Search for Keywords
- Annual Financial Report
A summarized version of this best practice can found at this link.
A system of internal control may be implemented in many different ways. Because political subdivisions vary in purpose, size and complexity, no single method of internal control is universally applicable. However, the five internal control components should be present and functioning in all political subdivisions.
Questions have been accumulated for all five internal control components. This document includes questions pertaining to various noncompliance issues regarding the preparation, review and submission of the Annual Financial Report (AFR). These questions can be used to aid in designing a proper system of internal control over the preparation, review and submission of the AFR that will allow misstatements of the AFR to be prevented or detected and corrected in a timely manner. It is not necessary to address all questions in this document. These are only suggestions and ultimately it is up to the unit on how they implement it. The internal control system as a whole has to be designed and implemented appropriately in order to allow errors and deficiencies in internal controls in the preparation, review and submission of the AFR to be prevented or detected and corrected.
Units prepare the AFR using the Gateway reporting system. The financial information within the AFR and submitted to Gateway is used to compile the financial statements for those unites that present on a Regulatory basis. Units who report on a generally accepted accounting principles (GAAP) basis will complete all sections of the AFR, as well as, submitting their accrual financial statements. The procedures established should be reflective of whatever process is used to complete the AFR.
Components of Internal Control:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Control Environment - Sets the tone of the unit and influences the effectiveness of internal controls within the unit. It comprises the integrity and ethical values of the unit and is set by the governing board and management. The standards, processes, and structures which form the control environment pervasively impact the overall system of internal control.
The questions in this section are divided by questions that pertain to the governing board, management and both the governing board and management.
Governing Board:
1) Does the governing board oversee the unit’s internal control system over the preparation, review and submission of the AFR?
2) If considered necessary, did the governing board establish an oversight committee and appoint members with high ethical values, excellent communication and problem solving skills?
3) Does the unit have a mission statement, objective and goals?
4) Does the governing board convey periodic messages of expectations to all employees?
5) Are there written policies documenting internal control procedures over the preparation, review and submission of the AFR? If yes, do these written policies outline the authority and responsibility for the preparation, review and submission of the AFR within the unit?
6) How involved is the governing board in understanding the unit’s AFR process, overseeing the effectiveness of internal controls over the preparation, review and submission of the AFR, and evaluating whether the accounting records that support the AFR are correct? For example, is the governing board’s involvement limited to attending board meetings, or does the board oversee other things such as unit controls, accounting practices, etc.
7) Did the governing board develop an organizational chart? If yes, is the organizational chart current and accurate? If yes, did the governing board create job duties for each level of the organizational chart? If job duties were created, do these duties address responsibilities required for the preparation, review and submission of the AFR?
8) Has fiscal authority been formally delegated to specific management personnel?
9) Did the governing board develop a formal employee evaluation system to set the intervals in which employees will be evaluated? If yes, does the formal evaluation system include disciplinary action that will be taken if an employee does not meet the expectations noted in the evaluation system?
10) How does the governing board oversee the activities of management that are related to financial reporting? What oversight does the governing board give on the accounting records?
11) Are accounting department employees required to take vacations?
12) Has the governing board developed and implemented an ethics policy? If yes, does the policy address potential conflicts of interest? Is there a system of annual acknowledgment in place where either through e-mail submission or manual documentation, each official and employee attests that they have read the policy and will adhere to the policy?
13) Are there regular meetings of the governing board to set policies and objectives and review the unit’s performance?
14) Are the minutes of such meetings prepared and signed on a timely basis?
15) Are confidentiality agreements required for employees who come in contact with confidential information?
16) Are policies regarding personal use of computer equipment and software clearly stated?
17) Does the fiscal officer present the AFR to the governing board for review and approval at a regularly scheduled public meeting?
Management:
1) Does management develop and maintain documentation of the internal control system over the preparation, review and submission
of the AFR?2) What procedures did management put in place for the preparation, review and submission of the AFR?
a. Does management assign responsibility, and delegate authority to achieve a correct AFR and ensure it is submitted timely?
3) Does management establish an organizational structure, assign responsibility and delegate authority in order to achieve a correct AFR? If yes, did management establish and document the organizational structure of each office and department Examples of items to incorporate into the structure could include: an organizational chart; outline of specific duties; designation of responsible persons for each part of the accounting process; documentation of internal control procedures over specific accounting areas; etc.
4) Does management ensure compliance with the unit’s personnel policies and procedures regarding hiring, training, promoting and compensating?
5) Does management check credentials and references for new employees?
6) Do employees who are involved in the AFR process receive continuous or periodic training? If yes, what kind of training do employees receive to help them maintain their accounting and financial reporting competencies?
a. What background, education, and experience do accounting personnel have that assist them with their duties?
7) Does management reward employees for following good internal control practices through promotions or increase in compensation?
8) Is turnover of key fiscal personnel relatively low?
9) Does the workload of accounting employees facilitate the preparation of reliable accounting records?
10) Does management evaluate performance and hold individuals accountable for their responsibilities? If yes, what action is taken for employees not performing their responsibilities?
11) Is cross training completed to ensure that more than one employee is knowledgeable about the AFR process? This cross training would allow more than one employee to be aware of potential design deficiencies in the internal controls or of noncompliance with internal controls.
12) Do accounting supervisors frequently prepare reports or reconciliations to verify the accuracy of financial transactions?
13) Does management take an active role in the financial reporting of the unit?
14) Is management actually involved in supervision of the various functions?
15) Does management ask employees for their suggestions on how to improve processes?
16) Has management given a high priority to its internal control structure?
17) Is management willing to adjust the financial statements or other information entered into Gateway for misstatements that approach a material amount?
18) Does management discuss internal controls at management and other staff meetings?
Governing Board and Management:
1) Does the governing board and management stress adherence to policies and procedures?
2) Is there a clear assignment of responsibility and delegation of authority to deal with such matters as organizational goals and objective, operating functions and regulatory requirements?
3) If an outside consultant is used to complete the AFR, is there a supporting contract that addresses the following items:
a. Services to be provided
b. Compliance with laws and regulations should be adhered to
c. Compensation
d. Effective and ending dates
e. Deadlines
f. Renewal options
Risk Assessment - Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment is the process used to identify and assess internal and external risks to the achievement of objectives, and then establish risk tolerances. It is the basis for determining how risk will be managed.
1) Does management identify, analyze and respond to risks regarding the preparation, review and submission of the AFR?a. What areas have been identified regarding the preparation, review and submission of the AFR that may be exposed to fraud
risk?i. Risk factors may include noncompliance with statutes, changes in management or employees, competence and experience of personnel involved in the AFR process, findings reported in prior audits regarding the AFR, new accounting system, inaccurate financial statements and other information required by Gateway, volume of transactions and funds, late submission of the AFR, etc.
b. Does management analyze the identified risks to determine the effect of the risk on achieving a correct AFR? For example, does management consider how likely the risk will occur, how it will impact a correct AFR, if the risk is based on complex or unusual transactions, if the risk is based on fraud, etc.
c. How has management addressed risks associated with using computerized accounting records, such as unauthorized access to applications or data, potential loss of data, and reliance or inadequate systems that may adversely affect internal control?
d. How has management responded to identified risks? For example, management may accept the risk and take no action, choose to eliminate certain processes to avoid the risk and institute proper internal controls.
e. When needed, does management go back to the governing board to enact or modify policies that will that will clearly define these areas?
2) Does management clearly define proper procedures over the preparation, review and submission of the AFR to enable the identification of risks and to define risk tolerances? Written procedures should be clear and address items such as who will be involved in the AFR process, how proper AFR procedures will be achieved, and when will proper AFR procedures be in place.
3) How does management prevent fraud and errors in the accounting records, which are used to prepare the AFR? For example, are important internal control procedures in place such as approvals, regular preparation or review of reconciliations, review of supporting schedules or reports, etc.?
4) Is management continually aware of changes, both external and internal, that could affect a correct AFR? If yes, does management determine any modifications needed in the internal control process to adopt to these changes?
5) Did the governing board or management incorporate external requirements, such as state statutes and Uniform Compliance
Guidelines?6) What procedures are in place to ensure that the information reported on the AFR is correct and reflective of the accounting
records?Control Activities - The actions and tools management establishes through policies and procedures that help to detect, prevent, or reduce the identified risks that interfere with the achievement of objectives and to respond to risk in the internal control system.
An integral part of the control activity component is segregation of duties. However, in very small governmental units, such segregation may not be practical. In this case, compensating activities should be implemented which may include additional levels of review for key operational processes, random and/or periodic review of selected transactions. In smaller units, these reviews and testing of processes might be performed by governing boards or other elected officials.
There is an expectation of segregation of duties. If compensating controls are necessary, documentation should exist to identify both the areas where segregation of duties are not feasible or practical and the compensating controls implemented to mitigate the risk. Clear documentation should be maintained for continuity as well as ease of communication to outside parties.
1) Is there a system of checks and balances (segregation of duties) to ensure a correct AFR?
a. Are responsibilities for preparing the AFR segregated from those involved in reviewing the AFR?
b. Are responsibilities for preparing the AFR segregated from those involved in submitting the AFR?
c. Are responsibilities for reviewing the AFR segregated from those involved in submitting the AFR?
2) Did management design the unit’s information system and related control activities to ensure the proper preparation, review and submission of the AFR?
a. Did management implement control activities through written policies?
3) Is the individual authorized to review the AFR knowledgeable in the annual financial report process?
a. Is there a checklist for the preparation, review and submission of the AFR that includes the following?
i. Employee names with their responsibilities and duties
ii. Deadlines for submission of information from each employee
iii. Detail of supporting documentation required, etc.
iv. Is a comparison to the prior AFR made to identify material errors and verify the beginning cash and investment balances agree with the prior ending cash and investment balance?
4) Does the individual authorized to review the AFR understand the unit’s recordkeeping system?
5) Is access to the unit’s records appropriately controlled by user logins and passwords? Do individuals involved in the AFR process share their user id and password?
6) Does management or another designated individual review and check the accuracy of the information submitted through the Gateway reporting system by comparing it to supporting documentation used to input the information before submission? Is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
7) Are there funds held outside the unit’s funds ledger that are required to be included in the AFR? If yes, are they supported by Supplemental Annual Reports submitted by departments or other outside agencies?
8) Does management review and check the accuracy of the Supplemental Annual Report submitted by the departments by comparing it to supporting documentation used to input the information before submission to the fiscal officer? Is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
9) Are the Detailed Error Reports generated from the Gateway system reviewed by management or an individual not involved in the AFR process? How are the errors noted on the report corrected?
10) Does the unit use an outside consultant to prepare the AFR?
a. Is information submitted to the outside consultant reviewed by an individual separate from those involved in gathering the
information?i. Does the review include verifying the information submitted to the outside consultant agrees with supporting documentation? If yes, is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
ii. Does the fiscal officer or a designated individual compare the AFR prepared by the outside consultant to supporting documentation submitted to the outside consultant? If yes, is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
b. Does management verify the outside consultant is performing all services detailed in the approved contract?
Information and Communication - Relevant information from both internal and external sources is necessary to support the functioning of the other components of internal control. Communication is the continual process of providing, sharing, and obtaining necessary information.
1) Are procedures established to ensure that proper communication and documentation exists for internal communications between offices, departments, management and the governing board regarding the preparation, review and submission of the AFR?
a. How does the unit internally communicate information regarding the preparation, review and submission of the AFR to employees, including how to prepare a correct AFR and responsibilities for internal control? Are records maintained to document
this communication?b. Are procedures established to ensure that the communication requirements are being followed and necessary information is
being communicated properly?c. Are procedures established for feedback on and clarification of the information provided?
2) What procedures are in place to collect the information needed to complete the AFR?
a. Does management use the most current information available to ensure the AFR will be correct?
Monitoring - Activities that allow management to assess the quality of internal controls over time and make adjustments as necessary. Proper monitoring ensures that controls function properly.
1) Are procedures in place to ensure that appropriate personnel perform their required duties sufficiently and adequately follow the
policies and procedures of the unit regarding the preparation, review and submission of the AFR?2) Are internal control procedures over the preparation, review and submission of the AFR evaluated and adjusted on a regular basis? For example, personnel changes, newly elected officials, etc.
a. What follow-up action is taken for identified problems or weaknesses in internal controls over the preparation, review and
submission of the AFR?3) Are monthly reports detailing receipts, disbursements, appropriations and cash and investment balances provided to the
appropriate department to review for accuracy and reasonableness?4) Are monthly reports detailing receipts, disbursements, appropriations and cash and investment balances provided to management to review for accuracy and reasonableness?
5) Are monthly reports of receipts, disbursements, appropriations and cash and investment balances provided to the governing board to review?
6) Does a confidential reporting system exist so that individuals may report suspected fraud and abuse of the unit’s policies?
- Bank Account Reconcilements
A summarized version of this best practice can found at this link.
A system of internal control may be implemented in many different ways. Because political subdivisions vary in purpose, size and complexity, no single method of internal control is universally applicable. However, the five internal control components should be present and functioning in all political subdivisions.
Questions have been accumulated for all five internal control components. This document includes questions pertaining to various noncompliance issues regarding bank account reconcilements. These questions can be used to aid in designing a proper system of internal control over bank reconcilements that will allow incorrect bank reconcilements to be prevented or detected and corrected in a timely manner. It is not necessary to address all questions in this document. These are only suggestions and ultimately it is up to the unit on how they implement it. The internal control system as a whole has to be designed and implemented appropriately in order to allow errors made on the bank reconcilement to be prevented or detected and corrected in a timely manner.
Components of Internal Control:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Control Environment - Sets the tone of the unit and influences the effectiveness of internal controls within the unit. It comprises the integrity and ethical values of the unit and is set by the governing board and management. The standards, processes, and structures which form the control environment pervasively impact the overall system of internal control.
The questions in this section are divided by questions that pertain to the governing board, management and both the governing board and management.
Governing Board:
1) Does the governing board oversee the unit’s internal control system over the preparation and review of the bank reconcilement?
2) If considered necessary, did the governing board establish an oversight committee and appoint members with high ethical values, excellent communication and problem solving skills?
3) Does the unit have a mission statement, objective and goals?
4) Does the governing board convey periodic messages of expectations to all employees?
5) Are there written policies documenting internal control procedures over the preparation and review of the bank reconcilement? If yes, do these written policies outline the authority and responsibility for the preparation and review of the bank reconcilement within the unit and require bank reconcilements to be performed monthly?
6) How involved is the governing board in understanding the unit's bank reconcilement process, overseeing the effectiveness of internal controls over the preparation and review of the bank reconcilement, and evaluating whether the accounting records that support the bank reconcilement are correct? For example, is the governing board’s involvement limited to attending board meetings, or does the board oversee other things such as unit controls, accounting practices, etc.
7) Does the governing board have a complete listing of all bank accounts?
8) Did the governing board develop an organizational chart? If yes, is the organizational chart current and accurate?
9) Have job descriptions been created outlining specific duties? Is yes, do these duties address responsibilities required for the preparation and review of the bank reconcilement
10) Has fiscal authority been formally delegated to specific management personnel?
11) Did the governing board develop a formal employee evaluation system to set the intervals in which employees will be evaluated? If yes, does the formal evaluation system include disciplinary action that will be taken if an employee does not meet the expectations noted in the evaluation system?
12) Does management provide documented processes regarding the preparation and review of the bank reconcilement to the governing board for review?
13) How does the governing board oversee the activities of management that are related to financial reporting? What oversight does the governing board give on the accounting records?
14) Are accounting department employees required to take vacations?
15) Has the governing board developed and implemented an ethics policy? If yes, does the policy address potential conflicts of interest? Is there a system of annual acknowledgment in place where either through e-mail submission or manual documentation, each official and employee attests that they have read the policy and will adhere to the policy?
16) Are there regular meetings of the governing board to set policies and objectives and review the entity’s performance?
17) Are the minutes of such meetings prepared and signed on a timely basis?
18) Are confidentiality agreements required for employees who come in contact with confidential information?
19) Are policies regarding personal use of computer equipment and software clearly stated?
Management:
1) Does management develop and maintain documentation of the internal control system regarding the preparation and review of the bank reconcilement?
2) What procedures did management put in place for the preparation and review of the bank reconcilement and review of cash and investment balances?
a. Does management assign responsibility and delegate authority to achieve a correct bank reconcilement and ensure it is prepared monthly?
3) Have all bank accounts been reported to management?
4) Does management establish an organizational structure, assign responsibility and delegate authority in order to achieve a correct bank reconcilement in a timely manner? If yes, did management establish and document the organizational structure of each office and department? Examples of items to incorporate into the structure could include: an organizational chart, outline of specific duties, designation of responsible persons for each part of the accounting process, documentation of internal control procedures over specific accounting areas, etc.
5) Does management ensure compliance with the unit’s personnel policies and procedures concerning hiring, training, promoting and compensating?
6) Does management check credentials and references for new employees?
7) Do employees who are involved in the preparation and review of the bank reconcilement receive continuous or periodic training? If yes, what kind of training do employees receive to help them maintain their accounting and financial reporting competencies?
a. What background, education, and experience do accounting personnel have that assist them with their duties?
8) Does management reward employees for following good internal control practices through promotions or increase in compensation?
9) Is turnover of key fiscal personnel relatively low?
10) Does the workload of accounting employees facilitate the preparation of reliable accounting records?
11) Does management evaluate performance and hold individuals accountable for their responsibilities? If yes, what action is taken for employees not performing their responsibilities?
12) Is cross training completed to ensure that more than one employee is knowledgeable about the bank reconcilement process? This cross training would allow more than one employee to be aware of potential design deficiencies in the internal controls or of noncompliance with internal controls.
13) Do accounting supervisors frequently prepare reports or reconciliations to verify the accuracy of financial transactions?
14) Does management take an active role in the financial reporting of the unit?
15) Is management actually involved in supervision of the various functions?
16) Does management ask employees for their suggestions on how to improve processes?
17) Has management given a high priority to its internal control structure?
18) Does management emphasize meeting the budget and/or financial and operating goals?
19) Is management willing to adjust the financial statements for misstatements that approach a material amount?
20) Does management discuss internal controls at management and other staff meetings?
Governing Board and Management:
1) Does the governing board and management stress adherence to policies and procedures?
2) Is there a clear assignment of responsibility and delegation of authority to deal with such matters as organizational goals and objectives, operating functions and regulatory requirements?
3) Is the entity meeting its financial obligations?
Risk Assessment - Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment is the process used to identify and assess internal and external risks to the achievement of objectives, and then establish risk tolerances. It is the basis for determining how risk will be managed.1) Does management identify, analyze and respond to risks regarding the preparation and review of the bank reconcilement?
a. What areas have been identified regarding the preparation and review of the bank reconcilement that may be exposed to risk?
i. Risk factors may include non-compliance with statutes, changes in management or employees, competence and experience of personnel assigned to the bank reconcilement process, findings reported in prior audits regarding the bank reconcilement, new accounting system, new technology allowing alteration of documents, volume of receipt and disbursement transactions, susceptibility of fraud occurring in receipting and disbursing activities (including both misappropriation of assets and fraudulent financial reporting), bank errors and various fees not investigated timely, nonsufficient checks received and no timely follow up, insufficient documentation, interest and finance charges, unauthorized access to accounting applications, override of system controls, etc.
b. Does management analyze the identified risks to determine the effect of risk on achieving a correct bank reconcilement? For example, does management consider how likely the risk will occur, if the risk is based on complex or unusual transactions, if the risk is based on fraud, etc.
c. How has management addressed risks associated with using computerized accounting records, such as unauthorized access to applications or data, potential loss of data, and reliance or inadequate systems that may adversely affect internal control?
d. How has management responded to identified risks? For example, management may accept the risk and take no action, choose to eliminate certain processes to avoid the risk and/or institute proper internal controls.
e. When needed, does management go back to the governing board to enact or modify policies that will that will clearly define these areas?
2) Does management clearly define proper procedures for the preparation and review of the bank reconcilement to enable the identification of risks and to define risk tolerances? Written procedures should be clear and address items such as who will be involved in the bank reconcilement process, how a correct bank reconcilement will be achieved and when will proper bank reconcilement procedures be in place.
3) How does management prevent fraud and errors in the accounting records, which are used to compute cash and investment balances? For example, are important internal control procedures in place such as approvals, regular preparation or review of reconciliations, review of supporting schedules or reports, etc.?
4) Is management continually aware of changes, both external and internal, that could affect a correct bank reconcilement? If yes, does management determine any modifications needed in the internal control process to adopt to these changes?
5) Did the governing board or management incorporate external requirements, such as state statutes and Uniform Compliance Guidelines?
6) What procedures are in place to ensure that the information reported on the bank reconcilement is correct and reflective of the accounting records and the bank reconcilement is performed monthly?
7) Are employees involved in the bank reconcilement process bonded?
Control Activities - The actions and tools management establishes through policies and procedures that help to detect, prevent, or reduce the identified risks that interfere with the achievement of objectives and to respond to risk in the internal control system.
An integral part of the control activity component is segregation of duties. However, in very small governmental units, such segregation may not be practical. In this case, compensating activities should be implemented which may include additional levels of review for key operational processes and random and/or periodic review of selected transactions. In smaller units, these reviews and testing of processes might be performed by governing boards or other elected officials.
There is an expectation of segregation of duties. If compensating controls are necessary, documentation should exist to identify both the areas where segregation of duties are not feasible or practical and the compensating controls implemented to mitigate the risk. Clear documentation should be maintained for continuity as well as ease of communication to outside parties.
1) Is there a system of checks and balances (segregation of duties) to ensure a correct bank reconcilement?
a. Are responsibilities for reviewing the bank reconcilement segregated from those preparing the bank reconcilement?
b. Are responsibilities for preparing the bank reconcilement segregated from those involved in receipting and disbursing activities?
c. Are responsibilities for preparing a reconcilement between the receipts ledger and the credits to the bank account segregated from those involved in the receipting process?
d. Are responsibilities for preparing a reconcilement between the disbursements ledger and the debits to the bank account segregated from those involved in the disbursing process?
2) Does management present the bank reconcilement to the governing board for review and approval?
3) Did management design the entity’s information system and related control activities to ensure the proper preparation and review of the bank reconcilement?
a. Did management implement control activities through written policies?
b. Is access to the bank reconciliation applications appropriately controlled by user logins and passwords?
c. Do individuals involved in the bank reconciliation process share their user id and password?
4) Are bank statements received directly by the appropriate level of management or another appropriate person and reviewed prior to routing to the individual who performs the bank reconcilement?
5) Does management or a designated individual review and check the accuracy of the bank reconcilement by comparing it to supporting documentation used and verify the bank reconcilement was performed monthly? If yes, is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
6) Are canceled checks examined to ensure vendors are recognized, signatures are by authorized signers and endorsements are appropriate?
7) Are bank statements and cancelled checks examined to ensure checks are not issued out of sequence?
8) Is the individual authorized to oversee the bank reconcilement knowledgeable in the bank reconcilement process?
9) Does the individual authorized to oversee cash and investment balances understand the unit’s recordkeeping system?
10) Is there a checklist for the preparation and review of the bank reconcilement that includes the following?
a. Employee names with their responsibilities and duties
b. Deadlines for completing the bank reconcilement
c. Detail of supporting documentation required
d. Supporting documentation required for all reconciling items
11) Is there a periodic investigation of checks outstanding for a considerable time?
Information and Communication - Relevant information from both internal and external sources is necessary to support the functioning of the other components of internal control. Communication is the continual process of providing, sharing, and obtaining necessary information.
1) Are procedures established to ensure that proper communication and documentation exists for internal communications between offices, departments, management and the governing board regarding the preparation and review of bank reconcilements?
a. How does the unit internally communicate information to employees regarding the preparation and review of the bank reconcilement, including responsibilities for internal control? Are records maintained to document this communication?
b. Are procedures established to ensure that the communication requirements are being followed and necessary information is being communicated properly?
c. Are procedures established for feedback on and clarification of the information provided?
2) What procedures are in place to collect the information needed to complete the bank reconcilement?
a. Does management use the most current information available to ensure the bank reconcilement is correct?
Monitoring – Activities that allow management to assess the quality of internal controls over time and make adjustments as necessary. Proper monitoring ensures that controls function properly.
1) Are procedures in place to ensure that appropriate personnel perform their required duties sufficiently and adequately follow the policies and procedures of the unit regarding the preparation and review of the bank reconcilement?
2) Are internal controls over the bank reconcilement process evaluated for weaknesses on a regular basis? For example personnel changes, newly elected officials, new technology, etc.
a. What follow-up action is taken for identified problems or weaknesses in internal controls regarding the preparation and review of the bank reconcilement?
3) Are monthly reports detailing receipts, disbursements, cash and investment balances and appropriations of the funds provided to the appropriate department to review for accuracy and reasonableness?
4) Are monthly reports detailing receipts, disbursements, cash and investment balances and appropriations of the funds provided to management to review for accuracy and reasonableness?
5) Are monthly reports of receipts, disbursements, cash and investment balances and appropriations of the funds provided to the governing board to review?
6) Does a confidential reporting system exist so that individuals may report suspected fraud and abuse of the unit’s policies? - Credit Card Purchases
A summarized version of this best practice can found at this link.
A system of internal control may be implemented in many different ways. Because political subdivisions vary in purpose, size and complexity, no single method of internal control is universally applicable. However, the five internal control components should be present and functioning in all political subdivisions.
Questions have been accumulated for all five internal control components. This document includes questions pertaining to various noncompliance issues regarding the use of credit cards. These questions can be used to aid in designing a proper system of internal control over credit cards that will allow deficiencies in procedures over credit cards to be prevented or detected and corrected. It is not necessary to address all questions in this document. These are only suggestions and ultimately it is up to the unit on how they implement it. The internal control system as a whole has to be designed and implemented appropriately in order to allow deficiencies over credit card procedures to be prevented or detected and corrected.
Components of Internal Control:
* Control Environment
* Risk Assessment
* Control Activities
* Information and Communication
* MonitoringControl Environment - Sets the tone of the unit and influences the effectiveness of internal controls within the unit. It comprises the integrity and ethical values of the unit and is set by the governing board and management. The standards, processes, and structures which form the control environment pervasively impact the overall system of internal control.
The questions in this section are divided by questions that pertain to the governing board, management and both the governing board and management.
Governing Board:
1) Does the governing board oversee the unit’s internal control system regarding credit cards?
2) If considered necessary, did the governing board establish an oversight committee and appoint members with high ethical values, excellent communication and problem solving skills?
3) Does the unit have a mission statement, objective and goals?
4) Does the governing board convey periodic messages of expectations to all employees?
5) Did the governing board authorize credit card use through an approved credit card policy? If yes, was the credit card policy approved in the minutes?
6) Did the credit card policy include the following?
a. Internal control procedures over credit card purchases.
b. Outline the authority and responsibility for credit card purchases within the governmental unit.
c. Issuance and use must be handled by an official or employee designated by the governing board.
d. Limit the number of credit cards and users to a minimum if possible.
e. Set account limits with credit card companies and vendors.
f. Deactivate the ability to make cash advances.
g. The purpose for which the credit card may be used. (travel, online purchasing, emergency/ small purchases, automatic payments)
h. Types of purchases that are prohibited or restricted. (personal expenses, purchases above a threshold amount, etc.)
i. The card must be returned to the custody of the responsible person after credit card purchases are made.
j. The designated official or employee must maintain an accounting system or log which would include names of individuals requesting usage of the cards, their position, estimated amounts to be charged, fund and account numbers to be charged and the date the card is issued and returned. The log should be reviewed by the appropriate level of management.
k. Credit cards must not be used to bypass the accounting system.
l. Purchase orders are issued to provide the fiscal officer with the means to encumber and track appropriations to provide timely and accurate accounting information and monitoring of the accounting system.
m. Payments cannot be made on the basis of a statement or a credit card slip only. Supporting documents such as paid bills and receipts must be available.
n. Any interest or penalty incurred due to late filing or furnishing of documentation by an officer or employee may be the personal obligation of the responsible officer or employee.
7) How involved is the governing board in understanding the entity's credit card procedures, overseeing the effectiveness of internal controls over credit card procedures, and evaluating whether the accounting records that support the payment of credit cards are correct? For example, is the governing board’s involvement limited to attending board meetings, or does the board oversee other things such as unit controls, accounting practices, etc.
8) Did the governing board develop an organizational chart? If yes, is the organizational chart current and accurate?
9) Have job descriptions been created outlining specific duties? If yes, do these duties address responsibilities required for the handling of credit cards?
10) Has fiscal authority been formally delegated to specific management personnel?
11) Did the governing board adopt a written travel policy?
12) Did the governing board develop a formal employee evaluation system to set the intervals in which employees will be evaluated? If yes, does the formal evaluation system include disciplinary action that will be taken if an employee does not meet the expectations noted in the evaluation system?
13) Does management provide documented processes for the handling of credit cards to the governing board for review?
14) Are accounting department employees required to take vacations?
15) Has the governing board developed and implemented a conflict of interest and ethics policy? Is there a system of annual acknowledgment in place where either through e-mail submission or manual documentation, each official and employee attests that they have read the policy and will adhere to the policy?
16) Are there regular meetings of the governing body to set policies and objectives and review the entity’s performance?
17) Are the minutes of such meetings prepared and signed on a timely basis?
18) Are confidentiality agreements required for employees who come in contact with confidential information?
19) Are policies regarding personal use of computer equipment and software clearly stated?
Management:
1) Does management develop and maintain documentation of the internal control system regarding credit cards?
2) What procedures did management put in place for the handling of credit cards?
a. Does management assign responsibility, and delegate authority to oversee credit card use and ensure that the credit card policy is being followed?
3) Does management establish an organizational structure, assign responsibility and delegate authority in order to achieve proper procedures over credit cards? If yes, did management establish and document the organizational structure of each office and department? Examples of items to incorporate into the organizational structure could include: an organizational chart, outline of specific duties, designation of responsible persons for each part of the accounting process, documentation of internal control procedures over specific accounting areas, etc.
4) Does management ensure compliance with the unit’s personnel policies and procedures concerning hiring, training, promoting and compensating?
5) Does management check credentials and references for new employees?
6) Do employees who are involved in credit card procedures receive continuous or periodic training? If yes, what kind of training do employees receive to help them maintain their accounting and financial reporting competencies?
a. What background, education, and experience do accounting personnel have that assist them with their duties?
7) Does management reward employees for following good internal control practices through promotions or increase in compensation?
8) Is turnover of key fiscal personnel relatively low?
9) Does management evaluate performance and hold individuals accountable for their responsibilities? If yes, what action is taken for employees not performing their responsibilities?
10) Is cross training completed to ensure that more than one employee is knowledgeable about credit card procedures? This cross training would allow more than one employee to be aware of potential design deficiencies in the internal controls or of noncompliance with internal controls.
11) Does management ask employees for their suggestions on how to improve processes?
12) Has management given a high priority to its internal control structure?
13) Does management discuss internal controls at management and other staff meetings?
Governing Board and Management:
1) Does the governing board and management stress adherence to policies and procedures?
2) Is there a clear assignment of responsibility and delegation of authority to deal with such matters as organizational goals and objective, operating functions and regulatory requirements?
Risk Assessment - Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment is the process used to identify and assess internal and external risks to the achievement of objectives, and then establish risk tolerances. It is the basis for determining how risk will be managed.1) Does management identify, analyze, and respond to risks related to credit card procedures?
a. What areas have been identified regarding credit card procedures that may be exposed to risk?
i. Risk factors may include noncompliance with statutes and other policies and ordinances, changes in management or employees, competence and experience of personnel assigned to the review of credit cards, findings reported in prior audits regarding credit cards, new technology allowing alteration of documents, unauthorized disbursements, returning goods for cash, fictitious invoices and vendors, unauthorized access to accounting applications, override of system controls, lost or stolen credit cards, etc.
b. Does management analyze the identified risks to determine the effect of the risk on achieving proper procedures over credit
cards? For example, does management consider how likely the risk will occur, if the risk is based on complex or unusual transactions, if the risk is based on fraud, etc.
c. How has management addressed risks associated with using computerized accounting records, such as unauthorized access to applications or data, potential loss of data, and reliance or inadequate systems that may adversely affect internal control?d. How has management responded to identified risks? For example, management may accept the risk and take no action, choose to eliminate certain processes to avoid the risk and/or institute proper internal controls.
e. When needed, does management go back to the governing board to enact or modify policies that will clearly define these areas?
2) Does management clearly define proper credit card procedures to enable the identification of risks and to define risk tolerances? Written procedures should be clear and address items such as who will be involved in the handling of credit cards, how proper credit card procedures will be achieved, and when will proper credit card procedures be in place.
3) Is management continually aware of changes, both external and internal, that could affect credit card procedures? If yes, does management determine any modifications needed in the internal control process to adopt to these changes?
4) Did the governing board or management incorporate external requirements, such as state statutes and Uniform Compliance Guidelines?
5) What happens when the credit card policy is not followed? What consequences will be enforced?
a. Who is responsible for late charges?
b. Who is responsible when sufficient documentation of purchases is not provided?
c. If personal expenses are incurred using the credit card, how is repayment obtained from the employee?
6) What procedures are in place when employees with access to credit cards leave employment, credit cards are lost or stolen or unauthorized cards are obtained?
7) What procedures are in place to ensure credit card purchases are allowable and properly reflected in the accounting records?
8) Are employees involved in the credit card process bonded?
Control Activities - The actions and tools management establishes through policies and procedures that help to detect, prevent, or reduce the identified risks that interfere with the achievement of objectives and to respond to risk in the internal control system.
1) Is there a system of checks and balances (segregation of duties) to ensure the proper handling of credit cards and proper reporting of credit card transactions?
a. Are responsibilities for approving credit card claims segregated from those preparing credit card claims?
b. Are responsibilities for writing the checks segregated from those involved in approving credit card claims?
c. If a signature stamp is used, are there controls in place to safeguard against access to the signature stamp?
d. Are responsibilities for acknowledging the receipt of goods or services segregated from those involved in preparing claims?
e. Are responsibilities for acknowledging the receipt of goods or services segregated from those involved in writing checks?
f. Is a review completed by an individual outside the disbursement process in which the credit card claim amount is compared to the supporting documentation attached to the claim and the amount of the check? If yes, is this review documented as evidenced by initials, tick marks, etc., indicating procedures performed.
g. Does an employee who does not have authority to make credit card purchases review monthly credit card documentation in sufficient detail to determine that proper supporting documentation is available? If yes, is this review documented as evidenced by initials, tick marks, etc., indicating procedures performed.
2) Does a designated official or employee maintain an accounting system or log which includes the names and titles of individuals requesting usage of the cards, their position, estimated amounts to be charged, fund and account numbers to be charged, the date the card is issued and returned, sufficient documentation provided, etc.?
3) If a log is maintained, is the log reviewed by an appropriate level of management?
4) Does the designated official or employee collect the credit card once the purpose of the credit card has been accomplished?
5) Are credit card purchases authorized by designated individuals?
6) Does a designated official or employee compare credit card purchases to an approved credit card policy?
7) Does a designated official or employee compare credit card purchases to an approved travel policy?
8) What procedures exist to document that goods and services were received?
9) Are credit card claims audited by the fiscal officer prior to payment?
10) Are credit card claims approved by the governing board?
11) If credit card claims are paid prior to the approval of the governing board, is there a policy on paying claims in advance that includes credit card payments?
12) If purchase orders are used, are all credit card purchases based on purchase orders signed by officials or employees?
13) Are original invoices or other receipts (not photocopies) attached to each credit card claim to support the disbursement?
14) Are original invoices or other receipts used rather than credit card statements?
15) Are original invoices or other receipts reconciled to credit card statements?
16) Are credit cards reviewed for errors?
17) Are detailed credit receipts obtained and not just the summary?
18) Are invoices or other receipts originals and not photocopies?
19) Are credits or refunds reviewed for reasonableness? For example, are credits or refunds for returned goods or unallowable charges you are aware of reflected on the credit card statement?
20) Are vendors noted on the credit card statement for authorized vendors only?
21) Did management design the entity’s information system and related control activities to ensure the proper handling of credit card purchases?
a. Did management implement control activities through written policies?
b. Is access to disbursement applications appropriately controlled by user logins and passwords?
22) Are individuals involved in credit card procedures knowledgeable?
23) Is there a checklist for the review of credit card transactions that includes the following?
a. Employee names with their responsibilities and duties
b. Deadlines for completing the preparation, review and posting of credit card claims
c. Detail of supporting documentation required
24) When reviewing credit card charges, is it determined if expenses were for items that did occur and are for business related items?
Information and Communication - Relevant information from both internal and external sources is necessary to support the functioning of the other components of internal control. Communication is the continual process of providing, sharing, and obtaining necessary information.
1) Are procedures established to ensure that proper communication and documentation exists for internal communications between offices, departments, management and the governing board regarding credit card procedures?
a. How does the unit internally communicate information to employees regarding credit card procedures, including responsibilities for internal control? Are records maintained to document this communication?
b. Are procedures established to ensure that the communication requirements are being followed and necessary information is being communicated properly?
c. Are procedures established for feedback on and clarification of the information provided?
2) What procedures are in place to collect the information needed in the handling of credit cards?
a. Does management use the most current information available to ensure the handling of credit cards is working as required?
Monitoring - Activities that allow management to assess the quality of internal controls over time and make adjustments as necessary. Proper monitoring ensures that controls function properly.1) Are procedures in place to ensure that appropriate personnel perform their required duties sufficiently and adequately follow the policies and procedures of the unit regarding credit card procedures?
2) Are internal control procedures over the handling of credit cards evaluated and adjusted on a regular basis? For example, personnel changes, newly elected officials, etc.
a. What follow-up action is taken for identified problems or weaknesses in internal controls over the handling of credit cards?
3) Does a confidential reporting system exist so that individuals may report suspected fraud and abuse of the unit’s policies?
- Disbursing Activities
A summarized version of this best practice can found at this link.
A system of internal control may be implemented in many different ways. Because political subdivisions vary in purpose, size and complexity, no single method of internal control is universally applicable. However, the five internal control components should be present and functioning in all political subdivisions.
Questions have been accumulated for all five internal control components. This document includes questions pertaining to various noncompliance issues regarding disbursing activities. These questions can be used to aid in designing a proper system of internal control over disburse activities that will allow improper procedures to be prevented or detected and corrected. It is not necessary to address all questions in this document. These are only suggestions and ultimately it is up to the unit on how they implement it. The internal control system as a whole has to be designed and implemented appropriately in order to allow errors and deficiencies in disbursing activities to be prevented or detected and corrected.
Components of Internal Control:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Control Environment - Sets the tone of the unit and influences the effectiveness of internal controls within the unit. It comprises the integrity and ethical values of the unit and is set by the governing board and management. The standards, processes, and structures which form the control environment pervasively impact the overall system of internal control.
The questions in this section are divided by questions that pertain to the governing board, management and both the governing board and management.
Governing Board:
1) Does the governing board oversee the unit’s internal control system regarding disbursing activities?
2) If considered necessary, did the governing board establish an oversight committee and appoint members with high ethical values, excellent communication and problem solving skills?
3) Does the unit have a mission statement, objective and goals?
4) Does the governing board convey periodic messages of expectations to all employees?
5) Are there written policies documenting internal control procedures over disbursing activities including purchase orders and contracts?
6) Do written policies address what approvals are necessary for certain dollar amount or types of purchases, how approvals are documented, types of purchases that are prohibited or restricted (i.e. purchases for personal use, computer hardware and software, etc.), and procedures for determining the most cost effective purchase (i.e. quotes, local business preferences, emergency purchases, etc.),?
7) How involved is the governing board in understanding the unit's disbursing activities, overseeing the effectiveness of internal controls over disbursing activities, and evaluating whether the accounting records that support disbursements are correct? For example, is the governing board’s involvement limited to attending board meetings, or does the board oversee other things such as unit controls, accounting practices, etc.
8) Does the governing board approve major expenditures in the board minutes?
9) Did the governing board develop an organizational chart? If yes, is the organizational chart current and accurate?
10) Have job descriptions been created outlining specific duties? Is yes, do these duties address responsibilities required for disbursing activities?
11) Has fiscal authority been formally delegated to specific management personnel?
12) Did the governing board develop a formal employee evaluation system to set the intervals in which employees will be evaluated? If yes, does the formal evaluation system include disciplinary action that will be taken if an employee does not meet the expectations noted in the evaluation system?
13) Does management provide documented processes regarding disbursing activities to the governing board for review?
14) How does the governing board oversee the activities of management that are related to financial reporting? What oversight does the governing board give on the accounting records?
15) Are accounting department employees required to take vacations?
16) Has the governing board developed and implemented an ethics policy? If yes, does the policy address potential conflicts of interest? Is there a system of annual acknowledgment in place where either through e-mail submission or manual documentation, each official and employee attests that they have read the policy and will adhere to the policy?
17) Are there regular meetings of the governing board to set policies and objectives and review the entity’s performance?
18) Are the minutes of such meetings prepared and signed on a timely basis?
19) Are confidentiality agreements required for employees who come in contact with confidential information?
20) Are policies regarding personal use of computer equipment and software clearly stated?
21) Is there an approved travel policy?
22) Is there an approved policy for employee reimbursements for other expenses?
Management:
1) Does management develop and maintain documentation of the internal control system over disbursing activities?
2) What procedures did management put in place for disbursing activities?
a. Does management assign responsibility, and delegate authority to achieve a proper disbursing activities?
3) Does management establish an organizational structure, assign responsibility and delegate authority in order to achieve proper disbursing activities? If yes, did management establish and document the organizational structure of each office and department? Examples of items to incorporate into the structure could include: an organizational chart; outline of specific duties; designation of responsible persons for each part of the accounting process; documentation of internal control procedures over specific accounting areas; etc.
4) Does management ensure compliance with the unit’s personnel policies and procedures regarding hiring, training, promoting and compensating?
5) Does management check credentials and references for new employees?
6) Do employees who are involved in disbursing activities receive continuous or periodic training? If yes, what kind of training do employees receive to help them maintain their accounting and financial reporting competencies?
a. What background, education, and experience do accounting personnel have that assist them with their duties?
7) Does management reward employees for following good internal control practices through promotions or increase in compensation?
8) Is turnover of key fiscal personnel relatively low?
9) Does the workload of accounting employees facilitate the preparation of reliable accounting records?
10) Does management evaluate performance and hold individuals accountable for their responsibilities? If yes, what action is take for employees not performing their responsibilities?
11) Is cross training completed to ensure that more than one employee is knowledgeable about disbursing activities? This cross training would allow more than one employee to be aware of potential design deficiencies in the internal controls or of noncompliance with internal controls.
12) Do accounting supervisors frequently prepare reports or reconciliations to verify the accuracy of financial transactions?
13) Does management take an active role in the financial reporting of the unit?
14) Is management actually involved in supervision of the various functions?
15) Does management ask employees for their suggestions on how to improve processes?
16) Has management given a high priority to its internal control structure?
17) Does management emphasize meeting the budget and/or financial and operating goals?
18) Is management willing to adjust the financial statements for misstatements that approach a material amount?
19) Does management discuss internal controls at management and other staff meetings?
20) Are procedures for the disbursement of funds under grants imposing requirements updated when they differ from the unit’s normal policies?
Governing Board and Management:
1) Does the governing board and management stress adherence to policies and procedures?
2) Is there a clear assignment of responsibility and delegation of authority to deal with such matters as organizational goals and objective, operating functions and regulatory requirements?
3) Is the unit meeting it financial obligations?
Risk Assessment - Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment is the process used to identify and assess internal and external risks to the achievement of objectives, and then establish risk tolerances. It is the basis for determining how risk will be managed.
1) Does management identify, analyze and respond to risks regarding disbursing activities?a. What areas have been identified regarding disbursing activities that may be exposed to fraud risk?
i. Risk factors may include changes in management or employees, competence and experience of personnel assigned to disbursing activities, findings reported in prior audits regarding disbursements, new technology allowing alteration of documents, non-compliance with statutes and other policies and ordinances, new accounting system, volume of disbursement transactions, inaccurate financial statements, insufficient documentation, interest and finance charges being paid, unnecessary expenses, insufficient appropriation, unauthorized journal entries, unauthorized access to disbursement applications, override of system controls, etc.
b. Does management analyze the identified risks to estimate the effect of the risk on achieving proper disbursing activities? For example, does management consider how likely the risk will occur, how it will impact the objective, if the risk is based on complex or unusual transactions, if the risk is based on fraud, etc.
c. How has management addressed risks associated with using computerized accounting records, such as unauthorized access to applications or data, potential loss of data, and reliance or inadequate systems that may adversely affect internal control?
d. How has management responded to identified risks? For example, management may accept the risk and take no action, choose to eliminate certain processes to avoid the risk and institute proper internal controls.
e. When needed, does management go back to the governing board to enact or modify policies that will that will clearly define these areas?
2) Does management clearly define proper disbursing activities to enable the identification of risks and to define risk tolerances? Written procedures should be clear and address items such as who will be involved in disbursing activities, how proper disbursing activities will be achieved, and when will proper disbursing activities be in place.
3) Is management continually aware of changes, both external and internal, that could affect disbursing activities? If yes, does management determine any modifications needed in the internal control process to adopt to these changes?
4) Did the governing board or management incorporate external requirements, such as state statutes and Uniform Compliance Guidelines?
5) What procedures are in place to ensure that disbursements are correct and reflective of the accounting records?
6) Are employees involved in disbursing activities bonded?
Control Activities - The actions and tools management establishes through policies and procedures that help to detect, prevent, or reduce the identified risks that interfere with the achievement of objectives and to respond to risk in the internal control system.
1) Is there a system of checks and balances (segregation of duties) to ensure the proper reporting of disbursements?a. Are responsibilities for approving claims segregated from those involved in preparing the claims?
b. Are responsibilities for preparing and writing checks segregated from those who approve claims?
c. Are responsibilities for acknowledging the receipt of goods or services segregated from those preparing and writing checks?
d. Are responsibilities for preparing the bank reconcilement segregated from those involved in disbursing activities?
e. Are responsibilities for reviewing the bank reconcilement segregated from those involved in disbursing activities?
f. Are responsibilities for performing reconcilements between the disbursement ledger and the debits to the bank account completed periodically by an individual segregated from those involved in disbursing activities?
g. Are responsibilities for individuals involved in the receipting process segregated from those involved in disbursing activities?
h. Are responsibilities for the preparation and approval of claims segregated from those involved in recording or entering cash disbursement information in the records? (In most cases the disbursement will be posted during the preparation of the disbursement.)
i. Does a responsible individual who is independent of the purchasing department perform periodic reviews of purchase prices?
2) Are there controls in place to ensure each disbursement is properly supported by a claim and an original (no photocopies) invoices?
3) Does the fiscal officer or their designee review and audit supporting documentation to ensure funds are disbursed for only authorized purchases?
4) Are invoices date stamped before releasing them for departmental approval?
5) When an invoice is received from a supplier not previously dealt with, are steps taken to verify the supplier actually exists?
6) Are claims approved by the governing board prior to payment?
7) If checks are written prior to the approval of the governing board, does an ordinance exist allowing for such items to be prepaid?
8) If checks are written prior to the approval of the governing board, does the governing board approve the disbursement at the next regular board meeting?
9) What procedures exist to document the receipt of goods and services?
10) Are goods received accurately counted and examined to verify they meet quality standards?
11) Are checks signed only after all required documentation to support the payment is obtained, evidence that goods or services have been received, proper approvals have been obtained, etc?
12) Are checks accounted for in numerical order and reconciled to the disbursement ledger?
13) Are voided checks and documents to support the voided checks retained?
14) Are checks payable to “Cash” prohibited?
15) Is access to signature stamps, mechanical check signers or signature plates used to sign checks adequately controlled?
16) Are all disbursements made by check, except for small payments from petty cash?
17) Is the signing of checks in advance prohibited?
18) Are blank check stock kept in a secure location?
19) Does a responsible individual take monthly physical inventories of blank checks?
20) Are checks mailed or properly distributed to vendors?
21) Are signed checks delivered directly to the mail room or postal office, making them inaccessible to persons who requested, prepared or recorded them?
22) Are signed checks promptly recorded?
23) Is a reconcilement completed between the claims for payment approved by the governing board and the actual disbursements posted to the ledger?
24) Is the review of the distribution of charges to various appropriation line items performed by an individual with knowledge and experience to determine the correctness of the distribution?
25) Are error reports created to identify vendors with the same bank account number or same address?
26) Is there a separate bank account for payroll?
27) Is access to disbursement applications appropriately controlled by user logins and passwords?
28) Did management design the unit’s information system and related control activities to ensure the proper handling of disbursements?
a. Did management implement control activities through written policies?
29) Are monthly disbursements compared to prior months to determine reasonableness?
30) Are there controls in place to ensure duplicate payments are not made?
31) Are electronic payments properly itemized, authorized, audited by the fiscal officer or their designee and approved by the governing board?
32) Before electronic payments are submitted for approval, are the amounts reviewed to ensure the dollar amount charged is correct?
33) Are individuals involved in the disbursement process knowledgeable?
34) Are investigations made of unusual journal entries?
35) Are there controls in place to ensure all payments are made on a timely basis and in accordance with all purchase orders and contracts?
36) Does the purchasing department maintain price lists and other records of price quotes?
37) Does the purchasing department maintain a record of suppliers who have not met quality or other performance standards?
38) Are there controls to identify costs and expenditures not allowable under grant programs before payment is made?
39) Are claims filed against vendors for all shortages or damaged materials?
40) Are vendor listings reviewed by management to in order to identify unusual vendors or excessive payments to vendors?
41) Is timely payment of invoices required to avoid late fee charges and to take advantage of available discounts?
42) Are transactions monitored to ensure all cash discounts are taken and exemptions from sales tax and federal excise?
43) Are both the accounting and purchasing departments promptly notified of returned purchases?
44) Are returned purchases matched with vendor credits?
45) Is a current list of individuals authorized to approve expenditures maintained by the accounting department?
46) Are there procedures for immediate notification when authorized individuals leave the unit or are no longer authorized to approve claims?
47) Contracts:
a. Are contract programs monitored?
b. Are the results of monitoring documented?
c. Does the monitoring ensure that contractors are performing in accordance with the contracts?
d. Is a comparison made of contract disbursements to approved contract amounts?
e. Are contract or purchasing officers areas of responsibility rotated on a regular basis?
f. Is an audit of contractor’s costs required prior to approving payment for contracts for materials, services, or facilities acquired?
g. If change orders are necessary, do they comply with IC 36-1-12-18?
h. Is the reasonableness of progress payments based on work performed validated and documented?
i. Are audits of the final costs under cost reimbursement contracts required?
j. Are contractors’ requests for progress payments under long-term contracts compared to the contractor’s efforts and results?
48) Are purchase orders (General Form 98 or Approved Form) used?
a. Is the original copy of the purchase order given to the vendor at the time of purchase?
b. Is the duplicate copy filed with the purchasing authority (department purchasing the goods or services)?
c. Is the triplicate copy filed with the fiscal officer?
d. Does the person requesting the purchase authorized to do so?
e. Does the person requesting the purchase indicate on the purchase order the appropriation to be charged?
f. Does the fiscal officer certify on the original, duplicate and triplicate copies of the purchase order that there is an unobligated balance in the appropriation sufficient to pay the amount of the order?
g. Does the individual ordering the goods sign the original, duplicate and triplicate copies of the purchase order?
h. Does the individual receiving the goods certify on the duplicate and triplicate copies of the purchase order that the items have been received in good condition? If not all goods were received or were in poor condition, is this noted on the purchase order?
i. Does the fiscal officer encumber the amount of the purchase order when the triplicate copy is provided?
j. Does the purchase order number appear on all invoices and claims OR original order prepared by the vendor?
k. Are purchase orders issued on bids and contracts delivered within thirty (30) days after acceptance by the governing board? (IC 5-22-18-5)
l. Does the original purchase order issued to the vendor accompany the bill or invoice and claim to the department before payment is made? If not, is the purchase order number shown on the bill or invoice and accounts payable voucher?
m. Is an itemized claim covering the purchase filed with the department after delivery is made?
n. Are purchase orders pre-numbered and accounted for? If purchase orders are not pre-numbered, is there some other control in place to account for purchase orders?
o. Is a record of open purchase orders maintained?
p. Are invoice quantities and prices compared to purchase order quantities and prices?
q. Are monthly reconciliations of outstanding purchase orders to encumbrances performed?
r. Is recorded encumbrance entries based only on approved purchase orders?
49) Are requisition forms used when making requisition for supplies or equipment to be purchased or for items provided in the
storeroom?50) When reviewing travel and other employee reimbursements, are the following procedures performed?
a. Verify that the reimbursement for travel complied with the approved travel policy.
b. Verify that the reimbursement for travel and other expenses were not already paid on a credit card or advanced travel payment.
c. Determine if travel disbursements exceeded the budgeted amount or prior year totals.
d. Verify the mileage claimed is reasonable.
e. Determine if expenses claimed were on days the employee did work.
f. Determine if proper support exists for the reimbursement request.
g. Determine if there are unusual or excessive reimbursements to one employee.
h. Are standard detailed expense reports used for employee reimbursements? If yes, are there a supervisors with knowledge of employee activities approving the reports.
51) Is the budget process working effectively?
a. Are proper estimates and other documents used in the budget process retained and reviewed by management?
b. Are budgets reviewed and approved by the responsible department head?
c. Are budgets reviewed and approved by the governing board?
d. Are budget modifications approved by management and/or the governing board?
e. Are monthly reports detailing disbursements and appropriations provided to the appropriate department to review for accuracy and reasonableness?
f. Are monthly reports detailing disbursements and appropriations provided to management to review for accuracy and reasonableness?
g. Are monthly disbursement and appropriation reports reviewed by the governing board?
h. Are comparisons made between budgeted and actual disbursements? Do significant variations require an explanation?
i. Are appropriation balances reviewed to determine if sufficient balances exists prior to writing checks?
j. Have controls been established to track periodic or contractual payments made to a vendor in order to properly oversee and forecast budgeted amounts?
Information and Communication - Relevant information from both internal and external sources is necessary to support the functioning of the other components of internal control. Communication is the continual process of providing, sharing, and obtaining necessary information.
1) Are procedures established to ensure that proper communication and documentation exists for internal communications between offices, departments, management and the governing board regarding disbursing activities?a. How does the unit internally communicate information regarding disbursing activities to employees, including objectives and responsibilities for internal control? Are records maintained to document this communication?
b. Are procedures established to ensure that the communication requirements are being followed and necessary information is being communicated properly?
c. Are procedures established for feedback on and clarification of the information provided?
2) What procedures are in place to collect the information needed to ensure the proper handling of disbursements?
a. Does management use the most current information available to ensure disbursing activities are working properly?
Monitoring - Activities that allow management to assess the quality of internal controls over time and make adjustments as necessary. Proper monitoring ensures that controls function properly.
1) Are procedures in place to ensure that appropriate personnel perform their required duties sufficiently and adequately follow the policies and procedures of the governmental unit regarding disbursing activities?2) Are internal control procedures over disbursing activities evaluated and adjusted on a regular basis? For example, personnel changes, newly elected officials, etc.
a. What follow-up action is taken for identified problems or weaknesses in internal controls over disbursing activities?
3) Are monthly reports detailing disbursements and appropriations of the funds provided to the appropriate department to review for accuracy and reasonableness?
4) Are monthly reports detailing disbursements and appropriations of the funds provided to management to review for accuracy and reasonableness?
5) Are monthly reports of disbursements and appropriations of the funds provided to the governing board to review?
6) Does a confidential reporting system exist so that individuals may report suspected fraud and abuse of the unit’s policies?
7) Is there a comparison by the appropriate level of management or another designated individual of actual disbursements to budgeted and prior disbursements? If yes, are investigations performed for all variances noted?
- Overdrawn Cash and Investment Balances
A summarized version of this best practice can found at this link.
A system of internal control may be implemented in many different ways. Because political subdivisions vary in purpose, size and complexity, no single method of internal control is universally applicable. However, the five internal control components should be present and functioning in all political subdivisions.
Questions have been accumulated for all five internal control components. This document includes questions pertaining to various noncompliance issues regarding overdrawn cash and investment balances. These questions can be used to aid in designing a proper system of internal control over the review of cash and investment balances that will allow overdrawn cash and investment balances to be prevented or detected and corrected in a timely manner. It is not necessary to address all questions in this document. These are only suggestions and ultimately it is up to the unit on how they implement it. The internal control system as a whole has to be designed and implemented appropriately in order to allow overdrawn cash and investment balances to be prevented or detected and corrected in a timely manner.
Components of Internal Control:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Control Environment - Sets the tone of the unit and influences the effectiveness of internal controls within the unit. It comprises the integrity and ethical values of the unit and is set by the governing board and management. The standards, processes, and structures which form the control environment pervasively impact the overall system of internal control.
The questions in this section are divided by questions that pertain to the governing board, management and both the governing board and management.
Governing Board:
1) Does the governing board oversee the unit’s internal control system regarding the review of cash and investment balances?
2) If considered necessary, did the governing board establish an oversight committee and appoint members with high ethical values, excellent communication and problem solving skills?
3) Does the unit have a mission statement, objective and goals?
4) Does the governing board convey periodic messages of expectations to all employees?
5) Are there written policies documenting internal control procedures over the review of cash and investment balances? If yes, do these written policies outline the authority and responsibility for the review of cash and investment balances?
6) How involved is the governing board in understanding the entity's accounting system, overseeing the effectiveness of internal controls over the accounting system, and evaluating whether the accounting records that support the cash and investment balances are correct? For example, is the governing board’s involvement limited to attending board meetings, or does the board oversee other things such as unit controls, accounting practices, etc.
7) Did the governing board develop an organizational chart? If yes, is the organizational chart current and accurate?
8) Have job descriptions been created outlining specific duties? Is yes, do these duties address responsibilities required for the review of overdrawn cash and investment balances?
9) Has fiscal authority over the review of cash and investment balances been formally delegated to specific management personnel?
10) Did the governing board develop a formal employee evaluation system to set the intervals in which employees will be evaluated? If yes, does the formal evaluation system include disciplinary action that will be taken if an employee does not meet the expectations noted in the evaluation system?
11) Does management provide documented processes regarding the review of cash and investment balances to the governing board for review?
12) How does the governing board oversee the activities of management that are related to financial reporting? What oversight does the governing board give on the accounting records?
13) Are accounting department employees required to take vacations?
14) Has the governing board developed and implemented an ethics policy? If yes, does the policy address potential conflicts of interest? Is there a system of annual acknowledgment in place where either through e-mail submission or manual documentation, each official and employee attests that they have read the policy and will adhere to the policy?
15) Are there regular meetings of the governing board to set policies and objectives and review the entity’s performance?
16) Are the minutes of such meetings prepared and signed on a timely basis?
17) Are confidentiality agreements required for employees who come in contact with confidential information?
18) Are policies regarding personal use of computer equipment and software clearly stated?
Management:1) Does management develop and maintain documentation of the internal control system regarding the review of cash and investment balances?
2) What procedures did management put in place for the review of cash and investment balances?
a. Does management assign responsibility, and delegate authority to achieve correct cash and investment balances?
3) Does management establish an organizational structure, assign responsibility and delegate authority in order for overdrawn cash and investment balances to be prevented or detected and corrected in a timely manner? If yes, did management establish and document the organizational structure of each office and department? Examples of items to incorporate into the structure could include: an organizational chart, outline of specific duties, designation of responsible persons for each part of the accounting process, documentation of internal control procedures over specific accounting areas, etc.
4) Does management ensure compliance with the unit’s personnel policies and procedures concerning hiring, training, promoting and compensating?
5) Does management check credentials and references for new employees?
6) Do employees who are involved in the review of cash and investment balances receive continuous or periodic training? If yes, what kind of training do employees receive to help them maintain their accounting and financial reporting competencies?
a. What background, education, and experience do accounting personnel have that assist them with their duties?
7) Does management reward employees for following good internal control practices through promotions or increase in compensation?
8) Is turnover of key fiscal personnel relatively low?
9) Does the workload of accounting employees facilitate the preparation of reliable accounting records?
10) Does management evaluate performance and hold individuals accountable for their responsibilities? If yes, what action is taken for employees not performing their responsibilities?
11) Is cross training completed to ensure that more than one employee is knowledgeable about the review of cash and investment balances? This cross training would allow more than one employee to be aware of potential design deficiencies in the internal controls or of noncompliance with internal controls.
12) Do accounting supervisors frequently prepare reports or reconciliations to verify the accuracy of financial transactions?
13) Does management take an active role in the financial reporting of the unit?
14) Is management actually involved in supervision of the various functions?
15) Does management ask employees for their suggestions on how to improve processes?
16) Has management given a high priority to its internal control structure?
17) Does management emphasize meeting the budget and/or financial and operating goals?
18) Is management willing to adjust the financial statements for misstatements that approach a material amount?
19) Does management discuss internal controls at management and other staff meetings?
Governing Board and Management:
1) Does the governing board and management stress adherence to policies and procedures?
2) Is there a clear assignment of responsibility and delegation of authority to deal with such matters as organizational goals and objective, operating functions and regulatory requirements?
Risk Assessment - Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment is the process used to identify and assess internal and external risks to the achievement of objectives, and then establish risk tolerances. It is the basis for determining how risk will be managed.
1) Does management identify, analyze and respond to risks regarding the review of cash and investment balances?a. What areas have been identified regarding the review of cash and investment balances that may be exposed to risk?
i. Risk factors may include non-compliance with statutes, changes in management or employees, competence and experience of personnel assigned to review cash and investment balances, findings reported in prior audits regarding overdrawn cash and investment balances, new accounting system, volume of receipt and disbursement transactions, susceptibility of fraud occurring in receipting and disbursing activities (including both misappropriation of assets and fraudulent financial reporting), high interest rate on debt, serious financial problems, unauthorized access to accounting applications, override of system controls, etc.
b. Does management analyze the identified risks to determine the effect of risk on properly monitoring cash and investment balances? For example, management may accept the risk and take no action, choose to eliminate certain processes to avoid the risk and institute proper internal controls.
c. How has management addressed risks associated with using computerized accounting records, such as unauthorized access to applications or data, potential loss of data, and reliance or inadequate systems that may adversely affect internal control?
d. How has management analyzed and responded to identified risks? For example, management may accept the risk and take no action, choose to eliminate certain processes to avoid the risk and/or institute proper internal controls.
e. When needed, does management go back to the governing board to enact or modify policies that will that will clearly define these areas?
2) Does management clearly define procedures for the review of cash and investment balances to enable the identification of risks and to define risk tolerances? Written procedures should be clear and address items such as who will be involved in the review of cash and investment balances, how proper procedures over the review of cash and investment balances will be achieved and when will proper procedures over the review of cash and investment balances be in place.
3) How does management prevent fraud and errors in the accounting records, which are used to compute cash and investment balances? For example, are important internal control procedures in place such as approvals, regular preparation or review of reconciliations, review of supporting schedules or reports, etc.?
4) Is management continually aware of changes, both external and internal, that could affect the review of cash and investment balances? If yes, does management determine any modifications needed in the internal control process to adopt to these changes?
5) Did the governing board or management incorporate external requirements, such as state statutes and Uniform Compliance Guidelines?
6) What procedures are in place to ensure that the cash and investment balances reported on the fund report (or other reports that report cash and investment balances) are correct and reflective of the accounting records?
7) Are employees involved in the bank reconcilement process, receipting processes and disbursing processes bonded?
Control Activities - The actions and tools management establishes through policies and procedures that help to detect, prevent, or reduce the identified risks that interfere with the achievement of objectives and to respond to risk in the internal control system.
1) Is there a system of checks and balances (segregation of duties) to ensure the proper review of cash and investment balances?a. Are responsibilities for preparing the bank reconcilement segregated from those involved in the review of cash and investment balances?
b. Are responsibilities for reviewing the bank reconcilement segregated from those involved in the review of cash and investment balances?
c. Is a reconcilement between the receipts ledger and the credits to the bank account completed periodically by individuals segregated from those involved in the review of cash and investment balances?
d. Is a reconcilement between the disbursements ledger and the debits to the bank account completed periodically by individuals segregated from those involved in the review of cash and investment balances?
e. Are responsibilities for reviewing cash and investment balances segregated from those involved in the receipting and disbursing processes?
2) Does management present month end reports detailing cash and investment balances to the governing board for review and approval?
3) Did management design the entity’s information system and related control activities to ensure the proper review of cash and investment balances?
a. Did management implement control activities through written policies?
b. Is access to the bank reconciliation applications appropriately controlled by user logins and passwords?
c. Do individuals involved in the bank reconciliation process share their user id and password?
4) Does management or a designated individual review and check the accuracy of cash and investment balances by comparing them to other supporting documentation? If yes, is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
5) Is the individual authorized to oversee the review of cash and investment balances knowledgeable?
6) Does the individual authorized to oversee cash and investment balances understand the unit’s recordkeeping system?
7) Is there a checklist for reviewing cash and investment balances that includes the following:
a. Employee names with their responsibilities and duties
b. Deadlines for completing the review of cash and investment balances
c. Detail of supporting documentation required
8) Is the budget process working effectively?
a. Are proper estimates and other documents used in the budget process retained and reviewed by management?
b. Are budgets reviewed and approved by the responsible department head?
c. Are budgets reviewed and approved by the governing board?
d. Are budget modifications approved by management and/or the governing board?
e. Are monthly reports detailing disbursements and appropriations provided to the appropriate department to review for accuracy and reasonableness?
f. Are monthly reports detailing disbursements and appropriations provided to management to review for accuracy and reasonableness?
g. Are monthly disbursement and appropriation reports reviewed by the governing board?
h. Are comparisons made between budgeted and actual disbursements? Do significant variations require an explanation?
i. Are appropriation balances reviewed to determine if sufficient balances exists prior to writing checks?
j. Have controls been established to track periodic or contractual payments made to a vendor in order to properly oversee and forecast budgeted amounts?
Information and Communication - Relevant information from both internal and external sources is necessary to support the functioning of the other components of internal control. Communication is the continual process of providing, sharing, and obtaining necessary information.
1) Are procedures established to ensure that proper communication and documentation exists for internal communications between offices, departments, management and the governing board regarding the review of cash and investment balances?a. How does the unit internally communicate information to employees regarding the review of cash and investment balances, including responsibilities for internal control? Are records maintained to document this communication?
b. Are procedures established to ensure that the communication requirements are being followed and necessary information is being communicated properly?
c. Are procedures established for feedback on and clarification of the information provided?
2) What procedures are in place to collect the information needed to complete a proper review of cash and investment balances?
a. Does management use the most current information available to ensure cash and investment balances are correct?
Monitoring - Activities that allow management to assess the quality of internal controls over time and make adjustments as necessary. Proper monitoring ensures that controls function properly.
1) Are internal controls over the review of cash and investment balances evaluated and adjusted for weaknesses on a regular basis? For example personnel changes, newly elected officials, new technology, etc.a. What follow-up action is taken for identified problems or weaknesses in internal controls over the review of cash and investment balances?
2) Are monthly reports detailing receipts, disbursements, cash and investment balances and appropriations of the funds provided to the appropriate department to review for accuracy and reasonableness?
3) Are monthly reports detailing receipts, disbursements, cash and investment balances and appropriations of the funds provided to management to review for accuracy and reasonableness?
4) Are monthly reports of receipts, disbursements, cash and investment balances and appropriations of the funds provided to the governing board to review?
5) Does a confidential reporting system exist so that individuals may report suspected fraud and abuse of the unit’s policies?
- Payroll Activities
A summarized version of this best practice can found at this link.
A system of internal control may be implemented in many different ways. Because political subdivisions vary in purpose, size and complexity, no single method of internal control is universally applicable. However, the five internal control components should be present and functioning in all political subdivisions.
Questions have been accumulated for all five internal control components. This document includes questions pertaining to various noncompliance issues regarding payroll activities. These questions can be used to aid in designing a proper system of internal control over payroll activities that will allow deficiencies in payroll activities to be prevented or detected and corrected. It is not necessary to address all questions in this document. These are only suggestions and ultimately it is up to the unit on how they implement it. The internal control system as a whole has to be designed and implemented appropriately in order to allow errors and deficiencies in payroll activities to be prevented or detected and corrected.
Components of Internal Control:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Control Environment - Sets the tone of the unit and influences the effectiveness of internal controls within the unit. It comprises the integrity and ethical values of the unit and is set by the governing board and management. The standards, processes, and structures which form the control environment pervasively impact the overall system of internal control.
The questions in this section are divided by questions that pertain to the governing board, management and both the governing board and management.
Governing Board:
1) Does the governing board oversee the unit’s internal control system over payroll activities
2) If considered necessary, did the governing board establish an oversight committee and appoint members with high ethical values, excellent communication and problem solving skills?
3) Does the unit have a mission statement, objective and goals?
4) Does the governing board convey periodic messages of expectations to all employees?
5) Are there written policies documenting internal control procedures over payroll activities? If yes, do these written policies outline the authority and responsibility for payroll activities?
6) Did the governing board establish policies that cross over offices and departments for payroll activities?
7) Did the governing board establish policies and procedures established to monitor employees who earn compensation or exchange time? If yes, does someone ensure that employees are following the policies?
8) Are all compensation and benefits paid to officials and employees, including salary changes and the creation of new positions that occur during the year, included in a salary ordinance, resolution, labor contract or salary schedule adopted by the governing board, unless otherwise authorized by law? Note: Compensation for elected officials may be not changed in the year for which it is fixed. County Council approves salaries for counties.
9) How involved is the governing board in understanding the payroll process, overseeing the effectiveness of internal controls over payroll activities, and evaluating whether the accounting records that support payroll disbursements are correct? For example, is the governing board’s involvement limited to attending board meetings, or does the board oversee other things such as unit controls, accounting practices, etc.
10) Did the governing board develop an organizational chart? If yes, is the organizational chart current and accurate?
11) Have job descriptions been created outlining specific duties? Is yes, do these duties address responsibilities regarding payroll activities?
12) Has fiscal authority been formally delegated to specific management personnel?
13) Did the governing board develop a formal employee evaluation system to set the intervals in which employees will be evaluated? If yes, does the formal evaluation system include disciplinary action that will be taken if an employee does not meet the expectations noted in the evaluation system?
14) Does management provide documented processes regarding the payroll activities to the governing board for review?
15) How does the governing board oversee the activities of management that are related to financial reporting? What oversight does the governing board give on the accounting records?
16) Are accounting department employees required to take vacations?
17) Has the governing board developed and implemented an ethics policy? If yes, does the policy address potential conflicts of interest? Is there a system of annual acknowledgment in place where either through e-mail submission or manual documentation, each official and employee attests that they have read the policy and will adhere to the policy?
18) Are there regular meetings of the governing board to set policies and objectives and review the entity’s performance?
19) Are the minutes of such meetings prepared and signed on a timely basis?
20) Are confidentiality agreements required for employees who come in contact with confidential information?
21) Are policies regarding personal use of computer equipment and software clearly stated?
Management:
1) Does management develop and maintain documentation of the internal control system over payroll activities?
2) What procedures did management put in place for payroll activities?
a. Does management assign responsibility and delegate authority to achieve a proper payroll process?
3) Does management establish an organizational structure, assign responsibility and delegate authority in order to achieve proper payroll activities? If yes, did management establish and document the organizational structure of each office and department? Examples of items to incorporate into the structure could include: an organizational chart; outline of specific duties; designation of responsible persons for each part of the accounting process; documentation of internal control procedures over specific accounting areas; etc.
4) Does management ensure compliance with the unit’s personnel policies and procedures concerning hiring, training, promoting and compensating?
5) Does management check credentials and references for new employees?
6) Do employees who are involved in the payroll process receive continuous or periodic training? If yes, what kind of training do employees receive to help them maintain their accounting and financial reporting competencies?
a. What background, education, and experience do accounting personnel have that assist them with their duties?
7) Does management reward employees for following good internal control practices through promotions or increase in compensation?
8) Is turnover of key fiscal personnel relatively low?
9) Does the workload of accounting employees facilitate the preparation of reliable accounting records?
10) Does management evaluate performance and hold individuals accountable for their responsibilities? If yes, what action is taken for employees not performing their responsibilities?
11) Is cross training completed to ensure that more than one employee is knowledgeable about the payroll process? This cross training would allow more than one employee to be aware of potential design deficiencies in the internal controls or of noncompliance with internal controls.
12) Do accounting supervisors frequently prepare reports or reconciliations to verify the accuracy of financial transactions?
13) Does management take an active role in the financial reporting of the unit?
14) Is management actually involved in supervision of the various functions?
15) Does management ask employees for their suggestions on how to improve processes?
16) Has management given a high priority to its internal control structure?
17) Does management emphasize meeting the budget and/or financial and operating goals?
18) Is management willing to adjust the financial statements for misstatements that approach a material amount?
19) Does management discuss internal controls at management and other staff meetings?
Governing Board and Management:
1) Does the governing board and management stress adherence to policies and procedures?
2) Is there a clear assignment of responsibility and delegation of authority to deal with such matters as organizational goals and objective, operating functions and regulatory requirements?
Risk Assessment - Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment is the process used to identify and assess internal and external risks to the achievement of objectives, and then establish risk tolerances. It is the basis for determining how risk will be managed.
1) Does management identify, analyze and respond to risks regarding payroll activities?a. What areas have been identified regarding payroll activities that may be exposed to fraud risk
i. Risk factors may include non-compliance with statutes, changes in management or employees, competence and experience of personnel assigned to payroll activities, findings reported in prior audits regarding payroll activities, new accounting system, new technology allowing alteration of documents, volume of payroll transactions, ghost employment, padding hours for time not worked, salary payment not in compliance with the salary ordinance, incorrect posting of classifications, unauthorized access to payroll applications, miscalculations, override of system controls, etc.
b. Does management analyze the identified risks to determine the effect of the risk on on achieving correct payroll activities? For example, does management consider how likely the risk will occur, how it will impact the objective, if the risk is based on complex or unusual transactions, if the risk is based on fraud, etc.
c. How has management addressed risks associated with using computerized accounting records, such as unauthorized access to applications or data, potential loss of data, and reliance or inadequate systems that may adversely affect internal control?
d. How has management responded to identified risks? For example, management may accept the risk and take no action, choose to eliminate certain processes to avoid the risk and institute proper internal controls.
e. When needed, does management go back to the governing board to enact or modify policies that will clearly define these areas?
2) Does management clearly define proper payroll activities to enable the identification of risks and to define risk tolerances? Written procedures should be clear and address items such as who will be involved in payroll activities, how proper payroll activities will be achieved, and when will proper payroll activities be in place.
3) How does management prevent fraud and errors in the accounting records, which are used to post payroll transactions? For example, are important internal control procedures in place such as approvals, regular preparation or review of reconciliations, review of supporting schedules or reports, etc.?
4) Is management continually aware of changes, both external and internal, that could affect payroll activities? If yes, does management determine any modifications needed in the internal control process to adopt to these changes?
5) Did the governing board or management incorporate external requirements, such as state statutes and Uniform Compliance Guidelines?
6) What procedures are in place to ensure that payroll disbursements are correct and reflective of the accounting records?
7) Are employees involved in payroll activities bonded?
Control Activities - The actions and tools management establishes through policies and procedures that help to detect, prevent, or reduce the identified risks that interfere with the achievement of objectives and to respond to risk in the internal control system.
An integral part of the control activity component is segregation of duties. However, in very small governmental units, such segregation may not be practical. In this case, compensating activities should be implemented which may include additional levels of review for key operational processes, random and/or periodic review of selected transactions. In smaller units, these reviews and testing of processes might be performed by governing boards or other elected officials.
There is an expectation of segregation of duties. If compensating controls are necessary, documentation should exist to identify both the areas where segregation of duties are not feasible or practical and the compensating controls implemented to mitigate the risk. Clear documentation should be maintained for continuity as well as ease of communication to outside parties.
1) Is there a system of checks and balances (segregation of duties) to ensure the proper reporting of payroll activities?a. Are salary and wage rates verified by someone outside the payroll process?
b. Are responsibilities for preparing payroll segregated from other payroll and personnel duties? For example, approving time sheets, distribution of checks, hiring and terminating employees, approving promotions
c. Are responsibilities for payroll accounting segregated from those involved in the general ledger function?
d. Are payroll adjustment reports reviewed by someone outside the payroll process?
e. Are responsibilities for signing the checks segregated from those who prepare the checks?
f. Are unclaimed payroll checks/stubs returned to an individual other than those involved in the payroll process?
g. Are responsibilities for posting vacation and leave records segregated from those who prepare and sign the checks?
h. Are changes to payroll disbursements approved by an individual other than those authorized to make the changes?
i. Are responsibilities for reconciling the payroll bank account separate from those involved in the payroll process?
j. Are responsibilities for hiring, terminating, and approving promotions segregated from those individuals involved in payroll activities and those individuals maintaining personnel files?
k. Are responsibilities for payroll data entry segregated from those individuals who have payroll approval authority?
l. Does an individual not involved in payroll activities periodically verify all personnel salaries and wage rates?
2) Are payroll disbursements approved by the governing board by signing the Payroll Schedule and Voucher (form 99) or the Accounts Payable Voucher Register (form 364)? If approval is documented through the use of the Accounts Payable Voucher Register, is the Payroll Schedule and Voucher included with other claims approved by the governing board?
3) Are employees' time and attendance records approved by their supervisors?
4) Are time clocks and time cards properly controlled?
5) Are corrections to recorded time and attendance records approved by the employee's supervisor and authorized by management?
6) Are overtime payments and comp time earned monitored, properly supported, approved and reasonable?
7) Are there adequate authorization and approval procedures regarding vacation, holiday, and sick leave compensation?
8) Are leave accruals reviewed for reasonableness? For example employees who have taken leave, but reports don’t show a decrease in the accrual balance.
9) Are there adequate procedures in place for changes in salary and wage rates?
a. Are these functions authorized by appropriate personnel?
b. Are these functions reviewed and approved by someone outside the payroll process?
c. Is information compared to documentation from human resources, departmental managers, and similar sources?
10) Are there adequate procedures in place for the processing of new and terminated employees?
a. Are these functions authorized by appropriate personnel?
b. Are these functions reviewed and approved by someone outside the payroll process?
c. Is information on new and terminated employees compared to documentation from human resources, departmental managers
and similar sources?11) Are procedures in place to ensure that changes in employment status are promptly reported to the payroll processing department and recorded in the payroll data base?
12) Are personnel files checked against a set checklist of required documents to determine that withholding forms and authorizations for payroll deductions exist?
13) Is a separate payroll bank account maintained?
14) Are payroll disbursements compared to previous payrolls and/or budgeted amounts to determine reasonableness?
15) Are payroll reports reviewed by a department head or designated individual to ensure that payroll costs are allocated to the appropriate accounts, funds, and programs?
16) Are payroll disbursements approved by an authorized individual prior to payment?
17) Are investigations made of unusual journal entries?
18) Are deposits to the payroll bank account compared with the payroll register?
19) Are direct deposits properly reviewed, authorized, and approved?
20) Does the appropriate level of management or another appropriate person review reconciliations between payroll registers and general ledger accounts?
21) Are payroll checks accounted for in numerical order and reconciled to the payroll check register and general ledger?
22) Are payroll checks accounted for in numerical order and reconciled to the disbursement ledger?
23) Are payroll check registers and the general ledger reconciled to gross and net pay amounts noted on payroll tax returns?
24) Is there a year-end reconciliation of total W-2 wages (including taxable fringe benefits) to the wages paid per the general ledger and payroll register?
25) Are budget reports reviewed to ensure payroll and benefit expenditures are where they should be?
26) Do departments review payroll distribution lists for reasonableness?
27) Are error reports created to identify employees with the same bank account number or same address?
28) Are procedures in place to ensure that employees who leave employment are deleted from the payroll system?
29) Are there adequate procedures in place for changes in payroll deductions?
a. Are these functions authorized by appropriate personnel?
b. Are these functions reviewed and approved by someone outside the payroll process?
c. Is information compared to documentation from human resources, departmental managers, and similar sources?
30) Are there procedures in place to ensure that payroll taxes are paid in a timely manner and that payroll tax returns are filed when due?
31) Are procedures in place to ensure that other withholdings, such as health insurance premiums, 401(k) and cafeteria plan withholdings, are remitted in a timely manner?
32) Are benefit reports reviewed to ensure they are accurate and meet expectations? For example employee paid benefits being paid by the employer, deductions that do not make sense, etc.
33) Did management design the entity’s information system and related control activities to ensure the proper handling of payroll activities?
a. Did management implement control activities through written policies?
b. Is access to payroll applications appropriately controlled by user logins and passwords?
34) Is access to signature stamps, mechanical check signers or signature plates used to sign payroll checks adequately controlled?
35) Are payroll checks/stubs periodically distributed by someone outside the normal payroll distribution function?
36) Is the signing of payroll checks in advance prohibited?
37) Are voided checks and documents to support the voided checks retained?
38) Are checks payable to “Cash” prohibited?
39) Are blank check stock kept in a secure location?
40) Does a responsible individual take monthly physical inventories of blank checks?
41) Are signed checks promptly recorded?
42) Are employee addresses and bank account numbers reviewed to determine if multiple payments are going to the same address or bank account? This is a common way organizations are defrauded when family members work for the same unit.
43) Are employees who use post office boxes reviewed?
44) Are personnel files reviewed to verify if they are a real person and if they are an employee?
45) If payroll is processed by an outside service organization, are procedures in place to ensure the following?
a. Time records submitted for processing are complete and accurate. Appropriate control totals are maintained for subsequent reconciliation to payroll registers.
b. All other payroll information provided to the service organization (pay rates, withholdings, etc.) is authorized, and all authorized information is communicated.
c. Payroll registers produced by the service organization are reviewed after processing, reconciled to control totals, and approved prior to distribution of paychecks.
d. Total of paychecks and/or direct deposits agrees with payroll registers.
46) Are individuals involved in the payroll process knowledgeable?
Information and Communication - Relevant information from both internal and external sources is necessary to support the functioning of the other components of internal control. Communication is the continual process of providing, sharing, and obtaining necessary information.
1) Are procedures established to ensure that proper communication and documentation exists for internal communications between offices, departments, management and the governing board regarding payroll activities?a. How does the entity internally communicate information regarding payroll activities to employees, including objectives and responsibilities for internal control? Are records maintained to document this communication?
b. Are procedures established to ensure that the communication requirements are being followed and necessary information is being communicated properly?
c. Are procedures established for feedback on and clarification of the information provided?
2) What procedures are in place to collect the information needed for payroll activities?
a. Does management use the most current information available to ensure proper payroll activities?
Monitoring - Activities that allow management to assess the quality of internal controls over time and make adjustments as necessary. Proper monitoring ensures that controls function properly.1) Are procedures in place to ensure that appropriate personnel perform their required duties sufficiently and adequately follow the policies and procedures of the governmental unit over payroll activities?
2) Are internal control procedures over payroll activities evaluated and adjusted on a regular basis? For example personnel changes, newly elected officials, new technology, etc.
a. What follow-up action is taken for identified problems or weaknesses in internal controls regarding payroll activities?
3) Are monthly reports detailing payroll disbursements and appropriations for payroll provided to the appropriate department to review for accuracy and reasonableness?
4) Are monthly reports detailing payroll disbursements and appropriations for payroll provided to management to review for accuracy and reasonableness?
5) Are monthly reports of payroll disbursements and appropriations for payroll provided to the governing board to review?
6) Does a confidential reporting system exist so that individuals may report suspected fraud and abuse of the unit’s policies?
7) Are individuals knowledgeable of legal, regulatory, actuarial, and accounting requirements responsible for monitoring employee benefit matters?
8) Is there a comparison by the appropriate level of management or another appropriate person of actual payroll disbursements to budgeted and prior payroll disbursements? If yes, are investigations performed for all variances noted? - Prepaid Meals - Schools
A summarized version of this best practice can found at this link.
A system of internal control may be implemented in many different ways. Because political subdivisions vary in purpose, size and complexity, no single method of internal control is universally applicable. However, the five internal control components should be present and functioning in all political subdivisions.
Questions have been accumulated for all five internal control components. This document includes questions pertaining to various noncompliance issues regarding prepaid meals. These questions can be used to aid in designing a proper system of internal control over the handling of prepaid meals that will allow deficiencies in the handling of prepaid meals to be prevented or detected and corrected. It is not necessary to address all questions in this document. These are only suggestions and ultimately it is up to the unit on how they implement it. The internal control system as a whole has to be designed and implemented appropriately in order to allow errors and deficiencies in the handling of prepaid meals to be prevented or detected and corrected.
Although the preferred method of accounting for a school food and nutrition program is through School Lunch funds in the school corporation account, authority is provided in IC 20-41-2-4 to account for the program in extracurricular accounts. This document refers to the School Lunch fund and the Prepaid School Lunch fund accounted for in the school corporation records. If extracurricular accounts are used to account for the school food and nutrition program these fund numbers will most likely not agree with fund numbers used by the school corporation.
Components of Internal Control:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Control Environment – Sets the tone of the unit and influences the effectiveness of internal controls within the unit. It comprises the integrity and ethical values of the unit and is set by the governing board and management. The standards, processes, and structures which form the control environment pervasively impact the overall system of internal control.
The questions in this section are divided by questions that pertain to the governing board, management and both the governing board and management.
Governing Board:
1) Does the governing board oversee the unit’s internal control system over the handling of prepaid meals?
2) If considered necessary, did the governing board establish an oversight committee and appoint members with high ethical values, excellent communication and problem solving skills?
3) Does the unit have a mission statement, objective and goals?
4) Does the governing board convey periodic messages of expectations to all employees?
5) Are there written policies documenting internal control procedures over the handling of prepaid meals? If yes, do these written policies outline the authority and responsibility for the handling of prepaid meals within the governmental unit?
6) Has the governing board established a policy for the handling of bad debt accounts?
7) Has the governing board established a policy for repayment plans on delinquent student accounts?
8) Has the governing board established a policy for charged meals?
9) Has the governing board established a policy on the frequency of transfers of income to be made from the Prepaid School Lunch fund to the School Lunch fund?
10) How involved is the governing board in understanding the unit's handling of prepaid meals, overseeing the effectiveness of internal controls over prepaid meals, and evaluating whether the accounting records that support transactions and fund balances for the Prepaid School Lunch fund are correct? For example, is the governing board’s involvement limited to attending board meetings, or does the board oversee other things such as unit controls, accounting practices, etc.
11) Did the governing board develop an organizational chart? If yes, is the organizational chart current and accurate? If yes, did the governing body create job duties for each level of the organizational chart? If job duties were created, do these duties address responsibilities required for the handling of prepaid meals?
12) Has fiscal authority been formally delegated to specific management personnel?
13) Did the governing board develop a formal employee evaluation system to set the intervals in which employees will be evaluated? If yes, does the formal evaluation system include disciplinary action that will be taken if an employee does not meet the expectations noted in the evaluation system? 14) Does management provide documented processes regarding prepaid meals to the governing board for review?
15) How does the governing board oversee the activities of management that are related to financial reporting? What oversight does the governing board give on the accounting records?
16) Are accounting department employees and school lunch employees involved in the handling of prepaid meals required to take vacations?
17) Has the governing board developed and implemented an ethics policy? If yes, does the policy address potential conflicts of interest? Is there a system of annual acknowledgment in place where either through e-mail submission or manual documentation, each official and employee attests that they have read the policy and will adhere to the policy?
18) Are there regular meetings of the governing board to set policies and objectives and review the unit’s performance?
19) Are the minutes of such meetings prepared and signed on a timely basis?
20) Are confidentiality agreements required for employees who come in contact with confidential information?
21) Are policies regarding personal use of computer equipment and software clearly stated?
22) Are school lunch prices established by the governing board?
Management:
1) Does management develop and maintain documentation of the internal control system over prepaid meals?
2) What procedures did management put in place for prepaid meals?
a. Does management assign responsibility, and delegate authority to achieve the proper handling of prepaid meals?
3) Does management establish an organizational structure, assign responsibility and delegate authority in order to achieve the proper handling of prepaid meals? If yes, did management establish and document the organizational structure of each office and department. Examples of items to incorporate into the structure could include: an organizational chart; outline of specific duties; designation of responsible persons for each part of the accounting process; documentation of internal control procedures over specific accounting areas; etc.
4) Does management ensure compliance with the unit’s personnel policies and procedures concerning hiring, training, promoting and compensating?
5) Does management check credentials and references for new employees?
6) Do employees who are involved in the handling of prepaid meals receive continuous or periodic training? If yes, what kind of training do employees receive to help them maintain their accounting and financial reporting competencies?
a. What background, education, and experience do accounting personnel have that assist them with their duties?
7) Does management reward employees for following good internal control practices through promotions or increase in compensation?
8) Is turnover of key fiscal personnel relatively low?
9) Does the workload of accounting employees facilitate the preparation of reliable accounting records?
10) Does management evaluate performance and hold individuals accountable for their responsibilities? If yes, what action is taken for employees not performing their responsibilities?
11) Is cross training completed to ensure that more than one employee is knowledgeable about the handling of prepaid meals? This cross training would allow more than one employee to be aware of potential design deficiencies in the internal controls or of noncompliance with internal controls.
12) Do accounting supervisors frequently prepare reports or reconciliations to verify the accuracy of financial transactions?
13) Does management take an active role in the financial reporting of the unit?
14) Is management actually involved in supervision of the various functions?
15) Does management ask employees for their suggestions on how to improve processes?
16) Has management given a high priority to its internal control structure?
17) Does management emphasize meeting the budget and/or financial and operating goals?
18) Is management willing to adjust the financial statements for misstatements that approach a material amount?
19) Does management discuss internal controls at management and other staff meetings?
20) Are there documented procedures for employees to follow when the balance of the Prepaid School Lunch fund does not reconcile to the total of the individual meal accounts?
Governing Board and Management:
1) Does the governing board and management stress adherence to policies and procedures?
2) Is there a clear assignment of responsibility and delegation of authority to deal with such matters as organizational goals and
objective, operating functions and regulatory requirements?
Risk Assessment – Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment is the process used to identify and assess internal and external risks to the achievement of objectives, and then establish risk tolerances. It is the basis for determining how risk will be managed.
1) Does management identify, analyze and respond to risks regarding the handling of prepaid meals?a. What areas have been identified regarding the handling of prepaid meals that may be exposed to fraud risk?
i. Risk factors may include changes in management or employees, competence and experience of personnel assigned to handle prepaid meals, new accounting system, complexity of the handling of prepaid meals, new or amended laws, the size and volume of individual transactions, understated lunch collections, theft of cash received, recording collections and revenue in incorrect periods, improper transfers from the Prepaid School Lunch fund to the School Lunch fund, etc.
b. Does management analyze the identified risks to determine the effect of the risk on achieving proper procedures over prepaid meals? For example, does management consider how likely the risk will occur, how it will impact the proper handling of prepaid meals, etc.
c. How has management addressed risks associated with using computerized accounting records, such as unauthorized access to applications or data, potential loss of data, and reliance or inadequate systems that may adversely affect internal control?
d. How has management responded to identified risks? For example, management may accept the risk and take no action, choose to eliminate certain processes to avoid the risk and institute proper internal controls.
e. When needed, does management go back to the governing board to enact or modify policies that will that will clearly define these areas?
2) Does management clearly define proper procedures over prepaid meals to enable the identification of risks and defines risk tolerances? Documentation of procedures over prepaid meals should be clear and address items such as who will be involved in the handling of prepaid meals, how proper procedures over prepaid meals will be achieved, and when will proper procedures over prepaid meals be in place.
3) How does management prevent fraud and errors in the accounting records, which are used to post financial transactions related to prepaid meals? For example, are important internal control procedures in place such as approvals, regular preparation or review of reconciliations, review of supporting schedules or reports, etc.?
4) Is management continually aware of changes, both external and internal that could affect the handling prepaid meals? If yes, does management determine any modifications needed in the internal control process to adopt to these changes?
5) Did the governing board incorporate external requirements, such as state statutes, Uniform Compliance Guidelines and requirements of the SCHOOL FOOD AND NUTRITION?
6) Are employees involved in the handling of prepaid meals bonded?
Control Activities – The actions and tools management establishes through policies and procedures that help to detect, prevent, or reduce the identified risks that interfere with the achievement of objectives and to respond to risk in the internal control system.
An integral part of the control activity component is segregation of duties. However, in very small governmental units, such segregation may not be practical. In this case, compensating activities should be implemented which may include additional levels of review for key operational processes and random and/or periodic review of selected transactions. In smaller units, these reviews and testing of processes might be performed by governing boards or other elected officials.
There is an expectation of segregation of duties. If compensating controls are necessary, documentation should exist to identify both the areas where segregation of duties are not feasible or practical and the compensating controls implemented to mitigate the risk. Clear documentation should be maintained for continuity as well as ease of communication to outside parties.
1) Is there a system of checks and balances (segregation of duties) to ensure the proper handling of prepaid meals?
a. Is the individual collecting school lunch funds separate from the individual generating daily reports?
b. Is an individual not involved in collecting school lunch receipts or generating daily reports compare receipt postings to the Prepaid School Lunch fund to the Daily Record of Cash Received reports (form SF-2)? If yes, is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
c. Is an individual not involved in collecting school lunch receipts or generating daily reports compare deposits/remittances of student collections to the Daily Record of Cash Received reports (form SF-2)? If yes, is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
d. Is an individual not involved in collecting school lunch receipts or generating daily reports compare the total amount of individual meal account balances to the fund balance of the Prepaid School Lunch fund? If yes, is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
e. Is an individual not involved in collecting school lunch receipts or generating daily reports comparing total debits posted to individual meal accounts to Daily Record of Cash Received reports (form SF-2)? If yes, is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
f. Is an individual not involved in collecting school lunch receipts or generating daily reports compare total debits posted to individual meal accounts to deposits/remittances of student collections? If yes, is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
g. Is an individual not involved in collecting school lunch receipts or generating daily reports compare total credits posted to individual meal accounts to receipts posted to the School Lunch fund? If yes, is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
2) Did management design the entity’s information system and related control activities to ensure the proper handling of prepaid meals?
3) Are the accounting records for the Prepaid School Lunch fund established in accordance with the SBOA chart of accounts and Uniform Compliance Guidelines in order to allow proper oversight by management and the governing board?
a. Has a Prepaid School Lunch fund (fund 8400) been established?
b. Are collections, including those received through on line banking and in person, posted to fund 8400 using receipt account 1630 (Special Functions)?
c. Are charged meals disbursed from the Prepaid School Lunch fund (fund 8400) using expenditure account 31900 (Other Food Services)? Note: A charged meal is when the student goes through the lunch line and charges a meal or ala carte items to their account.
d. Are charged meals disbursed from the Prepaid School Lunch fund (fund 8400) receipted to fund 800 School Lunch fund (fund 800) using receipt accounts 1611-1623? If yes, are the transfers net of bad debts, uncollectible accounts and collections received for repayment plans?
4) Are individual meal accounts established for each student?
5) Are school lunch collections and the write off of bad debts posted to the individual student meal accounts?
6) Are charged meals posted to the individual student meal accounts?
7) Are bad debts and uncollectible accounts written off in accordance with the policy approved by the governing board?
8) Are charged meals bad debts and uncollectible accounts written off in accordance with the policy approved by the governing board?
9) Are repayment plans handled in accordance with the policy approved by the governing board?
10) Are charged meals deducted from student accounts immediately (when the student goes through the line and charges a meal or ala carte items)?
11) Are collections added to student accounts timely?
12) Are receipts issued by the ECA Treasurer or School Corporation Treasurer to the individual remitting the collections? If yes, is the receipt retained by the school lunch staff to support deposits and receipt postings to fund 8400?
13) Are transfers of charged meals from the Prepaid School Lunch fund to the School Lunch fund made in accordance with the policy approved by the governing board to ensure accurate monthly reporting?
14) Are families notified of negative cash balances in their student’s account?
15) Do families have access to detailed collections, charges and ending balances of student accounts?
16) Is the individual authorized to oversee prepaid meals knowledgeable?
a. Is there a checklist for the proper handling of prepaid meals that includes the following?
i. employee names with their responsibilities and duties
ii. deadlines for generating reports, making deposits, etc.
iii. detail of supporting documentation required, etc.
iv. compliance with written policies
Information and Communication – Relevant information from both internal and external sources is necessary to support the functioning of the other components of internal control. Communication is the continual process of providing, sharing, and obtaining necessary information.
1) Are procedures established to ensure that proper communication and documentation exists for internal communications between offices, departments, management and the governing board regarding prepaid meals?a. How does the unit internally communicate information regarding prepaid meals to employees, including objectives and responsibilities for internal control? Are records maintained to document this communication?
b. Are procedures established to ensure that the communication requirements are being followed and necessary information is being communicated properly?
c. Are procedures established for feedback on and clarification of the information provided?
2) What procedures are in place to collect the information needed to ensure the proper handling of prepaid meals?
a. Does management use the most current information available to ensure the proper handling of prepaid meals?
Monitoring – Activities that allow management to assess the quality of internal controls over time and make adjustments as necessary. Proper monitoring ensures that controls function properly.
1) Are procedures in place to ensure that appropriate personnel perform their required duties sufficiently and adequately follow the policies and procedures of the governmental unit regarding prepaid meals?
2) Are internal control procedures over prepaid meals evaluated and adjusted on a regular basis? For example, personnel changes, newly elected officials, etc.
a. What follow-up action is taken for identified problems or weaknesses in internal controls regarding prepaid meals?
3) Are monthly reports detailing receipts, disbursements and cash balances of the school lunch funds provided to management of the school lunch funds to review for accuracy and reasonableness?
4) Are monthly reports of receipts, disbursements and cash balances of the school lunch funds provided to the governing board to review for accuracy and reasonableness?
5) Does a confidential reporting system exist so that individuals may report suspected fraud and abuse of the unit’s policies?
- Receipting Activities
A summarized version of this best practice can found at this link.
A system of internal control may be implemented in many different ways. Because political subdivisions vary in purpose, size and complexity, no single method of internal control is universally applicable. However, the five internal control components should be present and functioning in all political subdivisions.
Questions have been accumulated for all five internal control components. This document includes questions pertaining to various noncompliance issues regarding receipting activities. These questions can be used to aid in designing a proper system of internal control over receipting activities that will allow deficiencies in receipting activities to be prevented or detected and corrected. It is not necessary to address all questions in this document. These are only suggestions and ultimately it is up to the unit on how they implement it. The internal control system as a whole has to be designed and implemented appropriately in order to allow errors and deficiencies in receipting activities to be prevented or detected and corrected.
Components of Internal Control:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Control Environment - Sets the tone of the unit and influences the effectiveness of internal controls within the unit. It comprises the integrity and ethical values of the unit and is set by the governing board and management. The standards, processes, and structures which form the control environment pervasively impact the overall system of internal control.
The questions in this section are divided by questions that pertain to the governing board, management and both the governing board and management.
Governing Board:
1) Does the governing board oversee the unit’s internal control system over receipting activities?
2) If considered necessary, did the governing board establish an oversight committee and appoint members with high ethical values, excellent communication and problem solving skills?
3) Does the unit have a mission statement, objective and goals?
4) Does the governing board convey periodic messages of expectations to all employees?
5) Are there written policies documenting internal control procedures over receipting activities? If yes, do these written policies outline the authority and responsibility for receipting activities within the unit?
6) If credit cards are an acceptable form of payment for the unit, did the governing board approve policies on the handling credit card transactions and deposits, procedures for another acceptable form of payment when a credit card is declined and a refund policy?
7) How involved is the governing board in understanding the entity's receipting activities, overseeing the effectiveness of internal controls over receipting activities, and evaluating whether the accounting records that support receipts are correct? For example, is the governing board’s involvement limited to attending board meetings, or does the board oversee other things such as unit controls, accounting practices, etc.
8) Did the governing board develop an organizational chart? If yes, is the organizational chart current and accurate?
9) Have job descriptions been created outlining specific duties? Is yes, do these duties address responsibilities required for receipting activities?
10) Has fiscal authority been formally delegated to specific management personnel?
11) Did the governing board develop a formal employee evaluation system to set the intervals in which employees will be evaluated? If yes, does the formal evaluation system include disciplinary action that will be taken if an employee does not meet the expectations noted in the evaluation system?
12) Does management provide documented processes regarding receipting activities to the governing board for review?
13) How does the governing board oversee the activities of management that are related to financial reporting? What oversight does the governing board give on the accounting records?
14) Are accounting department employees required to take vacations?
15) Has the governing board developed and implemented an ethics policy? If yes, does the policy address potential conflicts of interest? Is there a system of annual acknowledgment in place where either through e mail submission or manual documentation, each official and employee attests that they have read the policy and will adhere to the policy?
16) Are there regular meetings of the governing board to set policies and objectives and review the unit’s performance?
17) Are the minutes of such meetings prepared and signed on a timely basis?
18) Are confidentiality agreements required for employees who come in contact with confidential information?
19) Are policies regarding personal use of computer equipment and software clearly stated?
20) Are fees charged specifically authorized by statute or established by the governing board through an ordinance or resolution?
Management:
1) Does management develop and maintain documentation of the internal control system over receipting activities?
2) What procedures did management put in place for receipting activities?
a. Does management assign responsibility, and delegate authority to achieve proper receipting activities?
3) Does management establish an organizational structure, assign responsibility and delegate authority in order to achieve proper receipting activities? If yes, did management establish and document the organizational structure of each office and department. Examples of items to incorporate into the structure could include: an organizational chart; outline of specific duties; designation of responsible persons for each part of the accounting process; documentation of internal control procedures over specific accounting areas; etc.
4) Does management ensure compliance with the unit’s personnel policies and procedures concerning hiring, training, promoting and compensating?
5) Does management check credentials and references for new employees?
6) Do employees who are involved in the receipting process receive continuous or periodic training? If yes, what kind of training do employees receive to help them maintain their accounting and financial reporting competencies?
a. What background, education, and experience do accounting personnel have that assist them with their duties?
7) Does management reward employees for following good internal control practices through promotions or increase in compensation?
8) Is turnover of key fiscal personnel relatively low?
9) Does the workload of accounting employees facilitate the preparation of reliable accounting records?
10) Does management evaluate performance and hold individuals accountable for their responsibilities? If yes, what action is taken for employees not performing their responsibilities?
11) Is cross training completed to ensure that more than one employee is knowledgeable about the receipting process? This cross training would allow more than one employee to be aware of potential design deficiencies in the internal controls or of noncompliance with internal controls.
12) Do accounting supervisors frequently prepare reports or reconciliations to verify the accuracy of financial transactions?
13) Does management take an active role in the financial reporting of the unit?
14) Is management actually involved in supervision of the various functions?
15) Does management ask employees for their suggestions on how to improve processes?
16) Has management given a high priority to its internal control structure?
17) Does management emphasize meeting the budget and/or financial and operating goals?
18) Is management willing to adjust the financial statements for misstatements that approach a material amount?
19) Does management discuss internal controls at management and other staff meetings?
20) Are there documented procedures for employees to follow when collections do not reconcile to the receipts issued?
21) If credit cards are accepted as a form of payment and a refund policy was established by the governing board, is the refund policy clearly displayed or communicated to the customer at the time of the initial transaction?
Governing Board and Management:
1) Does the governing board and management stress adherence to policies and procedures?
2) Is there a clear assignment of responsibility and delegation of authority to deal with such matters as organizational goals and objective, operating functions and regulatory requirements?
3) Is there a secure area provided for processing and safeguarding incoming cash receipts? If yes, is access to the secured area restricted to authorized personnel only and is the secured area locked when not occupied?
Risk Assessment - Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment is the process used to identify and assess internal and external risks to the achievement of objectives, and then establish risk tolerances. It is the basis for determining how risk will be managed.
1) Does management identify, analyze and respond to risks over receipting activities?a. What areas have been identified regarding receipting activities that may be exposed to fraud risk?
i. Risk factors may include non-compliance with statutes, changes in management or employees, competence and experience of personnel assigned to receipting activities, findings reported in prior audits regarding receipting activities, new accounting system, new technology allowing alteration of documents, volume of receipt transactions, inaccurate financial statements, understated sales, theft of cash received, substitution of checks for cash, recording receipts in incorrect periods, receipts not issued at time of collection, unauthorized journal entries, inaccurate fs, recording receipts in incorrect periods, reporting more receivables and less cash, unauthorized adjustments or journal entries, understated sales, etc.
b. Does management analyze the identified risks to determine the effect of the risk on achieving proper receipting procedures? For example, does management consider how likely the risk will occur, how it will impact the objective, if the risk is based on complex or unusual transactions, if the risk is based on fraud.
c. How has management addressed risks associated with using computerized accounting records, such as unauthorized access to applications or data, potential loss of data, and reliance or inadequate systems that may adversely affect internal control?
d. How has management responded to identified risks? For example, management may accept the risk and take no action, choose to eliminate certain processes to avoid the risk and institute proper internal controls.
e. When needed, does management go back to the governing board to enact or modify policies that will that will clearly define these areas?
2) Does management clearly define proper receipting activities to enable the identification of risks and defines risk tolerances? Documentation of receipting activities should be clear and address items such as who will be involved in receipting activities, how proper receipting activities will be achieved, and when will proper receipting activities be in place.
3) How does management prevent fraud and errors in the accounting records, which are used to record receipts? For example, are important internal control procedures in place such as approvals, regular preparation or review of reconciliations, review of supporting schedules or reports, etc.?
4) Is management continually aware of changes, both external and internal, that could affect receipting activities? If yes, does management determine any modifications needed in the internal control process to adopt to these changes?
5) Did the governing board and/or management incorporate external requirements, such as state statutes and Uniform Compliance Guidelines?
6) What procedures are in place to ensure that collections received were properly reflected in the accounting records?
7) Are employees involved in the receipting process bonded?
Control Activities - The actions and tools management establishes through policies and procedures that help to detect, prevent, or reduce the identified risks that interfere with the achievement of objectives and to respond to risk in the internal control system.
An integral part of the control activity component is segregation of duties. However, in very small governmental units, such segregation may not be practical. In this case, compensating activities should be implemented which may include additional levels of review for key operational processes and random and/or periodic review of selected transactions. In smaller units, these reviews and testing of processes might be performed by governing boards or other elected officials.
There is an expectation of segregation of duties. If compensating controls are necessary, documentation should exist to identify both the areas where segregation of duties are not feasible or practical and the compensating controls implemented to mitigate the risk. Clear documentation should be maintained for continuity as well as ease of communication to outside parties.
1) Is there a system of checks and balances (segregation of duties) to ensure the proper collection and reporting of receipts?a. Are responsibilities for collecting money and issuing receipts segregated from those preparing the bank deposit?
b. Are responsibilities for collecting money and issuing receipts segregated from those posting the records?
c. Are responsibilities for making bank deposits segregated from those preparing the monthly bank reconcilements?
d. Is a reconcilement between the receipts ledger and the credits to the bank account completed periodically by an individual separate of the receipting process?
e. Are responsibilities for making bank deposits segregated from those posting the records?
f. Are responsibilities for issuing receipts segregated from those who open the mail?
g. Are responsibilities for billing segregated from those who mail the bills?
h. Are responsibilities for collecting money and issuing receipts segregated from those who issue permits or licenses?
i. Are responsibilities for customer billings segregated from those involved in the receipting process?
j. Are responsibilities for maintaining accounts receivable records segregated from those involved in the billing process?
k. Are responsibilities for receipting activities segregated from those involved in disbursing activities?
l. Are non-sufficient funds checks delivered to an individual independent of those processing and recording collections?
m. Are responsibilities for processing credit card payments segregated from those involved in processing voided credit card transactions?
n. Are responsibilities for processing credits or refunds segregated from those involved in the payment processing function?
o. Are responsibilities for reconciling credit card payments segregated from those processing payments, voids, credits and refunds?
p. Are reviews made of deposit slips by someone outside the receipting process to verify all deposit slips are accounted for?
2) Are collections received by mail?
a. Is the mail opened by two people?
b. Are all remittances collected by mail documented on a list of receipts at the time the mail is opened? If yes, is the list prepared by an individual other than those opening the mail? If remittances collected by mail are documented on a list of receipts, are copies of the listing forwarded, along with the money, to the cashier or depositor?
c. Does an individual who does not open the mail and is not the cashier or depositor compare the list with the deposit?
d. When opening mail, are checks endorsed or stamped “For Deposit Only”?
e. Are other copies attached to collections received through the mail as supporting documentation to the accounting transaction? If yes, are these documents enclosed with the currency, are the documents machine date stamped or dated and initialed by the individual opening the mail?
3) Did management design the entity’s information system and related control activities to ensure proper receipting activities?
a. Did management implement control activities through written policies?
4) Are deposits of all receipts made according to state statute?
5) Are receipts issued timely for electronic deposits? What procedures are in place for identifying and issuing receipts for electronic deposits?
6) Are there established procedures for follow-up of non-sufficient funds checks?
7) Are pre-numbered duplicate receipts issued for all money collected?
8) Are duplicate receipts retained?
9) Is an approved or prescribed receipt form used? If no, are other receipt books used in place of an approved or prescribed receipt?
10) Are receipts issued at the time of collection?
11) If you are using any software to issue receipts, is there a backup system for issuing receipts when the system is down and not accessible?
12) Do voided receipts require review and authorization by management?
13) Are voided receipts with supporting documentation retained?
14) Are separate cash drawers used for each individual collecting money? If yes, is access limited to the individual responsible and assigned to that cash drawer?
15) Are collections stored in a secure location?
16) Are collections reconciled to receipts issued (or other cash reports) by someone other than the individual collecting the money? If no, are these reconciliations reviewed and approved by management? If yes, is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
17) Are collections accounted for and balanced to receipts issued or other collection records daily?
18) Is monitoring performed on all cash longs and shorts?
19) Are collections promptly and accurately recorded in the records?
20) Are collections deposited in the form originally received? Do receipts indicate the type of payment received (cash, check, etc.) and is this reconciled to the make-up of the bank deposit (cash, check, etc.)?
21) Are delay of deposits avoided by making sure fund distribution are immediately determinable?
22) Are there comparisons of deposit amounts and dates with cash receipt postings?
23) Are adjustments to customer accounts properly documented and reviewed by an individual independent of the billing and accounts receivable processes?
24) Are receivable amounts aged monthly? If yes, is the aging of monthly receivables reviewed by an authorized individual?
25) Does the governing board approve bad debt write offs?
26) Are procedures provided for executing all possible legal remedies to collect charged-off or non-collectable accounts?
27) Do accounts receivable record-keeping procedures include reconciling the aggregate collections and balance of the accounts receivable control against postings to individual accounts receivable accounts?
28) Are periodic reviews made of receivable accounts with credit balances?
29) Are overpayments subsequently refunded and underpayments collected?
30) Are individuals involved in the receipting process knowledgeable?
31) Is access to receipt applications appropriately controlled by user logins and passwords? Do individuals involved in receipting activities share their user id and password?
32) Are there procedures for authorizing and recording inter-bank and inter-fund transfers and providing for proper accounting for those transactions?
33) Are investigations made of unusual journal entries?
34) If credit cards are an allowable form of payment, are the following procedures in place?
a. Are pre-numbered receipts or number computed generated receipts used so that all credit card collections are accounted for?
b. Is a log or receipt register used to account for credit card collections? If yes, does the log or receipt register contain the same information as a prescribed receipt?
c. Are the daily receipts total from all credit card processing devices printed and used to reconcile each business day? If yes, are
variances investigated in a timely manner?d. Are employees trained to know when a settlement cut-off time occurs in order to correctly reconcile the daily transactions?
e. Are total credit card receipts or reports reconciled on a daily basis to the total dollar value sold? For example, total dollar amount reconciled to number of licenses issued via credit cards
f. Are the credit card amounts reconciled on a day-by-basis to a statement from the bank servicing the credit card?
35) If credit card collections are accepted over the internet are the following procedures in place?
a. Is the amount charged based on the customer’s payment selection?
b. Are basic security measures in place to reduce fraud for credit card collections accepted over the internet? These measures are components of an online service that a unit would employ to receive electronic payments.
36) If credit card collections are accepted face-to-face, are the following procedures in place?
a. Before the transaction is electronically submitted for approval, is the amount reviewed to ensure the dollar amount charged is
correct?b. Is the name on the credit card and the last four digits of the account number compared to the data on the receipt?
c. Is the customer’s signature on the sales receipt compared to the signature on the back of the card?
d. Is the name on the credit card verified against other personal identification in the possession of the user such as a photo ID?
e. Do only the last four digits and the expiration date appear on the cardholder’s copy of the printed receipt?
f. If the credit card magnetic strip cannot be read, are there procedures for manually entering the credit card information?
37) If credit card refunds are issued, are the following procedures in place for refunds?
a. Are credit card refunds issued in a timely manner, i.e., as near as possible to the date of the original transaction?
b. Is there appropriate documentation on file with the credit card refund?
c. Are credits issued to the same credit card used in the original transaction?
38) Does the unit have separate cash collection points?
a. Are there proper controls at each collection point to assure timely deposits and accurate recording of collections?
b. Are there timely notices of receipts collected at separate collection points given to a central accounting department?
c. Are collections received at separate collection points transmitted to the central accounting department through the banking system?
d. Are daily reported receipts at separate collection points compared to records of the accounting department?
39) If the unit bills for services, are the following procedures in place?
a. Are billings of service fees and taxes billed timely?
b. Do procedures include providing for an independent verification of quantities, prices, and clerical accuracy of billing statements?
c. Are statements of account balances mailed on a timely basis?
d. Are there procedures providing for timely notification to the accounting department at the time billings are prepared?
e. Do billings contain a unique identification number; name, address, and contact information; description of charges; the amount being charged; billing date; due date; and account balance?
f. Do procedures include numerical processing controls over billings?
g. Do procedures include controls of the billing of miscellaneous revenues?
h. Are penalties and interest assessed on delinquent payments where allowable by law?
i. Are there procedures to prevent interception or alternation by unauthorized persons of billings after preparation, but before
mailing?j. Do procedures prompt investigation of disputes with billing amounts, reported by taxpayers or customers, by an individual independent of the accounts receivable record keeping process?
k. Do procedures include protecting records of receivables from destruction and unauthorized access?
l. Do procedures for revenues that include service readings performed in a timely fashion, if billing is based on usage?
m. Do procedures include providing for identification and investigation of unusual billing patterns?
n. Do procedures describe how receivables are to be established?
Information and Communication - Relevant information from both internal and external sources is necessary to support the functioning of the other components of internal control. Communication is the continual process of providing, sharing, and obtaining necessary information.
1) Are procedures established to ensure that proper communication and documentation exists for internal communications between offices, departments, management and the governing board regarding receipting activities?a. How does the unit internally communicate information regarding receipting activities to employees, including objectives and responsibilities for internal control? Are records maintained to document this communication?
b. Are procedures established to ensure that the communication requirements are being followed and necessary information is being communicated properly?
c. Are procedures established for feedback on and clarification of the information provided?
2) What procedures are in place to collect the information needed to ensure proper receipting activities?
a. Does management use the most current information available to ensure receipting activities are working properly?
Monitoring - Activities that allow management to assess the quality of internal controls over time and make adjustments as necessary. Proper monitoring ensures that controls function properly.
1) Are procedures in place to ensure that appropriate personnel perform their required duties sufficiently and adequately follow the policies and procedures of the unit regarding receipting activities?2) Are internal control procedures over receipting activities evaluated and adjusted on a regular basis? For example, personnel changes, newly elected officials, etc.
a. What follow-up action is taken for identified problems or weaknesses in internal controls over receipting activities?
3) Are monthly reports detailing receipts of the funds provided to the appropriate department to review for accuracy and reasonableness?
4) Are monthly reports detailing receipts of the funds provided to management to review for accuracy and reasonableness?
5) Are monthly receipt reports provided to the governing board to review?
6) Does a confidential reporting system exist so that individuals may report suspected fraud and abuse of the unit’s policies?
7) Is there a comparison by the appropriate level of management or another designated individual of actual receipts to budgeted and prior receipts? If yes, are investigations performed for all variances noted?
8) Are unannounced cash counts performed?
- Schedule of Expenditures of Federal Awards (SEFA)
A summarized version of this best practice can found at this link.
A system of internal control may be implemented in many different ways. Because political subdivisions vary in purpose, size and complexity, no single method of internal control is universally applicable. However, the five internal control components should be present and functioning in all political subdivisions.
Questions have been accumulated for all five internal control components. This document includes questions pertaining to various noncompliance issues regarding the preparation, review and submission of a correct Schedule of Expenditures of Federal Awards (SEFA). These questions can be used to aid in designing a proper system of internal control over the preparation, review and submission of the SEFA that will allow misstatements of the SEFA to be prevented or detected and corrected. It is not necessary to address all questions in this document. These questions are related to suggested internal control procedures, but the actual structure of an internal control system must be tailored to the unique needs of the political subdivision. The internal control system as a whole has to be designed and implemented appropriately in order to allow errors made in the preparation, review and submission of the SEFA to be prevented or detected and corrected.
Most political subdivisions are assisted by the State Board of Accounts in the compilation of the SEFA. Information related to federal awards is entered by the political subdivision into the Gateway reporting system. This information is used to compile the SEFA. When this process is used, internal control procedures are needed to ensure the accuracy of information entered into the Gateway reporting system. There are a few units that prepare the SEFA without the use of the Gateway reporting system. The procedures established should be reflective of whatever process is used to complete the SEFA whether it is through the Gateway reporting system or prepared outside the Gateway reporting system.
Components of Internal Control:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Control Environment - Sets the tone of the unit and influences the effectiveness of internal controls within the unit. It comprises the integrity and ethical values of the unit and is set by the governing body and management. The standards, processes, and structures which form the control environment pervasively impact the overall system of internal control.
The questions in this section are divided by questions that pertain to the governing board, management and both the governing board and management.
Governing Board:
1) Does the governing board oversee the unit’s internal control system over the preparation, review and submission of the SEFA?
2) If considered necessary, did the governing board establish an oversight committee and appoint members with high ethical values, excellent communication and problem solving skills?
3) Does the unit have a mission statement, objective and goals?
4) Does the governing board convey periodic messages of expectations to all employees?
5) Are there written policies documenting internal control procedures over the preparation, review and submission of the SEFA? If yes, do these written policies outline the authority and responsibility for the preparation, review and submission of the SEFA within the unit?
6) How involved is the governing board in understanding the unit’s SEFA process, overseeing the effectiveness of internal controls over the preparation, review and submission of the SEFA, and evaluating whether the accounting records that support the SEFA are correct? For example, is the governing board’s involvement limited to attending board meetings, or does the board oversee other things such as unit controls, accounting practices, etc.
7) Did the governing board develop an organizational chart? If yes, is the organizational chart current and accurate? If yes, did the governing board create job duties for each level of the organizational chart? If job duties were created, do these duties address responsibilities required for the preparation, review and submission of the SEFA?
8) Has fiscal authority been formally delegated to specific management personnel?
9) Did the governing board develop a formal employee evaluation system to set the intervals in which employees will be evaluated? If yes, does the formal evaluation system include disciplinary action that will be taken if an employee does not meet the expectations noted in the evaluation system?
10) How does the governing board oversee the activities of management that are related to financial reporting? What oversight does the governing board give on the accounting records?
11) Are accounting department employees required to take vacations?
12) Has the governing board developed and implemented an ethics policy? If yes, does the policy address potential conflicts of interest? Is there a system of annual acknowledgment in place where either through e-mail submission or manual documentation, each official and employee attests that they have read the policy and will adhere to the policy?
13) Are there regular meetings of the governing board to set policies and objectives and review the unit’s performance?
14) Are the minutes of such meetings prepared and signed on a timely basis?
15) Are confidentiality agreements required for employees who come in contact with confidential information?
16) Are policies regarding personal use of computer equipment and software clearly stated?
17) Does the fiscal officer present the SEFA to the governing board for review and approval at a regularly scheduled public meeting?
18) Do the departments present grant proposals to the governing board for approval at a regularly scheduled public meeting?
19) Once the grant application is completed, is the grant application approved by the governing board prior to submission to the grantor agency?
20) Is the grant application and all other required information remitted to the grantor agency for approval by a designated individual?
21) Once approval has been obtained from the grantor agency, does the department present the approval of the grant to the governing board at a regularly scheduled public meeting?
Management:
1) Does management develop and maintain documentation of the internal control system over the preparation, review and submission of the SEFA?
a. Does management assign responsibility, and delegate authority to achieve a correct SEFA and ensure it is submitted timely?
2) Does management establish an organizational structure, assign responsibility and delegate authority in order to achieve a correct SEFA? If yes, did management establish and document the organizational structure of each office and department? Examples of items to incorporate into the structure could include: an organizational chart; outline of specific duties; designation of responsible persons for each part of the accounting process; documentation of internal control procedures over specific accounting areas; etc.
3) Does management ensure compliance with the unit’s personnel policies and procedures regarding hiring, training, promoting and compensating?
4) Does management check credentials and references for new employees?
5) Do employees who are involved in the SEFA process receive continuous or periodic training? If yes, what kind of training do employees receive to help them maintain their accounting and financial reporting competencies?
a. What background, education, and experience do accounting personnel have that assist them with their duties?
6) Does management reward employees for following good internal control practices through promotions or increase in compensation?
7) Is turnover of key fiscal personnel relatively low?
8) Does the workload of accounting employees facilitate the preparation of reliable accounting records?
9) Does management evaluate performance and hold individuals accountable for their responsibilities? If yes, what action is taken for employees not performing their responsibilities?
10) Is cross training completed to ensure that more than one employee is knowledgeable about the SEFA process? This cross training would allow more than one employee to be aware of potential design deficiencies in the internal controls or of noncompliance with internal controls.
11) Do accounting supervisors frequently prepare reports or reconciliations to verify the accuracy of financial transactions?
12) Does management take an active role in the financial reporting of the unit?
13) Is management actually involved in supervision of the various functions?
14) Does management ask employees for their suggestions on how to improve processes?
15) Has management given a high priority to its internal control structure?
16) Is management willing to adjust the SEFA for misstatements that approach a material amount?
17) Does management discuss internal controls at management and other staff meetings?
Governing Board and Management:
1) Does the governing board and management stress adherence to policies and procedures?
2) Is there a clear assignment of responsibility and delegation of authority to deal with such matters as organizational goals and objective, operating functions and regulatory requirements?
3) If an outside consultant is used to complete the SEFA, is there a supporting contract that addresses the following items:
a. Services to be provided
b. Compliance with laws and regulations should be adhered to
c. Compensation
d. Effective and ending dates
e. Deadlines
f. Renewal options
Risk Assessment - Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment is the process used to identify and assess internal and external risks to the achievement of objectives, and then establish risk tolerances. It is the basis for determining how risk will be managed.
1) Does management identify, analyze and respond to risks regarding the preparation, review and submission of the SEFA?
a. What areas have been identified regarding the preparation, review and submission of the SEFA that may be exposed to fraud risk?
i. Risk factors may include noncompliance with statutes and grant requirements, changes in management or employees, competence and experience of personnel involved in the SEFA process, inaccurate Schedule of Expenditures of Federal Awards, findings reported in prior audit reports regarding the SEFA, new accounting system, volume of transactions and funds, etc.
b. Does management analyze the identified risks to estimate the effect of the risk on achieving a correct SEFA? For example, does management consider how likely the risk will occur, how it will impact a correct SEFA, if the risk is based on complex or unusual transactions, if the risk is based on fraud, etc.
c. How has management addressed risks associated with using computerized accounting records, such as unauthorized access to applications or data, potential loss of data, and reliance or inadequate systems that may adversely affect internal control?
d. How has management responded to identified risks? For example, management may accept the risk and take no action, choose to eliminate certain processes to avoid the risk and institute proper internal controls.
e. When needed, does management go back to the governing board to enact or modify policies that will that will clearly define these areas?
2) Does management clearly define proper procedures over the preparation, review and submission of the SEFA to enable the identification of risks and to define risk tolerances? Written procedures should be clear and address items such as who will be involved in SEFA process, how proper SEFA procedures will be achieved, and when will proper SEFA procedures be in place.
3) Is management continually aware of changes, both external and internal, that could affect a correct SEFA? If yes, does management determine any modifications needed in the internal control process to adopt to these changes?
4) Did the governing board or management incorporate external requirements, such as state statutes and Uniform Compliance Guidelines?
5) What procedures are in place to ensure that the information reported on the SEFA is correct and reflective of the accounting records?
Control Activities - The actions and tools management establishes through policies and procedures that help to detect, prevent, or reduce the identified risks that interfere with the achievement of objectives and to respond to risk in the internal control system.
An integral part of the control activity component is segregation of duties. However, in very small governmental units, such segregation may not be practical. In this case, compensating activities should be implemented which may include additional levels of review for key operational processes, random and/or periodic review of selected transactions. In smaller units, these reviews and testing of processes might be performed by governing boards or other elected officials.
There is an expectation of segregation of duties. If compensating controls are necessary, documentation should exist to identify both the areas where segregation of duties are not feasible or practical and the compensating controls implemented to mitigate the risk. Clear documentation should be maintained for continuity as well as ease of communication to outside parties.
1) Is there a system of checks and balances (segregation of duties) to ensure a correct SEFA?a. Are responsibilities for preparing the SEFA segregated from those involved in reviewing the SEFA?
b. Are responsibilities for preparing the SEFA segregated from those involved in submitting the SEFA?
c. Are responsibilities for reviewing the SEFA segregated from those involved in submitting the SEFA?
2) Did management design the unit’s information system and related control activities to ensure the proper preparation, review and submission of the SEFA?
a. Did management implement control activities through written policies?
3) Is the individual authorized to review the SEFA knowledgeable in the SEFA process?
a. Is there a checklist for the preparation, review and submission of the SEFA that includes the following?
i. Employee names with their responsibilities and duties
ii. Deadlines for submission of information from each employee
iii. Detail of supporting documentation required, etc.
iv. Is a comparison to the prior SEFA made to identify material errors
4) Does the individual authorized to review the SEFA understand the unit’s recordkeeping system?
5) Is access to the unit’s records appropriately controlled by user logins and passwords? Do individuals involved in the SEFA process share their user id and password?
6) Does management or another designated individual review and check the accuracy of the information submitted through the Gateway reporting system by comparing it to supporting documentation used to input the information before submission? Is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
7) Are standard reports or standard documentation used to support information in the SEFA?
a. Are there reconciliations between the financial records and any standard reports received from various employees involved in the process of the preparation of the SEFA?
8) Does management review and check the accuracy of the information submitted by the departments to the fiscal officer by comparing it to supporting documentation used to input the information before submission to the fiscal officer? Is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
9) Does management send the grant information submitted through the Gateway reporting system to the departments for their review?
a. If yes, does the department verify the information and include documentation of the review? For example: initials, tick marks indicating procedures performed, records traced to, etc.
b. Are differences noted by the department reviewed by management before changes are made to the information entered in the Gateway system
10) Are the Detailed Error Reports that are generated from the Gateway system reviewed by management or an individual not involved in the SEFA process? How are the errors noted on the report corrected?
11) Does the unit use an outside consultant to prepare the SEFA?
a. Is information submitted to the outside consultant reviewed by an individual separate from those involved in gathering the information?
i. Does the review include verifying the information submitted to the outside consultant agrees with supporting documentation? If yes, is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
ii. Does the fiscal officer or a designated individual compare the SEFA prepared by the outside consultant to supporting documentation submitted to the outside consultant? If yes, is this review documented as evidenced by initials, tick marks, etc. indicating procedures performed?
b. Does management verify the outside consultant is performing all services detailed in the approved contract?
12) Does each department maintain grant files for every individual grant and include all grant documents that have been remitted to the auditor? Does each department ensure that all grant documentation is remitted to the auditor, including the grant application, grant approval, grant contract/agreement from the grantor agency?
13) Are grant files or electronic files maintained by the fiscal officer for each grant and include proper supporting documentation?
a. Does management send checklists to the various departments listing documents to be provided to the fiscal officer? For example, the grant application, grant award letter, grant agreement, grant budget, correspondence with grantor agency, claim vouchers with supporting invoices, requests for advances, reports with supporting documentation, etc.
14) Is the source of the grant identified before grant proceeds are received? For example: This will be found with the grant application, grant agreement and grant award letter. It may require contacting the grantor agency for additional information.
15) Are fund names for the grants set up by using a CFDA number and/or title of the grant? Do grant fund numbers follow the chart of accounts established by the SBoA?
Information and Communication - Relevant information from both internal and external sources is necessary to support the functioning of the other components of internal control. Communication is the continual process of providing, sharing, and obtaining necessary information.
1) Are procedures established to ensure that proper communication and documentation exists for internal communications between offices, departments, management and the governing board regarding the preparation, review and submission of the SEFA?a. How does the unit internally communicate information regarding the preparation, review and submission of the SEFA to employees, including how to prepare a correct SEFA and responsibilities for internal control? Are records maintained to document this communication?
b. Are procedures established to ensure that the communication requirements are being followed and necessary information is being communicated properly?
c. Are procedures established for feedback on and clarification of the information provided?2) What procedures are in place to collect the information needed to complete the SEFA?
a. Does management use the most current information available to ensure the SEFA will be correct?
Monitoring - Activities that allow management to assess the quality of internal controls over time and make adjustments as necessary. Proper monitoring ensures that controls function properly.
1) Are procedures in place to ensure that appropriate personnel perform their required duties sufficiently and adequately follow the policies and procedures of the unit regarding the preparation, review and submission of the SEFA?2) Are internal control procedures over the preparation, review and submission of the SEFA evaluated and adjusted on a regular basis? For example, personnel changes, newly elected officials, etc.
a. What follow-up action is taken for identified problems or weaknesses in internal controls over the preparation, review and submission of the SEFA?
3) Are monthly reports detailing receipts, disbursements, appropriations and cash and investment balances provided to the appropriate department to review for accuracy and reasonableness?
4) Are monthly reports detailing receipts, disbursements, appropriations and cash and investment balances provided to management to review for accuracy and reasonableness?
5) Are monthly reports of receipts, disbursements, appropriations and cash and investment balances provided to the governing board to review?
6) Does a confidential reporting system exist so that individuals may report suspected fraud and abuse of the unit’s policies?