monthly by someone independent of the person(s) maintaining the shadow accounting system
- financial documents are secured with access restricted only to those individuals who require it
- appropriate employee(s) within the department are responsible for ensuring compliance with: University policies and procedures (e.g. travel, purchasing, payroll etc.), research grant and award terms and Trust terms
- all research grant and contract accounts and budgets are established by Research Services
- charitable donations receipts are not issued to any individual who donates to, and has authorization to approve expenditures from, a trust fund
- expendable restricted fund balances that are not encumbered or required for at least one full fiscal quarter are committed to the Expendable Funds Investment Pool to earn interest
- research funds that are unspent at the end of a grant term are dealt with in accordance with the granting agency’s requirements
- the unit does not use bridge financing to permit expenditures before grants or awards are approved
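The segregation-of-duties rule (no individual holds more than one of initiation, processing and reconciliation) and the compensating-control point made under 'Designing an Effective Control Environment' can be checked mechanically over a unit's duty assignments. The script below is an added illustration, not part of the Internal Audit page; the people, processes and assignments are constructed sample data.

```python
"""Segregation-of-duties check for the three transaction components named
in the checklist: initiation, processing and reconciliation.

Added illustration, not part of the original Internal Audit page. The
duty assignments below are constructed sample data."""
from collections import defaultdict

COMPONENTS = ("initiation", "processing", "reconciliation")

# Constructed sample: (person, business process, component performed)
ASSIGNMENTS = [
    ("alice", "purchasing", "initiation"),
    ("bob",   "purchasing", "processing"),
    ("carol", "purchasing", "reconciliation"),
    ("dave",  "payroll",    "initiation"),
    ("dave",  "payroll",    "processing"),       # one person, two components
    ("erin",  "payroll",    "reconciliation"),
    ("frank", "petty_cash", "initiation"),
    ("frank", "petty_cash", "reconciliation"),   # custodian also reconciles
    # petty_cash has nobody assigned to processing
]


def duties_held(assignments):
    """Map (person, process) -> set of components that person performs."""
    held = defaultdict(set)
    for person, process, component in assignments:
        if component not in COMPONENTS:
            raise ValueError(f"unknown transaction component: {component!r}")
        held[(person, process)].add(component)
    return held


def find_conflicts(assignments):
    """Return (person, process, components) for every person who holds more
    than one component of the same process, which the checklist's minimum
    standard does not allow."""
    return sorted(
        (person, process, sorted(comps))
        for (person, process), comps in duties_held(assignments).items()
        if len(comps) > 1
    )


def coverage_gaps(assignments):
    """Return {process: [components nobody is assigned to]} so that an
    unassigned component is not mistaken for a segregated one."""
    assigned = defaultdict(set)
    for _, process, component in assignments:
        assigned[process].add(component)
    return {
        process: sorted(set(COMPONENTS) - comps)
        for process, comps in assigned.items()
        if set(COMPONENTS) - comps
    }


def needs_compensating_control(assignments, process):
    """True when fewer than three people are available for the process, so
    full three-way segregation is impossible and a compensating control
    (e.g. the periodic trend analysis mentioned in the text) is required."""
    people = {person for person, proc, _ in assignments if proc == process}
    return len(people) < len(COMPONENTS)


def sod_report(assignments):
    """Summarise conflicts, gaps and processes needing compensating controls."""
    processes = sorted({proc for _, proc, _ in assignments})
    return {
        "conflicts": find_conflicts(assignments),
        "gaps": coverage_gaps(assignments),
        "compensating_control_required": [
            proc for proc in processes
            if needs_compensating_control(assignments, proc)
        ],
    }


if __name__ == "__main__":
    for key, value in sod_report(ASSIGNMENTS).items():
        print(f"{key}: {value}")
```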
B1. Revenue and Recoveries
These controls are essential to ensure that sales/recoveries billings will be complete, accurate, timely and recorded in the proper accounts. In addition, late billings increase the risk of customer default on payment.
- formally documented procedures for sales and recoveries
- contracts or agreements to provide goods and services are approved by the unit head or an authorized designate
- the unit records accruals for applicable sales in advance of year-end cutoff
- standard price lists with appropriate rates for internal versus external customers
- external customer prices include all indirect costs in addition to direct costs
- recovery rates from students are pre-approved by the Office of the Vice-Provost Academic Operations
- prices are reviewed whenever there is a significant change in costs or market conditions and at least annually
- the unit recovers for long distance and photocopy charges from grants for direct costs only
- the unit recovers from staff for long-distance/photocopy charges and other nontrivial uses of University assets for personal use
- a proportionate share of benefits is recovered for salary recoveries
- records for all recoverable charges incurred are maintained and reviewed to ensure all charges are billed
- recoveries are credited to the accounts from which the expenses were incurred
- invoicing is completed as soon as goods/services are delivered
- the unit follows procedures to prevent duplicate billing
- official University invoices are sequentially pre-numbered by the unit and used for all external sales
- the numerical continuity of University invoices is regularly verified by a supervisor
- HST is invoiced where applicable and recorded in FIS correctly
- responsibilities for accounts receivable maintenance and cash collections are performed by different employees where a shadow accounts receivable system is in use
- the unit follows procedures for granting and suspending customer credit
- where applicable, an aged accounts receivable listing is reviewed at least monthly by the unit head or a designated manager
- old and outstanding accounts receivable items are followed up
- the unit follows procedures to write-off uncollectible amounts and deny future credit to defaulting customers
- if there is a shadow accounts receivable system, it is determined to be necessary by the unit head and is reconciled to FIS monthly by someone independent of the person(s) maintaining the system
B2. Cash Handling
Cash and cheques are an organization’s most liquid assets and therefore at greatest risk of misuse. Controls for handling these assets are necessary to ensure timely deposit and prevent misappropriation.
- formally documented procedures for cash handling
- cash is recorded upon receipt (e.g. cash register, cash log, etc.)
- where cash registers are used, cashiers receive individual cash floats which are independently counted and reconciled to the cash register tapes on a daily basis
- cash register drawers are locked under the control of individual cashiers when they are away from their registers
- cash register refunds or void transactions are authorized by a supervisor/manager who does not have cash handling duties
- pre-numbered receipts are issued to customers where cash register or credit/debit card customer receipts are not automatically generated
- the numerical continuity of pre-numbered receipts is verified monthly by someone who does not handle cash or issue receipts
- customers are instructed to make cheques payable to "University of Toronto"
- cheques are restrictively endorsed upon receipt
- deposits are made at least weekly, or sooner once funds on hand reach $500
- funds awaiting deposit are stored in a secure location
- cash receipts are deposited intact, with no amount retained, expended or commingled with petty cash funds
- cash logs / meter readings / cash register records are reconciled to deposit slips and FIS statements
- cash collection, deposit preparation and accounts receivable maintenance are performed by different individuals
- cash handling, transaction recording and reconciliation to FIS statements are performed by different individuals
- donations cheques are forwarded to Donations Management with the appropriate processing form
B3. Point-of-Sale Systems (credit/debit cards)
These controls are designed to prevent the loss of assets due to error or misappropriation and to protect customers from misuse of their credit cards or breaches of their confidentiality.
- point-of-sale systems are configured to require a supervisor/manager password authorization to process refunds and void transactions
- credit card refunds are processed only by crediting the original card so that service charges are recovered
- credit/debit card sales transactions are reconciled to point-of-sale system totals report(s) at least daily by a supervisor who does not process transactions
- point-of-sale system daily totals reports are reconciled to FIS Statement of Accounts or Management Reports at least monthly by a supervisor/manager independent of transaction processing
- point-of-sale system terminals are kept in a secure location and staff log off when away from them
- all records containing credit card details are kept in a secure area with access restricted to only those employees who require it
C1. Purchasing
The Business Board of the Governing Council approved revisions to the University of Toronto Procurement Policy on April 28, 2020. The Policy, which includes the Supply Chain Code of Ethics and the Approval Authority Schedule, governs the acquisition of goods and services, including construction, consulting services and information technology, with University funds from all sources at its disposal, including the operating, research, capital and ancillary funds and all other funds held in trust. In addition to applicable legislation, regulations, and domestic and international trade agreements, the University is also bound by the requirements of funding agencies, to the extent that those requirements comply with applicable legislation, regulations, and domestic and international trade agreements.
C2. Purchasing Card
The PCard is a University authorized credit card assigned to authorized full-time faculty and staff responsible for the purchase of low value goods and services up to specified amounts, and for University business only. Charges are paid directly by the University on the assumption that purchases have been reconciled against monthly statements and have been approved for payment. The use of the PCard for personal purchases is not permitted.
D1. Expense Claims
The purpose of these controls is to ensure that expenditures are cost-effective, relate to approved University business only and are in compliance with all applicable University, sponsor and legal requirements.
- accountable advances and expense reimbursements are only used when other forms of payment are unavailable
- expense reimbursements are only processed for University faculty, staff, visitors or students
- accountable advances are approved by the unit head and recorded against a University employee number
- accountable advance requests are processed no more than 2 weeks prior to the requirement for funds
- accountable advances are only used for the purposes for which they are requested
- expense reimbursements and accountable advances are settled within three weeks of the activity and are recorded within the appropriate fiscal reporting period
- expense reimbursements and accountable advance settlements are reviewed and approved by the person to whom the claimant reports
- expense reimbursements and accountable advance settlements are supported with original documents and receipts
- claims for electronic airfare tickets are supported with the email notification and the boarding pass as verification
- the business purpose of claimed expenses is described in sufficient detail on claim forms
- where expenses relate to conference attendance, conference documentation indicating the location, dates and conference purpose are included with expense claims
- signed explanations are provided by claimants for any situation in which they did not comply with all policy requirements
- outstanding accountable advances are followed up at least monthly
- expenses meet all terms and requirements of the funding source (e.g. research grants)
- payments to individuals for services rendered are not processed via expense claims
D2. Travel Expenses
These controls are designed to ensure that expenditures are cost-effective, reasonable and relate to approved University business only.
- the most economical travel options are selected
- employees are encouraged to make travel arrangements through Avenue Travel and air travelers request the lowest available fare at the time of booking
- travel expenses comply with all terms and conditions of the funding source (e.g. research grants)
- expenses are approved by the person to whom the traveler reports
- kilometric rates for the use of a rental car or privately owned vehicle are normally ineligible for round trip journeys exceeding 500km
- the maximum rate for accommodation with friends or relatives while on University business is $20 per night
- air travel within North America receives prior one-up approval
- air travel outside North America receives prior written approval obtained by written request from a Principal, Dean, Director or Chair
- airfare does not exceed economy rates by the most direct route
- business class airfare is used only for flights over 4 hours in duration with one-up approval received in advance of booking the flight
- where visitors are reimbursed for airfare and require the original ticket for return air travel, the ticket stub indicates that it was reimbursed by the University
- spousal travel expenses are only reimbursed if a specific business purpose is served
- the accommodation expense reimbursed to an employee when accompanied by a spouse is the most economical rate charged by the establishment for a single occupancy
- entertainment expenses are only reimbursed if incurred for a required, specific business purpose and are pre-approved if for other than the cost of meals and beverages in a hotel dining room or restaurant for the entertainment of a guest
- meal and entertainment expenses are paid by the most senior University attendee when entertaining other University employees
- ineligible expenses include: parking/traffic fines, personal travel insurance, credit card service/late charges and payments to individuals for services rendered
- expenses that are claimed only if specifically incurred and necessary for authorized travel include: passport or visa costs, traveler’s medical insurance and excess baggage costs
- Travel Cards (American Express) are only issued to full-time appointed academic or administrative staff members and with the approval of a Principal, Dean, Academic Director or Chair (or higher)
- Travel Cards are used only by the cardmember and only for University approved expenditures
E. Human Resources / Payroll
These controls are designed to ensure that human resource and payroll activities are fair, equitable, consistent, accurate, confidential, timely and in compliance with all University, sponsor, collective agreement and legal requirements.
- the unit head reviews payroll distributions monthly
- payroll distributions are agreed to the FIS Statement of Accounts or Management Reports monthly
- the unit head and/or business officer know all employees by sight
- annual performance reviews are completed for nonunionized administrative staff
- principal investigators complete performance reviews for all nonunionized staff
- position descriptions clearly and accurately define the authority and responsibility of administrative staff and employees have signed and received a copy
- attendance records are maintained for nonacademic personnel
- principal investigators maintain attendance records for lab staff and research assistants
- employee vacation credits are periodically reviewed to identify significant accumulations
- vacation credits in excess of standard policy limits are approved by the unit head
- there are no employees who decline to ever take vacation or other leaves
- personnel files are secured and accessible only to authorized staff
- faculty and staff are informed of the Policies on Conflict of Interest and the procedures for disclosure and all known potential conflicts of interest have been addressed with the unit head
- new hires are approved by the unit head or authorized designate
- activity reports are completed annually by faculty
- academic research and study leaves are administered in accordance with the Guidelines on Research and Study Leaves
- all references are checked prior to extending offers of employment
- all salary or hourly increases are in accordance with University policies and collective agreements
- overtime / stipend payments are in accordance with University policies and collective agreements
- formal time reporting procedures are followed for casual staff
- supervisors are aware when employees are absent
- supervisors record the hours worked for casual staff who are not on time sheets
- casual staff time sheets are reviewed and approved by supervisors and signed by employees
- any changes recorded on time sheets (e.g. hourly rates) are initialed by the employee and approved by the supervisor
- time sheets and payroll forms are agreed to the monthly payroll distribution
- casual employees are not working full-time hours for extended periods of time (e.g. as defined in collective agreements)
- part-time employment forms are completed where appropriate (e.g. for part-time teaching)
- the unit follows procedures for distributing cheques and handling unclaimed cheques for employees paid by cheque
- a formal exit procedure is used for departing employees to ensure all University-owned property (e.g. laptops, keys, p-cards) is returned and computer access is cancelled
F. Accountability Reports
[under construction]
G. Information Technology
These controls are designed to ensure the safeguarding of computer assets, information assets and information privacy.
- LAN policies and procedures are formally documented
- a LAN Administrator and trained backup have been designated
- an up-to-date inventory list of computer hardware is maintained including model and serial numbers
- an up-to-date inventory list of software, licenses and the number of users is maintained
- users have signed declarations stating they will not copy, install or use illegal copies of software on University equipment and will not make unauthorized copies of any University-owned files or software
- servers, wiring closets and computer rooms are locked under the control of the LAN Administrator
- hardware devices (e.g. workstations, printers, scanners) are in secure locations
- hardware devices in unsecured areas are secured to desktops (e.g. bolted down)
- access to computers with AMS access is secured to prevent unauthorized use
- the unit follows University procedures for sign-out and approval of assets (e.g. laptop or desktop computers) used away from University property
- hardware cabling has been arranged to avoid causing injury or damage
- the unit head or approved designate authorizes LAN userids and periodically reviews access profiles
- users are aware of security requirements, policies and procedures
- passwords are not displayed during logon
- user accounts are disabled after 3-6 unsuccessful login attempts
- LAN passwords expire and must be changed at least every 60 days
- a timeout feature requires a password to reestablish a LAN session following a period of inactivity
- audit/event logs are reviewed regularly by the LAN Administrator for violation and access reporting and follow-up
- ‘Smart Cards’ or other devices are used to control dialup access
- users are reminded to update their operating systems regularly (e.g. Windows Update)
- virus detection and removal procedures are performed regularly
- a formal disaster recovery plan has been developed and approved by the unit head
- the disaster recovery plan is tested periodically and the tests are documented
- alternate user procedures have been documented in case of a prolonged shut-down
- the unit runs full and periodic backups and users are informed of the procedures and schedule
- backup data is stored in a secure area away from the file server
- uninterruptible power supplies (UPS) are used to protect servers and allow for a controlled shut-down in the event of a power failure
- redundancy features are used to avoid downtime for systems requiring high availability (e.g. redundant power supplies, duplexed or mirrored hard-drives)
- AMS access privileges are limited to only what is required by staff to perform their duties
- access to AMS is reviewed on a regular basis (at least quarterly)
- changes to AMS access are approved by the unit head or official designate
- security and confidentiality are emphasized to employees who access AMS
- SecurID cards are securely stored and are not shared
- users do not share or maintain within the unit a written copy of any userids or passwords
- users log out of AMS when away from their computers
- AMS and LAN access are removed immediately for staff who are no longer employed by the unit
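Several of the access controls above carry concrete thresholds (lockout after 3-6 failed logins, 60-day password expiry, an inactivity timeout, quarterly access review, immediate removal of access for departed staff), so a LAN Administrator can test a configuration export and an account list against them rather than relying on a walkthrough. The script below is an added illustration, not part of the Internal Audit page; the configuration values, account records and the review date are constructed sample data, and the field names are assumptions about how such an export might look.

```python
"""Compliance check for several access controls under 'G. Information
Technology': lockout after 3-6 failed logins, 60-day password expiry,
inactivity timeout, quarterly access review and removal of access for
departed staff.

Added illustration, not part of the original page. The configuration
export and account records below are constructed sample data."""
from datetime import date

# Thresholds taken from the checklist
LOCKOUT_ATTEMPTS = (3, 6)         # accounts disabled after 3-6 failed logins
MAX_PASSWORD_AGE_DAYS = 60        # passwords changed at least every 60 days
ACCESS_REVIEW_DAYS = 92           # access reviewed at least quarterly

# Constructed sample: system settings as an administrator might export them
SYSTEM_CONFIG = {
    "lockout_threshold": 10,      # too lax for the 3-6 range
    "password_max_age_days": 60,
    "idle_timeout_minutes": 0,    # 0 means no inactivity timeout
}

# Constructed sample account records (one per LAN/AMS userid)
ACCOUNTS = [
    {"userid": "jsmith", "enabled": True, "employed": True,
     "pwd_changed": date(2010, 4, 15), "failed_logins": 0,
     "last_access_review": date(2010, 3, 15)},
    {"userid": "mlee", "enabled": True, "employed": False,   # has left the unit
     "pwd_changed": date(2010, 5, 1), "failed_logins": 0,
     "last_access_review": date(2010, 5, 1)},
    {"userid": "tkim", "enabled": True, "employed": True,
     "pwd_changed": date(2010, 2, 1), "failed_logins": 7,
     "last_access_review": date(2009, 12, 1)},
    {"userid": "svc_backup", "enabled": False, "employed": True,
     "pwd_changed": date(2010, 5, 20), "failed_logins": 9,
     "last_access_review": date(2010, 5, 20)},
]


def check_config(cfg):
    """Return the configuration settings that fall outside the checklist."""
    findings = []
    low, high = LOCKOUT_ATTEMPTS
    if not low <= cfg["lockout_threshold"] <= high:
        findings.append(f"lockout_threshold={cfg['lockout_threshold']} "
                        f"is outside {low}-{high} attempts")
    if cfg["password_max_age_days"] > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password_max_age_days={cfg['password_max_age_days']} "
                        f"exceeds {MAX_PASSWORD_AGE_DAYS}")
    if cfg["idle_timeout_minutes"] <= 0:
        findings.append("no inactivity timeout configured")
    return findings


def check_accounts(accounts, today):
    """Return (userid, issue) pairs for accounts breaching a control on 'today'."""
    findings = []
    for acct in accounts:
        uid = acct["userid"]
        if acct["enabled"] and not acct["employed"]:
            findings.append((uid, "departed staff still has access"))
        if (today - acct["pwd_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((uid, "password older than 60 days"))
        # Judge lockout against the checklist's upper bound, not the possibly
        # lax configured threshold, so a weak setting cannot mask the finding.
        if acct["enabled"] and acct["failed_logins"] >= LOCKOUT_ATTEMPTS[1]:
            findings.append((uid, "failed logins reached lockout limit but "
                                  "account is still enabled"))
        if (today - acct["last_access_review"]).days > ACCESS_REVIEW_DAYS:
            findings.append((uid, "access profile not reviewed this quarter"))
    return findings


def audit(cfg, accounts, today):
    """Combine configuration and account findings into one report."""
    return {"config": check_config(cfg),
            "accounts": check_accounts(accounts, today)}


if __name__ == "__main__":
    report = audit(SYSTEM_CONFIG, ACCOUNTS, date(2010, 5, 31))
    for issue in report["config"]:
        print("CONFIG:", issue)
    for uid, issue in report["accounts"]:
        print(f"ACCOUNT {uid}: {issue}")
```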
H. Health & Safety
The purpose of these controls is to minimize the risk of illnesses, injuries, University liabilities and to ensure compliance with all applicable University, federal, provincial and municipal regulations.
- copies of the University Health and Safety Policy and the Occupational Health and Safety Act (OHSA) are posted in a conspicuous location in the workplace
- a Health and Safety Coordinator has been appointed
- a joint health and safety committee has been established, meets at least quarterly and documents meeting minutes
- the joint health and safety committee has at least one worker and one management member certified by the Workplace Safety and Insurance Board
- the health and safety committee inspects the workplace in accordance with OHSA requirements (i.e. at least part of the workplace is inspected monthly and the entire workplace is inspected at least annually)
- workers who work with or in proximity to hazardous chemicals have completed training in compliance with OHSA and WHMIS requirements
- Material Safety Data Sheets are readily available for all hazardous materials present in the workplace
- appropriate personal protective equipment has been identified and provided to employees
I. Goods Inventory (Stores)
These controls are designed to safeguard assets against loss, damage or misappropriation.
- inventory is physically secured against theft or damage with access restricted to only those who require it
- purchases to replenish the goods inventory are initiated and authorized by someone independent of inventory custody
- a goods inventory list is maintained
- detailed records are maintained and verified by regular physical inventory counts as required for controlled substances (e.g. alcohol, drugs) that are regulated under the Excise Act and the Food and Drugs Act
- inventory is valued at the lesser of cost (original purchase price) or market (current replacement price)
- an inventory system is in place to update the inventory records either perpetually (at the time of each addition or removal) or periodically (by recording accumulated additions and removals)
- inventory records are verified at least annually by a physical inventory count conducted by someone independent of inventory custody
- significant discrepancies between the inventory records and the physical count are investigated by the unit head or an authorized designate who is independent of inventory custody
- inventory shrinkage is reviewed at least annually by the unit head or an authorized designate who is independent of inventory custody
- inventory movement is reviewed regularly to identify slow-moving or unnecessary goods to prevent reorders and overstocking
- obsolete goods are written off following one-up approval
- hazardous materials are disposed of in accordance with OHSA and University policies and procedures
J1. Imprest Expenditure Bank Accounts
The purpose of these controls is to ensure that imprest expenditure bank account funds are properly established, maintained, safeguarded and used for only authorized University purposes.
- cheques are pre-numbered and access to unused cheques is physically restricted to the custodian
- deposits to the imprest expenditure bank account are made by the Financial Services Department only
- cheques are never used for loans, advances, expense reimbursements, petty cash reimbursements or personal expenses
- cheques are not used to make payments to individuals for services (other than personal services that are very small, nonrecurring and where the unit is reasonably certain the recipient will not receive $500 or more from the University within the calendar year)
- cheques are never made payable to the bearer or cash
- cheques are signed by two designated signatories and never pre-signed
- reimbursements are reviewed and approved at least one level up from the custodian and supported with original receipts
- reimbursements are processed in time to record expenses within the fiscal period in which they were incurred
- the custodian completes the Imprest Expenditure Bank Account Reconciliation Report monthly
- cheque signing, transaction recording and reconciliation to FIS and bank statements are performed by different personnel
J2. Petty Cash
These controls are designed to ensure that petty cash funds are properly established, maintained, safeguarded and protected against misuse.
- the custodian stores petty cash in a locked, metal cash box
- all petty cash funds are established through the Financial Services Department (FSD)
- petty cash is replenished regularly to avoid shortages and record expenses within the fiscal period in which they were incurred
- petty cash is never replenished or supplemented from sources other than reimbursements from FSD
- individual petty cash expenditures do not exceed $100
- petty cash is never used for loans, advances, expense reimbursements, personal expenses or to cash cheques
- petty cash is not used to make payments to individuals for services (other than personal services that are very small, nonrecurring and where the unit is reasonably certain the recipient will not receive $500 or more from the University within the calendar year)
- petty cash reimbursements are approved at least one level up from the custodian and are supported with original receipts
- petty cash is reconciled to monthly FIS statements by someone other than the custodian
- petty cash is counted periodically and agreed to records by someone other than the custodian
- cash custody, transaction recording and reconciliation to FIS statements are performed by different personnel
- petty cash funds established from a Fund are closed and any unspent cash is returned to the Fund at the end of the grant period
Last updated: May 31, 2010