UNIVERSITY OF MISSISSIPPI MEDICAL CENTER. Internal Control Plan

Transcription

1 UNIVERSITY OF MISSISSIPPI MEDICAL CENTER Internal Control Plan December 2012

2 TABLE OF CONTENTS Introduction 3 Control Environment 4 Mission Governance Organizational Structure Strategic Planning Process Compliance Program Personnel Internal Audit Internal Control Officer Financial Statements Vice Chancellor s Statement of Support for Internal Controls Risk Assessment 9 Control Activities 10 Information and Communication 11 Monitoring 13 Appendix 14 2

3 Introduction This is the internal control plan for the University of Mississippi Medical Center (UMMC). This plan is prepared in accordance with the requirements of the State of Mississippi Department of Finance and Administration, Office of Fiscal Management (DFA-OFM). The purpose of this plan is to provide assurance that assets are safeguarded, that applicable statutes, rules and regulations are being followed and that objectives of management are being met. This plan is formatted in accordance with guidelines recommended by the DFA-OFM and therefore is divided into the following five sections: Control environment: This section describes the overall attitude, awareness and actions of management regarding the internal control system and its importance to the institution. This section describes the institution s mission, governance and organizational structure, strategic planning process, compliance program, personnel policies and auditing function. Also included in this section is the Vice Chancellor s statement of support for internal controls. Risk Assessment: This section lists the revenue and expenditure transaction cycles pertinent to the institution s fiscal operations and the approach to assessing risks in these areas. This section also references the most recent risk assessment performed. Control Activities: This section documents the control activities of significant revenue and expenditure transaction cycles. Internal control questionnaires used to document these control activities are also referenced in this section. Information and communication: This section describes the various information and communication activities used to identify, capture and communicate relevant financial and non-financial information in a form and timeframe that enables employees to carry out their responsibilities. Monitoring: This section describes the process for monitoring the functioning of the internal control system, including the procedures for responding to audit findings and recommendations. 3

4 Control Environment The University of Mississippi Medical Center (UMMC) is the health sciences campus of The University of Mississippi. UMMC was created by law in 1950 by the Mississippi Legislature, and opened on July 1, UMMC functions as a separately funded, semi-autonomous unit responsible to the Chancellor of the University of Mississippi and through him, to the Board of Trustees of State Institutions of Higher Learning (IHL Board). The IHL Board governs all state universities in Mississippi. The chief executive officer of UMMC is the Vice Chancellor for Health Affairs. Following is a description of UMMC s internal control environment, including a description of the institution s mission, governance structure, organizational structure, strategic planning process, compliance program, personnel policies and internal audit function. A statement of support of internal controls by the Vice Chancellor for Health Affairs is also included. Mission UMMC s comprehensive mission statement can be found on page two of the UMMC Five-Year Strategic Plan located at: This comprehensive mission statement includes UMMC s vision, mission, operating principles and statement of purpose. Governance Structure The IHL Board maintains legal authority and operating control over UMMC as the academic health sciences campus of the University of Mississippi, as granted by the Mississippi State Constitution of 1890 and the Mississippi Code of 1972, The IHL Board delegates management and control of UMMC to the Institutional Executive Officer (IEO) in accordance with IHL Board Policies and Bylaws section The IEO for UMMC is the Vice Chancellor for Health Affairs. The Vice Chancellor is charged with implementing IHL Board policies and the administration and operation of UMMC and for keeping its expenditures strictly in compliance with the budgetary authorizations of the IHL Board and within the limitations provided therein. 4

5 Organizational Structure UMMC is required by the IHL Board to maintain an organizational chart identifying academic positions down to the department head level, and non-academic positions down to two levels below the Vice Chancellor for Health Affairs. A copy of this organizational chart can be found on the Internal Control Office website: Strategic Planning Process Each year UMMC publishes a Five-Year Strategic Plan that includes its vision, mission, operating principles and statement of purpose. The Plan also includes UMMC s goals, significant external factors that may affect performance and internal management systems utilized to evaluate performance. A copy of the Five Year Strategic Plan can be found on the UMMC website at: Compliance Program UMMC has implemented a compliance program to develop effective internal controls that promote adherence to applicable federal and state laws; program requirements of federal, state, and private health plans; and institutional ethical business policies. The implementation of the compliance program significantly advances the prevention of fraud, waste and mismanagement while furthering UMMC s mission of providing education, research and patient services. The compliance program applies to the entire UMMC work-force, including all UMMC employees, physicians, students, sub-contractors and volunteers. A copy of the UMMC Compliance Plan can be found at: Overall responsibility for implementing and managing the compliance program is delegated by the Vice Chancellor for Health Affairs to the UMMC Compliance Committee. The Compliance Committee includes representatives from all areas of UMMC. The Compliance Committee has delegated limited authority to several sub-committees to carry out compliance activities and has delegated the day-to-day operations to the Office of Integrity and Compliance. Following is a list of the compliance sub-committees covering each of the areas of compliance: Hospital Compliance responsible for overseeing compliance efforts and monitoring the billing processes of the University Hospitals and Clinics. Physician Practice Plan Compliance responsible for physician based compliance activities. This includes internal coding and billing audits of Medicare compliance for all physician based departments. Research Compliance responsible for monitoring research activities to ensure compliance with federal, state and institutional regulations. This includes audits of IRB record keeping, research billing and documentation of investigational drug administration. 5

6 Nursing, HRP, Dental Schools and Graduate Studies Practice Plan Compliance responsible for monitoring and auditing the documentation, coding and billing activities of the Nursing, Dental, Health Related Professions and Graduate schools. Health Insurance Portability and Accountability Act Compliance responsible for conducing audits to ensure information remains confidential. Clinical Documentation Compliance responsible for reviewing, analyzing and seeking clarification of physician medical record documentation to ensure accuracy in coding, decrease risk of fraud and optimize third party reimbursement. Holmes County Compliance extension of the Hospital compliance subcommittee responsible for audits performed to ensure that the Lexington Hospital abides by federal and state regulations and all third party payer requirements. University Rehabilitation Compliance - responsible for auditing clinical documentation on a retrospective bases to ensure medical necessity of inpatient rehabilitation admissions. Also responsible for developing and maintaining accurate measures to evaluate appropriateness of admission and initiate improvement efforts when opportunities are identified. University Services Compliance responsible for the monitoring of Human Resources, Internal Audit, Campus Police, Physical Facilities, Information Services, Property Control, Purchasing, Receiving and Postal Services, and Academic Information Services. The Office of Integrity and Compliance consists of 20 staff members who carry out the day to day compliance activities for the oversight compliance sub-committees above. All new employees are required to receive compliance education and training before they begin their work at UMMC as a part of new employee orientation. A part of this compliance education and training is to introduce the compliance program. In addition, all employees are required to complete annual web-based compliance training offered in October and November of each year. Failure to complete this training by November 30 th results in disciplinary action. Annual compliance training requires employees to review presentations on the following topics and pass a test of knowledge on these topics as a condition of employment: Compliance Code of Conduct HIPPA Information Security Harassment Conflicts of Interest Declaring Conflicts of Interest Annual compliance training also requires each individual to report any conflicts of interest. Personnel 6

7 UMMC maintains a sound internal control environment by hiring qualified, competent individuals; ensuring these individuals are properly trained; ensuring employees know their responsibilities; and providing employees with the authority to perform the tasks they are assigned. UMMC maintains a Faculty and Staff Handbook which can be found on the UMMC website at: This handbook, along with other important policies and standards of conduct are communicated to all new employees during new employee orientation. Hiring of employees It s the policy of UMMC to maintain a safe, healthy, and secure environment for its students, faculty, staff and patients. UMMC attempts to employ only those applicants who are materially free of faulty personal history and behavior through the utilization of background investigations. Accordingly, background investigations are conducted on each prospective employee to include previous employment, education, licensing and certifications, criminal, credit, and personal references. In addition, faculty and residents must successfully complete a drug screen. Employee Performance evaluations Employees are evaluated after the first 90 days of employment and again each year thereafter. Employee Training One of the purposes of employee evaluations is to identify areas where additional training is needed. UMMC allows paid leave for its employees to attend training, conferences, seminars and any other professional development activities deemed necessary to perform their work proficiently. Many departments have in-service training programs to help their employees qualify for better jobs. Internal Audit The Office of Internal Audit reports directly to the IHL Board. The mission statement, statement of objectives, services provided, and policies and procedures of the Office of Internal Audit can be found on the UMMC website at: A listing of internal audit staff and their qualifications are also listed on the webpage. Following is the mission/statement of objectives: The Internal Audit department shall provide objective and professional evaluations of the University of Mississippi Medical Center activities to assist administration in determining that university policies and procedures are followed in accordance with stated objectives as well as determining that UMMC is in compliance with public laws and regulations. The Internal Audit department will assist administration in improving operating efficiency and strengthening internal controls. The department shall evaluate and appraise the organization's system of internal controls to ensure that all information is properly, promptly and accurately processed and that university 7

8 assets are properly safeguarded. The scope of activities shall include reviews of accounting, administrative and operational controls. The internal audit activity shall contribute to the institution's governance process by evaluating the processes through which values and goals are established, the accomplishment of goals is monitored, accountability is ensured, and values are preserved. The Internal Audit department will perform special studies as requested by administration. The department will supplement the work of the State Department of Audit and other external auditors and coordinate efforts with those groups. In carrying out this mission, the Internal Audit department will be given access to all records, personnel, and physical properties relevant to the performance of audits. Any instances in which records, personnel, or physical properties relevant to an audit are not made available will be reported to the Vice Chancellor. In order to fulfill its responsibilities, the Internal Audit department should be independent; therefore, the department will report to the Vice Chancellor. Because objectivity is essential to the audit function, the Internal Audit department's responsibilities are staff and advisory. The department has no authority or responsibility over the activities they audit; these remain with line management. The department will report deficiencies noted during their reviews and follow up with appropriate personnel to ensure that necessary corrective actions are taken. These communications will be to those individuals who can ensure that the results are given due consideration. The Director of Internal Audit will report to the Vice Chancellor any matters of significance that require that level of attention. Internal audits will be performed in accordance with UMMC policies, Standards for the Professional Practice of Internal Auditing as issued by the Institute of Internal Auditors, and sound business practices. Internal Control Officer UMMC has appointed an Internal Control Officer responsible for coordinating UMMC s effort of evaluating internal controls through use of risk assessments. Other functions include reviewing State and independent audit findings and recommendations of internal controls and supporting UMMC departments in the improvement of internal control activities. The Internal Control Officer is not a member of the Office of Internal Audit. The Internal Audit Department is responsible for examining the adequacy and effectiveness of UMMC s internal controls and make recommendations where control improvements are needed. Financial Statements Each year, an independent audit is conducted on the financial statements of the aggregate component units of the State of Mississippi Institutions of Higher Learning System. UMMC is one of those component units. This audit is conducted in accordance with auditing standards generally 8

9 accepted in the United States, and the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States. The IHL Audited Financial Statements includes: Management s Discussion and Analysis (management letter); statement of net assets; statement of revenues, expenses and changes in net assets; and statement of cash flows. Vice Chancellor s Statement of Support for Internal Controls The Vice Chancellor s statement of support for internal controls can be found in Appendix A of this internal control plan. Risk Assessment In accordance with DFA guidance, UMMC performs and annual risk assessment of fiscal transactions cycles pertinent to its operations to determine those areas with the highest risk or most vulnerable to fraud, waste and mismanagement. Following are the transaction cycles that have been identified: Revenue cycles o Tuition and fees o Patient revenue o Auxiliary operations o Sales and services of educational activities o Grants and contracts o Gifts o Investment income Expenditure cycles o Payroll o Purchasing and disbursements o Financial-aid Cost Allocations Human resources Property control Cash and investments management Budget management Debt management Financial reporting Risk ranking factors are applied to each transaction cycle to identify those with the greatest risk. Following are the risk ranking factors prescribed by DFA and the weighting applied to each in assessing risk for each transaction cycle: Materiality (40%) Magnitude of dollars relative to the institution as a whole associated with that type of transaction Impact of Ineffective Operations (20%) Impact of poor quality, untimely service, inaccurate data or other adverse activity 9

10 Sources of Input (10%) the number of different sources inputting data into the area s information system Degree of Automation (10%) the degree to which the area relies on automated processing of information and changes in automated systems. Known problems (10%) Known internal internal control weaknesses such as separation of duties or adverse prior audit findings. Results of Prior Audits (10%) deficiencies and internal control comments included in prior financial and compliance audits. For each transaction cycle a rating from 1 to 5 is assigned to each of the above risk factors where 1 is essentially no risk, 2 is little risk, 3 is average risk, 4 is high risk and 5 is maximum risk. The ratings assigned are then weighted by the percentages shown above to determine an overall measurement of risk for each transaction cycle. A rating of low, average or high risk is assigned to the transaction cycle. These risk assessments are updated on an annual basis. In addition, internal control questionnaires were developed from those provided by the DFA-OFM to further assess areas of greater risk. The results of the initial risk assessment and internal control questionnaires can be found in Appendix B and C of this plan. Control Activities Control activities are policies or procedures implemented to mitigate risk. In accordance with DFA guidance, we focused on significant fiscal processes for assessing control activities. Accordingly, the following transaction cycles were identified and determined to be the most significant and have the highest level of risk for fraud, waste and mismanagement based on the results of the risk assessment performed: Student tuition and fees Patient revenue Grants and contracts Payroll Purchasing and Disbursements Property Control Financial aid Control activities are classified into one of the following eight categories: 10

11 Authorization provide reasonable assurance that all transactions are within the limits set by policy or that exceptions to policy have been granted by the appropriate officials. Review and approval encompass a variety of computer and manual controls that provide reasonable assurance that all accounting information has been correctly captured Reconciliation provide reasonable assurance of the accuracy of financial records through periodic comparison of source documents to data recorded in the accounting system. Physical security over assets provide reasonable assurance that assets are safeguarded and protected from loss or damage due to accident, natural disaster, negligence, or intentional acts of fraud, theft, or abuse. Segregation of duties reduce risk of error and fraud by requiring that more than one person completes a particular fiscal process Education, training and coaching reduce the risk of error and inefficiency in operations by ensuring that personnel have the proper education and training to perform duties effectively. Performance planning and evaluation establish key performance indicators for the agency that may be used to identify unexpected results or unusual trends in data, which could indicate situations that require further investigation and/or corrective action. This includes reviews of actual performance versus budget, forecasts, and prior periods. Control activities are is linked to one of the following five control objectives: Strategic provide reasonable assurance that program goals and objectives are met Operational make the most effective and efficient use of fiscal resources and other assets Reporting provide reasonable assurance of the integrity and reliability of financial reporting Compliance enhance compliance with applicable laws and regulations Stewardship safeguard assets or reduce fraud, waste, and abuse in the use of assets Control activities are documented in Appendix D of this plan. This format for documenting control activities is an adjunct to such documentation as may exist in policies and procedure manuals and other guides. Given the number of transaction cycles, documenting internal control activities in this format for all areas of the institution will be a significant undertaking for the institution and will be accomplished by the internal control office during the course of their normal schedule and will be undertaken with a view toward the overall risks associated with each cycle as identified in the Risk Assessment section of the plan. Future internal control plans will include assessments and control activities of newly documented cycles and updates to previously documented cycles. Information and Communication 11

12 Information and communication is the identification, capture, exchange of information in a form and time frame that enable people to carry out their responsibilities, and are essential to effecting control. Information systems produce reports containing operational, financial, and compliance-related information that management utilized to manage and control the organization. Formal information and communication systems include sophisticated computer technology to staff meetings to provide input and feedback data relative to operations, financial reporting, and compliance objectives. Informal information and communication systems include conversations with customers, suppliers, regulators and employees that provide critical information needed to identify risks and opportunities. Following is a list of information and communication activities employed by UMMC: Information system applications to process transactions for all transaction cycles. See Appendix E for a list of these information system applications. Adequate source documentation to support amounts and items reported Recordkeeping system is established to ensure that accounting records and documentation retained for the time period required by applicable requirements; such as provisions of laws, regulations, contracts or grant agreements applicable to specific programs. Reports provided timely to managers for review and appropriate action. Reconciliations and reviews that ensure accuracy of reports Established internal and external communication channels including but not limited to: o Cabinet meetings o Staff meetings o Compliance meetings o Monthly, quarterly and annual external reporting (e.g., IHL and State Auditor) Employees duties and responsibilities communicated Channels of communication for people to report suspected improprieties established, such as the compliance hot line. This internal control plan is communicated and can be found on the UMMC Internal Control Office website: Financial administration policies and procedures which address internal control issues include the following and can be found on the UMMC Comptroller s website Budget Travel Accounts Payable Financial reporting Grants and contracts Student accounting and cashier operations Financial aid processing Payroll processing booklet Property Control 12

13 Red flags rule Tax reporting Monitoring Monitoring is the process that assesses the quality of internal control performance overtime. Management s role in monitoring the internal control system is critical to its effectiveness. Following are monitoring activities that take place at UMMC: Management review of internal and external reports Audit testing performed by the Office of Internal Audit and the Office of Integrity and Compliance for compliance with Federal, State and IHL System requirements. Management reviews of internal and external audit results and corrective action plans. Follow up on audit findings to determine cause and corrective action necessary Annual risk assessments performed by the internal control officer Management focuses their monitoring activities on high-risk areas. Internal control systems are monitored during the course of internal audits, are routinely subject to assessment by external audit entities, and also in connection with audits performed by institution internal auditors including, but not limited to, the periodic review of transactions or basic sampling techniques to provide a reasonable level of confidence that controls are functioning. In addition, once every year, UMMC s Executive Officer (Vice Chancellor for Health Affairs) and the Chief Financial Officer certify to the Department of Finance and Administration that the institution s internal controls have been evaluated and any material weaknesses have been corrected. Plans to correct weaknesses will also be communicated. 13

14

15 APPENDI B Risk Assessment (Updated December 2012) Risk Ranking Factors and Weighting Impact of Ineffective Sources of Degree of Known Prior Materiality Operations Input Automation Problems Audits Overall Transaction Cycles 40% 20% 10% 10% 10% 10% Risk Revenue Cycles: Student Accounting Average Patient Revenue Average Auxiliary operations Low Sales of educational activities Low Grants and Contracts Average Gifts Low Investment Income Low Disbursement Cycles: Payroll Average Accounts Payable Average Construction payments Low Financial Aid Average Cost Allocations: Service Area allocation Low Indirect cost rates Low Purchasing/Supply Chain Average Property Control High Cash/Investment Management Low Budget Management Low Debt Management Low Financial Reporting Low Low Average High

16 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively 1 - Integrity and Ethical Values 1.1 The Code of Conduct and other policies regarding acceptable business practice, conflicts of interest, and standards of ethical behavior are comprehensive and relevant and address matters of significance. 1.2 Employees understand acceptable and unacceptable behavior as defined by the institution's code of conduct and know what to do when they encounter improper behavior 1.3 Management frequently and clearly communicates the importance of integrity and ethical behavior. 1.4 Management demonstrates a commitment to integrity and ethical behavior by example. 1.5 Employees are generally inclined to do the "right thing" when faced with pressures to cut corners with regard to policies and procedures. 1.6 Management addresses and resolves violations of behavioral and ethical standards consistently, timely and equitably in accordance with the institution's code of conduct. 1.7 Consequences of violating the code of conduct is an effective deterrent to unethical behavior 1.8 Management prohibits exceptions to policies and procedures, except where specific guidance has been provided. 1.9 Performance targets are reasonable and realistic and do not create undue pressure to achieve short-term results. 1.1 Ethics are included in criteria used to evaluate individual performance Institution has adequate fidelity/surety bond coverage for key administrative and accounting personnel UMMC identifies related employees and asserts that no conflict of interest exists. Related employees have job assignment that minimize opportunities for collusion UMMC has a process to identify and prevent significant related-party transactions 2 - Management's Philosophy 2.1 Institution has a written mission, philosophy or code of conduct, or at a minimum, the Vice Chancellor provides a statement that confirms his or her support of internal controls. 2.2 The mission statement clarifies functional goals or objectives and provides insight into management's beliefs, attitudes and operating style. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Section 1 - Control Environment Additional Comments UMMC Code of Conduct, Conflict of Interest policy and compliance plan clearly outline what is considered to be ethical behavior and acceptable and unacceptable business practices. UMMC employees are required to complete annual compliance training on-line annually. This includes testing of knowledge on ethics and proper behavior. UMMC provides an environment in which ethical behavior is expected. Expectations for ethical behavior and what is considered ethical behavior is covered in the institution's compliance plan (code of conduct). These are required to be read by all employees upon initial orientation, and continuously on an annual basis. Employees are tested on their knowledge of these principles. Due to the agency's commitment to the Code of Ethics, employee's are generally inclined to do the "right thing". When violations occur, they are referred to the Office of Integrity and Compliance for resolution so that they can be handled in a consistently, timely, and equitable manner. UMMC's workforce is informed that failure to comply with the requirements of the compliance program, which includes the code of conduct (ethics) may result in disciplinary action up to and including termination. This along with UMMC's commitment to its code of conduct is an effective deterrent to unethical behavior. Management seeks enforcement of policies and procedures. Violations are addressed immediately. UMMC addresses current performance objectives in its Five-Year Strategic Plan, which is updated annually. The plan lists performance effectiveness objectives for each major division of the institution (schools and hospital). These are agreed upon between executive administration and the divisions, thus representing reasonable and realistic goals for achievement as perceived by both parties. Ethical behavior is a critical component of an individual, department or division's successful performance. The Principals of UMMC's Code of Conduct are taught to every employee and re-introduced to them through annual compliance training. While "Is the employee ethical?" is not included as a criteria included in the employee annual evaluations, it is understood, it serves as a foundation upon which each of the criteria are measured. Agency is an agency of the State of Mississippi which is afforded protection under the Tort Claims Act. Agency's conflict of interest policy not only covers the employee but also extends to family members. All employees must self certify annually that no conflict of interest exists. Employees are required to report any business relationships with vendors, contractors and other third parties UMMC does business with. Every employee completes a statement to this effect annually during mandatory compliance training and testing. UMMC's mission statement and statement of purpose is included in its Five-Year Strategic Plan. UMMC's Code of Conduct is included in the UMMC Compliance Plan. In addition, UMMC's Executive Officer (Vice Chancellor for Health Affairs) has written a memorandum expressing his support of the importance of internal controls, which is a part of our Internal Control Plan UMMC's Five-Year Strategic Plan, published in August of 2012, includes goals and performance objectives for each of its divisions.

17 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively 2.3 Executive management has provided staff with an understanding and awareness of the benefits of effective internal controls. 2.4 The mission statement mentions safeguarding State's assets and ensuring the proper use of State resources. 2.5 The institution maintains a written personnel policies or standard operating procedures in addition to those published by State Personnel Board (PSB). 3 - Organizational Structure 3.1 The institution's organizational structure is appropriate to carry out its mission and manage its activities 3.2 Management treats each division as an integral part of the institution's overall operations 3.3 The current organizational structure facilitates the flow of information both up and down divisions and across divisions and functions. 3.4 Reporting relationships provide managers with the information appropriate to their responsibility and authority 3.5 Managers have ready access to senior management in addressing significant issues. 3.6 The organizational structure in each division provides adequate supervisory and management oversight 3.7 Management periodically evaluates the organizational structure in light of changes in the scope, nature or extent of operations 3.8 The agency has the appropriate number of people and resources allocated to key functions and activities. 3.9 Employees do not work excessive overtime and do not fulfill the responsibility of more than one employee The assignment of authority and responsibility within the institution is expressed in the form of an organizational chart The university internal auditor reports directly to the board or commission. 4 - Management's Commitment to Professional & Technical Competence 4.1 Job descriptions (and other documents that define key position duties and responsibilities) are current, accurate and understandable. 4.2 There is a mechanism in place to keep the job descriptions current, accurate and understandable. 4.3 Job knowledge/skill requirements realistically match the organization and position's needs. 4.4 Management has the specialized knowledge, experience, and training required to perform their duties and does not rely extensively on technical specialists or outside consultants. 4.5 Employees are properly trained and are capable of performing jobs within each division. 4.6 Employees are committed to excellence in performing their jobs. 4.7 Individual performance targets focus on both the long and short-term and address a broad spectrum of criteria (e.g., quality, productivity, leadership, teamwork and self- 5 - Assignment of Authority and Responsibility 5.1 Management designates who is responsible for committing to financial or contractual obligations through a formal delegation of authority. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Additional Comments The need for internal controls over institutional (State) assets is addressed throughout the institution's compliance plan, code of conduct, mission and philosophy. These are communicated during orientation and annually in compliance training and testing. The mission statement does not mention safeguarding state resources, but the Vice Chancellor's affirmation of internal controls includes statements accordingly Institutional policies and procedures are maintained on the institutions policy directory at: [email protected] The IHL Board requires UMMC to keep current organizational charts on file with the Board Office. These identify management down to department level. The criticality and purpose of each division is expressed in the UMMC Five-Year Strategic Plan. All departments and programs report up to their division leadership and ultimately to the Vice Chancellor. Evaluating of organizational structure and its effectiveness is an ongoing process from top management down through the department This is determined at the department level, and any inadequate resources are addressed annually by department/division heads. Employees are not required to work overtime. Departmental managers must approve and excessive overtime is monitored UMMC maintains an organizational charge that defines the levels of authority and responsibility down to department heads, as required by the IHL Board. UMMC also maintains a current organizational chart on each of its division (e.g., school and Hospital) The UMMC Internal Auditor reports directly to the IHL Board of Trustees' Office of Internal Audit. Supervisors are responsible for reviewing job descriptions for each of their positions to make sure they are current, accurate and understood by the employee. This is done for new employees and annually during performance evaluations See answer for question #1. Experience and education qualifications of job applicants are screened by human resources as well as the hiring manager to match candidates' skills with positions and department's needs. Consultants are hired to assist management in the performance of functions they or other employees are not skilled or do not have the resources to perform, including but not limited to recruiting of high level management positions and implementation of electronic data Employees are hired based on qualifications for education and experience. Once hired, employees are trained on the job for specific duties and responsibilities. Institution maintains an environment that fosters a relatively high level of moral and a team concept that aids in the commitment to the institution's goals and objectives. Long and short-term goals and performance objectives for each division are written and published in the institution's Five-Year Strategic Plan. Assignment of authority is addressed in the UMMC Policy for Signature Authority, maintained by our Legal Department, which uses this to determine proper authority to obligate UMMC.

18 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively 5.2 Specific limits are established for certain types of transactions and delegations are clearly communicated and understood by employees. 5.3 Job descriptions for personnel include specific references to control related responsibilities 5.4 Management accepts responsibility for information generated and on reported results. 5.5 Managers at all levels Within the institution are appropriately empowered to correct problems and implement improvements. 5.6 The current level of delegation of duties balances empowerment and getting the job done with management involvement and authority levels. 5.7 The university has formed an external audit committee or assigned an audit committee type function within the 5.8 The university governing board approves the minutes of all transactions of major importance. 5.9 Final minutes of institutions meetings are signed by the chairman and secretary. 6 - Human Resource Standards 6.1 Existing personnel policies and procedures facilitate recruiting and developing competent and trustworthy personnel necessary to achieve the agency's objectives. 6.2 New employees are made aware of their responsibilities and management's expectations. 6.3 Supervisory personnel meet periodically with employees to review job performance and discuss opportunities for improvement. 6.4 Performance appraisals adequately address internal control responsibilities and set forth criteria for integrity and ethical behavior. 6.5 Management takes the appropriate remedial action for departures from approved policies and procedures. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A 6.6 Recruitment and selection process for new employees require investigation of background and references. 6.7 Employees take periodic vacations and their work is performed by other employees. Section 2 - Risk Assessment 7 - Risk Assessment Tools 7.1 Formal or informal mechanisms exist to inform management of events that are considered risks (i.e., events that may adversely affect the achievement of agency-wide or division objectives. 7.2 Management assesses inherent risk for each event or combination of events that represent a risk, consider both likelihood and impact, and develops a risk response. 7.3 Once a risk response is developed for each risk, management considers residual risk. 7.4 Management uses an appropriate blend of quantitative or qualitative techniques across the various divisions/functions such that sufficient consistency exists to assess risk agency- 7.5 The process used to analyze risks is clearly understood and includes estimating the significance or risks and assessing the likelihood of their occurrence. 8 - Risk Response 8.1 The process used to analyze risks is clearly understood and includes determining steps needed to mitigate risks. Additional Comments The IHL Board Policy established certain limits requiring IHL Board approval (e.g., land acquisitions over $100,000 and contracts over $250,000). These and other delegations of authority are addressed in the UMMC Policy for Signature Authority. UMMC has an internal audit staff which reports directly to the institution's governing board (IHL Board). See comments for question no. 2 above. Minutes of the institution's governing board (IHL Board) are signed by appropriate Officers and are published on the IHL Board Office Website. The institution has an existing posting policy which outlines how the department heads work in conjunction with Compensation to ensure the requirements are set before the posting and hiring process begins. This process is indicated during new employee orientation and through the efforts of each supervisor within each department. Evaluations are performed within the first 90 days of employment and annually for employees through the manager/employment section in Lawson. This is up to each department to outline and monitor. These issues are addressed and vetted through established processes in collaboration with management and the respective HR Business Partner and/or our Employee Relations staff. These are performed through established procedures through our background division in HR. Every FTE has access to vacation/personal time off and each department is responsible for the coverage during these absences. UMMC considers the findings of external and internal audits when identifying risks. These are reported to management and are immediately resolved. In addition, an internal process of risk assessment is coordinated by the institution's Internal Control Officer through the use of risk assessments and internal control questionnaires. Identified and documented through risk self-assessments and internal control questionnaires. See comments in 7.2 above See comments in 7.2 above See comments in 7.2 above UMMC considers the findings of external and internal audits when identifying risks. These are reported to management and are immediately resolved. In addition, an internal process of risk assessment is coordinated by the institution's Internal Control Officer through the use of risk assessments and internal control questionnaires.

19 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively Additional Comments 8.2 In determining risk response, management considers the See comments in 8.1 above effects of potential responses on risk likelihood and impact because a response may affect the likelihood and impact 8.3 Management considers the relative costs and benefits of See comments in 8.1 above alternative risk response options 8.4 When considering cost-benefit relationships, management See comments in 8.1 above looks at risks as interrelated and pools the agency's risk reduction and risk sharing responses. 8.5 UMMC's risk response considerations are not limited solely to See comments in 8.1 above reducing identified risks, but also include consideration of new opportunities. 8.6 Once management has selected a response, management See comments in 8.1 above determines whether an implementation plan is needed. 8.7 If an implementation plan is needed, management establishes See comments in 8.1 above the necessary control activities to ensure the risk response is carried out. 8.8 The institution evaluates risk from an institution-wide See comments in 8.1 above 9 - System Risk Assessment Risk assessments are performed and documented regularly and Risk assessments are performed only annually at this time, rather 9.1 whenever systems, facilities or other conditions change. than when systems, facilities or other conditions change. 9.2 Risk assessments consider data sensitivity and integrity. Final risk determinations and managerial approvals are Annual risk assessments and internal control certifications are kept 9.3 documented and kept on file. on file with the ICO. Section 3 - Control Activities 10 - Fiscal Processes 10.1 Appropriate policies and procedures have been developed and These policies have been made available on the UMMC Intranet. implemented for each major fiscal process Appropriate and timely actions are taken on exceptions to policies and procedures Policies and procedures identify how processes are to be performed and monitored and who is responsible for carrying them out Control activities described in policy and procedure manuals are actually applied the way they are intended to be applied and clearly relate to designated risks Management clearly assigns responsibilities for training and monitoring of internal controls Controls are in place to provide reasonable assurance that management decisions are properly carried out Supervisory personnel with appropriate responsibilities, organizational experience, and knowledge of the organization's affairs periodically review and document the functioning and overall effectiveness of controls Appropriate criteria are established to evaluate controls 10.9 Responsibilities have been assigned in a manner that precludes any individual from processing data transactions in their entirety or from maintaining records from transactions in which the individual participated Effective procedures have been established for the routine verification of the accuracy of data when it is entered, processed, generated, distributed, or transferred Individuals have appropriately segregated responsibility for control over assets and data and the processing of transactions Effective contingency plans have been developed and document3ed to deal with service interruptions if they occur Periodic tests of contingency and disaster recovery plans take place to make sure they are current, operational, and effective. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Training on and monitoring of internal controls is not assigned to any one employee. Employees are trained on internal controls as a part of their initial on the job training. Internal controls are monitored by accounting supervisors as well as by reports on internal audits. No periodic formal training on internal controls exist. These duties have been assigned to the institution's internal control officer. Internal controls are evaluated as a part of the annual independent audit of the institution as a part of the independent audit on the IHL System. Other than this, an internal control plan describing the assessment of risks and internal controls to medicate those risks is currently under development. Duties and responsibilities have been segregated and access security is in place to prohibit this. document matching of purchase orders, invoices and receiving reports exist to verify accuracy of data and to prohibit clerical errors. See questionnaire on segregation of duties Back up generators and backup and recovery of data plans in place by the institution's physical facilities and the division of information systems. The Division of Information Systems tests back up and recovery of data in information systems.

20 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively Appropriate controls are implemented with the implementation of new information systems Accounting Administration 11.1 Institution has adequate detailed accounting policies and procedures 11.2 Accounting policies and procedures are updated timely 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Additional Comments Currently designing new electronic data system which will span HR, benefits, grants and contracts, purchasing, supply chain, accounting, payroll, DIS, and others areas. Development includes integrating internal controls. Policies are updated periodically and published on the accounting website accessible to all employees. Updated policies and procedures are sent to the institution's internal control officer for updating and publishing Policies and procedures are made available to appropriate personnel Published on the institutions intranet, available for all employees Principal accounting officer has adequate authority over accounting personnel and records. CFO and Controller has control over these Medical Center encourages employees to obtain certifications CFO, Controller, Assistant Controllers and other accounting in their functional areas. personnel maintain CPA certificates with continuing education paid by the institution. Internal Auditors maintain certifications as well Medical Center encourages employees to attend training Accounting management attends governmental auditing and courses or seminars for continuing education in their accounting continuing education and professional development 12 - Journal Entries 12.1 The preparation and approval of journal entries are segregated Journal entries are prepared and approved by different individuals 12.2 Journal entries are adequately explained and supported Journal entries include description and back-up documentation 12.3 Supporting documentation is reviewed to ensure journal entry is coded correctly Authorized individuals approve and sign all journal entries 12.5 Written journal entry processing procedures are maintained. Various individuals are authorized to approve journal entries 12.6 Cash receipt and disbursement function is segregated from journal e entry function 13 - General Ledger 13.1 Access to g/l and related records is restricted to those who are assigned g/l responsibilities Responsibilities for maintaining g/l and custody of assets are segregated Segregation of Duties 14.1 Incompatible duties have been identified and policies implemented to segregate those duties Access controls have been established to enforce segregation of duties The agency exercises control over personnel activities through the use of formal operating procedures, supervision and 15 - Security Management Program 15.1 The institution has developed a plan that clearly describes the institution-wide security program and policies and procedures that support it Senior management has established a structure to implement and manage the security program throughout the agency, and security responsibilities are clearly defined Effective security related personnel policies have been implemented 15.4 Management monitors the security program's effectiveness and periodically assesses the appropriateness of security and compliance with them If weaknesses in the security program are identified, corrective actions are promptly and effectively implemented and tested, and they are continually monitored Information technology policies and procedures are in accordance with ITS policies, standards and guidelines Access Control There are separation of duties from purchasing, receiving and payment of bills and inspection and tagging of equipment items. Controls are in place to insure separation of duties. The buyer in purchasing places the order, receiving issues a receiving report and A/P processes the payment. In our A/P system (Lawson) the system uses a 3 way match or 4 way match if equipment is involved before payment is released to the vendor. Accounts Payable personnel follow up on all unmatched invoices and orders outstanding. The outstanding purchase order register is delivered via an LBI dashboard report in Lawson to all of the department heads for their review of their access outstanding to systems orders. is controlled centrally and approved by appropriate personnel All personnel activities are processed through and approved by the institutions human resources department. The security program is new at UMMC and some of the responsibilities are still being defined. The security program is new at UMMC and some of the responsibilities are still being defined. The security program is new at UMMC and some of the responsibilities are still being defined. The security service continues to identify security weaknesses and addresses those as they are discovered.

21 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively 16.1 Information resources are classified by their criticality and sensitivity Information resources owners have identified authorized users, and their access to the information has been formally authorized Physical and logical controls have been established to prevent or detect unauthorized access. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Additional Comments See UMMC Data Classification Policy Access to the University's accounting systems is controlled by the General accounting office. Employees seeking access must fill out an request for access from, which must be approved by supervisor and approved by the Accounting office prior to granting access. Levels of access are approved based on job responsibilities. We have full disc encryption (Win-Magic, AKA SecureDoc) primarily for laptop computers that maintain or store protected health information (PHI) or other confidential or sensitive data. UMMC has a data encryption and laptop encryption polity at: Information system access is monitored and violations are investigated with disciplinary action is taken Policies are in place to prevent sharing of employee passwords. See Sect of the UMMC Information Policy 17 - Application Software Development and Change Control Information system processing features and program 17.1 modifications are properly authorized All new or revised software is thoroughly tested and approved. Access to the University's accounting systems is controlled by the General accounting office. Employees seeking access must fill out an request for access from, which must be approved by supervisor and approved by the Accounting office prior to granting access. Levels of 17.2 access are approved based on job responsibilities. Procedures have been established to ensure control of software 17.3 inventories, labeling, access restrictions System Software Controls Most general office applications such as Microsoft Office 18.1 Access to software is based on job responsibilities, and access authorization is documented. applications (e.g., excel, word, PowerPoint) and Adobe Acrobat, are not always issued based on documented job responsibilities. These are available to most UMMC employees per a supervisor's approval. However, software applications that provide access to data proprietary data of the Medical Center is granted based on the position and approved by supervisors, and granting of access is documented Access to and use of system software is controlled and monitored 18.3 Institution controls changes made to system software 18.4 Policies and practices are in place which will not allow an employee to load personal software on servers or employee workstations Service Continuity 19.1 The criticality and sensitivity of computerized operations have been assessed and prioritized, and supporting resources have been identified damage and service interruptions are prevented or minimized by use of back-up as well as environmental controls, staff training and hardware maintenance and management Management has developed and documented a comprehensive contingency plan Disaster recovery plan is being developed Contingency plan is tested periodically, and adjustments made. Once implemented, the Disaster recovery plan will be tested periodically (at least annually) Appropriations, Allotments and Transfers 20.1 Appropriated funds are NOT expended for unauthorized purposes Budget vs. actual expenditures are reported to management on a routine basis. Monthly, quarterly and annually Unexpected variances in budget vs. actual expenditures are investigated and appropriate and timely corrective action taken if required Monitoring of appropriation authority is conducted on a regular basis to ensure obligations can be met Cash Receipts - Deposits - Non-Hospital 21.1 Are receipts issued or mail log receipts recorded immediately for all forms of collections received and at the earliest point of collection

22 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively 21.2 Deposit policies and procedures are in accordance with federal and state requirements, clearly stated and systematically communicated through manuals, handbooks or other media All deposits are properly and accurately recorded and accounted for in a timely manner All collections are required to be made payable to the proper payee (UMMC) or the appropriate direct support organization party to the transaction 21.5 Checks are required to be restrictively endorsed upon receipt 21.6 Receipt logs and cash register readings are independently controlled, accounted for and compared to validated deposit documentation by an individual with no cash handling responsibilities 21.7 The collection and deposit preparation functions are segregated from the accounting functions, including general ledger and accounts receivable maintenance Cash receipt functions are segregated from cash disbursement 21.9 NSF checks are delivered to someone independent of processing and recording of cash receipts Receipts are controlled by cash register, pre-numbered receipts, or other equivalent means if payments are made in Receipts are accounted for and balanced to collections on a daily basis Receipts and deposits are reconciled at least monthly with departmental ledgers Deposits are transmitted in locked bank bags A secured and fireproof area exist for protecting cash receipts not yet deposited. Access to this area is restricted to authorized persons only. The secured area is locked when not Cash receiving function is centralized to the extent possible Cashiers are prohibited from cashing personal checks Bank balances in excess of FDIC limit are adequately secured Cash drawers, if applicable are balances on a daily basis Supervisors conduct periodic surprise cash drawer audits System security classes are consistent with segregation of Procedures are in place to document when receipt of funds should be recorded as refunds of expenditures or prior year revenue Cases of suspected fraud or theft are brought to the attention of Campus Police, Compliance and other appropriate personnel immediately upon discovery Department is in compliance with the Payment Card Industry Data Security Standards addressing appropriate security measures needed in place to secure customer information (i.e., credit card numbers etc.) A summary statement regarding the overall soundness of the internal controls over the receipting function is included in the institution's internal control plan 22 - Cash Receipts - Deposits - Hospital 22.1 Are receipts issued or mail log receipts recorded immediately for all forms of collections received and at the earliest point of collection 22.2 Deposit policies and procedures are in accordance with federal and state requirements, clearly stated and systematically communicated through manuals, handbooks or other media All deposits are properly and accurately recorded and accounted for in a timely manner All collections are required to be made payable to the proper payee (UMMC) or the appropriate direct support organization party to the transaction 22.5 Checks are required to be restrictively endorsed upon receipt Cashiers stamp immediately 22.6 Receipt logs and cash register readings are independently controlled, accounted for and compared to validated deposit documentation by an individual with no cash handling responsibilities 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Additional Comments Employees are told during orientation and reminded each year during compliance training to report any suspicion of fraud or theft and are told a hotline number to call to report. Department Policy and Procedure Manual provided to each employee with Master Copy maintained by the Manager of Patient Financial Services. All cash receipts are deposited to the bank on the same day received.

23 APPENDI C 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively 22.7 The collection and deposit preparation functions are segregated from the accounting functions, including general ledger and accounts receivable maintenance Cash receipt functions are segregated from cash disbursement Additional Comments All disbursements must be processed through A/P after obtaining required approvals. A/P and Patient Accounting are different departments. Listing of returned checks provided to Security Check (outside vendor) for follow-up NSF checks are delivered to someone independent of processing and recording of cash receipts Receipts are controlled by cash register, pre-numbered receipts, or other equivalent means if payments are made in Receipts are accounted for and balanced to collections on a Cash drawers are balanced at completion of shift and reconciled by daily basis. Manager Receipts and deposits are reconciled at least monthly with Hospital Finance reconciles monthly with departmental ledger. departmental ledgers Deposits are transmitted in locked bank bags A secured and fireproof area exist for protecting cash receipts For the Health System, a fire-proof safe is located in RCM Office. not yet deposited. Access to this area is restricted to authorized persons only. The secured area is locked when not Cash receiving function is centralized to the extent possible Cashiers are prohibited from cashing personal checks Departmental policy prohibits cashing of personal checks Bank balances in excess of FDIC limit are adequately secured UMMC Accounting maintains treasury responsibilities and ensures that all state requirements are met regarding bank balances Deposits into clearing funds are in accordance with approved use of such funds by the DFA and State Treasury Cash drawers, if applicable are balances on a daily basis Cash drawers are balanced at completion of shift and reconciled by Manager Supervisors conduct periodic surprise cash drawer audits The Department of Internal Audit makes regular petty cash audits System security classes are consistent with segregation of Procedures are in place to document when receipt of funds should be recorded as refunds of expenditures or prior year revenue Cases of suspected fraud or theft are brought to the attention of Campus Police, Compliance and other appropriate personnel immediately upon discovery Department is in compliance with the Payment Card Industry Data Security Standards addressing appropriate security measures needed in place to secure customer information (i.e., credit card numbers etc.) A summary statement regarding the overall soundness of the internal controls over the receipting function is included in the institution's internal control plan 23 - Accounts Receivable - Non-Hospital 23.1 Accounts receivable policies and procedures are clearly stated, and systematically communicated through manuals or other media All receivable transactions are properly and accurately recorded, aged and accounted for in the institution's accounting 23.3 Billings are timely and accurately recorded and documented on the date the revenue transaction is completed or on the nearest billing cycle date All collections on accounts receivable are deposited and the source and date of payment are recorded in a timely manner Responsibilities for billing for services and fees are adequately segregated from those for collection and accounting Responsibilities for maintaining detailed accounts receivable records are adequately segregated from those for collection, deposit, and general ledger posting Adjustments, write-offs and discharges are properly authorized, documented, and made in accordance with established policies, procedures and legal requirements Uncollected accounts are periodically reviewed and collection actions taken in accordance with established policies procedures and legal requirements Account balances are aged periodically and reviewed by an official not involved in cash receipts and disbursements. All miscellaneous receipts are reviewed and entered by management level accounting / finance personnel.

24 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively Recorded balances of receipts and accounts receivable and related transaction activity are periodically substantiated and evaluated Receivables are recorded promptly upon the completion of the acts which entitle the agency to collect the amounts owed it Records of receivables are strictly guarded. Access to these records, as well as physical protection of them, is required Receivable amounts are reviewed periodically for credit Clerical accuracy of billing invoices are independently verified by persons other than the preparer Billings are prompt and statements are sent to all patients on a regular basis Controls are in place to ensure prompt follow-up of past due receivables Adequate files are maintained on all accounts that have been written off to avoid violation of the provision in the constitution which prohibits the forgiveness of debts owed to Voided billings (tuition & fees voided after registration canceled) are retained on file Accounts Receivable - Hospital 24.1 Accounts receivable policies and procedures are clearly stated, and systematically communicated through manuals or other media All receivable transactions are properly and accurately recorded, aged and accounted for in the institution's accounting system Billings are timely and accurately recorded and documented on the date the revenue transaction is completed or on the nearest billing cycle date All collections on accounts receivable are deposited and the source and date of payment are recorded in a timely manner Responsibilities for billing for services and fees are adequately segregated from those for collection and accounting Responsibilities for maintaining detailed accounts receivable records are adequately segregated from those for collection, deposit, and general ledger posting Adjustments, write-offs and discharges are properly authorized, documented, and made in accordance with established policies, procedures and legal requirements Uncollected accounts are periodically reviewed and collection actions taken in accordance with established policies procedures and legal requirements Account balances are aged periodically and reviewed by an official not involved in cash receipts and disbursements Recorded balances of receipts and accounts receivable and related transaction activity are periodically substantiated and evaluated Receivables are recorded promptly upon the completion of the acts which entitle the agency to collect the amounts owed it Records of receivables are strictly guarded. Access to these records, as well as physical protection of them, is required Receivable amounts are reviewed periodically for credit balances 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Additional Comments Department policy and procedure manual provided to each employee with master copy maintained by manager. All accounts receivable accounts are reconciled monthly to subsidiary ledger reports. Aging computations are tested annually during independent audit. Patient room charges are posted nightly to the patient's account. Charges for diagnostic testing and other procedures are posted daily after the services have been performed, except in cases where additional information is required to properly code or otherwise charge the patient. Late charges exists but are monitored for reason and Cash appropriate receipts are billing. deposited to bank on day of receipt. See comments for no. 6 below Patient Accounting Software is utilized by the Health System and controls exist to limit access to certain parts of the system. The Department of PFS is organized in a way to segregate these functions within different personnel as much as possible. Hospital Finance is responsible for verifying daily deposits to the bank statement and reconciling the bank statement and the accounts receivable on the general ledger. The majority of all adjustments are from insurance data files that are posted from electronic files. These adjustments are supported by hard copy registers that are stored in Patient Accounting. These adjustments are reviewed in the aggregate as part of the monthly close. Other adjustments are supported by policies and procedures in place in Patient Accounting. Weekly pre-list of accounts meeting criteria for collection agency proceedings is reviewed and approved by Director of PFS, Senior Director and CFA. Monthly aging reviews are performed by Health System Finance as part of the financial close. Additional Executive Meetings are held monthly to assess progress on past-due balances and overall aging. Patient accounts receivable on the G/L is reconciled monthly to the System Receivable Reports. Differences are investigated and resolved timely. Records of Misc. receivables are maintained and reviewed monthly for accuracy and collectability. Access controls exist over the Patient Accounting software system as well as to the physical areas that patient sensitive information is processed/stored. Credit balances are reviewed by PFS regularly. Accounting reclasses to Accounts Payable monthly.

25 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively Clerical accuracy of billing invoices are independently verified by persons other than the preparer Billings are prompt and statements are sent to all patients on a regular basis Controls are in place to ensure prompt follow-up of past due receivables Adequate files are maintained on all accounts that have been written off to avoid violation of the provision in the constitution which prohibits the forgiveness of debts owed to Voided billings are retained on file Purchasing 25.1 All purchases are made in accordance with State and Federal laws and regulations including, but not limited to, directives of the DFA Office of Purchasing and Travel Procurement Manual, Information Technology Services Procurement and Procedures Handbook, State Personnel Board Policy and Procedures Manual and the Personal Service Contract Procurement regulations Only persons knowledgeable in federal and state purchasing laws and regulations are allowed to procure goods and 25.3 The Executive Director and all staff authorized as purchasing agents are aware of penalties associated with improper and fraudulent purchases cited in Mississippi Code Annotated (1972) Section and All purchasing staff is encouraged to participate in the Mississippi Association of Government Purchasing/Property Agents so that they may stay current with changes to purchasing laws and regulations 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Additional Comments Charge master for patient charges has restricted access. Health System has a dedicated director in charge of reviewing billable services and pricing. Set parameters exists on the timing of the mailing of patient statements generated by the system. The statements vary based on the financial class and age of the patient account. Executive level meetings are held monthly to assess patient balances > 60 days past due. Patient Accounting has set policies in place for collector follow-up on past due accounts. Every transaction is recorded to the patient account. Notes are maintained on the patient's record. Pharmacy and facilities personnel may not be familiar with all State and Federal Laws. The Executive Director and all Purchasing staff in the Purchasing department (Supply Chain) are aware of the penalties but, Pharmacy and Facilities staff are reminded annually. All buyers, managers and directors of the Purchasing Department are members of MAGPA. Staff in Pharmacy and Facilities are not members Procurement is centralized within the institution. Centralized within the Purchasing (i.e. Supply Chain) Dept All employees are required to read and be knowledgeable in the Ethics in Public Contracting section of the DFA Office of There has not been an effort in the past that requires ALL employees at UMMC to be knowledgeable in the Ethics in Public Contracting. Purchasing and Travel Procurement Manual. However, all employees know the UMMC Code of Conduct, which includes principles of conflicts of interest and the acceptance of gratuities. Also, the Purchasing Officers are aware of the ethics section of the Procurement Manual Procedures are in place to prevent splitting of purchase orders made to avoid solicitation of bids or advertising for bids Purchase of equipment, supplies, materials, or services, the cost of which are to be paid by the institution are made only by written purchase order duly signed by the official authorized to do so Employees have been made aware that if a purchase is made without valid and approved purchase order (when one is required by law or regulations), it is not an obligation of the Procedures are in place to periodically examine open purchase orders to determine if they should be adjusted or closed Procedures are in place to electronically submit purchase orders to be paid out of funds appropriated for any fiscal year by June 30 or the date specified by DFA Procedures are in place to ensure that proper expenditure object codes are used on purchase order documents and that all other required purchase order fields are populated with correct accounting codes Procedures are in place whereby vendors are notified on a timely basis (before service begins or goods are shipped) that a purchase order cannot be issued to them unless they first have a vendor number in CAS. UMMC uses advanced EDI functionality for whenever possible to electronically transmit purchase orders for medical supplies (up to 150 per day). Electronic signature authorizations are used for EDI orders. Most other orders are transmitted via facimile or placed verbally with a supplier. Pharmacy utilizes a whoesaler to provide order platform for a majority of its transactions; all other orders are facilitated by the Purchasing Department This is not a part of new hire orientation. new term for "object code" = "account" in Lawson Purchasing and accounting staff coordinate vendor assignments in CAS (beginning / Lawson ERP), the procurement system used by UMMC (beginning , UMC began utilizing Lawson for purchase order functionality - procedures are still in-place).

26 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively Additional Comments Procedures are in place to consolidate orders in order to take Functionality of new ERP software system (Lawson) enhances our advantage of quantity discounts. ability to systematically consolidate orders Procedures are in place to insure budget authority exists prior to solicitation for procurement Procedures are in place to ensure that only authorized UMMC now utilizes Lawson (beginning ); which, requires employees request purchasing staff to procure goods and authorized "requesters" who are authorized to request goods and services and that such request are through written services for their areas Procedures are in place to ensure that segregation of duties exist between purchasing, receiving and payment of goods and services Procedures are in place which allow information pertaining to Now resides in the Contract Administration Department the results of any bid to be reviewed on the premises of the agency in accordance with Section of the DFA Office of Purchasing and Travel Procurement Manual and the institutions open records policy Procedures are in place whereby claims are filed promptly for goods damaged in shipment Procedures are in place to ensure that SAAS security profiles UMMC is not under SAAS; however, the same procedures are in are consistent with segregation of duties place for our current system (Lawson) A summary memo regarding the soundness of the internal controls over the purchasing function is included in the institution's internal control plan Purchasing staff are aware of the legal definition of an emergency as set forth in Section (f) of the Mississippi Code. Before an emergency purchase is declared, it is determined that the emergency which necessitates the purchase meets the legal definition Purchasing staff are aware of the legal definition of an emergency as set forth in Section (f) of the Mississippi Code. Before an emergency purchase is declared, it is determined that the emergency which necessitates the purchase meets the legal definition Documentation of the emergency purchase, including a Documentation is submitted via the P1 process description and price of the goods or services purchased, and nature of the emergency is submitted to the IHL Board and placed on its minutes At the earliest possible date following each emergency The filing with DFA is facilitated via the purchasing department; the purchase, the institution files with DFA a statement explaining filing does include "a statement explaining the conditions and the conditions and circumstances of the emergency which circumstances " from the Executive Officer. details a description of the events leading up to the situation and the negative impact to the entity if the purchase was made following the statutory purchasing requirements. A certified copy of the minutes of the IHL Board meeting is also filed (if applicable). In an emergency situation, even though the State Law does not require it, the purchasing staff is urged to seek competition UMMC has developed an emergency purchasing plan should a The emergency plan includes critical medical devices; which are not disaster occur. The plan includes items that may be needed sourced via State contract' the majority of these acquisitions are during an emergency that are already on state contract, with 24 sourced via different contracting options. This plan also includes all hour seven days a week supplier contacts, pre-arranged credit necessary contact information, both internal and vendor. plans, generic request for emergency quotes form, and generic services contract to be used during an emergency All buildings leased or occupied for emergency purposes are Currently no buildings are leased or otherwise occupied for approved by the Bureau of buildings, as well as, the Tort emergency purposes. Claims Board Emergency purchases of information technology equipment, software or services are submitted to ITS on the ITS Emergency Purchase Form Emergency purchasing rules are followed for contractual Our institution does not report through this entity. services as defined in the Personal Service Contract Review Board procedures manual Internal control procedures for Procurement Cards have been adopted. UMMC does not have a purchasing card program Internal control procedures are in compliance with Procurement Card contract provisions UMMC does not have a purchasing card program Payments to procurement card vendors are made by due date UMMC does not have a purchasing card program 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A

27 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively Additional Comments Purchase logs and statements are reconciled with vendor UMMC does not have a purchasing card program statements prior to receipt of next procurement card vendor statement Reconciled statements are reviewed and approved in writing by cardholder's supervisor. UMMC does not have a purchasing card program Unaccepted goods or services are documented and purchaser takes appropriate corrective action with vendor. UMMC does not have a purchasing card program Original payment processing documents are maintained on UMMC does not have a purchasing card program 26 - Cash Disbursements - Expenditures 26.1 Responsibilities for initiating a purchase are separate from approving a payment Invoice processing and accounts payable functions are adequately segregated from general ledger functions Policies are in place to ensure compliance with State's prompt A/P policy includes "Mississippi law requires that interest be added to payment law. payments made more than 45 days after the receipt of goods or the receipt of the invoices, whichever is later" Payment processing documents are retained on file for the required retention period Procedures are in place to ensure disbursement is used only for authorized purposes; and that laws, rules and regulations governing the disbursement are followed The responsibility for disbursement procedures are clearly documented and assigned to specific personnel Controls are established to assure that all payments are made on a timely basis and in accordance with P.O.s and contracts Invoice numbers are recorded on payment vouchers to ensure that duplicate payments are not made Vendor invoices are received in a central location Responsibilities for receiving goods and services are adequately segregated from approving payments CAS security classes for cash disbursement function are in agreement with adequate segregation of duties Procedures are in place for adequate audit of all expenditures for compliance with State and Federal regulations Procedures are in place to ensure adequate, sufficient documentation is collected as support for each payment Procedures are in place whereby management periodically examines expenditure reports in order to monitor purchases Controls are in place to ensure sufficient funds are available before the approval of payment vouchers Procedures are in place to ensure payment of prior year claims is in accordance with Section , Miss. Code Ann. (1972) and MAAAPP manual sub-section Cash Disbursements - Receiving Reports 27.1 Unaccepted goods or services is documented on the receiving report and appropriate corrective action is taken with vendor Purchase orders and invoices are compared to the receiving report prior to approval and payment Personnel who authorize receiving reports cannot also authorize payments Cash Disbursements - Petty Cash 28.1 Responsibility for petty cash account is to be vested in only one person Petty cash bank statement is delivered unopened, directly to person performing reconciliation 28.3 Someone other than the cashier or authorizing official reconciles the monthly petty cash bank statement Interest earned on petty cash checking account is deposited in accordance with State rules and regulations 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Expenditures are approved by multiple layers within accounting and finance and budget offices, including the departmnent head, comptroller, CFO and budget officer. The levels of approval are based on amount of purchase and the type of p urchase. Also, department heads receive their reports on-line that show the expenditures for their accounting units and activities. Each department has their own responsible Petty Cash Custodian, approved by the Comptroller, who signs for petty cash and is responsible for any petty cash issued by the UMMC Cashier. Departments are limited to $100 per day for petty cash impress fund. There is no separate bank account for petty cash There is no separate bank account for petty cash There is no separate bank account for petty cash

28 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively Additional Comments 28.5 Petty cash account is in name of institution. There is no separate bank account for petty cash 28.6 All checks are serially pre-numbered and imprinted with "Petty Cash Fund" and the name of the institution. There is no separate bank account for petty cash 28.7 Checks are only signed upon presentation of satisfactory documentary evidence that the disbursement is proper. There is no separate bank account for petty cash 28.8 Check register lists every check issued and provides date issued, check number, name of payee, amount and account There is no separate bank account for petty cash 28.9 When monthly bank statements are received, the register is updated to reflect the checks that have been paid by the bank. There is no separate bank account for petty cash Cancelled checks are carbon copies of checks and bank statements are maintained for audit. There is no separate bank account for petty cash Spoiled checks are marked "VOID" and signature line obliterated or mutilated. There is no separate bank account for petty cash Voided checks are filed in numerical sequence with cancelled checks. There is no separate bank account for petty cash Receipts for all disbursements accompany the request for reimbursement Surprise reconciliations of cash box (if applicable) are The department petty cash custodian audits the fund at the end of conducted each month and report any shortages or overages.internal audit personnel randomly conduct audits of the petty cash funds and report back to management Petty cash blank checks are secured and locked with access only available to responsible employee and supervisor. There is no separate bank account for petty cash Procedures ensure patty cash funds are not used for cashing checks or otherwise advancing funds to any officer or There is no separate bank account for petty cash 29 - Travel 29.1 Procedures are in place to ensure travel is done in accordance with State Travel Policy Rules and Regulations and DFA manual 29.2 All employees subject to travel are provided with a copy of the Travel Manual and periodically the institution offers training classes to review the manual with employees Mileage reimbursement rates are provided and maximum daily meal reimbursements rates are provided in accordance with latest DFA directive A travel waiver form is completed and faxed to DFA prior to making any reservations or commitments that deviate from standard travel procedures Procedures are in place to ensure that employees understand that they can only rent a vehicle in lieu of a personal automobile for official business within the State if such rental is less expensive than the current mileage calculation. Employees are also to understand that an intermediate rental car is normally the largest rental that will be reimbursed Processes are in place whereby the institution utilizes the appropriate State contract vendor for cars rented inside and outside the State Management understands that they are responsible for ensuring compliance with Section , Mississippi Code of 1972 by providing internal controls over employee travel Management has designated an employee to serve as a departmental travel coordinator within the institution for the purpose of monitoring employee compliance with the State Travel Rules and Regulations, serving as a liaison with the State Travel Director's office, booking travel reservations for employees, and other travel related assistance as requested by 29.9 the Procedures employee. are in place to ensure travel reimbursement requests are submitted immediately upon their return from travel and any travel advance is settled. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A The UMMC Travel Policy adequately addresses State Travel Policy Rules and Regulations. The policy is posted on the UMMC website accessible to all employees. Training classes are not given, but Travel Policy and Procedure manual is posted on the web for all employees and is linked to the Travel Request Form so that employees can refer before completing a travel request. UMMC Travel Policy is updated for each change in DFA policy. DFA no longer requires UMMC to send them a waiver. IHL universities are exempt from having to send. A rental car approval form must be filled out by the traveler, with the justification for using a rental car and a comparison of the costs of the rental car from the State contract vendor versus the cost of other form of transportation. This form must be approved by the department head and CFO before it's approved for reimbursement. This is published in the travel policies. Any exceptions are approved by the Associate Vice Chancellor - James Michael Lightsey. Often departments within UMMC have personnel who compile travel requests and reimbursements for employees who travel in the department to ensure Travel policies and regulations are followed. Otherwise, the Accounting Office has personnel who's full time job is to review and process travel requests and reimbursements, but they do not assist in making travel reservations. UMMC policy states that travel reimbursement forms must be submitted within 30 days of return from travel. s are sent to employees who have not filed timely telling them to file. If an amount is owed by the traveler, includes a statement that if not filed by the mandated time,the amount is deducted from the traveler's payroll check.

29 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively Employees are made aware that only one travel advance can be outstanding and that all travel advances must be settled within ten (10 ) working days after the end of the month in which the travel was completed or their paycheck will be held until the advance is settled Employees are informed that they are to exercise the same care incurring expenses as would a prudent person traveling for personal reasons. Travel for business should be conducted at a minimum cost for achieving the success of the mission Employees are informed that if they choose to drive in lieu of flying they must compare the total cost of flying with the total cost of driving. They will only be reimbursed for driving if it is less expensive than flying or if the agency head justifies that it is in the best interest of the institution for employee to drive. No justification is required if costs are held to the lowest unrestricted air fare Employees are informed that any bonus or promotional gratuity received as a result of official state travel shall be used to offset or reduce thee cost of subsequent official state travel Employees are informed that if a member of their family or other non-ummc employee travels with them, the employee shall claim reimbursement at the single hotel/motel rate only Procedures are in place to cancel corporate Amex cards immediately upon employee termination Procedures are in place to review the Amex statement sent to the institution reporting corporate card use by employees and to counsel with employee with outstanding overdue amounts. Procedures are in place to cancel any corporate Amex card misused by an employee Procedures are in place to ensure travel reimbursement requests are verified, checked for compliance and approved before submitted to DFA Procedures are in place to ensure employee is not reimbursed for travel between home and regular place of work Procedures are in place to govern the use of State-owned vehicles in accordance with and , Miss. Code Ann. (1972) and in the use of Fuelman cards (if applicable) Inter-Agency Transactions 30.1 Before processing Inter-Agency Transactions (IAT), the institution ensures that the IAT is properly completed by the originating agency or returns the IAT to that agency An individual authorized on the agency's signatory from approves interagency transfers Cash Disbursements for Construction 31.1 Actual expenditures are compared to planned amounts by 31.2 Capital outlay plans are updated to reflect approved change orders affecting the original budget 31.3 Total of budgeted items at all levels does not exceed the amount fixed for the project plus any change order 32 - Fixed Assets 32.1 Access to the fixed asset system is limited to those individuals who need the access to perform their job 32.2 Fixed assets are only acquired for use in furthering the institution's programs and missions All assets within the required capitalization or control limits are recorded in the Fixed Asset System in a timely manner Proper stewardship and control over assets is carried out, including periodic inventories 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree Additional Comments Travel advances for out-of-state travel only are allowed. Travelers who do not settle their advance within 60 days of return from trip may be subject to a payroll deduction, and no further advances will be issued for one-year. 5 - Strongly disagree Not Applicable - N/A Department heads are responsible for notifying their employees of this. The travel policy also states coach tickets and limits the amounts for rental cars, meals, etc. Policy states "under no circumstances may the traveler keep a bonus or other promotional gratuity for personal use" Included in travel policy Activity is monitored by Accounting personnel. Cards can be deactivated at anytime due to misuse or termination of an employee. American Express cards can be applied for through the Accounting Department's Travel section. These cards are in the name of the employee, who is obligated for any charges on these accounts. Not required to be submitted to DFA UMMC does not process IATs See comments above. Each department head appoints a designated "Property Officer" for his/her department. Property Control Office assigns that person with security and password access to Lawson Asset Mgmt., the Medical Center's fixed asset electronic record system. Property officers can access the assets assigned to their department to perform their inventory. Department heads periodically review their equipment needs and access if equipment needs to be replaced. They must obtain necessary approvals to replace equipment through the normal budget process. Property officers are required to perform annual physical inventories and report any missing items or other discrepancies to the Property Control Office.

30 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively 32.5 Financial records and reports properly reflect fixed asset balances 32.6 Assets are reasonably protected from theft. Any theft of a fixed asset item is immediately reported to proper authorities Internal procedures are documented in writing 32.8 Proper segregation of duties is maintained between recording of fixed assets in the Asset Management System and the purchase and disposal of fixed assets Reports required of the State Property Office are prepared adequately and timely Employees are informed of their fiduciary duty regarding fixed assets provided for their use Employees are informed that State assets cannot become their personal property even if such assets are deemed obsolete or not repairable Fixed asset purchases are in accordance with Section of the Miss Code Annotated (1972) Record keeping procedures exist that account for assets not required to be reported to the State Property Office Non-capitalized assets are safeguarded against damage or theft Appropriate detail is maintained to reconcile fixed asset expenditures in the general ledger with the fixed asset system Purchases are in place to ensure proper recording of donated assets (if applicable) All fixed asset schedules are completed in accordance with DFA instructions and submitted timely Clear audit trails from source documents are provided for all agency fixed asset transactions All transactions involving additions, renovations, and repairs are evaluated on a case-by-case basis to determine whether costs should or should not be entered in the fixed asset system Costs to be entered into the fixed asset system are properly referenced against the underlying original asset A realistic useful life is assigned to all depreciable assets when reporting addition to the State Property Office Asset acquisition costs, acquisition date and useful life are properly recorded so that accurate depreciation is calculated All assets are periodically reviewed as to proper status of available, unavailable or surplus. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Additional Comments Costs for purchased items and FMV for donated items are recorded on the GL and reconciled to property control records, library records and accounting and physical facility work orders. Items reported missing during annual physical inventory require an affidavit with the information as to why the item is missing (disposal, transfer or theft). The affidavit is to be sent to Campus Policie within 30 days of notice of missing. Theft is reported to Campus Police immediately upon notice of the item missing. Property Control Office Policy and Procedure Manual is posted on the Property Control web-page on the UMMC intranet. Purchase orders are issued for equipment and other capital assets. Invoices are paid by accounting with appropriate documentation of receiving reports issued by receiving. A list of all equipment paid is provided to property control on a monthly basis for property control personnel for proper tagging of all equipment items. Property officers are assigned for all departments on campus that inventory the equipment on hand in their department. At any given time the property officer can pull a list of their departmental inventory in Lawson Asset Mgmt. There is separation of duties between the dept, accounting, receiving and property control. No assets are purchased or disposed of without this documentation. Property Control maintains the property records and reconciles them to the accounting general ledger and makes appropriate corrections as necessary. The UMMC Code of Conduct, Principle #7 "Protection of Assets" addresses this. The Code of Conduct is presented to every new employee during orientation and required to be read annually by all employees during annual compliance training and testing. The UMMC Code of Conduct includes the statement "All employees are expected to refrain from converting assets of the organization to personal use employees are prohibited from the unauthorized use or taking of UMMC equipment, supplies, materials or services. Obsolete items are transferred to surplus property. All purchases are made in strict compliance with the law. Non-capitalized property is accounted for under separate account. Other than that, no procedures are in place to account for these noninventoriable items. All property is safeguarded, regardless of whether it is recorded on the financial statements. Costs for purchased items and FMV for donated items are recorded on the general ledger and reconciled to property control records, library records and accounting and physical facility work orders. Property Control obtains this information from the individual or organization donating the item to UMMC. This information is provided and is attached to the donation form and routed for all required approvals before being recorded. All required reports are submitted by their due date. Each report is prepared in accordance with DFA guidelines. Purchasing, Accounting and Property Control all review transactions for this purpose. Useful life for Hospital fixed assets is determined by the AHA guidelines. Cost, date and useful life are recorded in accordance with AHA guidelines for Hospital fixed assets. This is an ongoing process facilitated by Protégé asset management software application.

31 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively All surplus items, which are sold or transferred, are properly recorded as disposals and reported correctly and timely to State Property Office Obsolete or broken assets are discarded in accordance with directives of the State Property Officer All transfers of assets are adequately documented including signature of receiving party. Transfers are only made to other governmental entities Adequate segregation of duties exists between asset physical control and disposal approval Stolen property is reported to security immediately and removed from inventory Assets purchases with federal grant funds conform to state and federal rules and regulations Cost principles and administrative requirements pertaining to federally funded assets are followed Controls are in place to exclude the depreciating on capitalized fixed assets purchased with federal grant funds and on surplus property from the indirect cost pool The grantor is notified (if required) when capitalized assets acquired with grant funds are no longer used in the grant program Maintenance of Assets 33.1 Maintenance costs of assets (owned or rented) are periodically reviewed and analyzed Maintenance contracts are current and cover only assets approved by management Maintenance costs are not incurred for assets covered under comparable warranties Warranty expirations are reviewed so maintenance can be continued, when and where necessary Maintenance contracts are terminated when cost is determined excessive in relation to cost to replace asset Capital Leases 34.1 Loan application, use, accounting and reporting, and repayment policies and procedures are in accordance with state requirements, and are clearly stated and systematically communicated through manuals handbooks or other media All loan transactions are properly and accurately recorded and accounted for in CAS and LEA Required reports are accurately prepared and submitted by the due date All lessee/loan information is properly reported to DFA in the agency GAAP packet process In preparing the institution's budget request, amounts needed to pay principal and interest are properly budgeted in subsidies All lessees are properly classified as either operating or capital 34.7 Files of active lessees are maintained in the finance department 35 - Indirect Cost Recovery 35.1 Unallowable costs are not charged to federal awards 35.2 Organizational structure has been reviewed to determine the appropriate indirect cost or cost allocation plan methodology 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Additional Comments Maintenance costs are monitored by departmental management. However, there is no systematic centralized institution-wide process of reviewing maintenance costs. Controled by department management as well as purchasing (i.e., supply chain). Purchasing approves maintenance contracts, and therefore will not approve if the asset is already covered under an existing contract Supply chain's contract management system allows them to notify department when maintenance contract is ending, so it can be renewed or not. This is a function of the department in determining the best course of action. However, there is no centralized systematic review of warranties to assess cost vs. benefit analysis institution wide. All Capital Leases are financed by First Southwest Leasing Co. Capital Leases are paid to IHL, who inturn pays First Southwest. These are reported in the Long Term Debt section of our audited financial statements. The Operating Leases are also recorded in the Operating Lease note in the audited financial statements. The policies and procedures are recorded in the Records Management Policies and Procedures Manual. All transactions are recorded in the Lawson computer system. Data is compiled from the Lawson computer system and reconciled to the Operating Lease contracts and the Capital Lease amortization schedules before being included in the financial statements. All capital and operating leases are approved by IHL and reported in the agency GAAP packet. The amounts necessary to pay the annual cost of the Operating and Capital Leases are included in the budgeting process and funds are encumbered at the beginning of each fiscal year to ensure the individual departments have the resources available to cover the expenses throughout the fiscal year. State guidelines are used to determine if the equipment being purchased through the lease-purchase process should be capitalized before the request is sent to IHL. Operating Leases consist of Kept in Records management area of the Comptroller's Office by Joan Howard and are recorded in the Lawson computer system. Senior financial leadership reviewed this in 2011 and determined appropriate changes.

32 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively An indirect cost rate proposal or allocation plan has been 35.3 prepared according to requirements set forth in OMB Circular A-21, Cost Principles for Educational Institutions Completed indirect cost rate proposal has been submitted 35.4 negotiated and approved by the cognizant agency in a timely manner. The approved indirect cost rate or amount has been applied 35.5 against grant awards Federal Grant Compliance 36.1 Controls are in place to ensure that all purchases made with federal funds are in accordance with OMB Circular A Procedures are in place to ensure only staff has security access to grantor draw down system Tracking system monitors expenditures against grant awards 36.4 Procedures are in place to ensure that uniform policies, procedures and regulations exist regardless of the funding 36.5 Procedures are in place so that cost are not to be included to meet cost sharing or matching requirement, if already included as match on another federal grant except as specifically provided by federal law or regulation All costs charged to federal projects are reasonable Procedures are in place to ensure accurate and timely reporting to federal grantor and that adequate supporting documentation exists to support reports 36.8 Procedures are in place to ensure draw down of federal funds are in accordance with award draw down schedule, if appropriate 36.9 Procedures are in place to ensure that no alcoholic beverages are purchased with federal funds Procedures are in place to ensure that compensation for employees engaged in work on federal awards will be considered reasonable to the extent that it is consistent with that paid for similar activities of the government. In cases where the kinds of employees required for federal awards are not found in the other activities of government, compensation is considered reasonable to the extent that it is comparable to that paid for similar work in the labor market in which the employing government competes for the kind of employees involved. Where employees are expected to work solely on a single federal award or cost objective, charges for their salaries and wages are supported by periodic certifications that the employees worked solely on that program for the period covered by the certification. These certifications are prepared at least semi-annually and are signed by the employee or supervisory official having first hand knowledge of the work performed Where employees by the employee. work on multiple grants or activities, a distribution of their salaries or wages is supported by personnel activity reports or equivalent documentation unless a substitute system has been approved by the cognizant federal agencies Staff are adequately trained on federal grant requirements, including training updates on changes to federal grant circulars and requirements. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Additional Comments F&A rate proposal was submited to the DCA in January 2012 with assistance from Huron Consulting Group, experts in the field. F&A rate proposal was submited to the DCA in January 2012 (Due by March 31, 2012) but has yet to be negotiated. The approved rates are applied to those applicable grants from the Federal Government. Some grantors do not pay the full organized research rate. Drawdown requests are prepared by Accountant II, funds are drawn down visa the internet by the Accountant II or the Assistant Comptroller. If the assistant comptroller draws funds, the Comptroller approves the transaction prior to the draw. UMMC has an automated accounting system to ensure expenditures post to the proper grant account. Each grant award is assigned a specific account number to ensure proper tracking of expenditures. Grants and contract accounting reviews all expenditures and reports submitted to sponsors to document cost share and/or match to ensure they are not used on multiple grants/agreements. expenditures are reviewed to ensure the expenditure is reasonable, allocable, consistently treated and allowable. Written policy exists that establishes responsibility and provides the procedures for periodic monitoring, verification, and reporting of program progress and accomplishments. Tracking system reminds staff when reports are due. Supervisory review of reports are performed to assure accuracy and completeness of data included in reports. Accounting system schedules payments for accounts payable and requests for funds from Treasury to avoid time lapse between draw down of funds and actual disbursements of funds. Appropriate level of management is responsible for supervisory review of cash management activities. Compensation of employees is approved and monitored by human resources, which makes sure compensation is consistent with prevailing rates in the market-place based on the position. UMC utilizes Personnel Activity Reports (PAR) to document effort contributed by employees. Effort certification is required on a monthly basis for all employees working on federal and nonfederal sponsored projects. Although not required, teaching schedules, workload counts, or other documentation are used to substantiate the hours reported on the time and effort reports UMC utilizes Personnel Activity Reports (PAR) to document effort contributed by employees. Effort certification is required on a monthly basis for all employees working on federal and nonfederal sponsored projects. Although not required, teaching schedules, workload counts, or other documentation are used to substantiate the hours reported on the time and effort reports Procedure manuals are available to faculty and staff. Those responsible for monitoring grant awards are provided training by the Grants and Contracts Accounting Office.

33 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively Additional Comments Procedures are in place to ensure compliance with each federal agency's codification of the grants management common rule for which they are awarded funds Procedures are in place to ensure compliance with appropriate Procedures are in place to ensure compliance with OMB circulars A- requirements for each grant administered pursuant to grant 21, A-110 and A-133 award document and to requirements applicable to the grant under A-133 Compliance Supplement. Section 4 - Information and Communication 37 - Information 37.1 Information systems provide information to appropriate personnel so they can carry out their operating, reporting and compliance responsibilities Reports are adequate and contain sufficient and meaningful information 37.3 Mechanisms exist for identifying emerging information needs 37.4 An information technology plan has been developed that is linked to achieving the institution's objectives and the plan is modified as needed to meet new objectives Communication 38.1 Management clearly and effectively communicates employee's Currently the institution's Internal Control Officer is tasked with internal control and risk assessment duties and responsibilities evaluating internal controls and assessing risk with each transaction and these roles and responsibilities are uniformly understood cycle. A formal plan whereas risk is assessed and controls are evaluated and put in place to mitigate risk is being developed Communication channels exist for employees to effectively communicate up, down and across the institution Reports are provided to the appropriate personnel with the appropriate level of detail on a timely basis Procedures are in place to identify emerging technologies, establish priorities, and provide feedback on system performance. DIS 38.5 A clear communication channel is available to report suspected improprieties Personnel who report suspected improprieties are provided Addessed with all employees during orientation and annually in feedback and are immune from reprisals. compliance training Mechanisms are in place for employee's to recommend improvements Good employees suggestions are acknowledged by providing No tangible awards are given, although employees suggestions are incentives or other meaningful recognition. acknowleged by management informally Changes in objectives and strategies are communicated timely and effectively to all affected personnel. Annually in strategic plan Outside parties understand the institution's ethical and behavioral standards and expectations regarding dealings with Management is receptive to comments by internal and external auditors regarding control deficiencies or suggestions for process improvement. Appropriate actions are taken and Section 5 - Monitoring 39 - Monitoring 39.1 Management has established performance measures and receives reports of results against those measures Personnel responsible for reports are required to "sign-off" on their accuracy and integrity and are held accountable if errors are discovered In the event known control breakdowns or deficiencies, controls that should have prevented or detected problems are reassessed and modified as appropriate Controls most critical to mitigating high priority risks are evaluated with appropriate frequency Evaluations of internal controls are performed for major strategy changes, major acquisitions or dispositions, or operations and methods of processing financial information are 39.6 An appropriate level of documentation is developed to facilitate the understanding of how your internal control system works Employees are provided with sufficient control and compliance training sessions and feedback opportunities. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Personnel are held accountable, although no formal sign-off is documented on the report. Not considered necessary. Internal controls are evaluated annually This is included in UMMC's Internal Control Plan posted on the institution's website at: Annual Compliance Training and testing.

34 APPENDI C UNIVERSITY OF MISSISSIPPI MEDICAL CENTER INTERNAL CONTROL & RISK ASSESSMENT QUESTIONNAIRE (UPDATED DECEMBER 2012) # This control is implemented & operating effectively 39.8 Control deficiencies are identified by on-going monitoring activities Control deficiencies are identified during independent evaluations of internal control system Internal control deficiencies are reported to responsible person and their supervisor Policy is in place that explains what deficiencies should be reported to senior management, board and to control agencies Senior management ensures response to reported control deficiencies are followed up Audit and compliance reporting procedures are timely and effective. 1 - Strongly agree 2 - Agree 3 - Somewhat agree 4 - Somewhat disagree 5 - Strongly disagree Not Applicable - N/A Totals for Columns 1 through Totals for Columns 1 through 5 (multiplied by scale) Sum of scores in columns 1 through Total number of applicable questions 370 Risk Rating (Sum Total /Number of questions) Low Risk Moderate Risk High Risk Additional Comments

35 APPENDI D CONTROL ACTIVITIES - STUDENT TUITION AND FEES OBJECTIVES: The general objectives of the internal control system as it relates to Student Tuition and Fees are as follows: Stewardship - To ensure the assessment and collection of all tuition and fees charged to students Reporting - To ensure the proper and prompt recording of all tuition and fees collected Stewardship - To ensure refunds of excess financial aid are made to students. Compliance - To ensure compliance with federal, state, IHL or institutional laws, regulations or policies. CONTROL ACTIVITIES Type of Control Control Activity Control Objective Authorization Review and approval Segregation of Duties All charges for tuition, fees and insurance are added to the student's account prior to the beginning of the academic term; bills are ed on the last day of each month and due on the 15th day of the following month. Monthly billing statement is ed to the student's account Holds are placed on student accounts that are past due prohibiting student from receiving services. The collection and deposit preparation functions are segregated from the accounting functions, including general ledger and accounts receivable maintenance. To ensure the assessment and collection of all charges to students. To ensure the assessment and collection of all charges to students. To ensure the proper and prompt recording of all tuition and fees collected. 16

36 CONTROL ACTIVITIES - STUDENT TUITION AND FEES Type of Control Control Activity Control Objective Segregation of Duties Authorization Authorization Physical security over assets Physical security over assets Segregation of duties and Review and Approval Cash receipt functions are segregated from cash disbursement Receipts are issued to the student immediately for all payments of tuition and fees that reflect the amount and type of charge and student's account credited. Policies and procedures regarding billing, payments, financial aid payments to students and tuition refunds are in accordance with federal and state requirements and are communicated to students via handbook and All collections are required to be made payable to the UMMC. Checks are required to be strictly endorsed upon receipt Receipt logs and cash register readings are independently controlled, accounted for and compared to validated deposit documentation by an individual with no cash handling To ensure the proper and prompt recording of all tuition and fees collected. To ensure refunds of excess financial aid are made to students. To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected. To ensure compliance with all federal, state, IHL or institutional laws, regulations or policies To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected. Segregation of Duties NSF checks are delivered to someone independent of processing and recording of cash receipts. To ensure the proper and prompt recording of all tuition and fees collected.

37 CONTROL ACTIVITIES - STUDENT TUITION AND FEES Type of Control Control Activity Control Objective Physical security over assets Reconciliation Reconciliation Physical security over assets Physical security over assets Physical security over assets Physical security over assets Physical security over assets Reconciliation & Physical Security over Assets Review and approval & Physical Security over Assets Receipts are controlled by pre-numbered receipts if payments are made in person Receipts are accounted for and balanced to collections on a daily basis. Receipts and deposits are reconciled at least monthly with departmental ledgers. Deposits are transmitted in locked bank bags A secured and fireproof area exist for protecting cash receipts not yet deposited. Access to this area is restricted to authorized persons only. The secured area is locked when Cash receiving function is centralized to the extent possible Cashiers are prohibited from cashing personal checks Bank balances in excess of FDIC limit are adequately secured Cashier drawer is balanced on a daily basis Supervisors conduct periodic surprise cash drawer audits To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected.

38 CONTROL ACTIVITIES - STUDENT TUITION AND FEES Type of Control Control Activity Control Objective Segregation of Duties Physical security over assets Education, Training and Coaching; Physical Security over Assets Physical security over assets Student accounting staff are assigned SAP security classes based on responsibilities consistent with segregation of duties Cases of suspected fraud or theft are brought to the attention of Campus Police and/or Office of Integrity and Compliance immediately upon discovery. Employees are told during orientation and reminded each year during compliance training to report any suspicion of fraud or theft and are told a hotline number to call to report. Department is in compliance with the Payment Card Industry Data Security Standards addressing appropriate security measures needed in place to secure customer information (i.e., credit card numbers etc.) To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected. To ensure the proper and prompt recording of all tuition and fees collected. To ensure compliance with all federal, state, IHL or institutional laws, regulations or policies To ensure compliance with all federal, state, IHL or institutional laws, regulations or policies

39 CONTROL ACTIVITIES - PATIENT REVENUE OBJECTIVES: Stewardship - Provide accurate and timely billing, customer service, eligibility and collections to ensure optimal reimbursement on behalf of patients of the University of Mississippi Health Care Reporting - To ensure accurate and prompt recording of patient service charges and collections Compliance - To ensure compliance with applicable federal and state regulations, and institutional policies and procedures. CONTROL ACTIVITIES: Type of Control Control Activity Control Objective Authorization Education, training and coaching Authorization Physical security over assets Physical security over assets Segregation of duties Cash receipts are deposited to the bank on the same day received. The UMMC patient revenue department policy and procedure manual is provided to each employee with master copy maintained by the Manager of Patient Financial Services. Cash receipts are deposited to the bank on the same day received and reconciled by accounting All payments are required to be made payable to the UMMC or University Physicians. Cashiers stamp (endorse) checks immediately for deposit. Cash receipts and source documents are reconciled and balanced on a daily basis and reviewed and approved by manager. To ensure accurate and prompt recording of patient service charges and collections To ensure compliance with applicable federal and state regulations, and institutional policies and To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections

40 CONTROL ACTIVITIES - PATIENT REVENUE Type of Control Control Activity Control Objective Segregation of duties Segregation of duties Segregation of duties Review and approval Reconciliation Reconciliation Physical security over assets Each of the functions of patient billing, collection of patient bills, and accounting (recording in general ledger) are segregated. Disbursements are processed through account's payable after obtaining required approvals. Accounts payable and Patient Accounting separate different departments. A listing of returned checks is provided to Security Check (outside vendor) for follow-up. Patient receipts are pre-numbered and match to entry into system. Cash drawers are balanced at completion of shift and reconciled by Manager. Hospital Finance reconciles monthly with departmental ledger. Locked bank bags are picked up by armored carrier to deliver to bank daily. To ensure accurate and prompt recording of patient service charges and collections To provide accurate and timely billing, eligibility and collections to ensure optimal reimbursement on behalf of patience of the To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections

41 CONTROL ACTIVITIES - PATIENT REVENUE Type of Control Control Activity Control Objective Physical security over assets Authorization Physical security over assets Physical security over assets Reconciliation Physical security over assets Review and Approval Physical security over assets For the Health System, a fire-proof safe is located in RCM Office. Hospital payments are received from patients at central location in the University Hospital. Departmental policy prohibits cashing of personal checks. UMMC Accounting maintains treasury responsibilities and ensures that all state requirements are met regarding bank balances. Cash drawers are balanced at completion of shift and reconciled by Manager. Appropriate access to system is approved by manager. Once approved, the appropriate security/access is given based on person's responsibilities. All miscellaneous receipts are reviewed and entered by management level accounting / finance personnel. All employees are made aware of the Compliance Hot Line to call if they suspect any occurrence of fraud or theft. To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections To ensure accurate and prompt recording of patient service charges and collections To ensure compliance with applicable federal and state regulations, and institutional policies and

42 CONTROL ACTIVITIES - PATIENT REVENUE Type of Control Control Activity Control Objective Physical security over assets UMMC patient revenue cycle is PCI compliant. To ensure compliance with applicable federal and state regulations, and institutional policies and

43 OBJECTIVES: CONTROL ACTIVITIES - GRANTS AND CONTRACT ACCOUNTING Compliance - To ensure Federal awards are expended only for allowable activities and that the cost of goods and services charged to Federal awards are allocable and in accordance with applicable cost principles. Operational - To ensure draw down of Federal cash is only for valid and immediate needs Stewardship - To ensure proper records are maintained for equipment acquired with Federal awards, equipment is adequately safeguarded and maintained, disposition or encumbrances of any equipment or real property is in accordance with Federal requirements and that the Federal award agency is appropriately compensated for its share of any property sold or converted to non-federal use. Compliance - To ensure matching and effort requirements are met using only allowable funds or costs which are properly calculated and valued. Reporting - only valid financial transactions are recorded accurately and in compliance with grant agreement. CONTROL ACTIVITIES: Type of Control Control Activity Control Objective Segregation of duties and authorization Authorization; Review and approval Review and approval Review and approval Drawdown requests are prepared by Accountant II. Funds are drawn down via the internet by Accountant II or Assistant Comptroller. If the assistant comptroller draws funds, the Comptroller approves the transaction prior to the draw. Each grant award is assigned a specific account number in the accounting system to ensure proper tracking of expenditures. Grants and contract accounting reviews all expenditures and reports submitted to sponsors to document cost share and/or match to ensure they are not used on multiple expenditures are reviewed to ensure the expenditure is reasonable, allocable, consistently treated and allowable. Compliance and stewardship Compliance and Reporting Reporting Compliance

44 CONTROL ACTIVITIES - GRANTS AND CONTRACTS ACCOUNTING Type of Control Control Activity Control Objective Review and approval and reconciliation Review and approval Authorization Authorization and reporting Education, training and coaching Education, training and coaching Review and approval Written policy exists that establishes responsibility and provides the procedures for periodic monitoring, verification, and reporting of program progress and accomplishments. Tracking system reminds staff when reports are due. Supervisory review of reports are performed to assure accuracy and completeness of data included in reports. Accounting system schedules payments for accounts payable and requests for funds from Treasury to avoid time lapse between draw down of funds and actual disbursements of funds. Appropriate level of management is responsible for supervisory review of cash management activities. Compensation of employees is approved and monitored by human resources, which makes sure compensation is consistent with prevailing rates in the market-place based on the position. UMMC utilizes Personnel Activity Reports to document effort contributed by employees. Effort certification is required on a monthly basis for all employees working on federal and nonfederal sponsored projects. Although not required, teaching schedules, workload counts, or other documentation are used to substantiate the hours reported on the time and effort Procedure manuals are available to faculty and staff. Those responsible for monitoring grant awards are provided training by the Grants and Contracts Accounting Office. Procedures are in place to ensure compliance with OMB circulars A-21, A-110 and A-133 Management reviews and approves all financial reports before submission to grantor Reporting Operational Compliance Reporting and Compliance Compliance Compliance Reporting

45 CONTROL ACTIVITIES - GRANTS AND CONTRACTS ACCOUNTING Type of Control Control Activity Control Objective Reconciliation Education, training and coaching Review and Approval Review and Approval Physical security over assets Physical security over assets Financial activity is reconciled to the accounting system on a regular basis; reconciliations are reviewed Staff are trained on completing federal financial reports and allowable costs under the terms of the grant. Federally funded assets are identified in the fixed asset management system protégé by acquisition method. Any transfers or dispositions of equipment purchased form grants or contracts requires approval by grants and contracts accounting Property ID Tags are affixed to all equipment. The ID is in Protégé which accounts for the assets pay source, location, acquisition date, cost, condition and disposition data. 100% physical inventory of equipment is done annually in September & October. Reporting Compliance and Reporting Stewardship Stewardship Stewardship Stewardship

46 CONTROL ACTIVITIES - PAYROLL OBJECTIVES: Reporting - To ensure that the human resources function is separate from the payroll function Reporting - To ensure payroll payments are properly authorized Reporting - To ensure payroll payments are accurately calculated and recorded Reporting - To ensure payroll payments agree with time sheets submitted and approved Reporting - To ensure the correct withholdings and deductions are remitted timely. Compliance - To ensure payroll information is kept confidential CONTROL ACTIVITIES: Type of Control Control Activity Control Objective Segregation of duties Reconciliations Authorization Authorization Segregation of duties The duties of preparing personnel forms, entering payroll transactions, approving payroll entries and distributing checks are segregated Accounts are verified for correct payroll expenditures Documentation for approval of appointments, terminations and changes in status or pay grade of employee are obtained. timely preparation and submission of complete, authorized appointment and payroll documents Shift workers use of time clocks to record their time upon entering and leaving work Time is entered by authorized department personnel appointed by Department head. After time is entered and before payment, all time is verified by the employee's supervisor. To ensure human resources function is separate from payroll function To ensure payroll payments are accurately calculated and recorded To ensure payroll payments are properly authorized To ensure payroll payments are properly authorized To ensure payroll payments agree with time-sheets submitted and approved To ensure payroll payments are properly authorized; accurately calculated and recorded and agree with time sheets submitted and approved

47 CONTROL ACTIVITIES - PAYROLL Type of Control Control Activity Control Objective Authorization and segregation of duties Physical safeguard over assets Reconciliation Review and approval and management reconciliations Education, Training and Coaching Review and approval Personnel actions reports are prepared on all new employees by the department. PAR is approved by department head, budget office and Human resources before Human Resources adds the employee into the payroll system. System access controls are employed. Must be approved by department head and security access to system is assigned. Reconciliation of IRS reported income to payroll files management reviews reconciliations Training, knowledgeable staff and management review Time cards are completed and signed by hourly employees. Supervisor verifies accuracy and signs the time sheet. Supervisor submits time sheet directly to the person who enters the time into the Lawson system. To ensure payroll payments are properly authorized and the human resources and payroll functions are segregated. To ensure payroll information is kept confidential To ensure correct withholdings are remitted timely To ensure payroll payments are accurately calculated and recorded To ensure payroll payments are accurately calculated and recorded To ensure payroll payments are accurately calculated and recorded

48 OBJECTIVES: CONTROL ACTIVITIES - PURCHASING AND DISBURSEMENTS Strategic - To ensure the institution receives the highest quality goods and services for the best value to carry out its mission at the best value for the institution. Compliance - To ensure purchases are in accordance with State laws, regulations and procurement rules. Operational - To ensure only requested goods and services are accepted Reporting - To ensure that purchases and payments are properly authorized, executed and recorded. Operational - To ensure payments are for goods and services ordered and received Reporting - To ensure that goods and services are paid from the correct budget CONTROL ACTIVITIES Type of Control Control Activity Control Objective Education, training and coaching Education, training and coaching Purchasing officers must be familiar with State laws and regulations before they can purchase goods and services for UMMC, including the DFA Office of Purchasing and Travel Procurement Manual, Information Technology Services Procurement and Procedures Handbook, State Personnel Board Policy and Procedures Manual and the Personal Service Contract Procurement regulations. During initial training all buyers are made aware of penalties associated with improper and fraudulent purchases cited in Mississippi Code Annotated (1972) Section and through initial training. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules.

49 CONTROL ACTIVITIES - PURCHASING AND DISBURSEMENTS Type of Control Control Activity Control Objective Education, training and coaching Authorization Education, training and coaching Review and approval Authorization. Education, training and coaching. Review and approval Authorization All buyers and managers of the Purchasing Department are members of MAGPPA to keep current with laws and regulations and educate on the best practices for purchasing agents. Procurement is centralized within the institution. All employees are required to read the UMMC Code of Conduct upon employment. The Code of Conduct includes principles of conflicts of interest and the acceptance of gratuities. Purchasing officers are made aware of the ethics section of the Procurement Manual through on the job training. Purchases are reviewed to prevent splitting of purchase orders made to avoid solicitation of bids or advertising for bids. Employees are told that if purchases are made without valid and approved purchase order (when one is required by law or regulations), it is not an obligation of the State. Open purchase orders are periodically reviewed to determine if they should be adjusted or closed. Purchase orders are submitted to be paid out of funds appropriated for current fiscal year by June 30th. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules. To ensure UMMC receives the highest quality goods and services for the best value in order to carry out To ensure purchases and payments are properly authorized, executed and recorded. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules. To ensure that payments are made for goods and services ordered and received. To ensure that goods and services are paid from correct budget

50 CONTROL ACTIVITIES - PURCHASING AND DISBURSEMENTS Type of Control Control Activity Control Objective Review and approval Authorization Education, training and coaching Authorization Authorization Segregation of duties Review and approval Review and approval Accounting and purchasing office reviews purchase orders to ensure proper expenditure object codes and account numbers are used. A purchase order cannot be issued unless the vendor has a valid vendor number in the system. Purchasing staff are urged to consolidate orders in order to take advantage of quantity discounts. Procedures are in place to insure budget authority exists prior to solicitation for procurement. UMMC uses CATALYST, CAS and INS, all of which require authorized "requesters" who are authorized to request goods and services for their areas. purchasing, receiving and payment of goods and services are conducted by separate departments. Information pertaining to the results of any bid are open to be reviewed on the premises in accordance with Section of the DFA Office of Purchasing and Travel Procurement Manual and the institutions open records Claims of damaged goods in shipment are promptly reported to supply chain. To ensure purchases and payments are properly authorized, executed and recorded. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules. To ensure UMMC receives the highest quality goods and services for the best value in order to carry out To ensure that goods and services are paid from correct budget To ensure purchases and payments are properly authorized, executed and recorded. To ensure purchases and payments are properly authorized, executed and recorded. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules. To ensure UMMC receives the highest quality goods and services for the best value in order to carry out

51 CONTROL ACTIVITIES - PURCHASING AND DISBURSEMENTS Type of Control Control Activity Control Objective Segregation of duties Performance planning and evaluation Education, training and coaching Review and approval Review and approval Review and approval Security profiles (i.e., classes) are assigned based on responsibilities and are consistent with segregation of duties. A summary memo regarding the soundness of the internal controls over the purchasing function is included in the institution's internal control plan. Purchasing staff are made aware of the legal definition of an emergency as set forth in Section (f) of the Mississippi Code. Before an emergency purchase is declared, it is determined that the emergency which necessitates the purchase meets the legal Documentation of the emergency purchase, including a description and price of the goods or services purchased, and nature of the emergency is submitted to the IHL Board and placed on its minutes. When an emergency purchase is made the Supply Chain files with DFA a statement explaining the conditions and circumstances of the emergency which details a description of the events leading up to the situation and the negative impact to the entity if the purchase was made following the statutory purchasing requirements. A certified copy of the minutes of the IHL Board meeting is also filed (if Supply Chain staff are asked to seek competition even for emergency purchases. To ensure purchases and payments are properly authorized, executed and recorded. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules. To ensure UMMC receives the highest quality goods and services for the best value in order to carry out

52 CONTROL ACTIVITIES - PURCHASING AND DISBURSEMENTS Type of Control Control Activity Control Objective Authorization Review and approval Segregation of duties Segregation of duties Segregation of duties Segregation of duties Review and Approval Review and Approval UMMC has developed an emergency purchasing plan should a disaster occur. The plan includes critical medical devices; which are not sourced via State contract. The majority of these acquisitions are sourced via different contracting options. The plan also includes all necessary contact information, both internal and Emergency purchases of information technology equipment, software or services are submitted to ITS on the ITS Emergency Purchase Form. Those responsible for initiating purchase requests are separate from approval and from those who record the transactions Invoice processing and accounts payable functions are adequately segregated from general ledger functions. Responsibilities for requisitioning, purchasing, receiving and payment are separated into their own departments Receiving department records receipt of goods in the system and forwards any receiving report to accounts payable. Purchases can only be authorized by those the designated with the department head or signature authority over the department/account. Furniture and equipment must be tagged by property control before payment can be released by Accounts Payable. Receipt of all goods or services require approval by requestor before payment to vendor can be released. To ensure UMMC receives the highest quality goods and services for the best value in order to carry out its mission. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules. To ensure purchases and payments are properly authorized, executed and recorded To ensure purchases and payments are properly authorized, executed and recorded. To ensure purchases and payments are properly authorized, executed and recorded. To ensure purchases and payments are properly authorized, executed and recorded. To ensure purchases and payments are properly authorized, executed and recorded. To ensure payment is for goods and services ordered and received.

53 CONTROL ACTIVITIES - PURCHASING AND DISBURSEMENTS Type of Control Control Activity Control Objective Review and approval Review and approval Any changes in amount of a purchase orders require the same approvals as the original purchase order. Invoices are reviewed are matched with a valid purchase order and sent directly to accounts payable who verifies all supporting documentation (e.g., receiving report) for pay To ensure purchases and payments are properly authorized, executed and recorded. To ensure payment is for goods and services ordered and received. To ensure purchases and payments are properly authorized, executed and recorded. Authorization Quotes received are maintained by purchasing To ensure UMMC receives the highest quality goods and services for the best value in order to carry out Reconciliation Physical security over assets Review and approval Invoice numbers are recorded on payment vouchers to ensure duplicate payments are not made. Purchase requisitions, vouchers, invoices, receiving reports and any related paper work for payment are scanned into Legato (imaging software) and kept for several years. Meets State record retention regulations. Invoices are reviewed and interest is calculated and added to payments more than 45 days beyond the receipt of goods or services. A Notice of Interest (example shown in Section 7.0) will be sent to the department advising that an invoice has been paid after the time period allowed by law. The department will be given the opportunity to provide a valid dispute. If the department fails to provide a valid dispute, the vendor will be paid a late-payment interest charge according to law. To ensure payment is for goods and services ordered and received. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules. To ensure purchases are in accordance with applicable State laws, regulations and procurement rules.

54 CONTROL ACTIVITIES - PURCHASING AND DISBURSEMENTS Type of Control Control Activity Control Objective Review and approval Review and approval All purchase request must be approved and signed by the department head, budget officer, accounting for funds availability, grants and contracts if from a grant account and general accounting for proper account coding and appropriateness of expenditure All vendor invoices are received in one central location To ensure purchases and payments are properly authorized, executed and recorded. To ensure purchases and payments are properly authorized, executed and recorded.

55 CONTROL ACTIVITIES - PROPERTY CONTROL OBJECTIVES: Strategic - To ensure all property acquisitions, transfers, deletions or adjustments are accurately accounted for and recorded in the proper period. Operational - To ensure a clear audit trail exists on all fixed asset purchases transactions Compliance - To ensure all Federal and State laws and regulations, and IHL and institutional policies and procedures are followed regarding additions, transfers, deletions or other adjustments to property. Operational - To ensure proper segregation of duties between recording of fixed assets in the asset management system and the purchasing and disposal of fixed assets. Stewardship - To ensure all property is adequately safeguarded CONTROL ACTIVITIES: Type of Control Control Activity Control Objective Authorization Review and Approval Physical Security Over Assets Each department head appoints a property officer, who is approved by the UMMC Property Control Department, to account for their equipment. Property Control grants property officer access to the asset management system Protégé to manage their inventory. All furniture and equipment to be capitalized are tagged with number by the Property Control Department and added to inventory before invoice can be paid. Daily reports showing equipment awaiting inspection and tagging are generated and reviewed by Property Control. All department property officers are required to perform annual self-audit of their equipment inventory and submit results to the Property Control Department. To ensure all property is adequately safeguarded To ensure all acquisitions are accurately accounted for and recorded in the proper period. To ensure State laws and regulations and institutional policies and procedures are followed regarding additions, transfers, deletions or other To ensure all property is adequately safeguarded

56 CONTROL ACTIVITIES - PROPERTY CONTROL Type of Control Control Activity Control Objective Reconciliation Physical Security over Assets Education, Training and Coaching Segregation of Duties Costs for purchased items and FMV for donated items are recorded on the general ledger and reconciled to property control records. Items reported missing during annual physical inventory require an affidavit with the information as to why the item is missing (disposal, transfer or theft). The affidavit is to be sent to Campus Policies within 30 days of notice of missing. Theft is reported to Campus Police immediately upon notice of the item Property Control Office Policy and Procedure Manual is posted on the Property Control webpage on the UMMC intranet. Purchase orders are issued for equipment and other capital assets. Invoices are paid by accounting with appropriate documentation of receiving reports issued by receiving. A list of all equipment paid is provided to property control on a monthly basis for property control personnel for proper tagging of all equipment items. Property officers are assigned for all departments on campus that inventory the equipment on hand in their department. At any given time. The property officer can pull a list of their departmental inventory in protégé. There is separation of duties between the dept, accounting, receiving and property control. No assets are purchased or disposed of without this documentation. Property Control maintains the property records and reconciles them to the accounting general ledger and makes appropriate corrections as necessary. To ensure all acquisitions are accurately accounted for and recorded in the proper period. To ensure all property is adequately safeguarded Communicate policies and procedures are communicated to staff and documented in writing Ensure proper segregation of duties between recording of fixed assets in the fixed asset system and the purchase and disposal of fixed assets.

57 CONTROL ACTIVITIES - PROPERTY CONTROL Type of Control Control Activity Control Objective Review and Approval Education, Training and Coaching Education, Training and Coaching Review and Approval Review and Approval Review and Approval Inventory statements are prepared by Property Control and are sent to the State Auditor's Office on the 15th of every month showing any additions and deletions from inventory. These reports are also provided to the CFO, Comptroller and Assistant Comptroller for The UMMC Code of Conduct addresses the fiduciary duty employees have when it comes to UMMC property provided for their use. This is presented to new employees during orientation and required to be read annually by all employees during annual compliance training All employees must read the UMMC Code of Conduct which includes the statement "All employees are expected to refrain from converting assets of the organization to personal use employees are prohibited from the unauthorized use or taking of UMMC equipment, supplies, materials or services. Obsolete items are transferred to surplus All purchases are approved by general accounting, budget office, grant accounting (if applicable) to make sure item is in accordance with State law. Non-capitalized property is accounted for under separate object (expense) code, placed on the purchase request by the department and approved by accounting. A Donated Equipment Form is required to be completed by the department who is receiving the donated equipment. The form is routed for approval by department head, accounting, finance and budget before being sent to accounting for accounting personnel to post to the general ledger to record the donated To ensure State laws and regulations and institutional policies and procedures are followed regarding additions, transfers, deletions or other To ensure all property is adequately safeguarded To ensure all property is adequately safeguarded To ensure State laws and regulations and institutional policies and procedures are followed regarding additions, transfers, deletions or other To ensure all acquisitions are accurately accounted for and recorded in the proper period. To ensure all acquisitions are accurately accounted for and recorded in the proper period.

58 CONTROL ACTIVITIES - PROPERTY CONTROL Type of Control Control Activity Control Objective Physical Security Over Assets (documents) Review and Approval Review and Approval Review and Approval Review and Approval Review and Approval Review and Approval All source documents are attached to the original purchase request and scanned and imaged into the institution's imaging software Purchasing, Accounting and Property Control all review transactions to make sure the appropriate object code (expense account) is charged for items that should be added to property inventory. The acquisition cost is entered into the fixed asset management system (Protégé) by Property Control Department, based on the acquisition cost on the purchase order. Property control enters the useful live of equipment in accordance with DFA Capital Asset Reporting guidelines. Cost, date and useful life are recorded in accordance with AHA guidelines for Hospital fixed assets. Departments are in charge of managing their equipment. Any changes in the status of equipment is submitted to the Property Control office and properly reflected in the Protégé asset management software application. Disposals must be approved by the UMMC Salvage Committee prior to disposal. Department property officers who determine items are obsolete or non functional submit an internal transfer request through the Protégé asset management application to UMMC Surplus Property, who receives notice and comes and picks up the items from the department, removes the tag, and places in surplus. These items are taken off the To ensure a clear audit trail exists for all fixed asset purchases. To ensure all property acquisitions, deletions or transfers are accurately accounted for and recorded in the proper period. To ensure all property acquisitions, deletions or transfers are accurately accounted for and recorded in the proper period. To ensure all property acquisitions, deletions or transfers are accurately accounted for and recorded in the proper period. To ensure all property acquisitions, deletions or transfers are accurately accounted for and recorded in the proper period. To ensure all property acquisitions, deletions or transfers are accurately accounted for and recorded in the proper period. To ensure all property acquisitions, deletions or transfers are accurately accounted for and recorded in the proper period.

59 CONTROL ACTIVITIES - PROPERTY CONTROL Type of Control Control Activity Control Objective Authorization Review and Approval Review and Approval Review and Approval Any transfers occur interdepartmental within the institution. The department transferring the equipment must initiate a transfer in the Protégé asset management system, and must be accepted by the receiving department before the asset can be transferred. There are no interagency transfers. Affidavits are required to be completed and signed by the department and reported to campus police on all lost or stolen property. All assets purchased from grants must be approved by grants and contracts accounting, which follow federal and state rules and regulations and grant/contract agreement stipulations. Any disposal of equipment purchased with grant funds must be approved by grants and contracts accounting. To ensure all property acquisitions, deletions or transfers are accurately accounted for and recorded in the proper period. To ensure all property is adequately safeguarded To ensure Federal and State laws and regulations and institutional policies and procedures are followed regarding additions, transfers, deletions or other adjustments to property. To ensure Federal and State laws and regulations and institutional policies and procedures are followed regarding additions, transfers, deletions or other adjustments to property.

60 CONTROL ACTIVITIES - FINANCIAL AID OBJECTIVES: Strategic - To ensure adequate and timely aid to students while complying with federal and state laws and regulations, and institutional policy. Operational - To ensure students are knowledgeable about financial aid policy Compliance - To ensure compliance with federal and state rules and regulations. Reporting - To ensure data reported to entities is accurate and timely CONTROL ACTIVITIES: Type of Control Control Activity Control Objective Review and Approval The student financial aid system generates electronic award notices, which direct students to access their accounts to view awards To ensure adequate and timely aid to students and compliance with federal and state laws and regulations. Education, training and Coaching Policies and procedures are posted on the Student financial services/financial aid website. Ensure students are knowledgeable about financial aid policy Education, Training and Coaching Review and Approval Financial Aid office provides well trained and professional supervision and staff equipped with appropriate resources The financial aid system (SAP) has rules built in to award only to students who are eligible To ensure adequate and timely aid to students and compliance with federal and state laws and regulations. To ensure adequate and timely aid to students and compliance with federal and state laws and regulations. To ensure compliance with federal and state rules and regulations

61 CONTROL ACTIVITIES - FINANCIAL AID Type of Control Control Activity Control Objective Review and Approval SAP System ensures Student Aid Reports (SARs) are loaded correctly and that all flags from DOE are identified appropriately To ensure adequate and timely aid to students and compliance with federal and state laws and regulations. Operational Rules are built into the system (SAP and ProSam software programs) to determine what types of aid a student is eligible for, and to ensure that the student's financial aid package is correct. To ensure adequate and timely aid to students and compliance with federal and state laws and regulations. Review and Approval Student Aid Reports are reviewed To ensure adequate and timely aid to students and compliance with federal and state laws and regulations. Review and Approval Data entered into the system is reviewed by someone other than the person entering the data To ensure adequate and timely aid to students and compliance with federal and state laws and regulations. Review and Approval System access is restricted based on job duties To ensure data is kept confidential within SAP Segregation of Duties Financial Aid Office awards. The Student Accounting Manager (separate) determines amounts to be drawn from the federal government for disbursement to the school and then to student. To ensure adequate and timely aid to students and compliance with federal and state laws and regulations. Education, training and coaching Financial aid staff are provided with professional development opportunities To ensure adequate and timely aid to students and compliance with federal and state laws and regulations.

62 CONTROL ACTIVITIES - FINANCIAL AID Type of Control Control Activity Control Objective Physical security over assets Students who expect to receive financial aid are required to sign up for direct deposit To ensure adequate and timely aid to students and compliance with federal and state laws and regulations. Reconciliatin An accountant in the Financial Aid office reconciles To ensure adequate and the accounts on a monthly basis. Director of timely aid to students and Financial Aid works with Student Accounting compliance with federal Manager at the end of the year to close out accounts. and state laws and regulations.

63 APPENDI E Information System Applications Software Name Software Description System Type Software Type ACT01 Online Accounting System General Accounting MainFrame IDMS Administration Emergency Response Plan Travel Desktop App APP Appropriations Accounting System General Accounting MainFrame Batch Bookstore Cash Register Receipts Server Budget Purchasi Accounting Software General Accounting Server Novell BudgetAdvisor Budget Reporting General Accounting Enterprise App CAS SEC01 CAS UMC Security Purchases MainFrame App CASCAP CAP Application Suite Disbursements MainFrame IDMS CASCPRD CPRD Application Suite Purchases MainFrame IDMS CASCPRO CPRO Application Suite Purchases MainFrame IDMS CASCPRS CPRS Application Suite Disbursements MainFrame IDMS CASCPRV CPRV Application Suite Purchases MainFrame IDMS CPSI_Lex Dell server Receipts Server FAS01 Financial Aid System General Accounting MainFrame IDMS HearForm Patient Tracking & Sales General Accounting Server Windows IPS IPS Receipts MainFrame Batch KRONOS Timecard batch Payroll Server Windows Kronos (Time Clo Gathers Data that is punched into time clocks Payroll Server Windows LAWSON Lawson both LID and Web Portal Payroll Server AI Lawson (Server D Novell File Server Payroll Server Novell LEA01 LEA01 Disbursements MainFrame IDMS Legato Scanning General Accounting Server Windows M_PHABILL Meditech Billing General Accounting MainFrame Batch RPM_Receivable RPM_Receivable General Accounting Server Windows SMS_EAD SMS EAD Database General Accounting Mainframe SMS_SIG Provider Billing System Receipts MainFrame App SMSSIG_Payer_C Provider Billing Claims Processing Receipts MainFrame App SMSSIG_Payer_R Provider Billing Remit Process Receipts MainFrame App SSI (Pat Accts) SSI (Pat Accts) Receipts Server Windows TOSSER Applications Secure FTP Utility General Accounting UNI *IDMS Integrated Data Management System (IBM Mainframe).