Internal Audit Department University of Virginia
Mailing Address:
P.O. Box 400190
Charlottesville, VA
Physical Address:
1001 N. Emmet St.
Carruthers Hall, 2nd Floor
Charlottesville, VA 22904

Top 10 things that you can do to keep you and your employees out of trouble:

10. Passwords

Employees should make sure to set passwords which aren’t easy to guess and are changed regularly. For example, ITS recommends that passwords be at least 6 characters long, not be a word that’s in a dictionary or a proper name, are a mixture of lowercase, uppercase, digits and punctuations, and not have more than 2 characters repeated in a row. Of particular importance is to make sure you don’t post these passwords, and especially don’t share them with anyone, including your boss.

9. Long distance calls

Make sure any long distance phone calls relate only to University business. Even if an employee makes a personal call and reimburses it, this causes a lot of extra work for the University in the fact that we have to collect the money, work up the deposit, make the deposit, record it in the Integrated System, and make sure everything reconciled. Those three 20 minute phone calls that were just made and reimbursed to the University at a cost of $3 ended up costing us quite a bit more to process. Not only is using the University’s phone system for personal calls against policy, it could put the University’s tax exempt status for long distance calls in jeopardy by using it for personal reasons.

8. Proper Use of University Assets

  1. Side businesses – If you or one of your employees have a business on the side that you make money at, don’t use University resources, including time, phone, mail, computer, or e-mail to conduct this business. You can use your personal mobile phone, but you are limited to conducting this business during your own time and not on state time.
  3. Pornography and Other Uses of the Computer – All employees should be advised to not even think about looking at it or downloading it on a University computer. If an employee is caught, we will do our best to see that the employee is terminated. If it is child pornography, being terminated will be the least of the employee’s worries since it just became a criminal case. Employees should also be sure that they don’t use University computers and systems to illegally download music and video files.

7. Segregation of duties

Don’t have one person handle all aspects of a transaction – recording, accounting, and reconciling. Have at least two, with a preference for three, people involved in transaction processing.

6. Safeguarding of Assets

Make sure assets – including data! – that are stored in your area are properly safeguarded. Cash should be properly secured at all times in a locked location accessible by as few people as possible. Paper records containing student, employee, or patient-related information should be properly secured and shouldn’t be left in an open area unattended. Make sure documents containing such information are properly disposed of by shredding it. Of course, may sure that you do this in accordance with record retention policies. Logical data should be properly stored and safeguarded through use of firewalls and properly backed up servers. This data should not be downloaded to a personal computer, but especially never a laptop. (Refer to recent incident at the Veterans Administration.)

5. Review of Reconciliations and Expenditures

If you have responsibilities related to the monthly project reconciliations, make sure you meet the deadlines, include the proper support, and obtain the necessary reviews and signatures. Your oversight responsibility isn’t limited to just the monthly project review, but even goes a step deeper to encompass your review of timesheets, travel vouchers, petty cash expenditures, and P-Card expenditures. Make sure you pay attention to what you are signing.

4. Know the policies of the University

If you aren’t sure of the answer then call the policy owner and ask for an interpretation, or even call the Audit Department. “We’re here to help you!”

3. Document, document, document

If you are having problems with an employee, make sure you keep good records. If someone is switching their time around with your permission, keep a record or document it in an e-mail. If something is a little unusual or different about a transaction, add a note to it if it will explain it better. If someone questions things several years down the road and a note is available to help explain the circumstance, your life will be much easier.

2. Pay attention to what your employees are doing

MBWA without hovering (ex: timesheets at ABC where the supervisor was having the employees record the exact time they were coming in each morning, leaving and coming back from lunch, and leaving for the day. However, the supervisor never left her office to observe her employees and see if the times being recorded were accurate. One of the best internal controls you can have is your observation of the activities going on around you.

1. Tone at the top

Your behavior sends a message to your employees. One of your best management tools is to set a good example. If the boss or supervisor doesn’t care or doesn’t do the right things, then the employees won’t care or do the right things.

Additional Considerations

We would like for you to use the Audit Department as a resource if you have questions or if you have noticed something that just doesn’t look right to you. We can help you look at your processes and make suggestions that will help you not only improve your controls but also assist in making your processes more efficient and effective.

There are a few things that we would like to draw your attention if you suspect wrongdoing either in your area or elsewhere at the University:


  1. University policy – alert your manager and then either you or your manager alert the Audit Department.
  3. If you want to remain anonymous, please call the Audit Department on our non-traceable number 924-4110. If you do not want to call the Audit Department, then call the State’s Fraud, Waste, and Abuse Hotline at 1-800-723-1615.
  5. Be prepared to support your suspicions. Ex: If you think an employee is coming in late and leaving early, be prepared to give us dates and times. Be specific. Try to identify other people who could corroborate the information you provide to Audit.