Wichita State University
Controls Assessment Tool
"CAT"
Internal Controls Self-Assessment

The Controls Assessment Tool is intended for use by WSU departments that want to perform an internal controls self-assessment. The CAT is not all-inclusive, but it can serve as a guide to operations. If questions arise while you are completing the CAT, feel free to contact Chris Cavanaugh, Director of Internal Audit.

The key unit in the organizational structure of most universities is the department, and the department head (whether the chair, director, budget officer and/or principal investigator) is the key administrator. The CAT uses "department" and "department head" generically throughout.

Yes indicates a necessary control is in place. No indicates internal control could be improved and warrants management's attention.


A - Contracting

Section 1.04 of the WSU Policies and Procedures Manual, Execution of Contracts, provides guidance relative to contracts and contract processes. University contracts must be in writing and in the name of Wichita State University. Colleges, individual schools, divisions and departments shall not enter into contracts. The President, the Vice President for Academic Affairs and the Vice President for Administration and Finance are the only individuals authorized by Section 1.04 to contractually bind the university by the execution of a contract. The President, the Vice President for Academic Affairs and the Vice President for Administration and Finance may further delegate authority to execute contracts on behalf of the university with consideration given to the type of contract and the amount of revenue and expenses involved.

Risks
  • Noncompliance with Board of Regents and WSU policies and procedures
  • Noncompliance with federal and state laws and regulations
  • Contracts executed by unauthorized individuals or for unauthorized activities
  • Failure to specify all contract or project requirements
  • Personal responsibility for a contract
  • Contract default
YES  NO 
A-1  Are the department’s contractual obligations in writing and executed in compliance with Section 1.04 of the WSU Policies and Procedures Manual?

It is sometimes perceived that an "agreement" carries less legal authority than a "contract" and thus falls beyond the reach of the contracts policy. Any agreement or promise that purports to obligate the university to perform some responsibility or take some specific action is deemed to be a contract, regardless of the name of the document or the label attached to it. It is also incorrect to presume that if an agreement is not committed to writing, it is less than a contract.

A contract may not always be clearly labeled as such on the top of the first page. A non-exhaustive list of examples of contracts includes:
  • Agreements for the purchase or rental of goods or services
  • A sale, lease or donation of goods or services
  • Revenue-producing agreements
  • Agreements that set terms for acceptance of gifts
  • Assignment of the right of a person, group or agency to use WSU's name, marks or logo
  • Agreements required by hotel convention centers or other facilities
  • Performance or entertainment contracts
  • Letters of understanding or cooperation
  • Memoranda of understanding
  • Software maintenance agreements
  • Student or faculty exchange agreements
  • Study/travel abroad agreements
  • Affiliation/internship agreements
  • Clinical training agreements
  • Instruction agreements
  • Nondisclosure agreements
  • Settlement of disputes
  • Liability waivers
  • Licenses
A-2  Are contracts originating from your department executed by one of the three individuals with contracting authority or by a person with delegated contracting authority?

Section 1.04 specifies that the President, the Vice President for Academic Affairs and the Vice President for Administration and Finance may delegate authority to execute contracts. Delegation of contract authority will always 1) be in writing, 2) be granted to a specific person in a specific position, 3) identify the type of contract and related dollar limits and 4) expire when the person leaves the position specified. Aside from the three positions specifically identified, there are no positions with authority to execute contracts due solely to the nature of the position. This includes the other vice presidents, deans and department chairs. A delegation of authority does not include authority to further delegate.

A-3  Are contracts involving an expenditure of funds, either by or to WSU in an amount of $2,500 or more, approved by the General Counsel's Office prior to execution?

The $2,500 threshold specified in Section 1.04 applies regardless of contract authority. So even though a person may have delegated authority to sign certain contracts up to $10,000, contracts of $2,500 or more still require General Counsel's Office review and approval. The threshold applies to the total contract amount, e.g. a three-year contract for $1,000 per year is a $3,000 contract.

A-4  Are payments of $1,000 or more for professional services supported by a written contract and executed in compliance with Section 1.04?

In the application of Section 1.04, the Purchasing Office has established a $1,000 threshold for professional services, i.e. payments of $1,000 or more for professional services must be supported by a written contract. Such services may be described in various ways including "consulting services," "speaker fee," "instructor fee" or "honorarium." Payments for services in amounts less than $1,000 can be paid from the vendor's invoice. A written contract reduces the likelihood of misunderstanding regarding the service to be provided, terms of payment or the vendor's responsibility for income tax obligations. The General Counsel's Office can provide assistance in the drafting of any contract. 

A-5  Are grants and contracts that require a commitment of WSU facilities or personnel reviewed by the Office of Research and Technology Transfer prior to execution?

The Office of Research and Technology Transfer administers grants and contracts prepared and awarded for research, training or other projects for which there are technical and/or fiscal reporting requirements, restrictions on the use of funds and commitment of facilities or personnel. Gifts that do not require commitments of facilities or personnel should be received and accounted for by the WSU Foundation. Examples of such gifts include financial support for student assistance, endowed chairs and professorships, endowed faculty development funds, lectureships and program series.


B - Financial Reports

The Office of Financial Operations and Business Technology maintains a centralized accounting system for WSU. This system contains a series of accounts that record the university's financial activities. One feature of the system is the financial reports available through Reporting Services. Regular review of departmental financial reports is important to ensure financial transactions are authorized, correct and properly recorded.

Risks
  • No budgetary control
  • Unauthorized transactions
  • Undetected errors
  • Misappropriation of funds
YES  NO
B-1  Are financial reports routinely reviewed and verified to transaction documents on a regular basis?

It's important that financial reports be reviewed and verified to ensure they accurately include all of the department's authorized transactions for both revenues and expenditures. The verification should also ensure that transactions related to other departments, or that are unauthorized, do not appear in your department's records. Finally, the process of verifying financial reports should include identification of transactions initiated by the department, but not yet recorded in the accounting system (transactions in the processing pipeline) so as to monitor the availability of department funds. We suggest reviewing transactions weekly. 

TIP - Most departments can simplify their process for tracking other operating expenditures (OOE) by utilizing Banner as the department's "online bank account." Record the department's expenditures on a declining-balance spreadsheet just as you would record items in the transaction register you keep with your personal checkbook. By maintaining a transaction register and making periodic comparisons to the department's remaining OOE budget in Banner, it's easier to identify or verify:

  • Whether transactions have been processed
  • That transaction amounts are correct
  • That the funding is correct
  • That all transactions have been accounted for
  • That transactions from other departments have not been posted in error
  • The remaining funds available
Periodic comparisons of your transaction register to Banner eliminate the need for a formal reconciliation at month-end because you have effectively been reconciling the department's account continuously.

B-2  Is the budget the department head’s best estimate of how the department’s funds will be expended during the year?

When preparing the initial budget for the year, do not simply repeat the previous year's budget allocations. Funds should be allocated to the various account codes based on past experience and what is expected for the upcoming year. The usefulness of financial reports as a monitoring tool is enhanced when the budget is the department head's best estimate of how funds will be expended.
 

B-3  Is a system in place to provide the department head with explanations of significant variances between budgeted and actual financial status? 

Budgets define the funds available to achieve departmental goals. Actual expenditures should be periodically compared to the budget to ensure funds are not misused. Significant variances from budgeted amounts should be investigated and the reason for the variance identified.
 


C - Cash Receipts

Cash receipts are vulnerable to loss, theft, misuse or misappropriation. The purpose of establishing proper procedures for handling cash receipts is to ensure they are deposited with the Office of Financial Operations and Business Technology and recorded in the appropriate department and account. "Cash receipts" includes currency, checks, credit card receipts and wire transfers received by mail or in person.

Risks
  • Lost or stolen cash and checks
  • Budget shortfall
  • Noncompliance with state tax regulations
  • Tax liabilities and penalties
  • Noncompliance with Payment Card Industry Data Security Standards (PCI DSS)
YES  NO 
C-1  Are textbooks and other class materials sold through the University Bookstore?

All textbook requisitions for WSU classes must be processed through the University Bookstore. To minimize cash handling in departments and to ensure sales tax is collected, other class materials (such as course packs or study guides) are best sold through the University Bookstore. 
 

C-2  Are incoming payments recorded in a cash receipts journal, or are pre-numbered or cash register receipts issued?

Cash receipts records should be sufficient to provide an audit trail of the cash received and to provide evidence of what was received in case of a later dispute. Do not keep copies of checks and credit card receipts. The retention of banking data in departments increases risk to WSU should the data be lost or stolen. If these items are needed later, the university cashiers will have the necessary copies or the cashiers can obtain them from the bank.

C-3  Are checks restrictively endorsed upon receipt with the phrase "For Deposit Only" to the account of Wichita State University?

To help prevent their diversion or unauthorized cashing, checks should be restrictively endorsed upon receipt.
 

C-4  Are cash receipts physically safeguarded against theft or loss?

Cash receipts are vulnerable to theft or loss. Cash receipts should be locked up in a secure location with limited access when the person responsible for them is not present.
 

C-5  Are cash receipts deposited timely with the Office of Financial Operations and Business Technology?

To minimize the risk of loss due to theft, cash receipts should be deposited promptly (within two business days) using a locking bag provided by the Office of Financial Operations and Business Technology. In periods of limited activity, deposits should be made at least weekly or whenever $100 or more has accumulated.
 

C-6  Are cash receipts deposited intact, with no cash retained as a change fund or for petty cash?

Cash receipts should be deposited intact with nothing held back for making change or to pay small expenses. Change funds are authorized only through the Accounts Receivable unit in the Office of Financial Operations and Business Technology. Change funds are never to be used for petty cash or employee check cashing or loans.
 

C-7  Are appropriate account codes and detail codes used for recording deposits?

Financial reports are more useful when revenues are properly classified and accompanied by an apt description. For example, checks received from the WSU Foundation are best deposited to account code R80073, Gifts-WSU Foundation. Accounts such as R80154, Miscellaneous Income, R80176, Salary Income from Other Entities or R80194, Recovery of Expenditures are less descriptive regarding the source of revenue.

C-8  Has a determination been made as to whether any cash receipts are subject to sales tax?

As a public educational institution, WSU is generally exempt from sales tax on its purchases. However, WSU is required to collect and remit sales tax on taxable sales. Sales made to students, the general public, businesses or not-for-profit organizations are generally subject to sales tax, even if the sales price is established on a cost-recovery basis and no profit is earned.

Examples of items subject to sales tax include admissions to performance and sporting events, food and beverages, clothing, course packs and school supplies. Examples of items that are not subject to sales tax include fees for educational programs, exam fees and reimbursements for lost or destroyed books or equipment.
 

C-9  Are amounts collected for sales tax deposited in account R80121, State Sales Tax?

Depositing sales tax in account R80121, State Sales Tax, will ensure that the Office of Financial Operations and Business Technology will report and remit the tax collected to the Kansas Department of Revenue. If your department regularly collects and remits sales tax, WSU's Accounts Receivable unit has likely provided for this on the departmental deposit form.

More information about sales tax can be found in our Audit Update newsletter - "Sales Tax Fundamentals"

C-10  Does the department accept payments by credit card?

If the answer to C-10 is no, skip Questions C-11 and C-12 and resume with C-13.

C-11  Does the department comply with the requirements of Section 13.14 of the WSU Policies and Procedures Manual, Security of Credit Card Data?

Key requirements of Section 13.14 include:
  1. All transactions that involve the transfer of credit card data must be performed on systems provided or approved by the university for this purpose. 
  2. No credit card numbers or any documentation containing credit card numbers or cardholder data shall be transmitted or stored in any personal computer or email account used by the department. 
  3. No paper documents, including but not limited to, paper receipts and handwritten notes, containing credit card numbers or cardholder data shall be stored by the department.
Electronic storage of credit card data is not permitted under any circumstances on any type of storage device. Permanent physical storage of credit card data is not permitted. Credit card data received on documents or forms must be removed from the form and destroyed within two business days.

C-12  Does the department have written procedures that address the collection and processing of credit card data?

To comply with PCI DSS, the Office of Financial Operations and Business Technology requires that each department have written credit card procedures that are specific to its operating environment. 

C-13  Is the recording of cash receipts periodically reviewed and verified for accuracy?

Though rare, errors occasionally occur and deposits may be recorded in a department or account code incorrectly. Cash receipts should be reviewed weekly to ensure they are accurately recorded and to provide prompt follow-up if necessary. It's also important to consider segregation of duties. One person should not be entrusted with all aspects of receiving, depositing and verifying cash receipts.

C-14  Does the department sell course packs?

A course pack is any collection of photocopied materials used for instruction, typically comprised of book excerpts, newspaper, magazine or journal articles and instructor-authored materials. If the answer to this question is no, skip Question C-15.

C-15  Are course packs prepared and sold in accordance with the following protocol?
  • All course pack materials are to be reproduced in compliance with Section 3.36 of the WSU Policies and Procedures Manual, and the university’s Copyright Guidelines (Supplement to WSU Policy Section 3.36).
  • All course pack materials are to be reproduced by Duplication Station in compliance with Section 15.03 of the WSU Policies and Procedures Manual, or by using the department’s copier.  
  • Material may be copied (at either Duplication Station or in the department) only where copying the material can reasonably be considered fair use or where there is a university license to copy the material or where there is permission to copy, which should be clearly set forth on the material to be copied.  
  • The General Counsel's Office is available for consultation regarding the application of federal copyright law to specific factual scenarios.
  • All reproduction costs are to be borne by the department.*
  • The University Bookstore is the preferred avenue for the sale of course packs.
  • If course packs are sold out of the department, sales proceeds are to be deposited no less than weekly into the department’s RU account and state sales tax must be accounted for.  
  • Under no circumstances should course packs be reproduced off campus.
  • Under no circumstances should an instructor retain the proceeds from course pack sales.

* Arrangements can also be made for the University Bookstore to bear the cost of reproduction at Duplication Station with the Bookstore retaining the subsequent sales proceeds.


D - Purchasing

The purchasing system’s goals are to achieve open, competitive and cost-effective buying while adhering to external funding source requirements for bidding, documentation and reporting, and timely payment to vendors for services and goods purchased. All payments require approval by university employees who have authority over the budgets being charged. Only reasonable and necessary expenditures in support of the university’s mission are permitted. Employees may not purchase goods or services for personal benefit through university channels, regardless of whether the university is reimbursed for such purchases.

Risks
  • Procurement fraud
  • Jeopardized relationships with vendors
  • Excessive processing costs
  • Inappropriate payment of sales tax
  • Lawsuits
YES  NO 
D-1  Are job responsibilities adequately segregated relative to the size of the department and the financial resources available?

Procedures that allow one person to control all aspects of a transaction increase the likelihood that unintentional errors will remain undetected and increase the opportunity for irregularities. One person should not have sole responsibility for initiating, executing and verifying transactions. This division of responsibility, or segregation of duties, serves as a deterrent to fraud. Segregation of duties may be difficult to achieve in small departments, underscoring the need for department heads to satisfy themselves that transactions appearing on financial reports have been authorized and are related to the department's objectives.
 

D-2  Does the department participate in the business procurement card program?

If the answer to D-2 is no, skip questions D-3 through D-8 and resume with D-9.
 

D-3  Is the procurement card used only by the person whose name is on the card?

Only the person whose name is on the business procurement card should use that card, i.e. the card is not a departmental credit card.
 

D-4  Does the cardholder ensure that sales tax is not assessed on purchases made with the business procurement card?

A tax exemption statement and statute number is printed on the back of the card. If the retailer requires a tax exempt form, contact the Purchasing Office.
 

D-5  Does the department card coordinator reconcile the monthly transaction log?

The department card coordinator should reconcile the transaction log to the monthly statement received from UMB Bank Kansas within five working days of receipt.
 

D-6  Are description lines on the monthly transaction log completed?

Though it may (sometimes) be clear from the receipt what was purchased, it’s not always clear how the item will be used, who will use it or how it relates to the department’s operations. Completing the description line for every transaction with this type of information can be helpful during the review and approval process and for future reference should there ever be a question about the purchase. 

D-7  When remitting the monthly transaction log to the Office of Financial Operations and Business Technology, is the log signed by both the cardholder and the department card coordinator?

Both the cardholder and the card coordinator must sign the monthly transaction log. If the card coordinator is unavailable and cannot sign the log when it is due, Procurement Officer Lisa Nettleton in the Purchasing Office can perform the review and sign as card coordinator.

D-8  Does the department budget officer review the monthly transaction log, including the written descriptions and the attached supporting documentation?

University procedures require that the monthly transaction log be signed by at least two different people (again illustrating the segregation of duties concept). Though not required, it’s best that the department budget officer also review and sign the monthly transaction log. The budget officer is responsible for and should be knowledgeable about all items charged to the department’s budget.

D-9  Are original signatures used to approve all transaction documents such as purchase requisitions, invoice control documents, procurement card transaction logs and payroll exception reports?

The use of signature stamps or the practice of signing another person's name, with or without initialing, is discouraged. Department heads are responsible for expenditures charged to accounts under their control.


E - Timekeeping and Payroll

Payroll expenditures are WSU’s single largest expense category. To ensure all payroll-related actions are consistent with university policies and procedures and federal and state laws, administrators responsible for payroll must be knowledgeable about payroll matters.

Risks
  • Fraud
  • Overpayments
  • Retroactive transactions
  • Personal and employer tax liabilities and penalties
  • Lawsuits
YES  NO 
E-1  Do faculty and exempt (from Fair Labor Standards Act) staff have a signed exception report for each pay period in which sick leave or vacation leave is used?

Each employee’s exception report (completed and signed in ink by the employee and the employee’s immediate supervisor) for every pay period in which sick leave or vacation leave is used should be kept for five years in compliance with the university's Records Retention Policy.
 

E-2  Does each nonexempt (subject to Fair Labor Standards Act) staff member have a signed exception report for every pay period?

Each employee’s exception report (completed and signed in ink by the employee and the employee’s immediate supervisor) should be kept for five years in compliance with the university's Records Retention Policy.
 

E-3  Do hourly classified and student employees have a signed positive time report for every pay period worked?

Each employee’s positive time report for every pay period worked (completed and signed in ink by the employee and the employee’s immediate supervisor) should be kept for five years in compliance with the university's Records Retention Policy. This document may be referred to if an employee should question the amount of his or her paycheck.
 

E-4  Are exception reports and positive time reports reviewed and signed by supervisory personnel with direct knowledge of the actual time worked?

Exception reports and positive time reports should be completed and signed in ink by the employee and reviewed and signed in ink by supervisory personnel with direct knowledge that the work was actually performed before timekeeping data is entered into Banner. Accurate records are important to document compliance with the Fair Labor Standards Act and to account for benefit time.
 

E-5  Do nonexempt staff account for all time worked on exception reports or positive time reports?

All time worked must be accounted for through the university’s timekeeping system. "Desk drawer" time (compensatory time worked, but tracked outside the timekeeping system) is not permitted. Accurate records are important to document compliance with the Fair Labor Standards Act.

E-6  For employees who earn vacation leave, is time off taken over the holiday closedown period accounted for as either vacation or compensatory time?

Occasionally we encounter an employee or a department with the misconception that time off during the holiday closedown period is bonus or extra time off provided by the university for which the employee does not need to take leave. This is incorrect. All time off must be accounted for in accordance with the leave policy applicable to each employee.
 

E-7  Does the timekeeper extract time at the beginning of each pay period and re-extract time at least once prior to the sign-off deadline for the pay period?

To “extract time” is to make ready the department’s timekeeping data via the PHATIME form in Banner and to “re-extract time” is to repeat the process with the PHATIME form. 

Timekeepers are asked to extract time at the beginning of each pay period. If this step is not completed early in the pay period, staff in Human Resources will be unable to assist should the timekeeper be unable to complete the payroll sign-off due to an unexpected absence, possibly resulting in incorrect pay for some employees. Time should also be re-extracted prior to the timekeeping completion deadline in the event a new employee has recently been assigned to the department. If an employee has been incorrectly assigned to a department, the timekeeper is to notify Human Resources via email at timekeeping@wichita.edu immediately.
 

E-8  Are exception reports and positive time reports reviewed for accuracy before data is entered into the payroll system?

Generally, the employee’s and the supervisor’s signatures on the report indicate that the hours reported are correct. However, the timekeeper (the person responsible for collecting the reports from employees and entering timekeeping data into Banner) should review the reports for possible reporting errors.
 

E-9  Are data on the exception reports and positive time reports audited against the “HRPAY Department Time Report" (HRPAY Report) by someone other than the person that enters timekeeping data into Banner?

The HRPAY Report recaps the timekeeping data entry for the pay period (the report is usually available through Reporting Services on the Friday after the Monday timekeeping sign-off). Good segregation of duties requires that the person who audits the HRPAY Report be someone other than the person who entered the timekeeping data for the pay period covered by the report. This audit procedure provides confirmation that the department's timekeeping data entry was correct.

The HRPAY Report should be printed so the person auditing the report can document their work with check marks, notes or other markings. To complete the department's timekeeping records, the audited HRPAY Report should be initialed and dated and retained with the exception and positive time reports for the pay period. Any discrepancies identified are to be reported immediately to Human Resources.
 

E-10  Does each completed exception and positive time report exhibit all of the attributes that follow?
  1. Employee's signature (attesting to hours worked and/or leave used) 
  2. Supervisor's signature (confirming hours worked and/or leave used)
  3. Timekeeper's initials and date (indicating time has been reviewed and entered)
  4. Auditor's initials and date (indicating that the employee's time has been verified to the HRPAY Department Time Report by someone other than the timekeeper)
  5. Budget Officer's signature (when authorizing extra hours paid)
E-11  Has the department's timekeeper attended timekeeping training in the past three years?

Human Resources periodically conducts two timekeeping training courses, a beginning course for new timekeepers and an advanced course titled "Department Time Entry, Section 2: Tips, Tricks and Traps." We suggest that the department timekeeper (and backup timekeeper) take the Tips, Tricks and Traps course at least once every three years to stay current and refresh skills.   

E-12  Does the backup (proxy) timekeeper enter timekeeping data on a regular schedule?

Backup timekeepers who do not do the data entry on a regular schedule often lose their timekeeping skills and don’t remember what to do when needed. In some departments, the timekeeper and backup timekeeper take turns doing the data entry and auditing the HRPAY Report. In other departments, they take turns doing different groups of employees on the same payroll. Regardless of the system used, it’s important for the backup to be as skilled as the primary timekeeper. One timekeeping error could potentially delay the entire payroll.

E-13  Do faculty submit an exception report to account for sick leave when ill and unable to teach?

Occasionally we encounter an employee or department with the misconception that faculty do not have to account for time off due to illness if only one class is missed or if another instructor covers the class. This is incorrect. Section 5.05 of the WSU Policies and Procedures Manual specifies:
“It will be the responsibility of each faculty member to report sick leave utilized to his or her departmental office on a biweekly basis. Sick leave should not be reported in increments of less than one-half day.”  

E-14  Is the work of graduate assistants monitored to ensure they are fulfilling the terms of their appointments?

Because they earn a set stipend and do not earn vacation or sick leave, university timekeeping procedures do not require exception reports or positive time reports for graduate assistants. However, some departments, particularly those employing several graduate assistants, have implemented a formal positive time reporting system within the department. This is an excellent approach for monitoring the work of graduate assistants.   

F - Information Technology

Information resources must be protected from destruction, unauthorized use or unauthorized revision. Users are responsible for the security of data to which they have access.

Risks
  • Unauthorized access to computers
  • Computer viruses
  • Destruction of critical data
  • Violation of software license agreements and possible fines
  • Loss of educational discounts on software
  • Lawsuits
YES  NO
F-1  Is software installed in compliance with its license requirements?

Generally, software is licensed to the individual or organization that purchased it and is authorized to be used only at one computer. Software purchased by the university is authorized for installation only on university computers. These general statements do not apply to network software or site license agreements. It is important to read each software package's copyright statement as there are various types of licenses available. It may be helpful for the department to maintain and keep current a list of computer software purchased or donated and record the computer on which the software is installed.
 

F-2  Are copies of important computer files made periodically and stored in a separate area or off-site location, or saved to a server maintained by University Computing?

You should periodically back up important files that are stored on your computer. This will allow easier recovery from a hard disk crash or a disaster that may destroy the computer. If data is being saved to a server maintained by University Computing, the servers are backed up each evening. If data is typically saved to your computer’s hard disk, the data should be backed up to another storage medium. In the event of a localized disaster such as fire or smoke in the office, the back-up medium should be stored at another location so it is not destroyed with the computer that has the original files.
 

F-3  Are passwords used to gain initial access to the department’s computers?

A password creates a barrier against potential information theft or corruption. Without password protection, an unauthorized user can be navigating from the desktop in a matter of seconds and potentially viewing or destroying important files, either intentionally or accidentally. Passwords should be at least six to eight characters with a combination of letters, numbers and special characters and should be kept confidential and not written in plain view on an employee’s desk.
 

F-4  Is anti-virus software used for computers and local area networks?

It is a good practice to check all incoming sources for computer viruses. A virus may destroy data or the hard disk immediately, or it may lie dormant before causing damage, in which case the virus can contaminate back-up systems before it is discovered. The best protection is to check all incoming sources with up-to-date anti-virus software.
 

F-5  Are obsolete and surplus computers disposed of in accordance with university policy?

WSU Policies and Procedures Manual Section 13.12, Disposal of Surplus Property, and Section 19.10, Retirement of Computing and Information Technology Resources, provide relevant guidance regarding the disposal of obsolete and surplus computer equipment. In particular:

  1. University property, regardless of cost, can be disposed of only after approval is obtained from the Office of Financial Operations and Business Technology, Property Control (Section 13.12, Item 3).
  2. All disposals of property must be documented on a Transfer of Property Form (Section 13.12, Item 4).
  3. No university computing and information technology resources may be forwarded to the Physical Plant Warehouse for salvage, sale or redistribution until and unless the University Computing and Telecommunications Services Department or departmental technical personnel has determined that all data, information and/or software has been permanently deleted (Section 19.10, Item 1).
  4. All university computing and information technology resources forwarded to the Physical Plant Warehouse for salvage, sale or redistribution shall be accompanied by a written statement that all data, information and/or software has been permanently deleted (Section 19.10, Item 2).

F-6  Are precautions taken to safeguard confidential information stored electronically on portable devices such as laptops and flash drives?

Devices with electronic data can be lost, stolen, or misplaced, which could result in unauthorized access to confidential information. Disclosure of student education records and confidential personal information could be particularly damaging to the university and our students. Possible precautions include:

  1. Avoid storing and/or transporting confidential information on portable devices to the extent possible.  
  2. Encrypt data stored on portable devices.
  3. Never leave portable devices unattended, even for a few minutes.
  4. Laptop computers left in a vehicle should not be visible. If possible, the laptop should be stored in a locked trunk.
  5. The loss or theft of portable devices containing confidential or sensitive information should be reported to the Chief Information Officer and the General Counsel as soon as the loss or theft is discovered (as well as the department chair and/or college dean and the University Police Department).

G - Student Education Records

Pursuant to federal law, we are responsible for ensuring the privacy of student education records and confidential personal information. Section 3.12 of the WSU Policies and Procedures Manual, Security and Confidentiality of Student Records and Files, clarifies our responsibilities in this regard. Employees are expected to maintain a clear understanding of the type of directory information that can be released without the student's consent.

Risks
  • Unauthorized access to student education records
  • Public disclosure of student education records
  • Violation of federal law
  • Violation of trust
  • Identity theft
  • Lawsuits
YES  NO 
G-1  Are department personnel familiar with the university's Security and Confidentiality of Student Records and Files Policy?

The security and confidentiality of all university records should be a matter of concern to WSU employees. Many employees (including student employees) are placed in a unique position of trust and obligation with reference to having access to student education records and files and the security and confidentiality of said records and files.
 

G-2  Does the department maintain student education records?

Student education records include, but are not limited to, academic evaluations, examinations, transcripts, test scores, scholarship applications, and general counseling and advising records. All students have records in one or more of the following offices: Undergraduate Admissions, International Admissions, Graduate School, Registrar, Financial Operations and Business Technology, Financial Aid, Student Health Services, Career Services and the dean's office of each college. Some academic departments maintain records separate from the school or college.

If the answer is no, skip the remaining questions in this section.
 

G-3  Are all requests for student education records that would be in the Registrar's Office file for the student directed to the Registrar's Office?

Registrar's Office file information would include any information needed to verify enrollment, classes, grades, GPA, academic standing or graduation. WSU outsources most requests to the National Student Clearinghouse (NSC), which charges inquirers a fee; however, people sometimes go directly to a college or department office in order to avoid a fee. Only the Registrar's Office or the NSC should verify information maintained in Registrar's Office files (the Registrar's Office also charges a fee for these types of inquiries). Whenever a request for student education records is received, the first consideration should be whether the Registrar's Office has the information requested. In almost all cases, it will.
 

G-4  Does the department have a designated person who has responsibility for student education records? 

One person (and a backup) in the department should be designated as the individual with primary responsibility for the maintenance and safeguarding of student education records. All inquiries related to the release of student education records should be directed to the department’s designated person, the Registrar’s Office or the General Counsel’s Office.

G-5  Have all department personnel with access to student education records completed the university's FERPA training?

Employees are expected to maintain a clear understanding of the type of education records that can be released without the student's consent, and the Registrar's Office provides an online tutorial to facilitate this understanding. After first logging in to myWSU and then going to the Faculty/Staff tab, "FERPA Online Training" can be found among the items included in the Employee Toolbox. All personnel with access to student education records must complete the tutorial.
 

G-6  Are student education records maintained in a secure environment?

File cabinets should be locked whenever authorized personnel are away from the area. Student education records should not be left on tables, desks or other areas open to third parties. Student education records should be removed and/or secured before leaving an unsecured work area. Computer monitors should be positioned so that a student's electronic record cannot be viewed by unauthorized persons.

More information about student education records can be found in our Audit Update newsletter - "Security of Student Education Records"