1 / 51

New York State Education Department

New York State Education Department. 2014. A Brief Tutorial on Policy and Procedure Development. General Overview to Policies and Procedures. A school’s Financial Policy and Procedure Manual documents their internal control activities

Download Presentation

New York State Education Department

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. New York State Education Department 2014 A Brief Tutorial on Policy and Procedure Development

  2. General Overview to Policies and Procedures A school’s Financial Policy and Procedure Manual documents their internal control activities Charter agreements state that the school shall at all times maintain appropriate governance and management procedures and financial controls.

  3. Introduction to Internal Controls Internal controls are all of the policies and procedures management uses to achieve the following: Protect assets Ensure records are accurate and reliable Promote operational efficiency and effectiveness Compliance with policies, rules, and laws Accomplishment of goals and objectives

  4. Examples of Internal Controls Personal Internal Controls Lock your home and your vehicle. Keep ATM/debit card pin number separate from your card Review bills and credit card statements before paying Do not leave blank checks or cash just lying around Expect your children to ask permission to do certain things Charter School Internal Controls: Buildings and offices are kept locked when unoccupied Computer passwords are periodically changed and not written down by the computer Check management reports and purchase card charges against source documents Lock cash drawers and secure storage for checks Require authorizations for certain activities

  5. Responsibilities: Board, Management and Staff 1. Board of Trusteesare responsible for the general governance and administration of the Charter School. They are charged with issuing policies that govern the charter school which are the basis of the internal control system. Board of Trustees should review and update the polices on a regular basis to ensure that the policy is adequate, not outdated and that staff is adhering to the policy. They should obtain continual input from managing staff on the efficiency of current policies as these policies and procedures are utilized by external entities to assess the systems in place within the school, external auditors, outside funding sources, bond raters, etc.

  6. Responsibilities, cont’d 2. Management: Administrative management is responsible for maintaining an adequate system of internal control. Management is responsible for communicating the expectations and duties of staff as part of a control environment. They are also responsible for assuring that the other major areas of an internal control framework are addressed. These responsibilities should reflect the appropriate authority and accountability. 3. Staff: Staff and operating personnel are responsible for carrying out the internal control activities set forth by management.

  7. Everyone is Responsible for Internal Controls All staff should: Read and understand the policies and procedures which affect their job Comply with the controls established to protect the charter school Notice if there is a control weakness and bring it to the attention of the supervisor or manager

  8. Introduction to Policies and Procedures There is an art and skill to writing policies and procedures: Policies: Express rules, expectations and requirements Explain what to do Are realistic and attainable Have an active voice (subject-verb-object) Procedures: List steps to follow Tell “how” to perform a job Have an active voice and are imperative

  9. Policy and Procedure Example Policy: We provide one week of vacation after one year of employment and two week’s vacation after five years of employment. Procedure: Complete form VR-1 Submit form VR-1 to your supervisor one month prior to the desired time off

  10. Policy and Procedure Writing Skill Say what you mean and mean what you say Be aware of all possible interpretations Use specific language Consider the Reader/Users Don’t assume anything Look at the experience of the user

  11. Why don’t Internal Controls always work? Inadequate knowledge of charter school policies or governing regulations. “I didn’t know that!” Inadequate segregation of duties. “We trust ‘A’ who does all of those things.” Inappropriate access to assets. Passwords shared, offices left unlocked, cash not secured . . . Form over substance “You mean I’m supposed to do something besides initial it.” Control override. “I know that’s the policy, but we do it this way.” “Just get it done, I don’t care how.” Inherent limitations. People are people and mistakes happen. You can’t foresee or eliminate all risk.

  12. Internal controls are usuallyPreventive or Detective Preventive – To stop an unwanted outcome before it happens. Detective – To find the problem before it grows.

  13. Examples of Detective Controls Cash counts and bank reconciliations Reviewing payroll reports Comparing transactions on monthly management reports to source documents Monitoring expenditures against budgeted amounts

  14. Examples of Preventive Controls To read and understand applicable Charter School Policy and Procedures to learn a process To review the approval process for purchase orders or requisitions, to make sure they’re appropriate before the purchase The use of computer passwords to stop unauthorized access

  15. Internal Control FrameworkThe framework of a good internal control system includes: • Control environment: A sound control environment is created by management through communication, attitude and example. This includes a focus on integrity, a commitment to investigating discrepancies, diligence in designing systems and assigning responsibilities. • Risk Assessment: This involves identifying the areas in which the greatest threat or risk of inaccuracies or loss exist. To be most efficient, the greatest risks should receive the greatest amount of effort and level of control. For example, dollar amount or the nature of the transaction (for instance, those that involve cash) might be an indication of the related risk. • Monitoring and Reviewing: The system of internal control should be periodically reviewed by management. By performing a periodic assessment, management assures that internal control activities have not become obsolete or lost due to turnover or other factors. They should also be enhanced to remain sufficient for the current state of risks. • Information and communication: The availability of information and a clear and evident plan for communicating responsibilities and expectations is paramount to a good internal control system. • Control activities: These are the activities that occur within an internal control system.

  16. Control Activities • Internal control activities are the policies and procedures as well as the daily activities that occur within an internal control system. A good internal control system should include the control activities listed below. These activities generally fit into two types of activities. • Preventive: Preventive control activities aim to deter the instance of errors or fraud. Preventive activities include thorough documentation and authorization practices. Preventive control activities prevent undesirable "activities" from happening, thus require well thought out processes and risk identification. • Detective: Detective control activities identify undesirable "occurrences" after the fact. The most obvious detective control activity is reconciliation. Some control activities include: • Authorization (Preventive) • Documentation (Preventive) • Reconciliation (Detective) • Security • Separation of Duties

  17. Internal Control Best Practices With a good internal control system in place, other considerations to keep in mind include: • Regularly communicate updates and reminders of policies and procedures to staff through emails, staff meetings and other communication methods. • Periodically assess risks and the level of internal control required to protect Charter School assets and records related to those risks. Document the process for review, including when it will take place. (Example: Determine that all security activities, reconciliation processes and separation of duties will be reviewed annually. They will, however, be staggered. Security activities will be reviewed in July, reconciliation in September and separation of duties in March.) • Management is responsible for making sure that all staff are familiar with Charter School policies and changes in those policies.

  18. Example of Internal Control Finding • Charter School Finding in Annual Financial Audit: Although the School previously adopted and implemented a formal financial policies and procedures manual (the “manual”), we concluded that there is a number of procedures that should be updated in the manual in order to achieve a sufficient internal control structure. This will help improve the School’s ability to process, record, summarize, and report financial information. • Independent Auditor Recommendation: Many daily procedures inevitably become known only to the individuals who perform them and the departure of any of these individuals could have a significant negative impact on the School’s operations. We recommend that consideration be given to updating the manual where finance and accounting policies and procedures are clearly defined.

  19. Example of Procurement Finding Procurement Procedures: During our walkthrough of procedures, we noted the following areas where controls were not always followed as documented in the Financial Policies and Procedures Manual (“FPPM”): We noted in one disbursement packet there were no packing slips or other support present which indicated the goods were received. It is important the disbursement packets hold all the information as required by the Fiscal Policies and Procedures Manual. The FPPM requires competitive bidding procedures for purchases exceeding $10,000 in the aggregate. Certain exceptions from these procedures are allowed as documented in the FPPM. We noted one disbursement over $10,000 did not have competitive bids or written evidence as to why no bids were obtained. We recommend the Charter School retain documentation of the quotes received when competitive bidding is required. In situations where competitive bidding is not required, this fact, along with the appropriate reason for exception should be documented on the purchase order or purchase request form. Recommendation We recommend disbursement packets contain all documentation as outlined in the Financial Policies and Procedures Manual. Purchase Requisitions and should be completed and approved prior to the procurement of goods when possible. If goods are required to be purchased on short notice, the Charter School should make every effort to ensure the reasons for obtaining approval afterwards are adequately documented. All disbursement packets should contain proof of goods ordered and received, including invoices or other documentation from vendors to support the purchase, which are marked with the appropriate general ledger account, manually signed as approved and paid. Further, the Charter School should retain documentation of the quotes received when competitive bidding is required. In situations where competitive bidding is not required, this fact, along with the appropriate reason for exception should be documented on the purchase order or purchase request form.

  20. Example- Financial Statement Finding Finding Statement of condition Material auditor adjustments were necessary to correctly state the Charter School’s financial statements for the period ended June 30, 2013. Criteria and effect of conditions During our audit, we noted various accounts, including accounts payable and accrued expenses, accrued payroll and benefits, deferred lease liability, per pupil operating revenue, government grant revenue, and payroll related expenses were misstated as a result of these accounts not being properly reconciled and adjusted to the correct balance during the year and prior to the commencement of the audit. Furthermore, certain revenues and expenses relating to cost-reimbursement grants were not reconciled appropriately in the accounting system. Those errors resulted in material auditor adjustments.

  21. Fiscal Oversight Resources NYSED: Fiscal Oversight Guidebook This guide provides a fiscal resource for charter schools authorized by the Board of Regents and the New York State Education Department as well as for prospective charter school applicants. This guidebook will be updated in Spring 2015 for federal grant management changes enacted under 'Omni.' Located at: http://www.p12.nysed.gov/psc/documents/NYSEDFiscalOversightGuidebook_FINAL.pdf SUNY Financial Oversight Handbook SUNY Financial Oversight Handbook is in the process of being updated to a 2014 version and will be available soon. Please contact the SUNY Charter Schools Institute with any particular questions.

  22. Example: Fiscal Oversight Guidebook Internal Control #26 (pg. 58) The charter school’s accounting system is integrated with key business functions including accounts payable, budgeting, general ledger, inventory/depreciation, requisitions and purchase orders, accounts receivable, and payroll. Develop Policy Develop Procedure Implement Policy and Procedure

  23. Authorization Control • Definition: Authorization is the basis by which the authority to complete the various stages of a transaction is delegated. These stages include the processes of Purchase Order (approval to purchase), Recording (initiate, submit, process), Approving (pre-approval, post entry review), and Reconciling. • Purpose: All transactions and activities should be carried out and approved by employees acting within their range of knowledge and proper span of control. Proper authorization practices serve as a proactive approach for preventing invalid transactions from occurring.

  24. Authorization Control 1 KEY CONCEPT Level of authority should be documented:Documented authority creates an expectation of responsibility and accountability. Authority to perform a particular action may come in hard copy documents or system generated authority. BEST PRACTICE Policies and procedures within an organization should clearly identify which individuals have authority to initiate, submit, reconcile, view or approve different types of transactions.

  25. Authorization Control 2 KEY CONCEPT Know what you are authorizing:Individuals should have first hand knowledge of the transactions being approved, or they should review supporting documentation to verify the validity and appropriateness of transactions. An employee being uninformed of their responsibilities related to departmental procedures is not acceptable in a good internal control system. BEST PRACTICE Employees should be properly trained and informed of departmental procedures related to internal controls.

  26. Authorization Control 3 KEY CONCEPT Authorization should be timely:Workflow is an important aspect of good internal controls. Time lags between approval and processing provide opportunities for altered documents and potential fraud. BEST PRACTICE Many falsifications occur after the approval of a transaction. The workflow process should stress timely authorizations as well as timely processing of transactions following approval. Once a document has been approved it should not be returned to the preparer.

  27. Documentation Control Definition: In the context of internal controls, paper or electronic communication which supports the completion of the lifecycle of a transaction meets the criteria for documentation. Anything that provides evidence for a transaction, who has performed each action pertaining to a transaction, and the authority to perform such activities are all considered within the realm of documentation for these purposes. Purpose: Documents provide a financial record of each event or activity, and therefore ensure the accuracy and completeness of transactions. This includes expenses, revenues, inventories, personnel and other types of transactions. Proper documentation provides evidence of what has transpired as well as provides information for researching discrepancies. Supporting documentation may come in paper or electronic form. In recent years, more often, official supporting documentation has moved from paper based to electronic forms. Keep in mind that in some instances electronic processing and approvals are the source documents for transactions.

  28. Documentation Control 1 KEY CONCEPT Format of source documents: Well designed documents help ensure the proper recording of transactions. Consistent use of standard forms or templates should be considered whenever possible. BEST PRACTICE The advance of online applications provides a fast and efficient method for accessing supporting documentation in a standard format. In other areas, wherever possible, the use of templates provides the same benefits. Consider creating templates for activities such as: Email approvals Departmentally created supporting documentation Time reporting Reimbursement logs (such as mileage logs, petty cash, others)

  29. Documentation Control 2 KEY CONCEPT Charter School ownership of documents:Documents used to support charter school business transactions are charter school property, not the personal property of employees. BEST PRACTICE Whenever possible, do not allow employees to take charter school owned records home. If business needs require charter school records to be taken home, communicate to employees their responsibility to keep documents secure, particularly those containing personal information. This is particularly important to communicate to employees that have telecommuting agreements.

  30. Documentation Control 3 KEY CONCEPT Documenting changes: Changes made subsequent to approval of documents should be clear and concise. BEST PRACTICE Use attachments or footnotes to document the reasons for corrections/adjustments to any records. Make the time/date and the approval of such corrections/adjustments clear and evident.

  31. Documentation Control 4 KEY CONCEPT Avoid duplicate processing: Establish a method to avoid duplicate processing, especially in regards to transactions that result in payments to individuals such as payroll, petty cash and travel reimbursements. BEST PRACTICE Build a check for duplicate payments into the processing and approval of payroll, petty cash and travel reimbursements. Create an environment in which payroll, petty cash reimbursements and travel reimbursements are processed in a timely manner. Long delays in processing create opportunities for duplicate payments that go undiscovered. Look closely at all late entries to watch for double submission of payments. (Example: late timecards, extremely late petty cash requests, travel expenses requested at a later time separate from the rest of the trip).

  32. Documentation Control 5 KEY CONCEPT Retention: Retention policies exist for all types of supporting documentation. Always keep documents for the appropriate retention period and no longer. BEST PRACTICE Establish a process for purging documents that have reached the end of their retention period. Document who, when and how each record type should be purged. Be aware of record retention responsibilities.

  33. Reconciliation Control Definition: Reconciliation is the process of comparing transactions and activity to supporting documentation. Further, reconciliation involves resolving any discrepancies that may have been discovered. Purpose: The process of reconciliation ensures the accuracy and validity of financial information. Also, a proper reconciliation process ensures that unauthorized changes have not occurred to transactions during processing.

  34. Reconciliation Control 1 KEY CONCEPT Accuracy of activity: A good internal control system provides a mechanism to verify that transactions and activity are for the correct purpose and amount, and allowable. BEST PRACTICE For each type of activity consider documenting the particular information from source documents that is to be compared to the appropriate report. This assists to ensure that transactions are valid and are correct in purpose. (example: determine that for travel reimbursement source documents, the traveler name, destination, purpose of the trip, etc. will be matched to the monthly financial report) Ensure that transactions have been properly authorized. Especially, if the source documents are paper based, review for potential changes to the document between approval and processing of transactions. Ensure that all transactions are allowable.

  35. Reconciliation Control 2 KEY CONCEPT Error correction: Errors and discrepancies, intentional or unintentional, should be detected, investigated and resolved in a timely fashion. BEST PRACTICE Verify the recording of transactions in a timely manner. Review source documents to assure they are processed and posted in a timely manner by the processing department. If not, follow up with the appropriate office Document a plan for the research and correction of errors or discrepancies of each type of transaction or activity. Communicate these processes and procedures with the appropriate staff. Establish expectations for timeliness of error correction.

  36. Reconciliation Control 3 KEY CONCEPT Matching to the source: The oversight of any transaction is strengthened by the process of matching source documentation of the transaction to the appropriate reporting documentation or reporting tool. BEST PRACTICE What is budget reconciliation, and why do we need to do it? Budget reconciliation is the process of reviewing transactions and supporting documentation, and resolving any discrepancies that are discovered. How often should we reconcile? When possible reconciliation should be completed monthly, within 45 days of month-end close, but no less frequently than quarterly. For sponsored agreements a final reconciliation should be completed within 45 days of the budget end date. Keep in mind that special situations such as biennium close may take longer to finish than “regular” months.

  37. Reconciliation Control 4 KEY CONCEPT Documenting the process and completion: Reconciliation processes are most effective when consistent and thorough. Employees involved in the reconciliation process should be knowledgeable and clear on responsibilities and expectations It should be clear to an external reviewer when a reconciliation has been completed BEST PRACTICE Reconciliation should be documented clearly to verify that a review has been done The reconciliation process and procedures should be documented clearly and communicated. Consider documenting: The steps in the process Who performs each step Expectations regarding timeliness A mechanism for providing proof that all activity has been reviewed and reconciled A procedure for error correction

  38. Security Control Definition: The security of charter school assets and records includes three types of safeguards; Administrative, Physical and Technical: Administrative security: This focuses on the Charter School processes put in place to protect assets and records. This includes the above mentioned processes of authorization and reconciliation. Physical security: This is the protection of physical records and assets from loss by theft or damage. Technical security: This is the protection of electronic records from loss by theft, damage, or loss in transport. Purpose: Assets and records should be kept secure at all times to prevent unauthorized access, loss or damage. The security of assets and records is essential for ongoing operations, accuracy of information, privacy of personal information included in some records and in many cases is a state or federal law.

  39. Security Control 1 KEY CONCEPT Designate a point person BEST PRACTICE Designating a point person for all areas or individually for the 3 types of security provides an established responsibility and accountability for proper security procedures.

  40. Security Control 2 KEY CONCEPT Administrative Organization BEST PRACTICE Keep an up-to-date organizational chart that defines the reporting relationships as well as responsibilities, including back-up responsibilities, regarding internal controls within the unit. Document such processes as opening and distributing mail, administration of keys, access to documents and other administrative controls.

  41. Security Control 3 KEY CONCEPT Access to electronic records: Limit access to records and assets to those who have been authorized and have a business need for them. BEST PRACTICE Establish and communicate unit standards for screensavers and password protected screens. Setup password protected access to electronic records.

  42. Security Control 4 KEY CONCEPT Physical access to records: Limit access to records and assets to those who have been authorized and have a business need for them. BEST PRACTICE Do not allow electronic records to be downloaded to mobile workstations and transported outside of the office. Keep important records in lockable, fireproof storage

  43. Security Control 5 KEY CONCEPT Employee Turnover: Limit access to records and assets to those who have been authorized and have a business need for them. BEST PRACTICE Develop a checklist for removing access to records upon separation of an employee or upon transfer out of the unit. Develop a process and assign a point person the responsibility of administering the process for deleting access to records.

  44. Security Control 6 KEY CONCEPT Passwords: BEST PRACTICE Have a prescribed standard for departmental passwords. Make them complex and enforce a policy for changing passwords periodically.

  45. Separation of Duties Control Definition: Separation of duties is the means by which no one person has sole control over the lifespan of a transaction. Ideally, no one person should be able to initiate, record, authorize and reconcile a transaction. Purpose: All organizations should separate functional responsibilities. The separation of duties assures that mistakes, intentional or unintentional, cannot be made without being discovered by another person.

  46. Separation of Duties Control 1 KEY CONCEPT Unit differences: Separation of duties may vary depending on each unit's size and structure. BEST PRACTICE Duties may be separated by department or by individuals within a department. The level of risk associated with a transaction should come into play when determining the best method for separating duties.

  47. Separation of Duties Control 2 KEY CONCEPT Demonstration: Separation of duties should be able to be demonstrated to an outside party. BEST PRACTICE Documentation of processes and authorization is helpful in demonstrating a system of control that includes separation of duties.

  48. Separation of Duties Control 3 KEY CONCEPT Document the responsibilities: Separation of duties should be clearly defined, assigned and documented. BEST PRACTICE Document and clearly communicate who will initiate, submit, process, authorize, review and/or reconcile each activity within the unit.

  49. Separation of Duties Control 4 KEY CONCEPT Review and oversight: Management should increase the review and oversight function when it is difficult to sufficiently separate duties. BEST PRACTICE Assess the potential for mistakes or fraudulent transactions. If the separation of duties is not sufficient to eliminate or adequately reduce the risk of discovering errors, the level of review of management should be increased over the particular activity.

  50. References • University of Washington: http://f2.washington.edu/fm/fa/internal-controls/authorization new yorkDecember 2013

More Related