Audit uncovers shortcomings at Iowa's University Club
Management has addressed cash handling, revenue accounting, training
IOWA CITY — A recent internal audit of the now University of Iowa-owned University Club revealed lapses in cash handling procedures, revenue accounting, membership fee collections, and staff training.
Management for the University Club, which the university bought in 2008, said they have or are in the process of addressing shortcomings revealed by the audit. That includes checking monthly that the club’s more than 500 members pay their dues and locking out delinquent accounts, according to Bobbi Houselog, University Club general manager.
“After 90 days of non-payment, a member’s account goes to collections,” Houselog wrote in an email to The Gazette.
Auditors found management failed to regularly monitor past-due balances, despite a member agreement stipulating those with accounts 60 days overdue will lose charging privileges and those who are 90 days overdue will have memberships revoked and invoices sent to collections.
A review in August uncovered 12 members with balances more than 90 days overdue — all of whom had current month charges of about $2,000. Eight of those past-due balances were more than 120 days old, and four were more than 150 days past due.
Auditors verified that none of those with dues past 60 days had been suspended, and University Club managers told auditors they hadn’t reviewed past due balances in five months.
The club at 1360 Melrose Ave. was founded in 1960 as the University Athletic Club, a social and event center for members with UI ties — although it was privately owned and operated, according to the audit. The university began leasing space at the club in 2008, after that year’s devastating flood forced it to move events formerly scheduled at the Iowa Memorial Union. Several months later, the university bought the club and rebranded it as the University Club.
The club, according to the audit, has several sources of revenue, including membership dues, events, dining services, swimming and tennis lessons, sports camps, and event parking. Revenue from those sources totaled $1.38 million for the 2014 and 2015 budget years, the audit reported.
Membership fees, dining, and events accounted for 90 percent of that total, including $268,000 in dining revenue in the 2014 budget year and $234,000 in dining revenue in 2015. But, according to the audit, the club doesn’t use a cash register or issue “pre-numbered receipts” for Rotary Club luncheons.
“Therefore, revenue generated from this weekly event cannot be verified,” according to the audit, which advised management implement a process to “properly account for luncheon attendees and revenue.”
Houselog told The Gazette that rotary revenue was never in jeopardy and that its cash-handling policies had one person collecting cash and using a tally sheet.
“They asked that we use a cash register instead of a tally sheet,” she wrote in an email. “Complied.”
The club also has complied with recommendations related to its handling of event parking — like for Saturday home football games. The University Club lot has about 220 parking spaces available to members and “sponsored guests” during the games.
Members can park for free while guests have to pay $25. And round-trip bus service to Kinnick Stadium costs $10 per person. According to the audit, revenue for football event parking and guest bus service “is not properly reconciled” and not documented in the club’s cash-handling procedures.
“They asked that we use numbered parking tickets for those who pay cash during football games to reconcile against,” Houselog wrote in an email.
Auditors took issue with management of the club’s “point of sale” system, which records daily sales and member information. Concerns centered on user access and voided transactions for the system, which has three terminals throughout the club that allow staff to process sales.
Each staff member gets a unique, sequential, four-digit PIN to access the system, but auditors found that printed copies of all active numbers were posted at each terminal “and users of the snack bar terminal regularly use the same PIN.”
When auditors tested the 22 active numbers at the time, they found five with “full user privileges” assigned to former club employees.
“Furthermore, all staff are assigned a uniform level of user privileges by the data custodian upon hire,” according to the audit. “This allows them to perform system functions that should be reserved for management-level employees, such as voiding transactions.”
A review of voided transactions during the 2015 budget year found 132 valued at about $7,000, according to the audit. Of that total, authorized staff had performed about 57 percent.
“The identity of the individuals performing the remaining 57 (43.2 percent) voids was unable to be determined,” according to the report.
Unidentified users accounted for 25 of 31 voided transactions above $50 — except for those performed by the club’s general manager and the dining and operations coordinator. And auditors found no formal policy outlining who is authorized to void transactions and no management review of voids, all of which “reduces user accountability and increases the risk of fraudulent transactions.”
Houselog told The Gazette that auditors found no evidence of fraud.
“They asked that we scramble the PIN numbers instead of using consecutive numbering and that we inactivate servers,” she wrote in an email. “Complied.”
Auditors also found 24 of the club’s 33 employees responsible for serving alcohol had not completed the Iowa Program for Alcohol Compliance Training. And they found employees had not been trained to use the club’s automated external defibrillator, which staff couldn’t initially find for auditors.
“The device was later found to be located in the pool break room,” according to the report.
Houselog said all full-time staff now have completed the defibrillator training, and all students — not just bar tenders — have completed the alcohol compliance training.