accounting controls Definition Methods and procedures which an organization's management institutes to (1) safeguard assets, (2) authorize transactions, (3) monitor disbursements, and (4) ensure the accuracy and validity of accounting records. See also segregation of duties. Whether or not your unit has ever been audited, you may have heard of Internal Controls. This brochure presents a brief, practical discussion of Internal Controls for the unit manager.
What are internal controls and why are they important? Internal controls are the methods employed to help ensure the achievement of an objective. They are tools used by managers everyday. •
Writing procedures to encourage compliance, locking your office to discourage theft, and reviewing your monthly statement of account to verify transactions are common internal controls employed to achieve specific objectives.
All managers, from the unit level to the President of the University, use internal controls to help assure that their units operate according to plan. And the methods they use-policies, procedures, organizational design, and physical barriers--constitute the internal control structure of the Indiana University. Most internal controls can be classified as preventive or detective. Preventive controls are designed to discourage errors or irregularities. • •
•
A computer application which checks validity prevents the entry of an invalid account number. Reading and understanding University Human Resource policies, such as Work Hours [for PA Staff], helps prevent violations of the Federal Fair Labor Standards Act. [Human Resources Professional Staff Policy 2.14] A manager's review of purchases for propriety and validity prior to approval prevents inappropriate expenditures.
Detective controls are designed to identify an error or irregularity after it has occurred. • • •
An exception report detects and lists incorrect or invalid entries or transactions. A comparison of validated Cash Receipt Vouchers to monthly financial statements will detect deposits posted to erroneous accounts. The manager's review of long distance telephone charges will detect improper or personal calls that should not have been charged to the account.
Through careful design, the system of internal controls can help your unit operate more efficiently and effectively and provide a reasonable level of assurance that the processes and products for which you are responsible are adequately protected. •
Maintaining written procedures for manual processing will ensure that operations can continue in the event of computer failure.
Top of Page
What is the manager's responsibility? You, as managers, are responsible for ensuring that internal controls are established and functioning to achieve the mission and objectives of your unit. To evaluate internal controls, first think about the following general objectives then identify your unit's specific objectives within these broad categories. •
• •
• •
Propriety of Transactions for all activity within accounts for which the manager is responsible [IU Financial Policy I-1: Role of Fiscal Officer, Account Manager, and Account Supervisor] Reliability and Integrity of Information for internal management decisions and external agency reports Compliance with Indiana University Policies and Government Regulations, including but not limited to: Human Resources, Financial, Purchasing, granting agencies, and state and federal government Safeguarding Assets, including physical objects and University data Economy and Efficiency of Operations to optimize the use of limited resources in accomplishing the mission of the unit and Indiana University
Next, identify what controls currently exist (or should be established) to reasonably assure the achievement of each specific objective for your unit. Top of Page
What is Internal Audit's responsibility? Internal Audit provides an independent evaluation of the adequacy of internal controls and reports the results to Indiana University administration and the Board of Trustees. Auditors look at how the internal controls, within an operation, work together to make up the internal control structure. The auditor gathers information about the mission and processes of the unit, discusses the major objectives with the manager, and identifies control points within each process where an error, irregularity, or inefficiency is likely to occur. The auditor documents existing controls at each significant control point, evaluates the adequacy of the controls to ensure achievement of the objective, and then tests the controls to verify they are working as described. Further discussions with the manager
focus on control risks, manager insights, and potential control enhancements. The greater the risk, the more extensive the control that is warranted. The auditor's evaluation includes an examination of the following internal control elements: Personnel - should be competent and trustworthy, with clearly established lines of authority and responsibility documented in written job descriptions and procedures manuals. • •
Organizational charts provide a visual presentation of lines of authority. Periodic updates of job descriptions ensures that employees are aware of the duties they are expected to perform.
Authorization Procedures - should include a thorough review of supporting information to verify the propriety and validity of transactions. Approval authority should be commensurate with the nature and significance of the transactions and in compliance with Indiana University policy. • •
Time records should be signed by the employee and supervisor with direct knowledge of the employee's work schedule. [IU Financial Policy IV-1] An account manager or fiscal officer may delegate signature authority only to an exempt employee or an appointed biweekly employee. [IU Financial Policy I-10]
Segregation of Duties - should reduce the likelihood of errors and irregularities. An individual should not have responsibility for more than one of the three transaction components: authorization, custody, and record keeping. •
Authorization for the assessment of class fees (Registrar) is segregated from the collection of those fees (Bursar).
Physical Restrictions - are the most important type of protective measure for safeguarding University assets, processes, and data. • • •
Safe combinations should be changed periodically and anytime a staff member knowing the combination terminates employment. Critical forms, such as custodial fund checkbooks, should be adequately secured. Alarm systems may be necessary to adequately protect large amounts of cash, other valuable assets, or sensitive data
Documentation and Record Retention - should provide reasonable assurance that assets are controlled and transactions are correctly recorded.
•
•
The Equipment Loan Form documents the authorized removal of equipment from campus and provides assurance that an individual has accepted responsibility for the item. [IU Financial Policy I-140] State Board of Accounts approval for all new or revised forms having a financial implication provides consistency and ensures that adequate transaction information is recorded. [IU Financial Policy I-100]
Monitoring Operations - is essential to verify that controls are operating properly. Reconciliation, confirmations, and exception reports can provide this type of information. • •
Biannual equipment inventories comply with granting agency regulations and provide assurance that assets physically exist and are available for use. Account managers, account supervisors, and fiscal officers must verify the propriety of transactions within their accounts. [IU Financial Policy I-1]
Top of Page
What can jeopardize internal controls? While many circumstances may compromise the effectiveness of your internal control structure, a few of the most common and serious of these warrant special mention: Inadequate Segregation of Duties - (Our most common audit finding) - Separating responsibility for physical custody of an asset from the related record keeping is a critical control. • • •
Persons who can authorize purchase orders (Purchasing) should not be capable of processing payments (Accounts Payable). The person who prepares the deposit should not post the receipts to the customer accounts. The person who prepares the payroll voucher should not distribute or have custody of the payroll checks.
Inappropriate Access to Assets - Internal controls should provide safeguards for physical objects, restricted information, critical forms, and update applications. •
•
An employee who only needs to view computer information should be restricted to Read and File Scan access and should not be granted Write and Create access. Only authorized individuals should be issued keys for restricted areas.
Inadequate Knowledge of Indiana University Policies -The University is not a static environment--new policies and policy revisions are a part of our continual evolution. Many University policies are available electronically and printed copies can be supplied upon request by contacting the relevant University department. Managers must stay abreast of these changes and understand their responsibilities.
•
Fiscal Misconduct - "If any employee knows or suspects that other university employees are engaged in theft, fraud, embezzlement, fiscal misconduct or violation of university financial policies, it is their responsibility to immediately notify the Internal Audit department or the appropriate campus police department." [IU Financial Policy I-30]
Form Over Substance - Controls can appear to be well designed but still lack substance, as is often the case with required approvals. •
The account manager's signature attests to the accuracy of the payroll voucher information, but if the account manager does not have assurance that the supporting time records are accurate, the approval process lacks substance.
Control Override - Exceptions to established policies are sometimes necessary to accomplish a specific task, but can pose a significant risk if not effectively monitored and limited. •
Thorough documentation and approval of all exceptions will help management ensure the availability of a clear explanation for unusual transactions or events. A periodic review of these exceptions also helps to identify the need for policy or procedural changes.
Inherent Limitations - There is no such thing as a perfect control system. Staff size limitations may obstruct efforts to properly segregate duties, which requires the implementation of compensating controls to ensure that objectives are achieved. A limitation inherent in any system is the element of human error (misunderstandings, fatigue, and stress). •
A manager who encourages employees to take earned vacation time can improve operations through cross training while enabling employees to overcome or avoid stress and fatigue.
Top of Page
How much do internal controls cost? The cost of implementing a specific control should not exceed the expected benefit of the control. • •
The potential loss of a computer printer may justify the cost of a door lock but not an alarm system. Computer screen savers with passwords are inexpensive, effective methods of protecting sensitive data on a computer.
Sometimes there is no out-of-pocket cost to establish an adequate control. A realignment of duty assignments may be all that is necessary to accomplish the objective. •
•
Checks received in the mail are immediately separated from supporting documentation for restrictive endorsement and deposit. The supporting documentation is given to a different employee (with a copy of the check, if needed) for crediting the payment or filling an order. Voided receipts are approved by someone (preferably a manager) other than the person preparing receipts.
A well-designed internal control structure can enhance operations by improving your unit's overall efficiency and effectiveness, as well as, reducing the risk of loss or theft. •
A bank lock box establishes accountability and restricts access to cash, in addition to streamlining operations by providing immediate deposits and (possibly) electronic application updates.
In analyzing the pertinent costs and benefits, managers should also consider the possible ramifications for Indiana University at large and attempt to identify and weigh the intangible as well as the tangible consequences. •
It may be difficult to determine the cost of poor public relations and lost goodwill if an ex-employee steals cash because the manager did not change the safe combination or retrieve University keys upon the employee's termination.
Top of Page
Help Internal controls should reduce the risks associated with undetected errors or irregularities, but designing and establishing effective internal controls is not a simple task and cannot be accomplished through a short set of quick fixes. However, we hope that this brochure has helped to explain the basic internal control concepts and have given you some ideas for improving your unit's controls. We can also supply an internal control video and booklet and/or you can request one of our auditors to give a demonstrations upon request. This video was designed specifically for colleges and universities and is suitable for individual, group, or staff meeting viewing. Last revised October 2003 Top of Page For further advice and assistance in designing internal controls appropriate for your operation, you may contact Kathleen McNeely with Financial Management Services, at (812) 855-3377 or e-mail
[email protected].
Other Internal Audit materials include: • • • •
Internal Audit Functions, Services, and Scheduling (brochure) The Audit Process How We Work With You (brochure) Protecting Departmental Computing Resources (brochure) Internal Controls (video and booklet)
Internal Controls Reporting Regulations vary a great deal around the world. However, there is a clear trend toward requiring greater transparency in financial reporting and more accountability to investors coming from the European Union’s Company Law Directives, the Sarbanes-Oxley Act in the US, and comparable initiatives in other jurisdictions. CEOs and CFOs of listed companies are being held more accountable for the integrity of their financial statements and the effectiveness of internal controls. Directors and audit committees are taking on greater responsibility for overseeing management and for the relationship with the external auditor. In the near future investors will see new reports from management and auditors about whether adequate internal control over financial reporting is in place. This information is important to investors because good internal control over financial reporting is one of the most effective deterrents to fraud and a key factor in preventing financial misstatements. r isk management and internal controls Risk management and internal controls can create competitive advantage according to "The future of risk management and internal controls". It points out the many challenges of aligning and coordinating these roles and tasks — and provides questions you can apply to start the improvement process. If you missed the Thought Center webcast “A balanced approach to risk and performance,” watch the archive in video format. New thinking on internal control Effective internal control means a company is working well. When implemented and working effectively they improve information reliability, improving decision making and driving competitive advantage. Our new report, "From compliance to competitive edge" looks at how non-SEC regulated companies are investing in internal control, what the drivers of that investment are, and the difference it can make to business performance.
Internal Control Definition of Internal Control: Internal control is the process, effected by an entity's Board of Trustees, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a. Reliability of financial reporting, b. Effectiveness and efficiency of operations, and c. Compliance with applicable laws and regulations. Types of Internal Controls: 1. Detective: Designed to detect errors or irregularities that may have occurred. 2. Corrective: Designed to correct errors or irregularities that have been detected. 3. Preventive: Designed to keep errors or irregularities from occurring in the first place. Limitations of Internal Controls: No matter how well internal controls are designed, they can only provide reasonable assurance that objectives have been achieved. Some limitations are inherent in all internal control systems. These include: 1. Judgment: The effectiveness of controls will be limited by decisions made with human judgment under pressures to conduct business based on the information at hand. 2. Breakdowns: Even well designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes. Errors may also result from new technology and the complexity of computerized information systems. 3. Management Override: High level personnel may be able to override prescribed policies and procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes. 4. Collusion: Control systems can be circumvented by employee collusion. Individuals acting collectively can alter financial data or other management information in a manner that cannot be identified by control systems. Internal Control Objectives Internal Control objectives are desired goals or conditions for a specific event cycle which, if achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will occur. They are conditions which we want the system of internal control to satisfy. For a control objective to be effective, compliance with it must be measurable and observable.
Internal Audit evaluates Mercer's system of internal control by accessing the ability of individual process controls to achieve seven pre-defined control objectives. The control objectives include authorization, completeness, accuracy, validity, physical safeguards and security, error handling and segregation of duties. •
Authorization
The objective is to ensure that all transactions are approved by responsible personnel in accordance with specific or general authority before the transaction is recorded. •
Completeness
The objective is to ensure that no valid transactions have been omitted from the accounting records. •
Accuracy
The objective is to ensure that all valid transactions are accurate, consistent with the originating transaction data and information is recorded in a timely manner. •
Validity
The objective is to ensure that all recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management's general authorization. •
Physical Safeguards & Security
The objective is to ensure that access to physical assets and information systems are controlled and properly restricted to authorized personnel. •
Error handling
The objective is to ensure that errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management. •
Segregation of Duties
The objective is to ensure that duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing the transaction. A well designed process with appropriate internal controls should meet most, if not all of these control objectives. Major Components:
1. Control environment: Factors that set the tone of the organization, influencing the control consciousness of its people. The seven factors are (ICHAMPBO): I - Integrity and ethical values, C - Commitment to competence, H - Human resource policies and practices, A - Assignment of authority and responsibility, M - Management's philosophy and operating style, B - Board of Director's or Audit Committee participation, and O - Organizational structure. 2. Risk Assessment Risks that may affect an entity's ability to properly record, process, summarize and report financial data: Changes in the Operating Environment (e.g. Increased Competition) New Personnel New Information Systems Rapid Growth New Technology New Lines, Products, or Activities Corporate Restructuring Foreign Operations Accounting Pronouncements 3. Control Activities Various policies and procedures that help ensure those necessary actions are taken to address risks affecting achievement of entity's objectives (PIPS): P - Performance reviews (review of actual against budgets, forecasts) I - Information processing (checks for accuracy, completeness, authorization) P - Physical controls (physical security) S - Segregation of duties 4. Information and communication Methods and records established to record, process, summarize, and report transactions and to maintain accountability of related assets and liabilities. Must accomplish: a. Identify and record all valid transactions. b. Describe on a timely basis. c. Measure the value properly. d. Record in the proper time period. e. Properly present and disclose. f. Communicate responsibilities to employees.
5. Monitoring Assessment of the quality of internal control performance over time. What can happen when Internal Controls are weak or non-existent? When we recommend improving controls within a department, we often hear three basic arguments for not implementing our recommendations: 1. There is not enough staff to have adequate segregation of duties. 2. It is too expensive. 3. The employees are trusted and controls are not necessary. These arguments represent pitfalls to unsuspecting management. Each argument is in itself a problem that needs to be resolved. 1. The problem of not having enough staff or other resources should be discussed with your supervisor. In most cases, compensating controls can be implemented in situations where one person has to do all of the business-related transactions for a department. 2. If implementing a recommended control seems too expensive, be sure to consider the full cost of a fraud that could occur because of the missing control. In addition to any funds that may be lost, consider the cost of time that would have been spent by the department during the time of an investigation of the matter, and the cost of hiring a new employee. Fraud is always expensive and the prevention of fraud is worth the cost. 3. Finally consider the issue of trust. Most employees are trustworthy and responsible, which is an important factor in employee relations and departmental operations. However, it is also the responsibility of administrators to remain objective. Experience shows that it is often the most trusted employees who are involved in committing frauds. Departments conducting research are good examples of areas where sound internal controls are needed. Research departments that have grants and contracts with outside sponsors are at risk that inappropriate charges will be posted to the project account, perhaps affecting current or future funding. Each department not only has the responsibility to ensure that all of their transactions are have been processed properly, but also to ensure that other researchers are not "hiding" improper transactions in the department's accounts. Internal Controls are to be an integral part of any organization's financial and business policies and procedures. Internal controls consists of all the measures taken by the organization for the purpose of; (1) protecting its resources against waste, fraud, and inefficiency; (2) ensuring accuracy and reliability in accounting and operating data; (3) securing compliance with the policies of the organization; and (4) evaluating the level of performance in all organizational units of the organization. Internal controls are simply good business practices. Responsibility
Everyone within the University has some role in internal controls. The roles vary depending upon the level of responsibility and the nature of involvement by the individual. The Kansas Board of Regents, President and senior executives establish the presence of integrity, ethics, competence and a positive control environment. The directors and department heads have oversight responsibility for internal controls within their units. Managers and supervisory personnel are responsible for executing control policies and procedures at the detail level within their specific unit. Each individual within a unit is to be cognizant of proper internal control procedures associated with their specific job responsibilities. The Internal Audit role is to examine the adequacy and effectiveness of the University internal controls and make recommendations where control improvements are needed. Since Internal Auditing is to remain independent and objective, the Internal Audit Office does not have the primary responsibility for establishing or maintaining internal controls. However, the effectiveness of the internal controls are enhanced through the reviews performed and recommendations made by Internal Auditing. Elements of Internal Control Internal control systems operate at different levels of effectiveness. Determining whether a particular internal control system is effective is a judgement resulting from an assessment of whether the five components - Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring - are present and functioning. Effective controls provide reasonable assurance regarding the accomplishment of established objectives. Control Environment The control environment, as established by the organization's administration, sets the tone of an institution and influences the control consciousness of its people. Leaders of each department, area or activity establish a local control environment. This is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include: • • • • •
Integrity and ethical values; The commitment to competence; Leadership philosophy and operating style; The way management assigns authority and responsibility, and organizes and develops its people; Policies and procedures.
Risk Assessment Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
Because economics, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change. Objectives must be established before administrators can identify and take necessary steps to manage risks. Operations objectives relate to effectiveness and efficiency of the operations, including performance and financial goals and safeguarding resources against loss. Financial reporting objectives pertain to the preparation of reliable published financial statements, including prevention of fraudulent financial reporting. Compliance objectives pertain to laws and regulations which establish minimum standards of behavior. The process of identifying and analyzing risk is an ongoing process and is a critical component of an effective internal control system. Attention must be focused on risks at all levels and necessary actions must be taken to manage. Risks can pertain to internal and external factors. After risks have been identified they must be evaluated. Managing change requires a constant assessment of risk and the impact on internal controls. Economic, industry and regulatory environments change and entities' activities evolve. Mechanisms are needed to identify and react to changing conditions. Control Activities Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels, and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. Control activities usually involve two elements: a policy establishing what should be done and procedures to effect the policy. All policies must be implemented thoughtfully, conscientiously and consistently. Information and Communication Pertinent information must be identified, captured and communicated in a form and time frame that enables people to carry out their responsibilities. Effective communication must occur in a broad sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. Monitoring Internal control systems need to be monitored - a process that assesses the quality of the system's performance over time. Ongoing monitoring occurs in the ordinary course of operations, and
includes regular management and supervisory activities, and other actions personnel take in performing their duties that assess the quality of internal control system performance. The scope and frequency of separate evaluations depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported immediately to top administration and governing boards. Internal control systems change over time. The way controls are applied may evolve. Once effective procedures can become less effective due to the arrival of new personnel, varying effectiveness of training and supervision, time and resources constraints, or additional pressures. Furthermore, circumstances for which the internal control system was originally designed also may change. Because of changing conditions, management needs to determine whether the internal control system continues to be relevant and able to address new risks. Components of the Control Activity Internal controls rely on the principle of checks and balances in the workplace. The following components focus on the control activity: Personnel need to be competent and trustworthy, with clearly established lines of authority and responsibility documented in written job descriptions and procedures manuals. Organizational charts provide a visual presentation of lines of authority and periodic updates of job descriptions ensures that employees are aware of the duties they are expected to perform. Authorization Procedures need to include a thorough review of supporting information to verify the propriety and validity of transactions. Approval authority is to be commensurate with the nature and significance of the transactions and in compliance with University policy. Segregation of Duties reduce the likelihood of errors and irregularities. An individual is not to have responsibility for more than one of the three transaction components: authorization, custody, and record keeping. When the work of one employee is checked by another, and when the responsibility for custody for assets is separate from the responsibility for maintaining the records relating to those assets, there is appropriate segregation of duties. This helps detect errors in a timely manner and deter improper activities; and at the same time, it should be devised to prompt operational efficiency and allow for effective communications. Physical Restrictions are the most important type of protective measures for safeguarding University assets, processes and data. Documentation and Record Retention is to provide reasonable assurance that all information and transactions of value are accurately recorded and retained. Records are to be maintained and controlled in accordance with the established retention period and properly disposed of in accordance with established procedures.
Monitoring Operations is essential to verify that controls are operating properly. Reconciliations, confirmations, and exception reports can provide this type of information. Internal Control Limitations There is no such thing as a perfect control system. Staff size limitations may obstruct efforts to properly segregate duties, which requires the implementation of compensating controls to ensure that objectives are achieved. A limited inherent in any system is the element of human error, misunderstandings, fatigue and stress. Employees are to be encouraged to take earned vacation time in order to improve operations through crosstraining while enabling employees to overcome or avoid stress and fatigue. The cost of implementing a specific control should not exceed the expected benefit of the control. Sometimes there is no out-of-pocket costs to establish an adequate control. A realignment of duty assignments may be all that is necessary to accomplish the objective. In analyzing the pertinent costs and benefits, managers also need to consider the possible ramifications for the University at large and attempt to identify and weigh the intangible as well as the tangible consequences. Internal controls should reduce the risks associated with undetected errors or irregularities, but designing and establishing effective internal controls is not always a simple task and cannot always be accomplished through a short set of quick fixes. However, we hope this chapter has helped to explain the basic internal control concepts and given you some ideas for improving your department's controls. Introduction This chapter outlines the policies, responsibilities and procedures for reporting and resolving instances of known or suspected fiscal fraud or related misconduct. The procedures are established to protect the assets and interests of the University, ensure a coordinated approach toward resolution of fiscal fraud or related misconduct and encourage compliance with University policy and State and Federal laws and regulations. Policy on Fraud Kansas State University will investigate any reported fraudulent or related misuse of University resources or property. Any individual found to have engaged in fraudulent or related misconduct, as defined in this policy, is subject to disciplinary action by the University, which may include dismissal or expulsion, as well as prosecution by appropriate law enforcement authorities. Definition of Fraud Fraud and related misconduct prohibited by this policy generally involves a willful or deliberate act or failure to act with the intention of obtaining an unauthorized benefit. Such acts include, but are not limited to:
• • • • • •
making or altering documents or computer files with the intent to defraud purposely inaccurate financial reporting misappropriation or misuse of University resources, such as funds, supplies or other assets improper handling or reporting of money transactions authorizing or receiving compensation for goods not received or services not performed authorizing or receiving compensation for hours not worked.
It shall also be a violation of this policy for any University employee or student to make a baseless allegation of fraudulent conduct that is made with reckless disregard for truth and that is intended to be disruptive or to cause harm to another individual or individuals. Responsibilities Kansas State University administrators and all levels of management are responsible for preventing and detecting instances of fraud and related misconduct and for establishing and maintaining proper internal controls that provide security and accountability for the resources entrusted to them. Administrators are also expected to recognize risks and exposures inherent in their area of responsibility, and be aware of indications of fraud or related misconduct. Responses to such allegations or indicators should be consistent. The Internal Audit Office will work in consultation with University Attorneys, administrators, law enforcement and/or other levels of management in instances where fraud or related misconduct is suspected. The Internal Audit Office is also available to assist administrators with ensuring that proper internal preventative measures are in place. Reporting Fraud Anyone with reasonable basis for believing fraudulent or related misconduct has occurred should report such incidents to the Internal Audit Office or the University Police. Any individual suspected of fraud or related misconduct is not to be confronted. University employees are not to initiate investigations on their own because such actions can compromise any ensuing investigations. In those instances where the Internal Audit Office investigation indicates the probability of criminal activity, the investigation will be turned over to the University police or other appropriate law enforcement agency. Whistleblower Act The following is the State of Kansas Whistleblower Act which is listed in K.S.A. 75-2973 (1995 Supplement). 75-2973. Communications by state employees with legislators, legislative committees and others; prohibiting certain acts by supervisors and appointing authorities; appeal to state civil
service board; posting copy of act; disciplinary action defined; officers and employees in unclassified service may bring civil action for relief. (a) No supervisor or appointing authority of any state agency shall prohibit any employee of the agency from discussing the operation of the agency, either specifically or generally, with any member of the legislature. (b) No supervisor or appointing authority of any state agency shall: 1. Prohibit any employee of the agency from reporting any violation of state or federal law or rules and regulations to any person, agency or organization; or 2. require any such employee to give notice to the supervisor or appointing authority prior to making any such report. (c) This section shall not be construed as: 1. Prohibiting a supervisor or appointing authority from requiring that an employee inform the supervisor or appointing authority as to legislative requests for information to the agency or the substance of testimony made, or to be made, by the employee to legislators on behalf of the agency; 2. permitting an employee to leave the employee's assigned work area during normal work hours without following applicable rules and regulations and policies pertaining to leaves, unless the employee is requested by a legislator or legislative committee to appear before a legislative committee; 3. authorizing an employee to represent the employee's personal opinions as the opinions of a state agency; or 4. prohibiting disciplinary action of an employee who discloses information which: (A) The employee knows to be false or which the employee discloses with reckless disregard for its truth or falsity, (B) the employee knows to be exempt from required disclosure under the Open Records Act or (C) is confidential under any other provision of law. (d) Any officer or employee who is in the classified service and has permanent status under the Kansas Civil service Act may appeal to the State Civil Service Board whenever the officer or employee alleges that disciplinary action was taken against the officer or employee in violation of this act in any court of law or administrative hearing. The appeal shall be filed within 30 days of the alleged disciplinary action. Procedures governing the appeal shall be in accordance with subsections (f) and (g) of K.S.A. 75-2949 and amendments thereto and K.S.A. 75-2929d through 75-2929g and amendments thereto. If the board finds that disciplinary action taken was unreasonable, the board shall modify or reverse the agency's action and order such relief for the employee as the board considers appropriate. If the board finds a violation of this act, it may require as a penalty that the violator be suspended on leave without pay for not more than 30
days or, in cases of willful or repeated violations, may require that the violator forfeit the violator's position as a state officer or employee and disqualify the violator for appointment to or employment as a state officer or employee for a period of not more than two years. The decision of the board in such cases may be appealed by any party pursuant to law. (e) Each state agency shall prominently post a copy of this act in locations where it can reasonably be expected to come to the attention of all employees of the agency. (f) As used in this section "disciplinary action" means any dismissal, demotion, transfer, reassignment, suspension, reprimand, warning of possible dismissal or withholding of work. (g) Any officer or employee who is in the unclassified service who alleges that disciplinary action has been taken against such officer or employee in violation of this section may bring a civil action for appropriate injunctive relief, or actual damages, or both within 90 days after the occurrence of the alleged violation. A court, in rendering a judgment in an action brought pursuant to this act, shall order, as the court considered appropriate, reinstatement of the officer or employee, the payment of back wages, full reinstatement of fringe benefits and seniority rights, actual damages, or any combination of these remedies. A court may also award such officer or employee all or a portion of the cost of litigation, including reasonable attorney fees and witness fees.