INTERNAL CONTROL QUESTIONNAIRE - Tufts University


ADMINISTRATIVE COMPLIANCE ASSESSMENT QUESTIONNAIRE
Internal Control Self-Assessment Questionnaire

PURPOSE:

As a Tufts University director, manager or administrator it is important to periodically determine if good business practices are being observed within your department. You may have been asked to complete this questionnaire as part of a scheduled internal audit or “Team Risk Assessment” that is being facilitated by Audit & Management Advisory Services. However, if your organization is not currently being audited, we encourage you to complete this questionnaire on your own to independently evaluate the adequacy of various internal controls and business practices that support your responsibility area. Use your responses to determine which internal controls are effective or need to be strengthened.

Specifically, completing the questionnaire will help to:

- Identify operating areas within your department where required business policies, administrative processes and regulatory compliance are important;
- Assess the adequacy of existing policies and procedures and other internal controls that are designed to ensure compliance in each of the identified areas;
- Raise awareness concerning certain efficiencies and cost saving opportunities that result from complying with Tufts university-wide policies and procedures.

We encourage you to engage your co-workers in brainstorming ways to address areas where you believe certain internal controls need to be improved.

HOW TO COMPLETE THE ASSESSMENT QUESTIONNAIRE:

Please complete the questionnaire below. Use the links to move more easily between the table of contents and the questionnaire sections. If certain sections of the questionnaire do not apply to your organizational activities, leave them blank.

If the questionnaire has been requested of you by AMAS, hit the “Email” button at the end of the questionnaire in order to automatically send it back with your responses to AMAS. If you are completing the questionnaire for your own self-assessment, there is no need to forward it to AMAS; you may save a copy for your files.

If you have any questions related to the items covered in the self-assessment questionnaire, please contact Seth Kornetsky, the Director of Audit & Management Advisory Services, at extension 7-2068 or via email at seth.kornetsky@tufts.edu.

ADMINISTRATIVE COMPLIANCE ASSESSMENT QUESTIONNAIRE

Table of Contents

Organizational Governance
Financial Planning and Monitoring
Personnel
Business Conduct Policy
Reporting of Fraud/Fraud Indicators
Information Technology
Information Confidentiality and Data Privacy
Bank Accounts/Petty Cash
Cash Receipts/Revenue
Travel and Business Expenses
Procurement Cards (PCard)
Procurement of Goods and Services
Records Retention
Inventory Control
Building Safety & Security
Compliance with Federal and State Governmental Regulations
  - OSHA
  - EPA
  - A-21
  - Federally Funded Research
  - Protection of Human Subjects
  - Protection and Use of Animals
  - Scientific Misconduct
  - IRS
  - HIPAA

ADMINISTRATIVE COMPLIANCE SELF-ASSESSMENT QUESTIONNAIRE
Internal Control Assessment Questionnaire

Provider Information
Department:

Each question is answered Yes / No / Do Not Know, with a Comment column for notes.

A. ORGANIZATIONAL GOVERNANCE

1. Does your department/organization have a written mission statement?
2. Does management clearly communicate and demonstrate integrity and other ethical values consistent with the University’s business conduct policy?
3. Does your department have an organizational chart that defines lines of authority and responsibility?
4. Is the organizational chart up to date?
5. Has your department documented all internal policies and procedures that are related to performing all significant administrative processes specific to your department or division’s operations?
6. Are these policies and procedures reviewed and up to date?
7. Do you believe that responsible persons in your department are sufficiently familiar with university-wide policies related to personnel management, financial matters, use of information and related technology, and regulatory compliance?
8. Are administrators within your department aware of how to access on-line policies and procedures from Human Resources, Finance, Procurement, the Public Safety Office, Research Administration and other key areas of the University?

B. FINANCIAL PLANNING AND MONITORING

1. Are funding sources evaluated annually to assess the sustainability of current funding levels?
2. Does the budget process include key members of management?
3. Are one or more individuals in your department responsible for reviewing the department’s monthly PeopleSoft financial reports?
4. Do these individuals know how to access the PeopleSoft on-line financial folders that are made available monthly?
5. Indicate how often the contents of these folders are reviewed: Monthly / Every few months / Infrequently
6. Does your department prepare an annual financial report?
7. Are managers held accountable for financial performance?

C. PERSONNEL

1. Are up-to-date Position Description Questionnaires (PDQs) available for each employee in the organization?
2. Are sufficient training opportunities provided to improve employee work-related competencies in accordance with the @Work Program?
3. Are responsibilities divided among staff members (so that no single employee controls all steps of a financial transaction), thereby maintaining appropriate segregation of duties? (If inadequate segregation of duties does exist, please indicate the process or transaction affected in the Comments section.)
4. If segregation of duties is not practical, does supervisory oversight exist at any level over these financial transactions?
5. Has the department established cross-training or contingency plans for significant changes in personnel?
6. Are Time Entry records pertaining to vacation and sick leave up to date?
7. Are overtime hours and other special work requirements (on-call, shift premium) reviewed and approved in advance by the employee’s supervisor?
8. Are annual performance evaluations given to departmental employees in accordance with the University Tufts@Work program?

9. Have procedures been established to ensure that terminating employees return all University ID cards, keys, laptops, purchasing/travel related credit cards, equipment, etc., and that appropriate systems administrators are notified to remove all logon privileges to departmental and University systems?
10. Are PAFs completed promptly and submitted to the HR Service Center for new hires and changes in employment status?
12. Are employees sufficiently trained to perform assigned roles and responsibilities to support payroll processing (time reported, on-line time entry, etc.)?
13. Are payroll reports monitored to identify unapproved time, miscodings, etc.?

D. BUSINESS CONDUCT POLICY

1. Are all department personnel aware of the University's Business Conduct Policy and where to find it on the Tufts web page?
2. Are all faculty and staff members in your department or organization aware of the Tufts Conflict of Interest Policy that requires employees to avoid conflicts (or any appearance of conflicts) between their personal interests and those of the University?
3. Do you know of any individual(s) in your department who, because of the nature of his or her position, should be asked to complete an annual Conflict of Interest Disclosure Statement?
4. Are all department personnel familiar with the policy on Gifts, Entertainment & Gratuities?

E. REPORTING OF FRAUD/FRAUD INDICATORS

1. Until completing this questionnaire, did you know that any instances of suspected fraud should be reported to the Director of Audit & Management Advisory Services or reported using Tufts’ reporting hotline (see below)? (Any thefts of cash or physical assets should be reported to the Director of Public Safety Office/Campus Police.)
2. Have any unusual trends or discrepancies in department accounts been recently detected?
3. Are there any important financial reconciliations that are not being routinely performed that should be?
4. Are there any department assets (property, equipment, supplies, etc.) that you believe are not adequately protected against theft or misuse?

5. Have any missing numbers in sequences of numerically controlled documents been recently identified?
6. Until completing this questionnaire, were you aware that a website exists to report suspected instances of employee misconduct and that it can be done anonymously? https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=7182. Access is also toll-free: (866)-384-4277

F1. INFORMATION TECHNOLOGY

1. Are all department personnel familiar with the Tufts Information Technology Responsible Use Policy?
2. Are all department workstations upgraded with the latest security patches and virus protection?
3. Is critical information backed up and stored off-site?
4. Is sensitive information protected by operator ID/password?
5. Are all passwords adequately controlled and protected from unauthorized use?
6. Are passwords kept confidential (i.e., not shared or posted at work sites)?
7. Are you aware of any “default” passwords that are still being used for any IT applications rather than having been changed to more secure, personal passwords?
8. Are computer applications logged off when the user is going to be away from the terminal or PC for an hour or more?
9. Are computers and servers maintained in a secure area?
10. Are laptop computers secured when not in use?
11. Are electrical surge suppressors used on all computer equipment?
12. Is each departmental server equipped with an Uninterrupted Power Supply (UPS)?
13. If a department has a critical information system that is connected to an outside network, is it protected by a firewall?
14. Is all software properly licensed using either a site or individual licensing arrangement?
15. Has a disaster recovery/business resumption plan been developed should one of your critical information business systems fail or be destroyed?
16. Has the disaster recovery/business resumption plan been tested/simulated and if so, when (indicate in Comments section)?

F2. INFORMATION CONFIDENTIALITY AND DATA PRIVACY

1. Are all department personnel familiar with the Tufts Business Conduct Policy’s requirements concerning the handling of private and confidential University information?
2. Do your computers/applications contain any of the following combinations of confidential data elements that are considered to be “individually-identifiable” information that could be used to assist with identity theft?
   1) Name & Social Security #
   2) Name & Date of Birth
   3) Name & Bank Account #
   4) Name & Credit Card #
   5) Name and Mother’s Maiden-name
   6) User ID & Passwords for University Systems?
   (NOTE: List those combinations in use by number in the Comment section)
3. Do your computers/applications contain private or confidential information about students?
4. Do your computers/applications contain private or confidential information about faculty/employees?
5. Do your computers/applications contain private or confidential information about donors?
6. Do your computers/applications contain private or confidential information about clinical patients?
7. Do your computers/applications contain private /protocols?
8. Does your area collect any (as defined above) individually identifiable private or confidential University information on paper forms or records?
9. Do these paper forms/records contain private or confidential information about students?
10. Do these paper forms/records contain private or confidential information about faculty/employees?
11. Do these paper forms/records contain private or confidential information about donors?
12. Do these paper forms/records contain private or confidential information about patients?
13. Do these paper forms/records contain private /protocols?

14. Do these paper forms/records contain any of the following combinations of confidential data elements that are considered to be “individually-identifiable” information that could be used to assist with identity theft?
   1) Name & Social Security #
   2) Name & Date of Birth
   3) Name & Bank Account #
   4) Name & Credit Card #
   5) Name and Mother’s Maiden-name
   6) User ID & Passwords for University Systems?
   (NOTE: List those combinations in use by number in the Comment section)
15. Are these paper forms/records stored in secure cabinets that prevent unauthorized personnel from gaining access to this data?
16. If you maintain information related to students, have you received FERPA training?
17. If you maintain information related to patients, have you received HIPAA training?
18. If you maintain information related to direct lending of Tufts student loans, have you received Gramm-Leach-Bliley Act (GLBA) training?
19. Does your department accept payment via credit card?
20. If you answered yes to question 19, are you utilizing a Sallie Mae portal?

G. BANK ACCOUNTS/PETTY CASH

1. Does your department have a checking account with an outside banking institution?
2. If yes, what is it used for? (use Comments section)
3. Does your department maintain a petty cash fund? If yes, what is the amount of this fund? (use Comments section)
4. Was this petty cash fund established with the approval of the Finance Division?
5. Do more than two individuals have physical access to the petty cash fund cash box or safe? (If so, how many?) (use Comments section)
6. Is the petty cash fund maintained in a sa
