I. Roles and Responsibilitites

The Chancellor has delegated the accountability for financial management of UCR's resources to organizational entities on campus. Each entity is accountable for managing its own financial resources. The Entity Head (EH) will normally delegate the overall financial management responsibility to a Financial Manager, (FM). The FM is responsible for developing an appropriate structure for managing the entity's financial resources. This includes delegating a variety of tasks to employees within the entity and operating an Accountability Structure that adheres to the following principles and responsibilities: The EH or FM is responsible for ensuring proper performance of the tasks. An employee cannot delegate greater authority than they have. Tasks shall only be delegated to qualified employees. A Systems Access Administrator (SAA) is responsible for maintaining a secure, updated record of the delegations and modifications made. Transactors are assigned to process on-line financial transactions within their delegated authority. Reviewers are assigned to review financial transactions on a post audit basis to ensure that each transaction is appropriate and complies with policies, regulations, and any other requirements. Inquirers are authorized to view transactions for University business purposes on a read-only basis. The EH or FM should ensure that professional standards of integrity are adhered to by all employees within the Accountability Structure. The EH or FM shall monitor the effectiveness of the Accountability Structure and initiate any modifications or improvements as necessary. All employees engaged in any financial-related activity must be cognizant of their respective roles in ensuring that adequate data controls are in place for those activities, and if not, must take an active part in assuring that necessary corrective measures are taken.   Entity Head or Financial Manager The EH or FM is responsible for ensuring the effectiveness and integrity of the Accountability Structure by: Delegating roles within the Accountability Structure to trained and qualified employees. A trained, qualified employee is one who: has the appropriate knowledge, experience and technical skills to perform the assigned tasks has completed the required training to fulfill the assigned tasks successfully fully understands what is expected of him/her knows whom to contact or what action to take if problems arise does not have conflicting duties Establishing a reasonable distribution of workload in accordance with the available resources. Ensuring that all employees be informed and trained for their assigned tasks. Continually monitoring the effectiveness of the Accountability Structure. Systems Access Administrator (SAA) An SAA is not a job classification title; it is an assignment of function and responsibility. The SAA could be the current MSO, MSS or any other employee with the appropriate training and delegated authority. Under the direction of the EH or FM, the SAA controls access to financial system applications by: Establishing a user profile for employees designated as Transactors, Reviewers and Inquirers. Ensuring that these employees have valid Logon-IDs on the financial system, issued by Computing and Communications before granting access to financial applications. Maintaining an updated secure file of the Accountability Structure delegations. Ensuring that the roles and responsibilities that form the Accountability Structure are being accomplished. Ensuring that a back-up SAA is available to perform the duties of the primary SAA in his/her absence. An e-mail message will be sent to the SAA, Process Owner, Internal Audit and the Office of Financial Control and Accountability in the event that a transaction was processed with no assigned reviewer or the Transactor is the only Reviewer. An SAA cannot self-assign (i.e. cannot set themselves up as a Transactor or Reviewer) or re-delegate their duties to another employee (only the EH or FM may assign another SAA). A back-up SAA is required and is responsible for: Performing the duties of the primary SAA in his/her absence Setting up the primary SAA as a Transactor and/or Reviewer as directed by the EH or FM Notifying the primary SAA of any changes initiated in the Accountability Structure. Transactor The Transactor is given authority by the EH or FM to process budgetary and financial transactions for which he/she is qualified. A Transactor may be authorized to process transactions for more than one entity and/or for more than one financial application. Transactors are empowered to perform their duties and are accountable for the accuracy and completeness of budgetary and financial data. The Transactor must understand all relevant policies and regulatory requirements as well as the purpose of each transaction since these will be processed directly into the financial system without additional authorization. The Transactor responsibilities include: Gathering the supporting transactional information. Applying relevant policies, meeting regulatory requirements and considering the appropriateness of the transaction to be processed. Entering complete and accurate data including the assignment of appropriate FAU (i.e., Account/Fund) distributions. Entering an accurate and thorough explanation of each transaction. Resolving questions during the preparation of a transaction as a result of online edits and related error messages. Completing the transaction and updating the financial system. Providing additional information and/or supporting transactional documentation requested by the Reviewer. Reversing and correcting any erroneous transactions. Notifying the SAA of work absence so that an authorized Back-up Transactor may be set up and assigned. Notifying the SAA upon return from absence. The Transactor is not authorized to enter into "self-dealing" transactions (e.g. disburse funds to themselves). In these instances, a different Transactor will be required. Reviewer: The Reviewer is given authority by the EH or FM to review budgetary and financial transactions for which he/she is qualified. A Reviewer can be an organizational subordinate of the Transactor, and a Reviewer may not review transactions he/she has initiated and processed as a Transactor. Reviewers may be authorized to review more than one type of transaction and may be authorized and set up within a single department or within an administrative cluster or through other organizational arrangement as follows: Initially set up as Primary Reviewer for each application with at least one authorized Back-up Reviewer who can be automatically set up by the SAA, without additional documentation, in the event the Primary Reviewer is unable to perform the review function. Subsequently set up a Back-up Reviewer as directed and documented (e-mail or in writing) by the EH or FM when the Primary Reviewer is not available to perform the review function and a Back-up Reviewer was not originally authorized and set up. If the SAA and FM are the same employee, then no documentation is required. In exceptional situations where the above may not be most efficient, multiple Reviewers may be set up for an application. Although only one Reviewer is required to review a particular transaction for a specific application, all the Reviewers set up for that application will be responsible and held accountable for reviewing the transaction. Departments may not establish multiple Reviewers for an application to match Reviewers with Transactors (i.e. Reviewer 1 reviews only transactions processed by Transactor 1, Reviewer 2 reviews Transactor 2, etc.). Post Audit Notification (PAN) provides a mechanism where transactions prepared and entered by Transactors are available in the financial system for subsequent review by the Reviewer. On a post audit basis, the Reviewer's examination should include for: overall appropriateness completeness accuracy compliance with policies, regulations, and other requirements The Reviewer must perform a timely review (within 2 business days), since the transactions have already been posted to the financial system and audit file. A Reviewer is responsible for: Ensuring that his or her questions raised as to the validity of a transaction are either resolved within 2 business days of the transaction date or the Transactor reverses (via a reversing entry) the transaction. Notifying the SAA of work absence so that an authorized Back-up Reviewer may be set up and assigned. Notifying the SAA upon return from absence. Transactions for review are available in the financial system. During the review, the following actions may be taken: Concurrence - Review marked as completed and notice removed from review log Pending - Additional information needed from the Transactor Correction - Transactor notified to correct the Transaction. If transactions are not marked as "Review Completed" within 2 business days of the transaction date, the PAN automatically informs, via an E-mail message, the SAA's (Primary and Back-up) that reviews are not being completed in a timely manner. If transactions are not marked as "Review Completed" within 5 business days of the transaction date, the PAN automatically informs, via an E-mail message, the SAA's (Primary and Back-up), Process Owner, Internal Audit and the Office of Financial Control and Accountability that reviews have not been completed within that time period. Inquirer: The Inquirer is given authority by the entity head or FM to view transactions on a read-only basis and only for University business purposes and in compliance with Privacy laws. All EH's and FM's should be set up as Inquirers to enable them to perform their monitoring functions. SAA's, Transactors and Reviewers, because of their assigned duties also have inquiry capability.

II. Accountability Performance Expectations

Accountability Structure Financial control and accountability is predominately rendered by individuals within the authorized Accountability Structure. The Transactor role is most critical because he/she must ensure that each financial transaction is complete, accurate, and appropriate. This requires that the Transactor understands all relevant policies and regulatory requirements, as well as the purpose of each financial transaction. When the roles and responsibilities that form the Accountability Structure are not being accomplished, management will take action that ensures these roles and responsibilities are being performed. Depending on the circumstances, this action can include providing consultation, additional training opportunities, or other assistance. Action may also include reconstructing the Accountability Structure. This reconstruction can occur, resources permitting, within a single department or within an administrative cluster or through other organizational arrangements. User Access Privilege Access to the various financial application means that a user has been given the privilege to use the system to conduct University financial business. This privilege is established by the FM/SAA after a user signs the Computer Security/Use Agreement and agrees to use the system in accordance with the Financial Accountability Policy. This privilege is on condition that a user obtains application and financial accountability training at the first available opportunity. A user's ability to operate the system in accordance with policies and procedures will be monitored. To eliminate a risk or threat to the University's financial resources, it may be necessary to immediately suspend a user's access privilege when irregularities are detected. The application/data owner, in consultation with other appropriate parties, may suspend or reinstate a user's access privilege. Access privilege can be denied, suspended, or permanently revoked when it is determined that a user is incapable of complying with or disregards or circumvents policies and procedures. User Access Security The conscientious management and implementation of the Data Integrity Policies is a key element of this new financial control environment. Populated with a variety of data and sensitivity levels, password-guarded networks contain a wealth of information, relying for their security on the safe practices of each user. While this structure presents obvious collaborative advantages and facilitates access to information, it is also vulnerable to intrusion. Because the threats of unauthorized access are real and pressing, access security, in the form of training, awareness and password integrity is a critical element for all computer users. Adopting and abiding by the Data Integrity Policies has become a vital and shared campus responsibility. Access privilege can be denied, suspended, or permanently revoked when it is determined that a user is incapable of complying with or disregards or circumvents policies with regards to Data Integrity.

Ethical Issues

Entity Heads or FMs should ensure that professional standards of integrity are adhered to by all employees within the Accountability Structure. Management must demonstrate control consciousness and a genuine interest and concern for internal controls that should be further conveyed to all employees. They must set a tone that encourages and supports employees contacting the appropriate officials or offices when suspicious of irregularities. Operating personnel should be made aware that they have stewardship responsibility for safeguarding University assets under their purview. A number of features of the UCRFS (e.g. distributed authority to enter transactions, "real-time" based system, reviews done after the fact (post audit), non-hierarchical review, etc.) may bring about higher risks of misuse and abuse of the system. The front line of defense within the UCRFS is the accountability and alertness of its users. Employees' responsibilities to address these issues are as follows: In cases wherein the Reviewer reports directly or indirectly to the Transactor, the Reviewer is given the authority to question and examine any transaction initiated by the Transactor. Employees must be aware of who to contact, or what action to take in situations where a person of higher authority is attempting to override compliance with policies or mandatory guidelines. The employees must use their professional judgment in determining the appropriate superiors or offices to report to. These include, but are not limited to: Employee's Immediate Supervisor Entity Head or Financial Manager Appropriate Dean's or Vice Chancellor's Office Office of Financial Control and Accountability Accounting Office Internal Audit Campus Ombudsman Human Resources - Labor Relations Campus Police All employees have the responsibility to report any improper activity, as defined in the "Reporting of Improper Governmental Activities Act" in accordance with the "Whistleblower" policy. Any employee may not directly or indirectly use or attempt to use the official authority or influence of his or her position of office for the purpose of interfering with the right of another employee to file a report as described above. When a known or suspected misuse or misappropriation of resources by an employee is reported, investigative procedures in accordance with UC Business and Finance Bulletin G-29 may be performed.