accounting controls

Definition

Methods and procedures which an organization's management institutes to (1) safeguard assets,
(2) authorize transactions, (3) monitor disbursements, and (4) ensure the accuracy and validity of
accounting records. See also segregation of duties.

Whether or not your unit has ever been audited, you may have heard of Internal
Controls. This brochure presents a brief, practical discussion of Internal Controls for the
unit manager.

What are internal controls and why are they important?

Internal controls are the methods employed to help ensure the achievement of an
objective. They are tools used by managers everyday.

• Writing procedures to encourage compliance, locking your office to discourage

theft, and reviewing your monthly statement of account to verify transactions are
common internal controls employed to achieve specific objectives.

All managers, from the unit level to the President of the University, use internal controls
to help assure that their units operate according to plan. And the methods they use--
policies, procedures, organizational design, and physical barriers--constitute the internal
control structure of the Indiana University.

Most internal controls can be classified as preventive or detective. Preventive controls

are designed to discourage errors or irregularities.

• A computer application which checks validity prevents the entry of an invalid

account number.
• Reading and understanding University Human Resource policies, such as Work
Hours [for PA Staff], helps prevent violations of the Federal Fair Labor Standards
Act. [Human Resources Professional Staff Policy 2.14]
• A manager's review of purchases for propriety and validity prior to approval
prevents inappropriate expenditures.

Detective controls are designed to identify an error or irregularity after it has occurred.

• An exception report detects and lists incorrect or invalid entries or transactions.

• A comparison of validated Cash Receipt Vouchers to monthly financial
statements will detect deposits posted to erroneous accounts.
• The manager's review of long distance telephone charges will detect improper or
personal calls that should not have been charged to the account.
Through careful design, the system of internal controls can help your unit operate more
efficiently and effectively and provide a reasonable level of assurance that the
processes and products for which you are responsible are adequately protected.

• Maintaining written procedures for manual processing will ensure that operations
can continue in the event of computer failure.

Top of Page

What is the manager's responsibility?

You, as managers, are responsible for ensuring that internal controls are established
and functioning to achieve the mission and objectives of your unit. To evaluate internal
controls, first think about the following general objectives then identify your unit's
specific objectives within these broad categories.

• Propriety of Transactions for all activity within accounts for which the manager
is responsible [IU Financial Policy I-1: Role of Fiscal Officer, Account Manager,
and Account Supervisor]
• Reliability and Integrity of Information for internal management decisions and
external agency reports
• Compliance with Indiana University Policies and Government Regulations,
including but not limited to: Human Resources, Financial, Purchasing, granting
agencies, and state and federal government
• Safeguarding Assets, including physical objects and University data
• Economy and Efficiency of Operations to optimize the use of limited resources
in accomplishing the mission of the unit and Indiana University

Next, identify what controls currently exist (or should be established) to reasonably
assure the achievement of each specific objective for your unit.

Top of Page

What is Internal Audit's responsibility?

Internal Audit provides an independent evaluation of the adequacy of internal controls

and reports the results to Indiana University administration and the Board of Trustees.
Auditors look at how the internal controls, within an operation, work together to make up
the internal control structure. The auditor gathers information about the mission and
processes of the unit, discusses the major objectives with the manager, and identifies
control points within each process where an error, irregularity, or inefficiency is likely to
occur.

The auditor documents existing controls at each significant control point, evaluates the
adequacy of the controls to ensure achievement of the objective, and then tests the
controls to verify they are working as described. Further discussions with the manager
focus on control risks, manager insights, and potential control enhancements. The
greater the risk, the more extensive the control that is warranted.

The auditor's evaluation includes an examination of the following internal control

elements:

Personnel - should be competent and trustworthy, with clearly established lines of

authority and responsibility documented in written job descriptions and procedures
manuals.

• Organizational charts provide a visual presentation of lines of authority.

• Periodic updates of job descriptions ensures that employees are aware of the
duties they are expected to perform.

Authorization Procedures - should include a thorough review of supporting

information to verify the propriety and validity of transactions. Approval authority should
be commensurate with the nature and significance of the transactions and in
compliance with Indiana University policy.

• Time records should be signed by the employee and supervisor with direct
knowledge of the employee's work schedule. [IU Financial Policy IV-1]
• An account manager or fiscal officer may delegate signature authority only to an
exempt employee or an appointed biweekly employee. [IU Financial Policy I-10]

Segregation of Duties - should reduce the likelihood of errors and irregularities. An

individual should not have responsibility for more than one of the three transaction
components: authorization, custody, and record keeping.

• Authorization for the assessment of class fees (Registrar) is segregated from the
collection of those fees (Bursar).

Physical Restrictions - are the most important type of protective measure for
safeguarding University assets, processes, and data.

• Safe combinations should be changed periodically and anytime a staff member

knowing the combination terminates employment.
• Critical forms, such as custodial fund checkbooks, should be adequately
secured.
• Alarm systems may be necessary to adequately protect large amounts of cash,
other valuable assets, or sensitive data

Documentation and Record Retention - should provide reasonable assurance that

assets are controlled and transactions are correctly recorded.
 • The Equipment Loan Form documents the authorized removal of equipment from
campus and provides assurance that an individual has accepted responsibility
for the item. [IU Financial Policy I-140]
• State Board of Accounts approval for all new or revised forms having a financial
implication provides consistency and ensures that adequate transaction
information is recorded. [IU Financial Policy I-100]

Monitoring Operations - is essential to verify that controls are operating properly.

Reconciliation, confirmations, and exception reports can provide this type of information.

• Biannual equipment inventories comply with granting agency regulations and

provide assurance that assets physically exist and are available for use.
• Account managers, account supervisors, and fiscal officers must verify the
propriety of transactions within their accounts. [IU Financial Policy I-1]

Top of Page

What can jeopardize internal controls?

While many circumstances may compromise the effectiveness of your internal control
structure, a few of the most common and serious of these warrant special mention:

Inadequate Segregation of Duties - (Our most common audit finding) - Separating

responsibility for physical custody of an asset from the related record keeping is a
critical control.

• Persons who can authorize purchase orders (Purchasing) should not be capable
of processing payments (Accounts Payable).
• The person who prepares the deposit should not post the receipts to the
customer accounts.
• The person who prepares the payroll voucher should not distribute or have
custody of the payroll checks.

Inappropriate Access to Assets - Internal controls should provide safeguards for

physical objects, restricted information, critical forms, and update applications.

• An employee who only needs to view computer information should be restricted

to Read and File Scan access and should not be granted Write and Create
access.
• Only authorized individuals should be issued keys for restricted areas.

Inadequate Knowledge of Indiana University Policies -The University is not a static

environment--new policies and policy revisions are a part of our continual evolution.
Many University policies are available electronically and printed copies can be supplied
upon request by contacting the relevant University department. Managers must stay
abreast of these changes and understand their responsibilities.
 • Fiscal Misconduct - "If any employee knows or suspects that other university
employees are engaged in theft, fraud, embezzlement, fiscal misconduct or
violation of university financial policies, it is their responsibility to immediately
notify the Internal Audit department or the appropriate campus police
department." [IU Financial Policy I-30]

Form Over Substance - Controls can appear to be well designed but still lack
substance, as is often the case with required approvals.

• The account manager's signature attests to the accuracy of the payroll voucher
information, but if the account manager does not have assurance that the
supporting time records are accurate, the approval process lacks substance.

Control Override - Exceptions to established policies are sometimes necessary to

accomplish a specific task, but can pose a significant risk if not effectively monitored
and limited.

• Thorough documentation and approval of all exceptions will help management

ensure the availability of a clear explanation for unusual transactions or events. A
periodic review of these exceptions also helps to identify the need for policy or
procedural changes.

Inherent Limitations - There is no such thing as a perfect control system. Staff size
limitations may obstruct efforts to properly segregate duties, which requires the
implementation of compensating controls to ensure that objectives are achieved. A
limitation inherent in any system is the element of human error (misunderstandings,
fatigue, and stress).

• A manager who encourages employees to take earned vacation time can

improve operations through cross training while enabling employees to
overcome or avoid stress and fatigue.

Top of Page

How much do internal controls cost?

The cost of implementing a specific control should not exceed the expected benefit of
the control.

• The potential loss of a computer printer may justify the cost of a door lock but not
an alarm system.
• Computer screen savers with passwords are inexpensive, effective methods of
protecting sensitive data on a computer.
Sometimes there is no out-of-pocket cost to establish an adequate control. A
realignment of duty assignments may be all that is necessary to accomplish the
objective.

• Checks received in the mail are immediately separated from supporting

documentation for restrictive endorsement and deposit. The supporting
documentation is given to a different employee (with a copy of the check, if
needed) for crediting the payment or filling an order.
• Voided receipts are approved by someone (preferably a manager) other than the
person preparing receipts.

A well-designed internal control structure can enhance operations by improving your

unit's overall efficiency and effectiveness, as well as, reducing the risk of loss or theft.

• A bank lock box establishes accountability and restricts access to cash, in

addition to streamlining operations by providing immediate deposits and
(possibly) electronic application updates.

In analyzing the pertinent costs and benefits, managers should also consider the
possible ramifications for Indiana University at large and attempt to identify and weigh
the intangible as well as the tangible consequences.

• It may be difficult to determine the cost of poor public relations and lost goodwill
if an ex-employee steals cash because the manager did not change the safe
combination or retrieve University keys upon the employee's termination.

Top of Page

Help

Internal controls should reduce the risks associated with undetected errors or
irregularities, but designing and establishing effective internal controls is not a simple
task and cannot be accomplished through a short set of quick fixes. However, we hope
that this brochure has helped to explain the basic internal control concepts and have
given you some ideas for improving your unit's controls. We can also supply an internal
control video and booklet and/or you can request one of our auditors to give a
demonstrations upon request. This video was designed specifically for colleges and
universities and is suitable for individual, group, or staff meeting viewing.

Last revised October 2003

Top of Page

For further advice and assistance in designing internal controls appropriate for your
operation, you may contact Kathleen McNeely with Financial Management Services, at
(812) 855-3377 or e-mail kmcneely@indiana.edu.
Other Internal Audit materials include:

• Internal Audit Functions, Services, and Scheduling (brochure)

• The Audit Process How We Work With You (brochure)
• Protecting Departmental Computing Resources (brochure)
• Internal Controls (video and booklet)

Internal Controls Reporting

Regulations vary a great deal around the world. However, there is a clear trend toward requiring
greater transparency in financial reporting and more accountability to investors coming from the
European Union’s Company Law Directives, the Sarbanes-Oxley Act in the US, and comparable
initiatives in other jurisdictions.

CEOs and CFOs of listed companies are being held more accountable for the integrity of their
financial statements and the effectiveness of internal controls. Directors and audit committees are
taking on greater responsibility for overseeing management and for the relationship with the
external auditor.

In the near future investors will see new reports from management and auditors about whether
adequate internal control over financial reporting is in place. This information is important to
investors because good internal control over financial reporting is one of the most effective
deterrents to fraud and a key factor in preventing financial misstatements.

r isk management and internal controls

Risk management and internal controls can create competitive advantage according to "The
future of risk management and internal controls". It points out the many challenges of aligning
and coordinating these roles and tasks — and provides questions you can apply to start the
improvement process. If you missed the Thought Center webcast “A balanced approach to risk
and performance,” watch the archive in video format.

New thinking on internal control

Effective internal control means a company is working well. When implemented and working
effectively they improve information reliability, improving decision making and driving
competitive advantage. Our new report, "From compliance to competitive edge" looks at how
non-SEC regulated companies are investing in internal control, what the drivers of that
investment are, and the difference it can make to business performance.
Internal Control
Definition of Internal Control:

Internal control is the process, effected by an entity's Board of Trustees, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives in
the following categories:
a. Reliability of financial reporting,
b. Effectiveness and efficiency of operations, and
c. Compliance with applicable laws and regulations.

Types of Internal Controls:

1. Detective:
Designed to detect errors or irregularities that may have occurred.
2. Corrective:
Designed to correct errors or irregularities that have been detected.
3. Preventive:
Designed to keep errors or irregularities from occurring in the first place.
Limitations of Internal Controls:
No matter how well internal controls are designed, they can only provide reasonable assurance
that objectives have been achieved. Some limitations are inherent in all internal control
systems. These include:
1. Judgment:
The effectiveness of controls will be limited by decisions made with human judgment under
pressures to conduct business based on the information at hand.
2. Breakdowns:
Even well designed internal controls can break down. Employees sometimes misunderstand
instructions or simply make mistakes. Errors may also result from new technology and the
complexity of computerized information systems.
3. Management Override:
High level personnel may be able to override prescribed policies and procedures for personal
gain or advantage. This should not be confused with management intervention, which represents
management actions to depart from prescribed policies and procedures for legitimate purposes.
4. Collusion:
Control systems can be circumvented by employee collusion. Individuals acting collectively can
alter financial data or other management information in a manner that cannot be identified by
control systems.
Internal Control Objectives
Internal Control objectives are desired goals or conditions for a specific event cycle which, if
achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will
occur. They are conditions which we want the system of internal control to satisfy. For a control
objective to be effective, compliance with it must be measurable and observable.
Internal Audit evaluates Mercer's system of internal control by accessing the ability of individual
process controls to achieve seven pre-defined control objectives. The control objectives include
authorization, completeness, accuracy, validity, physical safeguards and security, error handling
and segregation of duties.

• Authorization

The objective is to ensure that all transactions are approved by responsible personnel in
accordance with specific or general authority before the transaction is recorded.

• Completeness

The objective is to ensure that no valid transactions have been omitted from the accounting
records.

• Accuracy

The objective is to ensure that all valid transactions are accurate, consistent with the originating
transaction data and information is recorded in a timely manner.

• Validity

The objective is to ensure that all recorded transactions fairly represent the economic events that
actually occurred, are lawful in nature, and have been executed in accordance with management's
general authorization.

• Physical Safeguards & Security

The objective is to ensure that access to physical assets and information systems are controlled
and properly restricted to authorized personnel.

• Error handling

The objective is to ensure that errors detected at any stage of processing receive prompt
corrective action and are reported to the appropriate level of management.

• Segregation of Duties

The objective is to ensure that duties are assigned to individuals in a manner that ensures that no
one individual can control both the recording function and the procedures relative to processing
the transaction.
A well designed process with appropriate internal controls should meet most, if not all of these
control objectives.

Major Components:
1. Control environment:
Factors that set the tone of the organization, influencing the control consciousness of its people.
The seven factors are (ICHAMPBO):

I - Integrity and ethical values,

C - Commitment to competence,
H - Human resource policies and practices,
A - Assignment of authority and responsibility,
M - Management's philosophy and operating style,
B - Board of Director's or Audit Committee participation, and
O - Organizational structure.

2. Risk Assessment
Risks that may affect an entity's ability to properly record, process, summarize and report
financial data:

Changes in the Operating Environment (e.g. Increased Competition)

New Personnel
New Information Systems
Rapid Growth
New Technology
New Lines, Products, or Activities
Corporate Restructuring
Foreign Operations
Accounting Pronouncements

3. Control Activities
Various policies and procedures that help ensure those necessary actions are taken to address
risks affecting achievement of entity's objectives (PIPS):

P - Performance reviews (review of actual against budgets, forecasts)

I - Information processing (checks for accuracy, completeness, authorization)
P - Physical controls (physical security)
S - Segregation of duties

4. Information and communication

Methods and records established to record, process, summarize, and report transactions and to
maintain accountability of related assets and liabilities. Must accomplish:
a. Identify and record all valid transactions.
b. Describe on a timely basis.
c. Measure the value properly.
d. Record in the proper time period.
e. Properly present and disclose.
f. Communicate responsibilities to employees.
5. Monitoring
Assessment of the quality of internal control performance over time.

What can happen when Internal Controls are weak or non-existent?

When we recommend improving controls within a department, we often hear three basic
arguments for not implementing our recommendations:

1. There is not enough staff to have adequate segregation of duties.

2. It is too expensive.
3. The employees are trusted and controls are not necessary.

These arguments represent pitfalls to unsuspecting management. Each argument is in itself a

problem that needs to be resolved.

1. The problem of not having enough staff or other resources should be discussed with your
supervisor. In most cases, compensating controls can be implemented in situations where
one person has to do all of the business-related transactions for a department.
2. If implementing a recommended control seems too expensive, be sure to consider the full
cost of a fraud that could occur because of the missing control. In addition to any funds
that may be lost, consider the cost of time that would have been spent by the department
during the time of an investigation of the matter, and the cost of hiring a new employee.
Fraud is always expensive and the prevention of fraud is worth the cost.
3. Finally consider the issue of trust. Most employees are trustworthy and responsible,
which is an important factor in employee relations and departmental operations.
However, it is also the responsibility of administrators to remain objective. Experience
shows that it is often the most trusted employees who are involved in committing frauds.

Departments conducting research are good examples of areas where sound internal controls are
needed. Research departments that have grants and contracts with outside sponsors are at risk
that inappropriate charges will be posted to the project account, perhaps affecting current or
future funding. Each department not only has the responsibility to ensure that all of their
transactions are have been processed properly, but also to ensure that other researchers are not
"hiding" improper transactions in the department's accounts.

Internal Controls are to be an integral part of any organization's financial and business policies
and procedures. Internal controls consists of all the measures taken by the organization for the
purpose of; (1) protecting its resources against waste, fraud, and inefficiency; (2) ensuring
accuracy and reliability in accounting and operating data; (3) securing compliance with the
policies of the organization; and (4) evaluating the level of performance in all organizational
units of the organization. Internal controls are simply good business practices.

Responsibility
Everyone within the University has some role in internal controls. The roles vary depending
upon the level of responsibility and the nature of involvement by the individual. The Kansas
Board of Regents, President and senior executives establish the presence of integrity, ethics,
competence and a positive control environment. The directors and department heads have
oversight responsibility for internal controls within their units. Managers and supervisory
personnel are responsible for executing control policies and procedures at the detail level within
their specific unit. Each individual within a unit is to be cognizant of proper internal control
procedures associated with their specific job responsibilities.

The Internal Audit role is to examine the adequacy and effectiveness of the University internal
controls and make recommendations where control improvements are needed. Since Internal
Auditing is to remain independent and objective, the Internal Audit Office does not have the
primary responsibility for establishing or maintaining internal controls. However, the
effectiveness of the internal controls are enhanced through the reviews performed and
recommendations made by Internal Auditing.

Elements of Internal Control

Internal control systems operate at different levels of effectiveness. Determining whether a

particular internal control system is effective is a judgement resulting from an assessment of
whether the five components - Control Environment, Risk Assessment, Control Activities,
Information and Communication, and Monitoring - are present and functioning. Effective
controls provide reasonable assurance regarding the accomplishment of established objectives.

Control Environment

The control environment, as established by the organization's administration, sets the tone of an
institution and influences the control consciousness of its people. Leaders of each department,
area or activity establish a local control environment. This is the foundation for all other
components of internal control, providing discipline and structure. Control environment factors
include:

• Integrity and ethical values;

• The commitment to competence;
• Leadership philosophy and operating style;
• The way management assigns authority and responsibility, and organizes and develops its
people;
• Policies and procedures.

Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A
precondition to risk assessment is establishment of objectives, linked at different levels and
internally consistent. Risk assessment is the identification and analysis of relevant risks to
achievement of the objectives, forming a basis for determining how the risks should be managed.
Because economics, regulatory and operating conditions will continue to change, mechanisms
are needed to identify and deal with the special risks associated with change.

Objectives must be established before administrators can identify and take necessary steps to
manage risks. Operations objectives relate to effectiveness and efficiency of the operations,
including performance and financial goals and safeguarding resources against loss. Financial
reporting objectives pertain to the preparation of reliable published financial statements,
including prevention of fraudulent financial reporting. Compliance objectives pertain to laws and
regulations which establish minimum standards of behavior.

The process of identifying and analyzing risk is an ongoing process and is a critical component
of an effective internal control system. Attention must be focused on risks at all levels and
necessary actions must be taken to manage. Risks can pertain to internal and external factors.
After risks have been identified they must be evaluated.

Managing change requires a constant assessment of risk and the impact on internal controls.
Economic, industry and regulatory environments change and entities' activities evolve.
Mechanisms are needed to identify and react to changing conditions.

Control Activities

Control activities are the policies and procedures that help ensure management directives are
carried out. They help ensure that necessary actions are taken to address risks to achievement of
the entity's objectives. Control activities occur throughout the organization, at all levels, and in
all functions. They include a range of activities as diverse as approvals, authorizations,
verifications, reconciliations, reviews of operating performance, security of assets and
segregation of duties.

Control activities usually involve two elements: a policy establishing what should be done and
procedures to effect the policy. All policies must be implemented thoughtfully, conscientiously
and consistently.

Information and Communication

Pertinent information must be identified, captured and communicated in a form and time frame
that enables people to carry out their responsibilities. Effective communication must occur in a
broad sense, flowing down, across and up the organization. All personnel must receive a clear
message from top management that control responsibilities must be taken seriously. They must
understand their own role in the internal control system, as well as how individual activities
relate to the work of others. They must have a means of communicating significant information
upstream.

Monitoring

Internal control systems need to be monitored - a process that assesses the quality of the system's
performance over time. Ongoing monitoring occurs in the ordinary course of operations, and
includes regular management and supervisory activities, and other actions personnel take in
performing their duties that assess the quality of internal control system performance.

The scope and frequency of separate evaluations depend primarily on an assessment of risks and
the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be
reported upstream, with serious matters reported immediately to top administration and
governing boards.

Internal control systems change over time. The way controls are applied may evolve. Once
effective procedures can become less effective due to the arrival of new personnel, varying
effectiveness of training and supervision, time and resources constraints, or additional pressures.
Furthermore, circumstances for which the internal control system was originally designed also
may change. Because of changing conditions, management needs to determine whether the
internal control system continues to be relevant and able to address new risks.

Components of the Control Activity

Internal controls rely on the principle of checks and balances in the workplace. The following
components focus on the control activity:

Personnel need to be competent and trustworthy, with clearly established lines of authority and
responsibility documented in written job descriptions and procedures manuals. Organizational
charts provide a visual presentation of lines of authority and periodic updates of job descriptions
ensures that employees are aware of the duties they are expected to perform.

Authorization Procedures need to include a thorough review of supporting information to verify

the propriety and validity of transactions. Approval authority is to be commensurate with the
nature and significance of the transactions and in compliance with University policy.

Segregation of Duties reduce the likelihood of errors and irregularities. An individual is not to
have responsibility for more than one of the three transaction components: authorization,
custody, and record keeping. When the work of one employee is checked by another, and when
the responsibility for custody for assets is separate from the responsibility for maintaining the
records relating to those assets, there is appropriate segregation of duties. This helps detect errors
in a timely manner and deter improper activities; and at the same time, it should be devised to
prompt operational efficiency and allow for effective communications.

Physical Restrictions are the most important type of protective measures for safeguarding
University assets, processes and data.

Documentation and Record Retention is to provide reasonable assurance that all information and
transactions of value are accurately recorded and retained. Records are to be maintained and
controlled in accordance with the established retention period and properly disposed of in
accordance with established procedures.
Monitoring Operations is essential to verify that controls are operating properly. Reconciliations,
confirmations, and exception reports can provide this type of information.

Internal Control Limitations

There is no such thing as a perfect control system. Staff size limitations may obstruct efforts to
properly segregate duties, which requires the implementation of compensating controls to ensure
that objectives are achieved. A limited inherent in any system is the element of human error,
misunderstandings, fatigue and stress. Employees are to be encouraged to take earned vacation
time in order to improve operations through crosstraining while enabling employees to overcome
or avoid stress and fatigue.

The cost of implementing a specific control should not exceed the expected benefit of the
control. Sometimes there is no out-of-pocket costs to establish an adequate control. A
realignment of duty assignments may be all that is necessary to accomplish the objective. In
analyzing the pertinent costs and benefits, managers also need to consider the possible
ramifications for the University at large and attempt to identify and weigh the intangible as well
as the tangible consequences.

Internal controls should reduce the risks associated with undetected errors or irregularities, but
designing and establishing effective internal controls is not always a simple task and cannot
always be accomplished through a short set of quick fixes. However, we hope this chapter has
helped to explain the basic internal control concepts and given you some ideas for improving
your department's controls.

Introduction

This chapter outlines the policies, responsibilities and procedures for reporting and resolving
instances of known or suspected fiscal fraud or related misconduct. The procedures are
established to protect the assets and interests of the University, ensure a coordinated approach
toward resolution of fiscal fraud or related misconduct and encourage compliance with
University policy and State and Federal laws and regulations.

Policy on Fraud

Kansas State University will investigate any reported fraudulent or related misuse of University
resources or property. Any individual found to have engaged in fraudulent or related misconduct,
as defined in this policy, is subject to disciplinary action by the University, which may include
dismissal or expulsion, as well as prosecution by appropriate law enforcement authorities.

Definition of Fraud

Fraud and related misconduct prohibited by this policy generally involves a willful or deliberate
act or failure to act with the intention of obtaining an unauthorized benefit. Such acts include, but
are not limited to:
 • making or altering documents or computer files with the intent to defraud
• purposely inaccurate financial reporting
• misappropriation or misuse of University resources, such as funds, supplies or other
assets
• improper handling or reporting of money transactions
• authorizing or receiving compensation for goods not received or services not performed
• authorizing or receiving compensation for hours not worked.

It shall also be a violation of this policy for any University employee or student to make a
baseless allegation of fraudulent conduct that is made with reckless disregard for truth and that is
intended to be disruptive or to cause harm to another individual or individuals.

Responsibilities

Kansas State University administrators and all levels of management are responsible for
preventing and detecting instances of fraud and related misconduct and for establishing and
maintaining proper internal controls that provide security and accountability for the resources
entrusted to them. Administrators are also expected to recognize risks and exposures inherent in
their area of responsibility, and be aware of indications of fraud or related misconduct.
Responses to such allegations or indicators should be consistent.

The Internal Audit Office will work in consultation with University Attorneys, administrators,
law enforcement and/or other levels of management in instances where fraud or related
misconduct is suspected. The Internal Audit Office is also available to assist administrators with
ensuring that proper internal preventative measures are in place.

Reporting Fraud

Anyone with reasonable basis for believing fraudulent or related misconduct has occurred should
report such incidents to the Internal Audit Office or the University Police. Any individual
suspected of fraud or related misconduct is not to be confronted. University employees are not to
initiate investigations on their own because such actions can compromise any ensuing
investigations.

In those instances where the Internal Audit Office investigation indicates the probability of
criminal activity, the investigation will be turned over to the University police or other
appropriate law enforcement agency.

Whistleblower Act

The following is the State of Kansas Whistleblower Act which is listed in K.S.A. 75-2973 (1995
Supplement).

75-2973. Communications by state employees with legislators, legislative committees and

others; prohibiting certain acts by supervisors and appointing authorities; appeal to state civil
service board; posting copy of act; disciplinary action defined; officers and employees in
unclassified service may bring civil action for relief.

(a) No supervisor or appointing authority of any state agency shall prohibit any employee of the
agency from discussing the operation of the agency, either specifically or generally, with any
member of the legislature.

(b) No supervisor or appointing authority of any state agency shall:

1. Prohibit any employee of the agency from reporting any violation of state or federal law
or rules and regulations to any person, agency or organization; or
2. require any such employee to give notice to the supervisor or appointing authority prior
to making any such report.

(c) This section shall not be construed as:

1. Prohibiting a supervisor or appointing authority from requiring that an employee inform

the supervisor or appointing authority as to legislative requests for information to the
agency or the substance of testimony made, or to be made, by the employee to legislators
on behalf of the agency;
2. permitting an employee to leave the employee's assigned work area during normal work
hours without following applicable rules and regulations and policies pertaining to leaves,
unless the employee is requested by a legislator or legislative committee to appear before
a legislative committee;
3. authorizing an employee to represent the employee's personal opinions as the opinions of
a state agency; or
4. prohibiting disciplinary action of an employee who discloses information which:

(A) The employee knows to be false or which the employee discloses with reckless
disregard for its truth or falsity,

(B) the employee knows to be exempt from required disclosure under the Open Records
Act or

(C) is confidential under any other provision of law.

(d) Any officer or employee who is in the classified service and has permanent status under the
Kansas Civil service Act may appeal to the State Civil Service Board whenever the officer or
employee alleges that disciplinary action was taken against the officer or employee in violation
of this act in any court of law or administrative hearing. The appeal shall be filed within 30 days
of the alleged disciplinary action. Procedures governing the appeal shall be in accordance with
subsections (f) and (g) of K.S.A. 75-2949 and amendments thereto and K.S.A. 75-2929d through
75-2929g and amendments thereto. If the board finds that disciplinary action taken was
unreasonable, the board shall modify or reverse the agency's action and order such relief for the
employee as the board considers appropriate. If the board finds a violation of this act, it may
require as a penalty that the violator be suspended on leave without pay for not more than 30
days or, in cases of willful or repeated violations, may require that the violator forfeit the
violator's position as a state officer or employee and disqualify the violator for appointment to or
employment as a state officer or employee for a period of not more than two years. The decision
of the board in such cases may be appealed by any party pursuant to law.

(e) Each state agency shall prominently post a copy of this act in locations where it can
reasonably be expected to come to the attention of all employees of the agency.

(f) As used in this section "disciplinary action" means any dismissal, demotion, transfer,
reassignment, suspension, reprimand, warning of possible dismissal or withholding of work.

(g) Any officer or employee who is in the unclassified service who alleges that disciplinary
action has been taken against such officer or employee in violation of this section may bring a
civil action for appropriate injunctive relief, or actual damages, or both within 90 days after the
occurrence of the alleged violation. A court, in rendering a judgment in an action brought
pursuant to this act, shall order, as the court considered appropriate, reinstatement of the officer
or employee, the payment of back wages, full reinstatement of fringe benefits and seniority
rights, actual damages, or any combination of these remedies. A court may also award such
officer or employee all or a portion of the cost of litigation, including reasonable attorney fees
and witness fees.