590 likes | 606 Views
This document provides an overview of internal controls, policies, and procedures for the New York State Education Department. It includes information on the initial statement, financial policy and procedure manual, and the engagement of an independent auditor.
E N D
New York State Education Department January 16, 2014 Part 1: Internal Controls (including Policies and Procedures) Part 2: Initial Statement
Internal Control Webinar Agenda Part 1: Internal Controls • Susan Megna: Introduction • Susan DuFour: Internal Controls, Policies/Procedures, Initial Statement and Due Dates • Jamal Young: Policy/Procedure Templates and Fiscal Oversight Guidebook • Fiscal Team: Examples of Internal Controls and related Policies and Procedures Part 2: Initial Statement
General Overview: Financial Policy and Procedure Manual documents the schools internal control activities and is due to CSO by March 1, 2014 Initial Statement is a report a new school prepares, on nine specific internal control activities and is due to CSO 120 days from date of charter. Engage Independent Auditor to perform Agreed Upon Procedures Audit Report on the Initial Statement.
Citation in the Charter Agreement on Internal Controls 5.1 Management and Financial Controls: The Charter School shall at all times maintain appropriate governance and management procedures and financial controls. To better ensure this outcome from the School’s commencement, the Charter School shall provide a statement to SED no later than one hundred-twenty (120) days from the Effective Date concerning the status of management and financial controls (the "Initial Statement"). The Initial Statement must address whether the Charter School has documented adequate controls relating to: Preparing and maintaining financial statements and records in accordance with generally accepted accounting procedures (GAAP) Payroll procedures Accounting for contributions and grants Procedures for the creation and review of interim and annual financial statements, which procedures shall specifically identify the individual(s) who will be responsible for preparing and reviewing such financial statements and ensure that such statements contain valid and reliable data Appropriate internal financial controls and procedures Safeguarding of assets including cash and equipment Compliance with applicable laws and regulation Ensuring the purchasing process results in the acquisition of necessary goods and services at the best price Following appropriate guidance relating to a code of ethics, budget development and administration, and cash management and investments
Charter Agreement: Internal Controls, cont'd 5.1 Management and Financial Controls, cont'd: School Responsibility: The Initial Statement shall be reviewed and ratified by the Charter School’s Board of Trustees prior to its submission to SED. Auditor Responsibility: The Charter School shall thereafter retain an independent certified public accountant (CPA) licensed in New York State to perform an agreed-upon procedures engagement (the “Independent Accountants’ Report”) in accordance with attestation standards established by the American Institute of Certified Public Accountants. The purpose of the engagement will be to assist the Board of Trustees and SED in evaluating the Initial Statement and the procedures, policies and practices established there under. The engagement shall commence within sixty (60) days after the date on which the Charter School has received and disbursed more than $50,000 in monies received from payments from school districts, under section 2856 of the Education Law, or from grants or other revenue sources.
Charter Agreement: Internal Controls, cont'd 5.1 Management and Financial Controls, cont'd: The resulting Independent Accountants’ Report should be provided to the Board of Trustees no later forty-five days (45) after the commencement of such engagement with a copy to SED. In the event that the Independent Accountants’ Report reveals that any of the above Management and financial controls (subparagraphs (a) – (i) of this paragraph) are not in place, the Charter School shall remedy such deficiencies no later than forty-five (45) days from the date the Independent Accountants’ Report was received by the Board of Trustees and shall provide to SED within that forty-five (45) day period a statement that all deficiencies identified in the Independent Accountants’ Report have been corrected. Such statement shall identify the Steps undertaken to correct the identified deficiencies. SED may require additional evidence to Verify the correction of all such deficiencies. All documents required to be submitted pursuant to this paragraph shall be submitted electronically in accordance with guidance provided by SED.
Introduction to Internal Controls Internal controls are all of the policies and procedures management uses to achieve the following: Protect assets Ensure records are accurate and reliable Promote operational efficiency and effectiveness Compliance with policies, rules, and laws Accomplishment of goals and objectives
Examples of Internal Controls: Personal Internal Controls Lock your home and your vehicle. Keep ATM/debit card pin number separate from your card Review bills and credit card statements before paying Do not leave blank checks or cash just lying around Expect your children to ask permission to do certain things Charter School Internal Controls: Buildings and offices are kept locked when unoccupied Computer passwords are periodically changed and not written down by the computer Check management reports and purchase card charges against source documents Lock cash drawers and secure storage for checks Require authorizations for certain activities
Responsibilities: The Board of Trustees are responsible for the general governance and administration of the Charter School. They are charged with issuing policies that govern the charter school which are are the basis of the internal control system.
Responsibilities, cont’d: • Management: Administrative management is responsible for maintaining an adequate system of internal control. Management is responsible for communicating the expectations and duties of staff as part of a control environment. They are also responsible for assuring that the other major areas of an internal control framework are addressed. These responsibilities should reflect the appropriate authority and accountability. • Staff: Staff and operating personnel are responsible for carrying out the internal control activities set forth by management.
Everyone is Responsible for Internal Controls All staff should: Read and understand the policies and procedures which affect their job Comply with the controls established to protect the charter school Notice if there is a control weakness and bring it to the attention of the supervisor or manager
Internal Controls: Myths vs. Fact Myth Internal control starts with a strong set of policies and procedures… Internal control is why we have internal auditors… Internal control is a finance thing. We do what the business office tells us… Internal controls are a necessary evil. They take time away from our core activities, serving students… Internal controls are a list of what not to do … If controls are strong enough, we can be sure there will be no fraud, and financial statements will be accurate… Fact Internal control starts with a strong control environment Management is the owner of internal control Internal control is integral to every aspect of the business Internal controls should be built into, not on to business processes Internal control makes the right things happen the first time, and every time Internal controls provide reasonable, but not absolute assurance that objectives will be achieve
Introduction to Policies and Procedures There is an art and skill to writing policies and procedures: Policies: Express rules, expectations and requirements Explain what to do Are realistic and attainable Have an active voice (subject-verb-object) Procedures: List steps to follow Tell “how” to perform a job Have an active voice and are imperative
Policy and Procedure Example: Policy: We provide one week of vacation after one year of employment and two week’s vacation after five years of employment. Procedure: Complete form VR-1. Submit form VR-1 to your supervisor one month prior to the desired time off.
Policy and Procedure Writing Skill: Say what you mean and mean what you say. Be aware of all possible interpretations. Use specific language Consider the Reader/Users Don’t assume anything Look at the experience of the user.
Why don’t Internal Controls always work? Inadequate knowledge of charter school policies or governing regulations. “I didn’t know that!” Inadequate segregation of duties. “We trust ‘A’ who does all of those things.” Inappropriate access to assets. Passwords shared, offices left unlocked, cash not secured . . . Form over substance “You mean I’m supposed to do something besides initial it.” Control override. “I know that’s the policy, but we do it this way.” “Just get it done, I don’t care how.” Inherent limitations. People are people and mistakes happen. You can’t foresee or eliminate all risk.
Internal controls are usuallyPreventive or Detective Preventive – To stop an unwanted outcome before it happens Detective – To find the problem before it grows
Examples of Detective Controls: Cash counts and bank reconciliations Reviewing payroll reports Comparing transactions on monthly management reports to source documents Monitoring expenditures against budgeted amounts
Examples of Preventive Controls To read and understand applicable Charter School Policy and Procedures to learn a process The review the approval process for purchase orders or requisitions, to make sure they’re appropriate before the purchase The use of computer passwords to stop unauthorized access
Internal Control FrameworkThe framework of a good internal control system includes: • Control environment: A sound control environment is created by management through communication, attitude and example. This includes a focus on integrity, a commitment to investigating discrepancies, diligence in designing systems and assigning responsibilities. • Risk Assessment: This involves identifying the areas in which the greatest threat or risk of inaccuracies or loss exist. To be most efficient, the greatest risks should receive the greatest amount of effort and level of control. For example, dollar amount or the nature of the transaction (for instance, those that involve cash) might be an indication of the related risk. • Monitoring and Reviewing: The system of internal control should be periodically reviewed by management. By performing a periodic assessment, management assures that internal control activities have not become obsolete or lost due to turnover or other factors. They should also be enhanced to remain sufficient for the current state of risks. • Information and communication: The availability of information and a clear and evident plan for communicating responsibilities and expectations is paramount to a good internal control system. • Control activities: These are the activities that occur within an internal control system.
Control Activities: • Internal control activities are the policies and procedures as well as the daily activities that occur within an internal control system. A good internal control system should include the control activities listed below. These activities generally fit into two types of activities. • Preventive: Preventive control activities aim to deter the instance of errors or fraud. Preventive activities include thorough documentation and authorization practices. Preventive control activities prevent undesirable "activities" from happening, thus require well thought out processes and risk identification. • Detective: Detective control activities identify undesirable "occurrences" after the fact. The most obvious detective control activity is reconciliation. Some control activities include: • Authorization (Preventive) • Documentation (Preventive) • Reconciliation (Detective) • Security • Separation of Duties Information regarding these activities including best practices is provided beginning on slide # 31-57.
Internal Control Best Practices: With a good internal control system in place, other considerations to keep in mind include: • Regularly communicate updates and reminders of policies and procedures to staff through emails, staff meetings and other communication methods. • Periodically assess risks and the level of internal control required to protect Charter School assets and records related to those risks. Document the process for review, including when it will take place. (Example: Determine that all security activities, reconciliation processes and separation of duties will be reviewed annually. They will, however, be staggered. Security activities will be reviewed in July, reconciliation in September and separation of duties in March.) • Management is responsible for making sure that all staff are familiar with Charter School policies and changes in those policies.
Example of Internal Control Finding: • Charter School Finding in Annual Financial Audit: Although the School previously adopted and implemented a formal financial policies and procedures manual (the “manual”), we concluded that there is a number of procedures that should be updated in the manual in order to achieve a sufficient internal control structure. This will help improve the School’s ability to process, record, summarize, and report financial information. • Independent Auditor Recommendation: Many daily procedures inevitably become known only to the individuals who perform them and the departure of any of these individuals could have a significant negative impact on the School’s operations. We recommend that consideration be given to updating the manual where finance and accounting policies and procedures are clearly defined.
Example of Procurement Finding: Procurement Procedures: During our walkthrough of procedures, we noted the following areas where controls were not always followed as documented in the Financial Policies and Procedures Manual (“FPPM”): We noted in one disbursement packet there were no packing slips or other support present which indicated the goods were received. It is important the disbursement packets hold all the information as required by the Fiscal Policies and Procedures Manual. The FPPM requires competitive bidding procedures for purchases exceeding $10,000 in the aggregate. Certain exceptions from these procedures are allowed as documented in the FPPM. We noted one disbursement over $10,000 did not have competitive bids or written evidence as to why no bids were obtained. We recommend the Charter School retain documentation of the quotes received when competitive bidding is required. In situations where competitive bidding is not required, this fact, along with the appropriate reason for exception should be documented on the purchase order or purchase request form. Recommendation We recommend disbursement packets contain all documentation as outlined in the Financial Policies and Procedures Manual. Purchase Requisitions and should be completed and approved prior to the procurement of goods when possible. If goods are required to be purchased on short notice, the Charter School should make every effort to ensure the reasons for obtaining approval afterwards are adequately documented. All disbursement packets should contain proof of goods ordered and received, including invoices or other documentation from vendors to support the purchase, which are marked with the appropriate general ledger account, manually signed as approved and paid. Further, the Charter School should retain documentation of the quotes received when competitive bidding is required. In situations where competitive bidding is not required, this fact, along with the appropriate reason for exception should be documented on the purchase order or purchase request form.
Example- Financial Statement Finding: Finding Statement of condition Material auditor adjustments were necessary to correctly state the Charter School’s financial statements for the period ended June 30, 2013. Criteria and effect of conditions During our audit, we noted various accounts, including accounts payable and accrued expenses, accrued payroll and benefits, deferred lease liability, per pupil operating revenue, government grant revenue, and payroll related expenses were misstated as a result of these accounts not being properly reconciled and adjusted to the correct balance during the year and prior to the commencement of the audit. Furthermore, certain revenues and expenses relating to cost-reimbursement grants were not reconciled appropriately in the accounting system. Those errors resulted in material auditor adjustments.
Team Presentation: Jamal Young Susan DuFour Blair Gearhart
Some Accounting Controls Guard Against Mistakes and Theft: Accounting is characterized by a lot of ‘paperwork’ — forms and procedures are plentiful. Internal accounting controls that guard against errors, omissions and theft are essential. Internal controls are designed to minimize errors in bookkeeping, which has to process a great deal of detailed information and data. Controls are also necessary to deter employee fraud, embezzlement, and theft. A few common examples of internal control procedures: Requiring a second signature on cash disbursements over a certain dollar amount (Authorization) Matching up receiving reports based on actual counts and inspections of incoming shipments with purchase orders before cutting checks for payment to vendors (Reconciliation) Having auditors or employees who are not responsible for inventory, take surprise counts of products stored in classrooms or the storeroom and compare the counts with inventory records (Separation of Duties) Requiring mandatory vacations by every employee, including bookkeepers and accountants, during which time someone else does that person’s job (because a second person may notice irregularities or deviations from company policies)
Fiscal Oversight Guidebook: Internal Control #26 (pg. 58) The charter school’s accounting system is integrated with key business functions including accounts payable, budgeting, general ledger, inventory/depreciation, requisitions and purchase orders, accounts receivable, and payroll. Develop Policy Develop Procedure Implement Policy and Procedure
Authorization Control • Definition: Authorization is the basis by which the authority to complete the various stages of a transaction is delegated. These stages include the processes of Recording (initiate, submit, process), Approving (pre-approval, post entry review), and Reconciling. • Purpose: All transactions and activities should be carried out and approved by employees acting within their range of knowledge and proper span of control. Proper authorization practices serve as a proactive approach for preventing invalid transactions from occurring.
Authorization Control 1: KEY CONCEPT Level of authority should be documented:Documented authority creates an expectation of responsibility and accountability. Authority to perform a particular action may come in hard copy documents or system generated authority. BEST PRACTICE Policies and procedures within an organization should clearly identify which individuals have authority to initiate, submit, reconcile, view or approve different types of transactions.
Authorization Control 2: KEY CONCEPT Know what you are authorizing:Individuals should have first hand knowledge of the transactions being approved, or they should review supporting documentation to verify the validity and appropriateness of transactions. An employee being uninformed of their responsibilities related to departmental procedures is not acceptable in a good internal control system. BEST PRACTICE Employees should be properly trained and informed of departmental procedures related to internal controls.
Authorization Control 3: KEY CONCEPT Authorization should be timely:Workflow is an important aspect of good internal controls. Time lags between approval and processing provide opportunities for altered documents and potential fraud. BEST PRACTICE Many falsifications occur after the approval of a transaction. The workflow process should stress timely authorizations as well as timely processing of transactions following approval. Once a document has been approved it should not be returned to the preparer.
Documentation Control: Definition: In the context of internal controls, paper or electronic communication which supports the completion of the lifecycle of a transaction meets the criteria for documentation. Anything that provides evidence for a transaction, who has performed each action pertaining to a transaction, and the authority to perform such activities are all considered within the realm of documentation for these purposes. Purpose: Documents provide a financial record of each event or activity, and therefore ensure the accuracy and completeness of transactions. This includes expenses, revenues, inventories, personnel and other types of transactions. Proper documentation provides evidence of what has transpired as well as provides information for researching discrepancies. Supporting documentation may come in paper or electronic form. In recent years, more often, official supporting documentation has moved from paper based to electronic forms. Keep in mind that in some instances electronic processing and approvals are the source documents for transactions.
Documentation Control 1: KEY CONCEPT Format of source documents: Well designed documents help ensure the proper recording of transactions. Consistent use of standard forms or templates should be considered whenever possible. BEST PRACTICE The advance of online applications provides a fast and efficient method for accessing supporting documentation in a standard format. In other areas, wherever possible, the use of templates provides the same benefits. Consider creating templates for activities such as: Email approvals Departmentally created supporting documentation Time reporting Reimbursement logs (such as mileage logs, petty cash, others)
Documentation Control 2: KEY CONCEPT Charter School ownership of documents:Documents used to support charter school business transactions are charter school property, not the personal property of employees. BEST PRACTICE Whenever possible, do not allow employees to take charter school owned records home. If business needs require charter school records to be taken home, communicate to employees their responsibility to keep documents secure, particularly those containing personal information. This is particularly important to communicate to employees that have telecommuting agreements.
Documentation Control 3: KEY CONCEPT Documenting changes: Changes made subsequent to approval of documents should be clear and concise. BEST PRACTICE Use attachments or footnotes to document the reasons for corrections/adjustments to any records. Make the time/date and the approval of such corrections/adjustments clear and evident.
Documentation Control 4: KEY CONCEPT Avoid duplicate processing: Establish a method to avoid duplicate processing, especially in regards to transactions that result in payments to individuals such as payroll, petty cash and travel reimbursements. BEST PRACTICE Build a check for duplicate payments into the processing and approval of payroll, petty cash and travel reimbursements. Create an environment in which payroll, petty cash reimbursements and travel reimbursements are processed in a timely manner. Long delays in processing create opportunities for duplicate payments that go undiscovered. Look closely at all late entries to watch for double submission of payments. (Example: late timecards, extremely late petty cash requests, travel expenses requested at a later time separate from the rest of the trip).
Documentation Control 5: KEY CONCEPT Retention: Retention policies exist for all types of supporting documentation. Always keep documents for the appropriate retention period and no longer. BEST PRACTICE Establish a process for purging documents that have reached the end of their retention period. Document who, when and how each record type should be purged. Be aware of record retention responsibilities.
Reconciliation Control: Definition: Reconciliation is the process of comparing transactions and activity to supporting documentation. Further, reconciliation involves resolving any discrepancies that may have been discovered. Purpose: The process of reconciliation ensures the accuracy and validity of financial information. Also, a proper reconciliation process ensures that unauthorized changes have not occurred to transactions during processing.
Reconciliation Control 1: KEY CONCEPT Accuracy of activity: A good internal control system provides a mechanism to verify that transactions and activity are for the correct purpose and amount, and allowable. BEST PRACTICE For each type of activity consider documenting the particular information from source documents that is to be compared to the appropriate report. This assists to ensure that transactions are valid and are correct in purpose. (example: determine that for travel reimbursement source documents, the traveler name, destination, purpose of the trip, etc. will be matched to the monthly financial report) Ensure that transactions have been properly authorized. Especially, if the source documents are paper based, review for potential changes to the document between approval and processing of transactions. Ensure that all transactions are allowable.
Reconciliation Control 2: KEY CONCEPT Error correction: Errors and discrepancies, intentional or unintentional, should be detected, investigated and resolved in a timely fashion. BEST PRACTICE Verify the recording of transactions in a timely manner. Review source documents to assure they are processed and posted in a timely manner by the processing department. If not, follow up with the appropriate office Document a plan for the research and correction of errors or discrepancies of each type of transaction or activity. Communicate these processes and procedures with the appropriate staff. Establish expectations for timeliness of error correction.
Reconciliation Control 3: KEY CONCEPT Matching to the source: The oversight of any transaction is strengthened by the process of matching source documentation of the transaction to the appropriate reporting documentation or reporting tool. BEST PRACTICE What is budget reconciliation, and why do we need to do it? Budget reconciliation is the process of reviewing transactions and supporting documentation, and resolving any discrepancies that are discovered. How often should we reconcile? When possible reconciliation should be completed monthly, within 45 days of month-end close, but no less frequently than quarterly. For sponsored agreements a final reconciliation should be completed within 45 days of the budget end date. Keep in mind that special situations such as biennium close may take longer to finish than “regular” months.
Reconciliation Control 4: KEY CONCEPT Documenting the process and completion: Reconciliation processes are most effective when consistent and thorough. Employees involved in the reconciliation process should be knowledgeable and clear on responsibilities and expectations It should be clear to an external reviewer when a reconciliation has been completed BEST PRACTICE Reconciliation should be documented clearly to verify that a review has been done The reconciliation process and procedures should be documented clearly and communicated. Consider documenting: The steps in the process Who performs each step Expectations regarding timeliness A mechanism for providing proof that all activity has been reviewed and reconciled A procedure for error correction
Security Control: Definition: The security of charter school assets and records includes three types of safeguards; Administrative, Physical and Technical: Administrative security: This focuses on the Charter School processes put in place to protect assets and records. This includes the above mentioned processes of authorization and reconciliation. Physical security: This is the protection of physical records and assets from loss by theft or damage. Technical security: This is the protection of electronic records from loss by theft, damage, or loss in transport. Purpose: Assets and records should be kept secure at all times to prevent unauthorized access, loss or damage. The security of assets and records is essential for ongoing operations, accuracy of information, privacy of personal information included in some records and in many cases is a state or federal law.
Security Control 1: KEY CONCEPT Designate a point person BEST PRACTICE Designating a point person for all areas or individually for the 3 types of security provides an established responsibility and accountability for proper security procedures.
Security Control 2: KEY CONCEPT Administrative Organization BEST PRACTICE Keep an up-to-date organizational chart that defines the reporting relationships as well as responsibilities, including back-up responsibilities, regarding internal controls within the unit. Document such processes as opening and distributing mail, administration of keys, access to documents and other administrative controls.
Security Control 3: KEY CONCEPT Access to electronic records: Limit access to records and assets to those who have been authorized and have a business need for them. BEST PRACTICE Establish and communicate unit standards for screensavers and password protected screens. Setup password protected access to electronic records.
Security Control 4: KEY CONCEPT Physical access to records: Limit access to records and assets to those who have been authorized and have a business need for them. BEST PRACTICE Do not allow electronic records to be downloaded to mobile workstations and transported outside of the office. Keep important records in lockable, fireproof storage