View Document

Financial Code of Conduct - Receipting and Banking of Monies Procedure

This is the current version of this document. To view historic versions, click on the 'Historic Versions' tab above.

Section 1 - Summary

(1) This Procedure outlines the process for the collection, handling, receipting, recording and banking of all payments made to the University in a timely and efficient manner.

Top of Page

Section 2 - Scope

(2) This Procedure applies to all staff of the University.

Top of Page

Section 3 - Definitions

(3) Payment Card Industry Data Security Standards (PCI DSS)

(4) Cardholder data (CHD)

(5) Merchant

(6) Proof of Compliance

Top of Page

Section 4 - Policy/Regulation

(7) See Financial Code of Conduct Policy.

Top of Page

Section 5 - Procedures

Part A - Roles/Responsibilities

Roles Responsibility
Student Service Centre Cashiers/Finance — Accounts Receivable Cashiers and other University Cashiers
Responsible for the processing payments via the University cashiering system against the correct student, sponsor, customer and cost centre accounts.
All University staff
Responsible for familiarising themselves with the requirements of this Procedure and responsible for acting in compliance with this Procedure at all times in their conduct as a staff member.

Part B - Procedures


(8) The requirements of this Procedure are in addition to, and do not derogate from, the requirements of the Privacy Policy.

(9) Due to the diverse range of activities carried out across the organisation, there are many merchants/agents receipting monies on behalf of the University. These merchants/agents use various systems to receipt monies. The Student Service Centres, Finance, VU Interprofessional Clinic, and VU International (VUI) use the OneStop Cashiering System. Finance — Accounts Receivable oversees this cashiering system and governs the compliance of these receipting processes as well as provides the necessary training.

(10) The Childcare Centres, Advancement and Gymnasiums all use stand-alone receipting systems. These systems produce various receipting reports. A clear audit trail between the payments made and the allocation of this payment in these systems must be transparent. Once payments have been identified in the university operating bank account, the Finance — Bank Reconciliation Officer, will manually record any payments into the General ledger in Finance One, using the system based reports as supporting documentation. Health Practice Units (Teaching Clinics) and Personnel Services (Massage Clinic, Hair and Beauty) accepts payments through manual receipting, and once payments have been identified in the university operating account bank, the Finance - Bank Reconciliation Officer will record these payments into the General ledger in Finance One.

(11) Staff accepting credit card and debit card payments must complete annual PCI DSS training.


(12) All service providers and third party vendors that provide payment card services on behalf of the University (including processing, storage or transmission of payment card information) must be PCI DSS compliant.

(13) Contracts with service providers and third party vendors must contain a statement that the vendor will maintain their PCI DSS compliance and provide proof of compliance annually. Furthermore, if they have been made aware of a PCI DSS breach, the University must be advised immediately in writing.

(14) Finance – Strategic Capital Management will maintain a list of service providers and third party vendors.


(15) To establish, increase, decrease, close or change the custodian of a cashier float, complete the Cash Register Float Establishment-Increase Form or Cash Register Float Change of Custodian Form.

(16) EFTPOS terminals that require establishment, cancellation or exchange, must be managed and approved by the Accounts Receivable - Bank Reconciliation Officer. The expected volume and transaction value is required in order to make a commercial decision to grant this request. For new machines, a Letter of Offer will be provided from the bank, as well as the establishment of the new agent number.

(17) Where a manual EFTPOS Machine needs to be used, all transactions require authorisation from the bank to ensure the card has an available limit. This is done by contacting the bank, quoting the merchant number, following instructions and the bank will provide an authorisation number when the transaction is approved.

(18) All EFTPOS terminals must be regularly checked that they have not been tampered with, and located in a secure area by:

  1. keeping a record of the terminal serial number and checking this against the terminal;
  2. checking the terminal structure to see whether the terminal has been forced open or tampered with; that no skimmers or other items are affixed or connected with the terminal; and inspecting the tamper evidence stickers for damage or signs of sticker removal (refer to the Appendix - Diagram of EFTPOS Terminals);
  3. keeping a log documenting the above inspection of the terminal and the log is completed each time the inspection is performed;
  4. keeping the terminal in a secure position, and where possible, locked up in a secure drawer/safe overnight;
  5. keeping terminal passwords secure at all times. If password has been compromised, contact CBA Merchant Services immediately on 1800 230 177.

Register Management

(19) Daily cash draw reconciliations must be performed and authorised by the operational areas. This also includes EFTPOS transactions being processed and settled daily which forms part of the daily bank reconciliation process.

(20) Each agent must keep a copy of the daily receipt report and source documents in the area for audit purposes for a period up to 7 years.

(21) End of Day Receipt reports are generated from the OneStop Receipting System and are generated by the Accounts Receivable - Bank Reconciliation Officer on a daily basis. Those cashiers who are not using the OneStop Cashiering system must provide a copy of the receipting report and must send the daily report to the Accounts Receivable - Bank Reconciliation Officer. The Bank Reconciliation Officer will then match the amount on the report to the bank statement using the agent number as the identifier.

(22) Discrepancies between the receipt reports and the monies received from the registers during the daily reconciliation process must be forwarded to the area's supervisor for resolution. Any unresolved cash draw discrepancies must be reviewed and signed by the Manager of the area with the appropriate financial delegation with an explanation for the variance documented. A copy the reconciliation with a written explanation must forwarded to the Accounts Receivable - Bank Reconciliation Officer by the close of business the following day. The Accounts Receivable - Bank Reconciliation Officer is to refer unresolved discrepancies to his/her line manager for consideration of any further action required.

(23) Cash must be kept to a minimum in the cash registers. Cash must be cleared regularly from the cash registers and kept in a secure location until close of business when the daily reconciliation is performed. Operational areas are responsible in establishing cash threshold limits and register cash clearances for their respective areas.

(24) Any proposal to acquire or replace cash registers/software/systems for recording monies received should be referred in the first instance to the Associate Director, Corporate Finance Services for review to ensure PCI DSS and GST compliance, and compatibility with existing systems.

(25) Merchants/agents shall not mix private monies with University funds under their control. University monies must never be used for private purposes.

Receipting and Banking of Monies

(26) First and foremost, all monies received by the University are to be accounted for through the University's finance system. All collections of University monies must be paid into the appropriate University bank account completely, accurately and in a timely manner.

(27) All monies paid or banked into the University must have supporting documentation, i.e. student invoice, debtors invoice, deposit forms, registration form, screen print, letter or memo. This will assist the agent to determine the correct general ledger code to receipt, record and bank money to. All receipts must have supporting documentation for future reference.

(28) Only recognised merchants/agents who have approval to collect monies, can issue system generated or manual University receipts.

(29) Payers must be advised to make cheques/money orders/drafts payable to 'Victoria University' and crossed 'not negotiable'. A reference number/name/student id/debtor invoice number should be recorded on the back of the cheque in case the cheque is dishonoured.

(30) Personal Cheques must not be cashed for any person out of University monies.

(31) Change must not be given on Credit Card transactions.

(32) The University accepts Mastercard and Visa only for EFTPOS terminals.

(33) In line with PCI compliance requirements, the following principles in the handling of Cardholder Data (CHD) must be observed:

  1. all Cardholder Data (CHD) must be treated the same as cash. It should be locked in a safe or in a secure cabinet. Access to the forms containing CHD should be limited to only those staff that are required as part of their job;
  2. all media with cardholder data must be destroyed by cross cut shredding as soon as it is no longer required for business purposes. Concealing CHD with indelible ink does not meet minimum requirements for destroying CHD;
  3. email is not to be used for any receipt or transmission of CHD;
  4. voicemail is not to be used for any receipt or transmission of CHD. If a voicemail with CHD is received, staff must enter the CHD directly into the EFTPOS pin pad and the immediately delete the message. If the number is written down, the paper on which the card number has been written should be securely destroyed using a cross-cut shredder immediately after processing the payment, and the cardholder is to be contacted and informed that the University will not process future payment card information left on voicemail. The customer must also be advised of the acceptable payment methods;
  5. where practicable, refer customers to online weblinks and online portals to input their own information for purchases or payments.


(34) Monies are to be banked and promptly recorded into Finance 1 in a timely manner to ensure the safety of the University monies.

(35) All monies received by the University agents are to be banked in accordance within the timetable established between the secure courier, the agents and the Credit Controller. Additional pickup arrangements can be organised directly by the agent, with the secure courier when cash amounts totals exceed $5,000 (this excludes the cashier float).

(36) Cash transactions must be minimised and payment methods such as; EFT, Direct Debit, B-Pay, Aust Post Cheque and credit card should be encouraged. Enrolled students should be encouraged to pay through MyVUPortal to reduce the possible risk of non-compliance of PCI Compliance Guidelines.


(37) To minimise the risk of theft, robbery or loss of University monies the following should be strictly followed:

  1. Safe combinations should be periodically changed and restricted to authorised users;
  2. Safe keys and combinations must be kept in a safe/secure location;
  3. Staff should ensure that access to University systems are strictly limited to authorised users and logins and passwords should be kept in a secure place;
  4. During busy periods, additional security personnel should be requested, and instructed to stand close guard to where monies are being receipted or transported to safes before the secure couriers collect and take to bank;
  5. Public access to cash should be avoided, only custodians of floats should handle registers/cash drawers;
  6. All cash and/or cheques should be put into an Express Deposit bag with a completed agent deposit slip enclosed and the bag sealed. The number of express deposit bag, value to be deposited, the number of the secure courier docket - should be stapled to the duplicate agent deposit slip. The express deposit bag must be kept in a locked safe of filing cabinet until collected by a secure courier. The secure courier staff must sign the triplicate docket book to confirm the bags being collected, before taking the express deposit bag to the bank;
  7. In the case of a robbery, staff should fully cooperate with the perpetrator's instructions and hand over the money and not put themselves, other staff or clients at risk. Staff should try to observe any distinguishable features of the perpetrator e.g., height, tattoos, piercings, clothes, hair colour and contact campus security as soon as it is safe to do so.


(38) Organisational Units are encouraged to use the Cash Handling Checklist Self-Assessment Template for their own self-assessment. For the purposes of this Procedure, an "Organisational Unit" includes but is not limited to colleges, schools, institutes, departments and branches within the University. For compliance and audit purposes, the Finance — Credit Controller will conduct spot checks throughout the year on organisational units who handle or receipt monies. On an annual basis, the Associate Director, Corporate Finance Services will request a completed checklist signed by the organisational unit manager to ensure compliance of this Procedure.


(39) Any suspected or perceived breach must be immediately reported to the Associate Director, Corporate Finance Services.

(40) In addition, any suspected or perceived breach of any payment card information must also be immediately reported to Information Technology, in accordance with IT Policies and Procedures.

PART C - Templates

(41) Cash Handling Checklist Self-Assessment Template

Top of Page

Section 6 - Guidelines

(42) Nil