The collection security guidelines provide internal controls designed to safeguard cash, checks and other types of tender received by departments. Some controls may not apply to every area but safeguards need to correspond to associated risk. Managers should ensure that their area is in compliance with this policy. Each collection area manager should develop a specific collection procedure document for their location specifying controls that are established. A copy of the procedures should be filed with the campus Controller’s Office and updated as necessary. New collection sites should request receipting approval from the Budget Office prior to collecting funds. Assistance in developing procedures and evaluating controls is available through the Controller’s Office.
Any additional site specific procedures should be documented.
- Collection Safeguards
- Reconciliation of Collections
- Cash Bags
- Safe and Revenue Repository Controls
- Billing / Receipt Adjustments
- Information Security
- Annual Access Review
- General Items
The following are practices that should be considered to secure funds received by a collection site. Funds received could be in the form of cash, checks, money orders, credit card payments, etc. These controls address the act of collection and provide initial assurances of security; however, each area should review its unique operation and assign the items that fit its needs.
- All funds received by the campus are to be deposited to appropriate University financial system accounts established and approved by the campus Controller’s Office and bank accounts established by the University Treasurer’s Office. Under no circumstance should a University unit hold or open a bank account for the purpose of accepting and/or disbursing funds that relate to University functions.
- Checks received by revenue-producing areas must be made payable to the University of Massachusetts (Name of the Operation). Immediately upon receipt, all checks should be endorsed "For Deposit Only - University of Massachusetts". The detailed deposit instructions can be found at this link http://www.umass.edu/bursar/document/deposit-slip. The Bursar’s Office should be contacted to obtain directions on the use of restrictive endorsement stamps for deposits.
- Checks, credit cards, order forms, etc., often contain personally identifiable information (PII) that must be protected under Massachusetts General Laws, Chapter 93H. Bank and credit card account numbers, Social Security numbers, and other data must be properly safeguarded. Refer to https://www.umassp.edu/treasurer/cash-management/merchant-services/ecommerce-compliance-resources for more information.
- Unless specifically approved otherwise by the Controller’s Office, checks should be accepted only for the exact amount of purchase. When possible, proper identification (driver’s license, student ID) should be obtained and written on the check.
- Receipts totaling $500 or more need to be deposited to the Bursar’s Office within 24 hours. Receipts totaling less than $500 need to deposited to the Bursar’s Office within 72 hours. Weekend receipts should be deposited on the first business day following the weekend. Any area that makes deposits less frequently than prescribed must obtain written approval from the Controller. Note; Cash Bags section Item #1. Below, “checks can be sent through campus mail”.
- Unattended cash/checks/money orders must be kept in a safe or secured locked area, and access to collection areas should be restricted. Funds should never be left unattended anywhere without being secured.
- There should be appropriate segregation of duties in the collection, deposit and reconciliation. Where possible, these functions should be completed by different people. At a minimum receipts should be verified by someone other than the person who collected the receipts.
- Operations that need revolving change funds should request the funds through the Controller’s Office for making change. Change funds should be drawn from and posted to the University’s financial system account as an advance. Change funds should not be obtained by using operational receipts. The amount of the change fund should be the amount necessary for operations and should be adjusted for cyclical conditions.
- Where possible, access to collection areas should be restricted. Keys and combinations to location should be safeguarded. Access should be documented and changed as necessary.
- Cash disbursements for materials, supplies, or personal services from the cash receipts or from change funds are prohibited. All expenditures must be made from approved accounts, following campus procurement policies.
- Payroll checks, personal checks, or checks made payable to the University or any unit of the University may not be traded for cash from collections or change funds.
Any time funds are being transferred internally or externally an acknowledgement/receipt should be produced. Unless the receipts are in a sealed bag, the funds should be counted in the presence of each person. In the case of a sealed bag, the acknowledgement should note that it was in a sealed bag at the time of transfer. The acknowledgement should indicate the amount transferred, date, and signature of both parties involved. This process is necessary to assign responsibility for funds being deposited or transferred.
Returned Checks: Checks returned for non-sufficient funds (NSF) should be posted to the financial system. Areas should attempt to recoup funds as soon as possible, requesting that replacement funds for NSF checks be in the form of cash, certified check, or money order.
The following processes are designed to verify that receipts are being handled properly by all areas of the collection process. These practices ensure funds under the control of the operation are being correctly received, deposited, recorded, and reconciled. The items stated provide a minimal level of monitoring to safeguard operation collections.
- Centralized deposit locations should verify with the intended collection area the appropriateness of the receipt. All checks should be endorsed 'For Deposit Only- University of Massachusetts' even when it is necessary to transfer the receipt to another department/area.
- All receipts should be recorded on a control document (receipt form, cash register, tickets register, meter, etc.) at the time of the transaction. Control documents should be reconciled to the amount to be deposited. Deposits should be reconciled to the ledger.
- Ideally, no more than one person should work from the same cash drawer. Minimally, each person collecting funds should have their own lockable cash drawers or method to establish accountability. Each drawer should be separately reconciled to the receipts recorded for that drawer.
- A record of cash overages and shortages should be maintained and regularly reviewed by a manager. Variances should be investigated by the manager and, if necessary, corrective action taken. Overages should not be held to apply against future shortages or for other purposes.
- The campus is responsible under State Internal Control legislation (Chapter 647) to report to the State Auditor’s Office any cash and/or property shortages, thefts, losses or variances. A loss occurs when funds were received but lost before being deposited or if funds in the control of the area are misplaced or misused. Each collection area is required to submit a monthly report to the campus Controller specifying any instances of such activity or to report there were no such occurrences. Reminders of the reporting requirement are issued via email by the Controller’s Office and replies to the email reminders may be used to report on the month’s activities.
- Any loss totaling more than $50 should be immediately reported in writing to the Controller explaining the situation and any actions taken to correct the situation. A monthly report of all instances is prepared by the Controller and forwarded to appropriate offices. Additional audit or review of the operation may result from such occurrences.
- Collection and change fund reconciliations should be done at least at the beginning and end of each shift, preferably not in view of the public.
- Manual journal entries to record cash or deposit corrections should be made in a timely manner.
- The collection site manager should conduct or review and keep records regarding collections and subsequent reporting and handling should be maintained for three years.
Cash bags are used by areas that have high levels of collections to deliver deposits to the Bursar’s Office teller window or drop box. Cash bags will be opened by the Bursar’s Office the next business day. Sealable single use deposit bags are an acceptable alternative to using lockable permanent bags.
- Whenever cash is transported from one building location to another, it should be in a locked bag and the bag should be concealed. Bag transfers must be properly noted in a logbook. When a deposit bag is released to another individual the following should be recorded in a log: bag number, date, time of pick up, and signatures of personnel releasing and accepting the bag. Checks can be sent through campus mail. However, cash can never be sent through campus mail. When sending checks through campus mail, departments should use a manila envelope rather than standard size envelopes.
- Bags are numbered and assigned to specific areas. Keys should be assigned by the collection site to specific individuals. If a bag becomes damaged, it should be returned to the Bursar’s Office for replacement.
- Each bag should contain the collections and a summary of the collections signed by the individual(s) responsible for the deposit. A confirmation of the deposit will be returned to the collection site. The confirmation should be matched to the site’s records of the deposit.
The following are guidelines that collection area managers should establish for any safes under their supervision. Receipts should be locked in a safe at all times except when being processed or transferred for deposit.
It is important that combinations or keys providing access to the safes or other secured locked areas be tightly controlled.
- The area collection manager must maintain the following information for each safe under his/her control: internal control number, location, custodian, date of last safe combination change, and listing of persons having access to the combination. The knowledge of safe combinations and number of keys should be limited to the least number of people possible.
- All safes must be kept locked except when cash is being taken out or being put into the safe.
- The custodian of the safe must have signatures of the persons who receive safe combinations or assigned keys.
- Each area is required to have procedures in place for accessing locked locations and periodically making combination changes for safes.
- All safe combinations and locks should be changed periodically. Safe combinations or locks should be changed whenever a person who had access to where funds are held leaves University employment or is transferred to another area.
At times, it is necessary to adjust an outstanding bill. Adjustments could be made to increase or decrease dollar amount, change customer information, or cancel a bill partially or completely. Adjustments should not be made to address collection issues or offset University payables. Once a bill is generated, it should only be changed through a formal adjustment process and documented properly. Where possible, personnel with collection responsibilities should be restricted from performing any billing adjustments or voiding receipts. In all cases, the reason for any adjustment should be documented and approved by the collection area manager.
All personally identifiable information (PII) should be kept securely in locked areas to prevent unauthorized access to information by persons internal or external to the University. PII can come in many forms including name, address, SS#, DOB, and bank/credit account information. Processed credit card receipts should not display customer information with entire account numbers. In such cases, information should be manually concealed until the process is deemed compliant with guidelines. Deposited checks should be shredded after 14 days. All personal information should be filed securely until destroyed and not kept longer than necessary.
Each year the Controller’s Office will conduct a review of software applications (applications not supported by A&F Systems) involved in revenue collection to ensure that user access is appropriate and current for each center. This review is part of the University's larger effort to comply with industry standards for system information security.
Unit administrators responsible for reviewing security access are contacted via email to query their software applications for access and review. Reviews should ensure access roles are appropriate to the user. Evidence that reviews have been completed should be maintained for three years.
- Unannounced reviews of a collection area's operation may be done at the discretion of University and/or campus adminstration.
- Inappropriated administration of University assets could result in disciplinary action by the campus against all individuals involved in the action. If an obvious theft has occurred, the University Police should be contacted immediately. Persons who suspect a misappropriation or other financial irregularity may have occurred should contact the campus Controller’s Office. For more information, see the Fraud Policy.