Wichita State University
Controls Assessment Tool
"CAT"
Internal Controls Self-Assessment

Stripe

The Controls Assessment Tool is designed to aid WSU departments in performing an internal controls self-assessment. Should you have questions, feel free to contact Chris Cavanaugh, Director of Internal Audit. The CAT serves as a guide and is not all-inclusive.

The key unit in the organizational structure of a university is the department, and the department head (whether a chair, director, budget officer or principal investigator) is the key administrator. The CAT uses department head generically throughout.

Yes indicates a necessary control is in place. No indicates internal control could be improved and warrants attention.


A - Contracting

Section 1.04 of the WSU Policies and Procedures Manual, Execution of Contracts, provides guidance relative to contracts and contract processes at WSU. University contracts must be in writing and in the name of Wichita State University. Colleges, individual schools, divisions and departments shall not enter into contracts. The President, Provost and Senior Vice President, and the vice presidents on the President's Executive Team are the only persons authorized by Section 1.04 to contractually bind the university by the execution of a contract. The President, Provost and Senior Vice President, and aforementioned vice presidents may further delegate authority to execute contracts on behalf of the university with consideration given to the type of contract and dollar amount involved.

Risks
  • Noncompliance with Board of Regents and WSU policies and procedures
  • Noncompliance with federal and state laws and regulations 
  • Contracts executed by unauthorized persons or for unauthorized activities
  • Failure to specify all contract or project requirements
  • Omission of warranties or quality assurances
  • Transfer of liability or risk to the university
  • Personal responsibility for a contract
  • Contract default
YES  NO 
A-1  Are the department’s contractual obligations in writing and executed in compliance with Section 1.04 of the WSU Policies and Procedures Manual?

It is sometimes perceived that an "agreement" carries less legal authority than a "contract" and thus falls beyond the reach of the contracts policy. Any agreement or promise that purports to obligate the university to perform some responsibility or take some specific action is deemed to be a contract, regardless of the name of the document or the label attached to it. It is also incorrect to presume that if an agreement is not committed to writing, it is less than a contract.

A contract may not always be clearly labeled as such. A non-exhaustive list of examples of contracts includes:
  • Agreements for the purchase or rental of goods or services
  • A sale, lease or donation of goods or services
  • Revenue-producing agreements
  • Agreements that set terms for acceptance of gifts
  • Assignment of the right of a person, group or agency to use WSU's name, marks or logo
  • Agreements required by hotel convention centers or other facilities
  • Performance or entertainment contracts
  • Letters of understanding or cooperation
  • Memoranda of understanding
  • Software maintenance agreements
  • Student or faculty exchange agreements
  • Study/travel abroad agreements
  • Affiliation/internship agreements
  • Clinical training agreements
  • Instruction agreements
  • Nondisclosure agreements
  • Settlement of disputes
  • Liability waivers
  • Licenses
A-2  Are contracts originating from your department signed by a person with contracting authority or delegated contracting authority?

Section 1.04 specifies that the President, Provost and Senior Vice President, and the vice presidents on the President's Executive Team may delegate authority to execute (sign) contracts. Delegation of contract authority will always 1) be in writing, 2) be granted to a specific person in a specific position, 3) identify the type of contract and related dollar limits, and 4) expire when the person leaves the position specified. Aside from the positions specifically identified, there are no positions with authority to execute contracts due solely to the nature of the position, including deans and department heads. Delegated authority does not include authority to further delegate.

A-3  Are contracts reviewed by the General Counsel's Office prior to execution?

Regardless of dollar amount, contract review by the General Counsel's Office prior to execution is advisable and suggested. This advice especially pertains to vendor contracts which may omit warranties or quality assurances, or attempt to shift liability or risk to the university.

A-4  Are payments of $1,000 or more for professional services supported by a written contract and executed in compliance with Section 1.04?

In the application of Section 1.04, the Purchasing Office has established a $1,000 threshold for professional services, i.e. payments for services in amounts less than $1,000 can be paid from the vendor's invoice. Payments of $1,000 or more for services must be supported by a contract. Professional services may be described in various ways including consulting services, speaker fee, instructor fee or honorarium. A written contract reduces the likelihood of misunderstanding regarding the service to be provided, terms of payment or the vendor's responsibility for income tax obligations. The General Counsel's Office can provide assistance in drafting any contract. 

A-5  Are grants and contracts that require a commitment of WSU facilities or personnel reviewed by the Office of Research and Technology Transfer prior to execution?

Research and Technology Transfer administers grants and contracts prepared and awarded for research, training or other projects for which there are technical or fiscal reporting requirements, restrictions on the use of funds and commitment of facilities or personnel. Gifts that do not require commitments of facilities or personnel should be received and accounted for by the WSU Foundation. Examples of such gifts include financial support for student assistance, endowed chairs and professorships, endowed faculty development funds, lectureships and program series.


B - Financial Reports

Financial Operations maintains a centralized accounting system for WSU. This system contains a series of accounts that record the university's financial transactions. One feature of the system is the financial reports available through Reporting Services. Regular review of departmental financial reports is important to ensure transactions are authorized, correct and properly recorded.

Risks
  • Undetected errors
  • No budgetary control
  • Unauthorized transactions
  • Unexpected financial shortfall
YES  NO
B-1  Are financial reports routinely reviewed and verified to transaction documents?

It's important that financial reports be reviewed and verified to ensure they accurately include all of the department's authorized transactions for both revenues and expenditures. The verification should also ensure that unauthorized transactions, or transactions recorded in error, do not appear in your department's records. Finally, the process of verifying financial reports should include identification of transactions initiated by the department, but not yet recorded in the accounting system (still in the processing pipeline) to better monitor the availability of department funds. We suggest reviewing financial reports weekly. 

TIP - Recording transactions in a simple declining-balance spreadsheet (similar to a checkbook register), and using the spreadsheet to make comparisons to financial reports available through Reporting Services, makes it easier to identify or verify:

  • Whether transactions have been processed
  • That transaction amounts are correct
  • That the funding is correct
  • That all transactions have been accounted for
  • That transactions from other departments have not been posted in error
  • The remaining funds available
Periodic review and verification eliminates the need for a full reconciliation at month-end because it's been done during the course of the month.

B-2  Is the budget the department head’s best estimate of how the department’s funds will be expended during the year?

When preparing the initial budget for the year, do not simply repeat the previous year's budget allocations. Funds should be allocated to the various account codes based on past experience and what's expected for the coming year. The usefulness of financial reports as a monitoring tool is enhanced when the budget is the department head's best estimate of how funds will be expended.
 

B-3  Is a system in place to provide the department head with explanations of significant variances between budgeted and actual financial status? 

Budgets define the funds available to achieve departmental goals. Actual expenditures should be periodically compared to budgeted amounts to ensure funds are expended as planned and not misused. Significant variances should be investigated with the reason for the variance identified.
 


C - Cash Receipts

Cash receipts are vulnerable to loss, theft, misuse or misappropriation. Establishing proper procedures for handling cash receipts ensures they are deposited with Financial Operations and recorded in the appropriate department and account. "Cash receipts" includes currency, checks, credit card receipts and wire transfers received electronically, by mail or in person.

Risks
  • Misappropriation of assets, lost or stolen cash and checks
  • Unexpected financial shortfall
  • Noncompliance with state tax regulations, tax liabilities and penalties
  • Compromised credit card numbers
  • Noncompliance with Payment Card Industry Data Security Standards (PCI DSS)
  • Sales for personal gain and copyright violations
YES  NO 
C-1  Are textbooks and other class materials sold through the University Bookstore?

All textbook requisitions for WSU classes must be processed through the University Bookstore. To minimize cash handling in departments and ensure sales tax is collected, other class materials (such as course packs or study guides) are best sold through the University Bookstore. 
 

C-2  Are incoming payments recorded in a journal or are pre-numbered or cash register receipts issued?

Cash receipts records should be sufficient to provide an audit trail of payments received in case of later dispute.

C-3  Are checks restrictively endorsed upon receipt with the phrase "For Deposit Only" to the account of Wichita State University?

To help prevent their diversion or unauthorized cashing, checks should be restrictively endorsed upon receipt.
 

C-4  Are cash receipts physically safeguarded against theft or loss?

Cash receipts should be held in a secure location until they can be deposited.
 

C-5  Are cash receipts deposited timely with Financial Operations?

To minimize the risk of loss due to theft, cash receipts should be deposited promptly (within two business days) using a locking bag provided by Financial Operations. In periods of limited activity, deposits should be made at least weekly or whenever $100 or more has accumulated.
 

C-6  Are cash receipts deposited in full, with no cash held back to use as a change fund or as petty cash?

Cash receipts should be deposited in full with nothing held back for making change or paying expenses. Change funds are authorized only through the Accounts Receivable unit in Financial Operations. Change funds are never to be used for petty cash or employee check cashing or loans.
 

C-7  Are appropriate account codes and detail codes used for recording deposits?

Financial reports are more useful when revenues are properly classified and accompanied by an apt description. For example, checks received from the WSU Foundation are best deposited to account code R80073, Gifts-WSU Foundation. Other account codes such as those for miscellaneous income, internal income or recovery of expenditures are less descriptive or specific.

C-8  Has a determination been made as to whether any cash receipts are subject to sales tax?

As a public educational institution, WSU is generally exempt from sales tax on its purchases. However, WSU is required to collect and remit sales tax on taxable sales. Sales made to students, the general public, businesses or not-for-profit organizations are generally subject to sales tax, even if the sales price is set on a cost-recovery basis and no profit is made.

Examples of items subject to sales tax include admissions to performance and sporting events, food and beverages, clothing, course packs and school supplies. Examples of items not subject to sales tax include fees for educational programs, exam fees, and reimbursements for lost or destroyed books or equipment.
 

C-9  Are amounts collected for sales tax deposited in account R80121, State Sales Tax?

Depositing sales tax in account R80121, State Sales Tax, ensures Financial Operations will report and remit your tax collections to the Kansas Department of Revenue. If your department regularly collects and remits sales tax, the Accounts Receivable unit in Financial Operations has likely provided a line for sales tax on your departmental deposit form.
          

    C-10  Is the recording of cash receipts periodically reviewed and verified for accuracy?

Deposits may occasionally be recorded in a wrong department or fund due to a coding or transposition error. Cash receipts should be reviewed weekly to ensure they are accurately recorded and to allow prompt follow up, if necessary. It's also important to consider segregation of duties. One person should not be entrusted with all aspects of receiving, depositing and verifying cash receipts.

C-11  Does the department accept payments by credit card?

If your answer to C-11 is no, skip questions C-12 and C-13 and resume with C-14.

C-12  Does the department comply with the requirements of Section 13.14 of the WSU Policies and Procedures Manual, Security of Credit Card Data? (Skip if C-11 is no.)

Key requirements of Section 13.14 include:
  1. All transactions that involve the transfer of credit card data must be performed on systems provided or approved by the university for this purpose. 
  2. No credit card numbers or any documentation containing credit card numbers or cardholder data shall be transmitted or stored in any personal computer or email account used by the department. 
  3. No paper documents, including but not limited to, paper receipts and handwritten notes, containing credit card numbers or cardholder data shall be stored by the department.
Electronic storage of credit card data is not permitted under any circumstances on any type of storage device. Permanent physical storage of credit card data is not permitted. Credit card data received on documents or forms must be removed from the form and destroyed within two business days.

C-13  Does the department have written procedures that address the collection and processing of credit card data? (Skip if C-11 is no.)

To comply with PCI DSS, Financial Operations requires that each department have written credit card procedures that are specific to its operating environment. 

C-14  Does the department sell course packs?

A course pack is any collection of photocopied materials used for instruction, typically comprised of book excerpts, newspaper, magazine or journal articles and instructor-authored materials. If your answer to C-14 is no, skip question C-15. 

C-15  Are course packs prepared and sold in accordance with the following protocol? (Skip if C-14 is no.)
  • All course pack materials are to be reproduced in compliance with Section 3.36 of the WSU Policies and Procedures Manual, and the university’s Copyright Guidelines (Supplement to WSU Policy Section 3.36).
  • All course pack materials are to be reproduced by Duplication Station in compliance with Section 15.03 of the WSU Policies and Procedures Manual, or by using the department’s copier.  
  • Material may be copied (at either Duplication Station or in the department) only where copying the material can reasonably be considered fair use or where there is a university license to copy the material or where there is permission to copy, which should be clearly set forth on the material to be copied.  
  • The General Counsel's Office is available for consultation regarding the application of federal copyright law to specific factual scenarios.
  • All reproduction costs are to be borne by the department.*
  • The University Bookstore is the preferred avenue for the sale of course packs.
  • If course packs are sold out of the department, sales proceeds are to be deposited no less than weekly into the department’s RU account and state sales tax must be accounted for.  
  • Under no circumstances should course packs be reproduced off campus.
  • Under no circumstances should an instructor retain the proceeds from course pack sales.

* Arrangements can also be made for the University Bookstore to bear the cost of reproduction at Duplication Station with the Bookstore retaining the subsequent sales proceeds.


D - Purchasing

The purchasing system’s goals are to achieve open, competitive and cost-effective buying while adhering to external funding source requirements for bidding, documentation and reporting, with timely payment to vendors for goods and services purchased. All payments require approval by university employees who have authority over the budgets being charged. Only reasonable and necessary expenditures in support of the university’s mission are permitted. Employees may not purchase goods or services for personal benefit through university channels, regardless of whether the university is reimbursed.

Risks
  • Procurement fraud
  • Excessive processing costs
  • Jeopardized relationships with vendors
  • Misappropriation of assets, bad publicity
YES  NO 
D-1  Are job responsibilities adequately segregated relative to the size of the department and the financial resources available?

Procedures that allow one person to control all aspects of a transaction increase the likelihood that unintentional errors will remain undetected and increase the opportunity for irregularities. One person should not have sole responsibility for initiating, executing and verifying transactions. This division of responsibility, or segregation of duties, serves as a deterrent to fraud. Segregation of duties may be difficult to achieve in small departments, underscoring the need for department heads to satisfy themselves that transactions appearing on financial reports have been authorized and are related to the department's objectives.
 

D-2  Is an original signature always used to approve transaction documents such as purchase requisitions, invoice control documents, procurement card transaction logs and payroll exception reports?

The use of signature stamps or the practice of signing another person's name, with or without initialing, is discouraged. Department heads are responsible for expenditures charged to accounts under their control.
 

D-3  Does the department participate in the business procurement card program?

If your answer to D-3 is no, skip the remaining questions in this section and resume with Section E.
 

D-4  Is the procurement card used only by the person whose name is on the card?

Only the person whose name is on the procurement card should use that card, i.e. the card is not a departmental credit card.
 

D-5  Does the cardholder ensure that sales tax is not assessed on purchases made with the procurement card?

A tax exemption statement and statute number is printed on the back of the card. If the retailer requires a tax exempt form, contact the Purchasing Office.
 

D-6  Does the department card coordinator reconcile the monthly transaction log?

The department card coordinator should reconcile the transaction log to the monthly statement received from UMB Bank Kansas within five working days of receipt.. 

D-7  Are description lines on the monthly transaction log completed?

Though it may be clear from the receipt what was purchased, it’s not always clear how the item will be used, who will use it or how it relates to the department’s operations. Completing the description line for each transaction with apt details can be helpful during the budget officer's review and approval process and for future reference should there ever be a question about the purchase.

D-8  When remitting the monthly transaction log to Financial Operations, is the log signed by both the cardholder and the department card coordinator?

Both the cardholder and the card coordinator are to sign the monthly transaction log. If the card coordinator is unavailable and cannot sign the log when it is due, BPC Program Administrator Robby Murray in the Purchasing Office can perform the review and sign as card coordinator.

D-9  Does the department budget officer review the monthly transaction log, including the written descriptions and accompanying receipts?

University procedures specify that the monthly transaction log be signed by at least two different people (again illustrating the segregation of duties concept). Though not required, it’s best that the department budget officer also review and sign the monthly transaction log. The budget officer is responsible for and should be knowledgeable about all items charged to the department’s budget.


E - Timekeeping and Leave Reporting

Payroll is the university's single largest expense category. To ensure all payroll-related actions are consistent with university policies and procedures and federal and state laws, administrators responsible for payroll must be knowledgeable about timekeeping and leave reporting processes.

Risks
  • Payroll errors or fraud
  • Retroactive transactions
  • Tax liabilities and penalties
  • Investigations and lawsuits
YES  NO 
E-1  Do faculty and exempt staff (exempt from the Fair Labor Standards Act) staff have a signed exception report for every pay period in which sick leave or vacation leave is used?

An exception report should be completed and signed in ink by the employee and the employee’s immediate supervisor for every pay period in which sick leave or vacation leave is used.
 

E-2  Does each nonexempt staff (staff that are subject to the Fair Labor Standards Act) staff have a signed exception report for every pay period?

An exception report should be completed and signed in ink by the nonexempt employee and the employee’s immediate supervisor for every pay period, even if there are no exceptions to report.
 

E-3  Does temporary nonexempt staff and student employees (both regular and work-study) have a signed positive time report for every pay period worked?

A positive time report for every pay period worked should be completed and signed in ink by the employee and the employee’s immediate supervisor. This document may be referred to should an employee should question the amount of his or her paycheck.
 

E-4  Are exception reports and positive time reports reviewed and signed by supervisory personnel with direct knowledge of the actual time worked?

Before timekeeping data is entered into Banner, exception reports and positive time reports should first be completed and signed in ink by the employee and then reviewed and signed in ink by the supervisor with direct knowledge of the work performed. Accurate records are important to document compliance with the Fair Labor Standards Act (FLSA) and account for time off.
 

E-5  Do nonexempt staff account for all time worked on exception reports or positive time reports?

All time worked must be accounted for through the university’s timekeeping system. Unrecorded compensatory time (extra hours worked, but accounted for outside the timekeeping system) is not permitted. Accurate records are important to document compliance with FLSA.

E-6  For employees who earn vacation leave, is time off taken over the holiday closedown period accounted for as either vacation or compensatory time?

We occasionally encounter an employee or a department with the misconception that time off during the holiday closedown period is bonus or extra time off provided by the university for which the employee does not need to take leave. This is incorrect. All time off must be accounted for in accordance with the leave policy applicable to each employee.
 

E-7  Does the timekeeper extract time at the beginning of each pay period and re-extract time at least once prior to the sign-off deadline for the pay period?

To extract time is to make ready the department’s timekeeping data via the PHATIME form in Banner and to re-extract time is to repeat the process with the PHATIME form. 

Timekeepers are asked to extract time at the beginning of each pay period. If this step is not completed early in the pay period, staff in Human Resources will be unable to assist should the timekeeper be unable to complete the payroll sign-off due to an unexpected absence, possibly resulting in incorrect pay for some employees. Time should also be re-extracted prior to the timekeeping completion deadline in the event a new employee has recently been assigned to the department. If an employee has been incorrectly assigned to a department, the timekeeper is to notify Human Resources via email at timekeeping@wichita.edu immediately.
 

E-8  Are exception reports and positive time reports reviewed for accuracy before data is entered into the payroll system?

Generally, the employee’s and the supervisor’s signatures on the report indicate that the hours reported are correct. However, the timekeeper (the person responsible for collecting the reports from employees and entering timekeeping data into Banner) should review the reports for possible reporting errors.
 

E-9  Are data on the exception reports and positive time reports audited against the HRPAY Department Time Report by someone other than the person that entered timekeeping data into Banner?

The Department Time Report recaps the timekeeping data entry for the pay period (the report is usually available through Reporting Services on the Friday after the Monday timekeeping sign-off). Good segregation of duties requires that the person who audits the Department Time Report be someone other than the person who entered the timekeeping data for the pay period covered by the report. This audit procedure provides assurance that the department's timekeeping data entry was correct. Any discrepancies identified are to be reported immediately to Human Resources.
 

E-10  Does each completed exception and positive time report exhibit all of the attributes that follow?
  1. Employee's signature (attesting to hours worked or leave used) 
  2. Supervisor's signature (with knowledge of hours worked or leave used)
  3. Timekeeper's initials and date (indicating who reviewed and entered the data)
  4. Timekeeping auditor's initials and date (indicating who audited the data entry)
  5. Budget Officer's signature (when authorizing extra hours paid)
  6. Retained for five years in accord with the university's Records Retention Policy
    E-11  Does the backup timekeeper enter timekeeping data on a regular schedule?

Backup timekeepers who don't do timekeeping data entry on a regular schedule often lose their timekeeping skills and struggle when called upon. 

E-12  Has the department's timekeeper attended timekeeping training in the past three years?

Human Resources periodically conducts two timekeeping training courses, a beginning course for new timekeepers and an advanced course titled "Department Time Entry, Section 2: Tips, Tricks and Traps." We suggest that the department timekeeper take the Tips, Tricks and Traps course at least once every three years to stay current and refresh skills. The course is worthwhile for anyone who has a role in timekeeping and leave reporting.

E-13  Is the HRPAY Leave Balance Report periodically reviewed by the department head or timekeeper?

Periodic review of the Leave Balance report can be helpful in identifying possible timekeeping and leave reporting issues.  

E-14  Do faculty submit an exception report to account for sick leave when ill and unable to teach? Omit if your department has no faculty.

Occasionally we encounter an employee or department with the misconception that faculty do not have to account for time off due to illness if only one class is missed or if another instructor covers the class. This is incorrect. Section 5.05 of the WSU Policies and Procedures Manual specifies:
“It will be the responsibility of each faculty member to report sick leave utilized to his or her departmental office on a biweekly basis. Sick leave should not be reported in increments of less than one-half day.”  

E-15  Is the work of graduate assistants monitored to ensure they are fulfilling the terms of their appointments? Omit if your department has no graduate assistants.

Because they earn a set stipend and do not earn vacation or sick leave, university timekeeping procedures do not require exception reports or positive time reports for graduate assistants.    

F - Information Technology

Users of information technology resources are responsible for the security of data to which they have access, which must be protected from unauthorized use, revision or destruction. Section 19.01 of the WSU Policies and Procedures Manual, Acceptable Use, provides detailed guidance regarding the use of the university's information technology resources.

Risks
  • Unauthorized access to computers
  • Compromised personal or student information
  • Loss of critical data or creative works
  • Violation of software license agreements
  • Loss of educational discounts on software
  • Lawsuits and bad publicity
YES  NO
F-1  Is software installed in compliance with its license requirements?

Generally, software is licensed to the individual or organization that purchased it and is authorized to be used only on one computer. Software purchased by the university is authorized for installation only on university computers. These general statements do not apply to network software or site license agreements. It is important to read each software package's copyright statement as there are various types of licenses available. It may be helpful for the department to maintain and keep current a list of computer software purchased and record the computer on which the software is installed.
 

F-2  Are copies of important computer files made periodically and stored in a separate area or off-site location, or saved to a server maintained by Information Technology Services (formerly University Computing)?

You should periodically back up important files that are stored on your computer. This will allow easier recovery from a hard disk crash or a disaster that may destroy the computer. If data is being saved to a server maintained by Information Technology Services, the servers are backed up each evening. If data is typically saved to your computer’s hard disk, the data should be backed up to another storage medium. In the event of a localized disaster such as fire or smoke in the office, the back-up medium should be stored at another location so it is not destroyed with the computer that has the original files.
 

F-3  Are passwords used to gain initial access to the department’s computers?

A password creates a barrier against potential information theft or corruption. Without password protection, an unauthorized user can be navigating from the desktop in a matter of seconds and potentially viewing or destroying important files, either intentionally or accidentally. Passwords should be at least eight characters with a combination of letters, numbers and special characters and should be kept confidential and not written down.
 

F-4  Is antivirus software used for computers and local area networks?

It is a good practice to check all incoming sources for computer viruses. A virus may destroy data or the hard disk immediately, or it may lie dormant before causing damage, in which case the virus can contaminate back-up systems before it is discovered. The best protection is to check all incoming sources with up-to-date antivirus software.
 

F-5  Are obsolete and surplus computers disposed of in accordance with university policy?

WSU Policies and Procedures Manual Section 13.12, Disposal of Surplus Property, and Section 19.10, Retirement of Computing and Information Technology Resources, provide relevant guidance regarding the disposal of obsolete and surplus computer equipment. In particular:

  1. University property, regardless of cost, can be disposed of only after approval is obtained from the Office of Financial Operations and Business Technology, Property Control (Section 13.12, Item 3).
  2. All disposals of property must be documented on a Transfer of Property Form (Section 13.12, Item 4).
  3. No university computing and information technology resources may be forwarded to the Physical Plant Warehouse for salvage, sale or redistribution until and unless Information Technology Services or departmental technical personnel has determined that all data, information and/or software has been permanently deleted (Section 19.10, Item 1).
  4. All university computing and information technology resources forwarded to the Physical Plant Warehouse for salvage, sale or redistribution shall be accompanied by a written statement that all data, information and/or software has been permanently deleted (Section 19.10, Item 2).
F-6  Are precautions taken to safeguard confidential information stored electronically on portable devices such as laptops and flash drives?

Devices with electronic data can be lost, stolen or misplaced, which could result in unauthorized access to confidential information. Disclosure of student education records and confidential personal information could be particularly damaging to the university and our students. Possible precautions include:

  1. Avoid storing and/or transporting confidential information on portable devices to the extent possible.  
  2. Encrypt data stored on portable devices.
  3. Never leave portable devices unattended, even for a few minutes.
  4. Laptop computers left in a vehicle should not be visible. If possible, the laptop should be stored in a locked trunk.
  5. The loss or theft of portable devices containing confidential or sensitive information should be reported to the Chief Information Officer and the General Counsel as soon as the loss or theft is discovered (as well as the department chair and/or college dean and the University Police Department).

G - Student Education Records

Pursuant to federal law, we are responsible for ensuring the privacy of student education records and confidential personal information. Section 3.12 of the WSU Policies and Procedures Manual, Security and Confidentiality of Student Records and Files, clarifies our responsibilities in this regard. Employees are expected to maintain a clear understanding of the type of directory information that can be released without the student's consent.

Risks
  • Unauthorized access to student education records
  • Public disclosure of student education records
  • Violation of federal law
  • Violation of trust
  • Identity theft
  • Lawsuits
YES  NO 
G-1  Are department personnel familiar with the university's Security and Confidentiality of Student Records and Files Policy?

The security and confidentiality of all university records should be a matter of concern to WSU employees. Many employees (including student employees) are placed in a unique position of trust and obligation in regard to having access to student education records and files and the security and confidentiality of said records and files.
 

G-2  Does the department maintain student education records?

Student education records include, but are not limited to, academic evaluations, examinations, transcripts, test scores, scholarship applications, and general counseling and advising records. Students will have records in one or more of the following offices: Undergraduate Admissions, International Admissions, Graduate School, Registrar, Financial Operations, Financial Aid, Student Health Services, Career Services and the dean's office of each college. Some academic departments maintain records separate from the school or college.

If your answer to G-2 is no, skip the remaining questions in this section.
 

G-3  Are all requests for student education records that would be in the Registrar's Office file for the student, directed to the Registrar's Office?

Registrar's Office file information would include any information needed to verify enrollment, classes, grades, GPA, academic standing or graduation. WSU outsources most requests to the National Student Clearinghouse (NSC) which charges inquirers a fee; however, some people will sometimes go directly to a college or department office in order to avoid a fee. Only the Registrar's Office or the NSC should verify information maintained in Registrar's Office files (the Registrar's Office also charges a fee for these types of inquiries). Whenever a request for student education records is received, the first consideration should be whether the Registrar's Office has the information requested. In most all cases, it will.
 

G-4  Does the department have a designated person who has responsibility for student education records? 

One person (and a backup) in the department should be designated as the individual with primary responsibility for the maintenance and safeguarding of student education records. All inquiries related to the release of student education records should be directed to the department’s designated person, the Registrar’s Office or the General Counsel’s Office.

G-5  Have all department personnel with access to student education records completed the university's FERPA training?

Employees are expected to maintain a clear understanding of the type of education records that can be released without the student's consent, and the Registrar's Office provides an online tutorial to facilitate this understanding. All employees are expected to complete the online tutorial, and new employees must complete the tutorial within 30 days of beginning employment, as specified in Section 3.12.

To access the tutorial, after first logging in to myWSU, go to the Faculty/Staff tab. "FERPA Online Training" can be found among the items included in the Employee Toolbox.    
 

G-6  Are student education records maintained in a secure environment?

File cabinets should be locked whenever authorized personnel are away from the area. Student education records should not be left on tables, desks or other areas open to third parties. Student education records should be removed and/or secured before leaving an unsecured work area. Computer monitors should be positioned so that a student's electronic record cannot be viewed by unauthorized persons.