Processing Revenue

Scope

Back to top

Policy Statement

1. The Office of the Treasurer (“Treasury”) will establish the accepted payment methods and processes to support all RPAs of Indiana University. Treasury will review current and proposed revenue processing areas, including ongoing operations and those activities reported under Establishing and Modifying Revenue Producing Activities (RPA), FIN-TRE-121. These reviews may be conducted for any of the following reasons: RPA for new activity, change in activity or form of payments accepted, change in vendor, change in university policy, or at the request of university administration. These RPA reviews will cover all university revenue processing activities whether located on or off an IU campus. The unit head, unit fiscal officer, and campus administration are responsible for compliance with implementing the instructions contained in the review. 
2. Treasury, in accordance with best practices to efficiently and securely process payments, will standardize revenue processing within IU across similar functions. Purchases of any systems or software to process revenue (including integrated cash registers), and any contracts with vendors to process revenue must be approved by Treasury. No unit has the authority to purchase credit card processing software without first obtaining the explicit permission of Treasury.  Revenue producing activities with less than $1000 of annual revenue will not be set up to accept payment cards.
3. Treasury has operational authority over the acceptance and deposit of all payments received by the university, including those received at the individual unit level.
4. All units must employ consistent payment types across similar revenue generating activities.
5. Revenue processing procedures should enable operational efficiency with an optimal cost structure.
6. All revenue processing procedures must maintain the highest level of available operational controls to reduce the possibility of fraud, loss of assets, and/or loss of sensitive university data.
7. Any business needs for exceptions to standard university processes must be approved in advance of their implementation by the Revenue Producing Activity Committee (RPAC) in consultation with campus and university administration, on a case-by-case basis.
8. All receipts must be deposited into an approved university bank account and recorded with the appropriate general ledger account(s) and object code(s). All incoming funds over $500 should be deposited within one day of receipt or weekly, regardless of the amount. A general ledger document must be prepared the same day as the deposit. The daily deposit amount for coins and currency may be increased for some units to meet operational efficiency needs only with explicit permission from Treasury. Exceptions to the timing of deposits may be made by Treasury as a result of emergency situations such as extended campus closures.  Funds awaiting deposit must be kept in a secure, locked device until deposited. The method used to secure the funds should be appropriate for the amount. For example, a locked desk drawer would be adequate for $50; however, a safe would be required for $1000. Treasury sets threshold amounts and may adjust them to meet operational needs.

Back to top

Reason for Policy

The purpose of this policy is to standardize revenue processing within Indiana University across similar functions with efficient solutions characterized by strong controls to reduce the risk of fraud and/or loss while increasing the efficiency of its cash.

• The fiscal officer of the account receiving revenue is responsible for implementing proper revenue processing procedures and payment methods, and the unit represented by the fiscal officer assumes responsibility for payment risks and compliance.
• Treasury will provide ongoing education regarding accepting payments in compliance with IU’s data security policies and the Payment Card Industry Data Security Standards (PCI DSS) requirements. 

Back to top

Procedures

1. To establish a new RPA or make changes to an existing activity, form of payments accepted, or change in vendor, the unit must comply with FIN-TRE-121, Establishing and Modifying Revenue Producing Activities (RPA). Treasury will exercise its operational authority over the acceptance and deposit of all IU revenue, in accordance with best practices, to efficiently and securely process payments and any associated data.
2. Revenue processing requirements will involve the following:
   1. Process payments electronically whenever possible or practicable.
   2. Eliminate, where possible, face-to-face payments at the unit level through the use of web based and/or lockbox processed transactions.
   3. Use standard IU revenue collection processes to link payment options directly into the university’s Kuali Financial System (“KFS”), whenever possible, to ensure the timely recording of transactions and to expedite the prompt reconcilement of general ledger and bank accounts. 
   4. Discourage the use of cash to reduce the high administrative costs associated with its handling and transport.
   5. Endorse all checks immediately upon receipt and ensure that payee is appropriate.
   6. Prepare a KFS document and put in transit for deposit, via a method approved by Treasury, or remote capture the check(s) and prepare a KFS document within one day of receipt. Exceptions to allow checks to be held longer before depositing may be made by Treasury due to emergency situations.
   7. All revenues must be deposited into a university approved bank account per  FIN-TRE-52, Establishing and Closing University Bank Accounts.
   8. Ensure separation of duties for all revenue processing per FIN-ACC-470, Internal Controls.
   9. Verify that only IU employees, its agents, or individuals specifically approved by Treasury are processing revenue and making deposits.
   10. Process for deposit all checks, excluding foreign checks, using remote capture.
   11. Ensure that all employees involved in revenue processing or with access to university banking/payment card systems have completed Treasury Revenue Processing Training at a minimum on a biennial basis. This training is available on the Office of the Treasurer website.
   12. Ensure that all employees involved with processing credit and debit card transactions attend Security Awareness (SAE) training annually. This training is available on the Office of the Treasurer website.
   13. Work with the campus human resources office to ensure that all such background checks are performed within the requirements of IU’s Background Check policy; completion of background checks for all employees involved in revenue processing prior to the employee assuming payment processing responsibilities is strongly encouraged.
   14. Conduct all revenue processing activities in accordance with all university policies and state and federal regulations regarding data security, specifically including PCI DSS. 
   15. Delete/remove copies of checks (paper or electronic) or listings of complete bank account/credit/debit card account numbers from any university databases or files, unless specific written approval has been granted by Treasury. The storage of truncated numbers, in Treasury-approved formats, is permissible.
   16. Consult the Office of the Treasurer website for updates including standard operating procedures and guidelines.

Back to top

Definitions

• Trustees of Indiana University
• Indiana University
• Indiana University, (insert campus, unit, school, etc.)

Payment Card: A payment card that supports cashless payment for goods and services. Examples are: credit cards, debit cards, charge cards, and smart cards.

Payment Card Industry Data Security Standards (PCI DSS): A set of comprehensive requirements for enhancing payment account data security, developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.  International, to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

Remote Capture: The electronic transmission of check images and deposits to a bank for processing and clearing.

Revenue: Any incoming funds generated from the sale of products and/or services provided by the university or university employees.

Revenue Producing Activity: An activity that generates revenue from the sale of products and/or services provided by the university or university employees. This definition excludes all Sponsored Programs.

Self-Governed Student Organizations:  Student organizations that are considered organizations separate from Indiana University and that must agree to and operate under specified conditions in order to use university facilities and services and receive benefits associated with the Indiana University name; to be distinguished from University Student Organizations, which are treated as operating units or agencies of IU within the administrative and fiscal structure of Indiana University. See STU-01 for more information.

Sponsored Programs: Sponsored Programs shall not be considered an RPA under this policy. As a general rule, Sponsored Programs are differentiated by RPA’s by the following criteria:  

• Funds must be separately budgeted and accounted for, or;
• Funds are restricted to the sponsored activity until expiration of the agreement, or;
• The activity is the result of an individual agreement with an external entity with terms and conditions unique to that particular project or activity, or;
• The activity is the result of a federal or federal pass-through contracts of any kind.

Any questions as to whether an activity should be considered a Sponsored Program should be referred to Office for the Vice President for Research.

Back to top

Sanctions

When planning or approving business activities, deans, unit heads, and other appropriate administrators should ensure that revenue-producing activities comply with this policy. Units that do not follow the guidelines set forth in this policy will, at a minimum, be held responsible for any fines or penalties. Accepting payment cards imposes responsibilities on both the university and the unit. Failure to follow defined and approved procedures will minimally result in interruption of revenue processes and may result in immediate termination of the activity.

Back to top

Additional Contacts

Back to top

History

This policy was established on July 1, 2006.

This policy was revised on March 5, 2015 to emphasize training requirements for full-time, part-time, and student employees.

This policy was updated on August 18, 2021.

Back to top