Financial Regulations Contents:

• A. General
• B. Financial Control
• C. Financial Management
• D. Income
• E. Expenditure
• F. Assets
• G. Other Regulations
• A-Z Index
• Guide to the Finance Office
• Financial Procedures
• Financial Policies
• Executive Policy Statements
• Appendices

FINANCIAL REGULATIONS: Financial Procedures

• PR1 Administration of Research Projects – Balances on Projects
• PR2 Handling Money & Cash in Transit
• PR3 Major Capital Projects – Financial Approval Process
• PR4 Major Capital Grants
• PR5 Recording and Disposing of Equipment and the Maintenance of Asset Registers
• PR6 Academic Consultancy
• PR7 Credit and Debit Card Transaction Procedures
  

PROCEDURE PR1

Administration of Research Projects
(This procedure is effective from 1April 2006, the start of full economic costing).

BALANCES ON PROJECTS

This section deals with research projects that have officially terminated but where balances still remain.

1 Debit Balances

Some of the reasons why debit balances arise are detailed below, together with the new treatments.

1. Costs which cannot be recovered from the sponsor but which have been incorrectly charged to the project code. For example, costs classed by the sponsor as inadmissible; costs incurred after the end date of the project; overspends .
   
   Six months and three months before a project is due to finish, the Research Support & Funding office (RSF) will send the Principal Investigator (PI) a statement showing expenditure versus budget. A copy of this will be sent to the Faculty Research Support Administrator or equivalent (RSA), and to Human Resources (if staff are paid from the project) for information. Before preparation of final expenditure statements (by the RSF) written confirmation of the required action needed to clear the project will be sent by the RSF to the PI and the RSA. Action should be taken on this by the faculty as soon as possible. The eventual financial position will only be known once final income has been received from the funder (this may take several months or in extreme cases up to a year). Any items of expenditure still outstanding at this point will be brought to the attention of both the PI and the RSA. If, after one month, action has not been taken to clear the items, the RSF will send a written reminder to the RSA (copy to the PI). If the items remain on the project after a further two weeks the RSF is authorised to transfer the amounts to the  Operating Budget in the PI’s Department. The Department will be notified of this, and it will be the Department's responsibility to decide whether the costs can legitimately be moved to another code.

2. Staff costs continue to be charged after the official end date of the project. For research staff, the RSF will contact the PI, RSA, and appropriate HR Manager for advice.
   In the case of technical and clerical staff, the RSF will contact the RSA and PI requesting a different code in order to transfer the costs. If there is no response within one month, the RSF will send a written reminder giving two more weeks. If there is no response at the end of that period, the cost will be moved to the Department's Operating Budget, with notification to the Department .

2 Credit Balances

1. Refundable to sponsor (e.g. charities)
   
   When the project ends, the RSF will write to the Principal Investigator (copy to RSA) stating the balance on the account and asking whether all valid expenditure has been processed. Two months will be allowed as a response time. At the end of the two months a reminder will be sent, again stating the balance. A further two weeks will be allowed before the refund is processed.
   
   
2. Surpluses (Fixed Price Contracts) and exchange gains
   
   
3. Post fEC, surpluses on Fixed Price Contracts will only occur where an element of profit has been built in to the agreed price, over and above the full cost of the research as calculated by pFACT. An adequate amount of academic staff time must be costed in as well as the correct level of indirect and estates costs. The treatments set out below will only apply where all contractual obligations have been satisfied and overheads (ie indirect, estates, and academic staff costs) have been taken to budget
• Balance <£1,000: RSA to decide which account the surplus should be moved to (e.g. Operating Budget Account, Principal Investigator’s “Personal Account”).
• Balance £1,000 - £5,000: PI to submit proposal to RSF, via Head of Department, stating how the funds will be spent. For amounts in this bracket, the surplus should normally be used within one year.
• >£5,000: PI to submit proposal, including a full budget breakdown, to Dean of Faculty, via Head of Department. If approved by the Dean, the proposal is to be submitted to the RSF and from there to the Director of Finance for final approval.

Note: Projects which have been authorised by the Dean to be accepted at below the full economic cost, cannot treat savings on the direct costs as a credit to be taken. Any unspent direct costs should first be taken to reduce the project deficit on the full cost.

Exchange Losses and Gains

These can occur when dealing with income in any foreign currency. The University submits invoices or claims in sterling, which are then converted to the foreign currency by the sponsor who subsequently remits foreign currency, which is then converted back to sterling at a different rate. Substantial exchange losses and gains have occurred in this way on contracts between the University and the European Commission. The University recognises that such losses or gains are outside the control of the Department undertaking the project and does not wish to deter academic staff from participating in European and other overseas funded research. Therefore the fairest way to manage this is to take all losses and gains which occur as a result of exchange rates to each department's overhead account.

PROCEDURE PR2

Instructions for Handling Money and Security Precautions for Cash in Transit

The University has a duty to ensure that all receipts are recorded properly, promptly and in full. The procedures set out below are to be regarded as standard practice. Any deviations should be undertaken only with appropriate authority.

The over-riding principle is that there should be a segregation of duties between the collection of cash and the verification of income received (e.g. a supervisor should check the total taken through a till against the till reading). Where this is not possible, two people working together should be responsible for receiving cash (e.g. collecting launderette takings).

“Money” refers to cheques and cash. “Cash” means notes and coins.

Money received in School/Department Offices

Requests to customers for payments should indicate that cheques are to be sent directly to the University Cashier’s Office (rather than to the School or Department). Please inform the Cashier’s Office Supervisor of payments expected, quoting the accounts codes to be credited. For control purposes and the efficient processing of receipts, all requests for payments should be invoiced through the Cashier’s Office.

ALL REQUESTS FOR PAYMENTS WHICH INCLUDE VAT MUST BE INVOICED. SCHOOLS/DEPARTMENTS MUST NEVER ISSUE THEIR OWN INVOICES.

Where it is anticipated that cheques or cash will be received through the mail, two members of staff should open the post together. They should keep details of the remittances as a permanent record (date, name, amount and purpose).

It will be convenient at times to receive small sums of money in School/Department offices from staff and students. Any payments in cash must be counted in front of the customers and signed receipts must be given. Receipt books are available from the Cashier’s office – these must be kept secure and returned to the Cashier’s office when no longer required. (Exceptionally for course notes, it will be sufficient to draw up a list of students in advance, tick off the names when payment is received and hand over the course notes as a receipt).

Money received must always be counted by two people – either a member of staff with the customer or two members of staff.

Correcting fluid must not be used to amend accounting records – mistakes should be struck out with a single line and the amendment initialed.

Cash and cheques received should be locked away in a cash box or drawer and then taken to the Cashier’s Office for banking as soon as possible. Cash in excess of £250 must be delivered to the Cashier’s Office on the day of collection. Cheques and lesser amounts of cash should be banked within 48 hours.

Cash receipts must be banked intact – on no account must any cash held be used to meet expenses.

When cash collected changes hands, the amount should be recorded and where possible counted by both parties in the presence of each other. Cheques should be listed and checked. Both parties should sign and date a receipt to confirm the transfer.

Tills

Outlets receiving takings principally in cash are equipped with tills.

Tills must be placed within sight of customers.

Each till float is to be controlled through a “float book”. The float book is to be signed when the float is collected and whenever the float is passed from one operator to another.

All sales must pass through the till.

Tills must be closed between each transaction.

Receipts should be given wherever possible.

Audit rolls must be used.

Official shortage pads should be used to record till errors. The person concerned should sign these documents and they should be countersigned by a Supervisor. Significant shortages should be reported immediately for action to be taken.

Till roll totals should be reconciled daily to takings by a Supervisor and recorded in a permanent register. Z keys are to be kept by Supervisors and not by till operators. Z key readings are to be taken on cashing up the till and must be reconciled to takings. Records are to be maintained by Supervisors of sequential numbers of Z key readings.

Vending Machines

Two people should empty all machines taking cash. Two people working together should count the cash and the total must be agreed with any readings available from the machine.

Safes

Holders of safe keys should be listed by Heads of Schools/Departments. All spare duplicate keys should be deposited in sealed envelopes in the Security Office safe. As a condition of the University’s insurance, all safe keys must either be removed from the premises or held by the Security Office out of business hours.

Cash Equivalent Vouchers

High Street gift vouchers, book tokens and similar cash equivalent vouchers may sometimes be used as incentives to participants of research contracts. Where this happens they must be treated as if they were cash and the same level of controls exercised.

Vouchers purchased must always be counted by two people and the receipt logged in a register. The register should be signed to acknowledge the initial value.

The vouchers must be kept in a locked sage with restricted access and a person designated to be responsible for them. this should not be the same person who intends to use them.

Vouchers should only be issued on receipt of documentation that backs this up. This documentation should be retained. The designated responsible person and user (the person who will distribute the vouchers) should both sign the register to acknowledge the issue.

The register should therefore provide evidence of receipts, issues and balance of vouchers. At the end of the exercise a check should be made that the vouchers issued matched the number of participants.

The use of cash as an incentive is discouraged, but if deemed necessary then please contact the Finance Office for further information and advice.

Cash in Transit

THE SAFETY OF THE CARRIER AND ESCORT ARE OF PARAMOUNT IMPORTANCE AT ALL TIMES!

1. Where circumstances permit, cash should be conveyed by motor vehicle and not on foot. All doors of the vehicle are to be kept locked.
   
   Where this is not practicable, two persons should be used for the escort of sums of cash in excess of £250. The University’s insurance cover demands that cash amounts in transit in excess of £6,000 are accompanied by three people.
2. The escort should keep to busy thoroughfares, away from the kerb edge and should face oncoming traffic.
3. Routes should be indoors wherever possible.
4. Timings and routes should be varied as much as possible.
5. Security Officers should be in radio contact with base.
6. The escort should walk marginally behind the carrier.
7. Bags used for the transit of money should be inconspicuous.
8. Bags to be carried by Security Officers should be sealed before collection.
9. Once inside a building, all outer doors should be locked until the money is deposited within a secure area.
10. If accosted, on no account should any resistance be offered. The cash should be handed to the thief who should be allowed to leave without hindrance. Telephone 666 to inform the Security Office urgently.

THE SAFETY OF THE CARRIER AND ESCORT ARE OF PARAMOUNT IMPORTANCE AT ALL TIMES!

For reasons of practicability and expediency, it may not be possible to adhere totally to these principles at all times. Particular circumstances will need to be looked at individually.

For further advice, please contact the Cashiers Office Manager (ext 3937) or the Internal Auditor (ext 5736).

PROCEDURE PR3

Major Capital Projects – Financial Approval Process

Definition

All capital works in excess of £100,000.

This definition includes refurbishment projects as well as new build. The financial project limit to be inclusive of fees, VAT, loose equipment and furniture, etc.

Process

1. Proposals for projects between £100,000 and £1 million will be submitted to the Vice-Chancellor for approval. A proposal will include details of the aims, benefits, risks, timescale, cost and funding of the project.
2. Projects between £100,000 and £499,999 may proceed following receipt of approval by the Vice-Chancellor. The Vice-Chancellor will consult as appropriate (for example, with Executive Committee) before determining whether the project may proceed.
3. Projects between £500,000 and £1 million may proceed following receipt of approval by the Vice-Chancellor. All decisions on capital expenditure over £500,000 would be reported to Council and Finance Committee at their next meeting and would have to be agreed also by the Chair of Council and Treasurer where the project was not identified within a strategy that had already been agreed by Council.
4. Detailed schemes for projects in excess of £1 million will be submitted to Council for approval on the recommendation of the Finance Committee.
5. Any upward revision(s) of the approved project budget totaling up to £250,000 (or, for projects over £2.5 million, 10% of the project budget, subject to a maximum of £500,000), will be subject to approval by the Vice-Chancellor.
6. Any upward revision(s) of the approved project budget more than the upper limit in paragraph 5 but less than £500,000 (or, for projects over £2.5 million, 20% of the project budget, subject to a maximum of £750,000) will be subject to joint approval by the Chair of Council, Treasurer and Vice-Chancellor.
7. Any upward revision(s) of the approved project budget totaling in excess of that specified in paragraph 6 will be subject to approval by Council on the recommendation of Finance Committee.
8. The project will be controlled by a Project Control Group or the Director of Estates, in the absence of a Project Control Group. All changes having financial implications within contingency sums will be signed off in accordance with the paragraph “Control of Contingencies” set out below.
9. A regular financial report will be presented to the Finance Committee for projects in excess of £1 million, which will include original agreed project budget together with variations since the last meeting and expenditure to date. Finance Committee will also review the design and advise on and monitor the planning and construction process.

Control of Contingencies

PROCEDURE PR4

Financial Procedures in Relation to Major Capital Grants for Building, Refurbishment and Equipment

1. These grants come from a variety of sources. The majority are HEFCE initiatives, sometimes as a collaborative initiative with research councils, charities or government departments (e.g. Joint Infrastructure Fund, Joint Research Equipment Initiative), sometimes as their own specific initiative (e.g. Capital Project Allocations, Science Research Infrastructure Fund). Other grant funding can come from a number of sources, key ones being the research councils, charitable trusts, industry and the Lottery.

2. The application process should be coordinated centrally:

1. HEFCE capital initiatives are usually co-ordinated by the Vice-Chancellor’s office.
2. In all other cases, the Research Support Unit (RSU) should be consulted to see if the application process should be co-ordinated through that office or, if not, to advise as to where it should be.

3. Where the available grants are for equipment, the Head of Purchasing Services should be consulted at the proposal stage by the Department applying for the award. Where the grants are for buildings or refurbishment, the Director of Estates must be directly involved in the application process.

4. Once an application is successful, the source and underlying purpose of that funding are key in determining where a financial project account is set up and administered internally:

a) Where the underlying purpose is to further research and the source is not HEFCE, then a research grant account will be set up and administered by the RSU.
b) In all other cases the account will be set up and overseen by the Finance Office.

5. Before a project account is set up and before any expenditure is committed, a Project Control form must have been completed by the Department and submitted to the Director of Finance. There are two Project Control forms, one for equipment and one for building works. The forms will require that:

1. Where the approved budgeted costs exceeds the grant funds available, the Department has identified the additional funding source(s) and has had this agreed by the relevant Faculty Dean.
2. Expenditure profiles have been completed. Where these have to be sent to the project sponsor the profile must be completed by the Department with the assistance of the Finance Office or RSU and sent on to the project sponsor by the Finance Office / RSU. In the case of building works, certain fees may have to be incurred before a final profile can be sent onto the project sponsor. In this case an account may be set up with authority to incur preliminary costs up to an agreed budget. Costs must not be committed on the main works until the expenditure profile has been agreed and sent on to the project sponsor by the Finance Office.
3. A listing of all major (>.10K) equipment to be purchased on that grant is provided.

6. In relation to grants awarded for equipment:

1. The Head of Purchasing Services should be consulted to provide advice and guidance on procurement procedures in order to ensure compliance with University Financial Regulations relating to contracts and tenders. This will include assistance in complying with EU tendering procedures for larger items.
2. Current Purchasing Policy and Procedures (UP3) must be followed prior to the issue of a purchase order
3. All project sponsor documentation relating to procurement of equipment must be completed in conjunction with the Purchasing Services Office and signed off and submitted to the project sponsor by the Head of Purchasing Services before any expenditure is committed. A copy should be sent to the Finance Office

7. In relation to grants awarded for building and refurbishment work:

1. University Financial Regulations in regard to the approval of works over £100.000 apply. This is detailed in Procedure PR3 in the Financial Regulations.
2. Due regard should be taken of any required documentation regarding the procurement and tendering process. HEFCE or other sponsor forms in this area should be completed and returned by the Estates Department as soon as possible and before the main works commence. A copy should be sent to the Finance Office.
3. The Estates Department must retain all documentation regarding procurement and tendering for audit purposes.

8. It is the responsibility of the Department to which the grant has been made to ensure that only valid expenditure is charged to the grant account in line with the terms and conditions of the agreement and also to ensure that spending is kept within budget and time limits. For building work the responsibility for some or all the costs may be passed to the Estates Office.

• For equipment, any excess of costs over funding will be charged to the Department’s operating budget
• For building & refurbishment projects, any increase to budgeted costs must be authorised by way of a revised cost profile approved by the relevant Head of Department and the Director of Finance. This should make clear where the additional funding is to come from. No further expenditure may be committed until this is done.

9. Significant variations in the timing and pattern of expenditure compared to the original profile must be notified to the Finance Office. HEFCE require variations in expenditure of more than 50% in one month or significant delays to be notified to them and this should be done through the Finance Office.

10. The responsible Department should let the Finance Office / RSU know as soon as the project is ‘complete’ in order that a final claim can be submitted to the project sponsor. That claim should be submitted by the Finance Office / RSU, but may be prepared with the assistance of the Department.

11. Where a completion statement is required by the sponsor, this should be submitted by the Finance Office / RSU in the case of equipment grants or by Estates in the case of building grants (with a copy to Finance)

12. Any audit required of the financial aspects of the project should be organised by the Finance Office / RSU. Any costs (where rules require an external auditor) will be borne by the Department.

13. The above are general procedures. Due regard should be taken of the instructions peculiar to the specific initiative.

PROCEDURE PR5

Recording and Disposing of Equipment and the Maintenance of Asset Registers

The procedure can be found at http://www.bath.ac.uk/finance/procedures/equipment/index

PROCEDURE PR6

Academic Consultancy

The University has approved a new incentives scheme for academics to carry out consultancies through the University, starting from 1 August 2007. The scheme will run as a pilot for two years, with an impact assessment after 12 months. Two of the key metrics which will be used to assess the scheme are the income from consultancy and the proportion of the net income that academics chose to invest back into their local research activity, via Department, Research Centre or general fund (“K”) accounts.

Academics will still need to obtain the approval of their Head of Department before starting any consultancy and should be able to demonstrate both a close link between the consultancy and their Department's strategy, and that the work complements the University's mission. As long as the assignment has been properly approved and contracted by the University before the work starts, it should be covered by the University's Professional Indemnity Insurance. This insurance cover is one of the principal benefits of carrying out consultancy through the University.

The scheme is administered through Research and Innovation Services and guidance notes, forms and processes can be found at:

http://www.bath.ac.uk/research and innovation/services/consultancy/docs.bho/informationforstaff.htm

Clarifying the Procedures for Private Consultancy

To avoid any conflicts of interest, academics should always inform their Head of Department before starting a private consultancy assignment. It is particularly important that no use is made of University premises, stationery, email and other support systems which could imply involvement of the University in the work and also exposure to liabilities. Private consultancy work is not covered by the University's insurance policies and academics consulting in a private capacity are strongly advised to take out their own professional indemnity insurance.

It is important for staff to remember that they are personally responsible for the consequences of performing private consultancy work and for ensuring that clients are fully aware that the University is in no way responsible or liable in respect of consultancy work which is carried out privately by members of its staff. In order to minimise the risks to the University, from 1 August 2007 academics working in a private capacity are required to obtain a disclaimer signed by their clients. This highlights that:

• The University is not responsible or liable for the work
• The University's professional indemnity insurance does not cover the work
• The University is aware of the work and the academic has compiled with institutional requirements in respect of this type of work.

The required form that the disclaimer document must take should be obtained from Research & Innovation Services (RIS). The completed disclaimer should be lodged with the Head of Department and copied to Research & Innovation Services.

PROCEDURE PR7

Credit and Debit Card Transaction Procedures

Introduction

The security of information related to credit and debit cards has become increasingly important in recent years. As an organisation which processes card-holder data, the University is now obliged to comply with the Payment Card Industry Data Security Standard (PCI/DSS)

In the longer term, the University will be moving towards using web-based processing, where the card-holder information is held only by the payment service providers who have enhanced security in place.

In the meantime, it is important that the University does not store this sort of data on electronic systems, which may be vulnerable to hacking and other unauthorised access. For this reason, while transaction processing may be carried out electronically, e.g. on credit card terminals, all procedures detailed below which relate to information storage will be paper-based.

These procedures cover the security of credit and debit card-related information and must be distributed to all University employees who deal with credit and debit card transactions. Management will review and update the procedures at least once a year to incorporate relevant security needs that may develop. Each employee involved must read the procedures and verify that they have read and understood them.

Ethics and Acceptable Use Policies

These procedures are subject to the appropriate University Regulations and Policies.

Of particular relevance are :-

• University Policy 12 – Business Ethics and Fraud
  (http://www.bath.ac.uk/finance/regulations/policies.html#up12)
• IT Security Policy
  (http://www.bath.ac.uk/bucs/aboutbucs/policies-guidelines/policies-it-security.html).

An employee's failure to comply with the procedures set forth in this document may result in disciplinary action up to and including the termination of employment.

Credit and Debit Card Transactions

Credit Card Terminals

Departments with access to credit card terminals must use them in accordance with the security measures specified with those terminals.

Credit card slips should be retained for at least 6 months, to enable charge-backs. However, they must be held securely. They should in any case not be held for longer than 2 years.

Departments without terminals

Departments who do not have access to a credit card terminal must use the appropriate University pre-printed Credit and Debit Card Transaction Form.

There is one form for sending out to customers for them to complete and return. This form can be obtained from the Downloadable Forms sections of the Finance Office web page (http://www.bath.ac.uk/finance).

There is also a pre-numbered form for internal departmental use only. This form is obtainable from the Cashier's Office.

On occasion, a Department may wish to combine a course or conference enrolment form with the credit/debit card form. All such forms must be agreed in advance of use with the Cashier's Office.

It is prohibited to use any other style of form for credit and debit card transactions.

Transaction Form - Customer use

This form will typically be used where customers are paying for conference or course fees, etc. When a customer expresses an interest, the department sends out a form for payment.

The customer will complete cardholder details and card details. The department will complete the payment details, and send the form to the Cashier's Office for processing.

It is prohibited to make a copy of completed forms at any time.

Transaction Form - Internal use

When a department takes cardholder details directly from a customer, either where the customer is present, or over the telephone, they should use this form.

These forms are pre-numbered. It is prohibited to make a copy of this form at any time, either before or after completion.

Where the credit card security code (the 3 to 4 digit code on the back of the card) has been taken to validate a transaction, it should be recorded on the tear-off strip of the Credit and Debit Card Transaction Form. The strip should be separated from the rest of the form and stored separately.

Transaction Form - Combined booking form / credit/debit card details

The format and use of all such combined forms must be agreed in advance with the Cashier's Office.

A copy may be made of the booking section of the form, but never of the card details.

Credit/Debit Card Paying-in Advice

Account coding for the transactions should be entered on the paying-in advice, which should be sent to the Cashier's Office together with the Transaction Forms.

The use of this advice is similar to that of the advices used for the paying in of cash or cheques

Protection of Stored Data

All sensitive information must be stored securely and disposed of in a secure manner when no longer required for business reasons. Only paper media should be used to store sensitive information, and it must be protected from unauthorised access. Media no longer needed must be destroyed in a manner to render sensitive data irrecoverable (e.g. shredding, etc).

If in doubt, please refer to the guidance contained on the web-site :-

http://www.bath.ac.uk/internal/rm/waste/htm

Department

All sensitive information must be stored securely in a locked cupboard or drawer, with access limited to those properly authorised (see below).

Credit and debit card information should never be retained in the department for longer than 24 hours (unless over a weekend or University Holiday ).

The card security code and the rest of the cardholder information should be stored separately from each other.

Cashier's Office

The Cashier's Office will store cardholder information, in the Cashier's safe or in an alternative secure environment, for up to 2 years to enable refunds to be made.

Card security code information must be destroyed as soon as it has been used for a particular transaction

Credit and Debit Card Information Handling Specifies

• It is prohibited to store the contents of the card magnetic stripe (track data) on any media whatsoever
• It is prohibited to store the card security code (last 3 or 4 digit value printed on the signature of the card) on any media whatsoever except the tear-off strip from the pre-numbered Credit and Debit Card Transaction Form
• It is prohibited to store cardholder information on PCs or any other electronic media. Cardholder information is defined as :-
• Card account number
• Expiry date
• Cardholder name (in conjunction with the above)
• The card security code must never be stored with the cardholder information
• Destroy cardholder information by a secure method when no longer needed. Media containing card information must be destroyed by shredding or other means of physical destruction that would render the data irrecoverable

Protection of Data in Transit

Sensitive information should never be transported electronically. Physical transport should always be via a trusted and secure method.

Department

Cardholder information and card security code should be taken or sent for processing within 24 hours (or immediately after a weekend or University Holiday). Separate envelopes should be used for the two types of information - cardholder data to the Cashier's Office, and the card security code to the Accounting Technician (Cashier's) in the Finance Office

Cashier's Office

Once the card security code information has been matched with appropriate cardholder information and the transaction has been processed, the card security code must be destroyed.

Credit and Debit Card Information Handling Specifics

• Card account numbers must never be e-mailed
• Media containing card account numbers must only be given to trusted persons for transport within the University.

Restriction of Access to Data

Access to sensitive information should be restricted to those who have a need to know. No employees should have access to card account numbers unless they have a specific job function that requires such access.

Access for each such employee must be authorised by their Head of Department and the Director of Finance or her deputy. A list of these employees will be held centrally in the Finance Office.

before authorising an employee to handle credit and debit card transactions, the Head of Department must be satisfied that the employee has read and understood the procedures, and understands how it affects their job.

Physical Security

Restrict physical access to sensitive information to protect it from those who do not have a need to access that information.

• Media containing sensitive information must be securely handled and distributed
• Media containing stored sensitive information should be properly inventoried and disposed of when no longer needed for business reasons, by shredding, etc
• In areas that may contain sensitive information, be aware of the need to hold such information securely, especially in relation to visitors and others who should not have access to it

Cardholder information will be retained by the Cashier's Office in order to enable later refunds. It should not be retained for longer than necessary for business reasons, and in any case never for longer than 2 years. At the end of the period of retention, it must be physically destroyed by shredding, etc.

Security Awareness and Procedures

Keeping sensitive information secure requires periodic training of employees and contractors to keep security awareness levels high.

Third Parties holding Cardholder Data

The Assistant Accountant (Cashier's) will maintain a central list of service providers who hold cardholder data.

All third parties with access to card account numbers are contractually obliged to comply with card association security standards (PCI/DSS)

Security Management / Incident Response Plan

These procedures are subject to the Financial Regulation G14 – Irregularities (http://www.bath.ac.uk/finance/regulations/other.html#irr)

In the event of a compromise of sensitive information, the Internal Auditor will oversee the execution of the incident response plan.

Incident Response Plan

1. If compromise is suspected, alert the Internal Auditor (internalaudit@bath.ac.uk).
2. The Internal Auditor will conduct an initial investigation of the suspected compromise.
3. If a compromise of information is confirmed, the Internal Auditor will alert management and begin informing parties that may be affected by the compromise. If the compromise involves card account numbers, the Internal Auditor will perform the following :-
   

• Contain and limit the extent of the exposure by shutting down any systems or processes involved in the compromise
• Alert necessary parties (Merchant Bank, Visa Fraud Control, the police, etc)
• Provide compromised or potentially compromised card numbers to Visa Fraud Control within 24 hours
• More information - http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html

Top of page

^Top

• A-Z Financial Regulations