Internal Controls andBest Practices Robert McGee, Associate Controller Holley Schramski, Associate Vice President and Controller Dale Wetzelberger, Director Internal Auditing Division
Goals Describe Basic Internal Control Objectives Describe the Best Practice Procedures Applied in Specific Areas • Cash Receipts • Signature Authority • Procurement • Accounts Payable • Payroll • Independent Contractors • Travel • Business Meals and Entertainment • Account Status Reports • Property Management • Conflict of Interest • Information Technology Areas Covered in Other Programs • P-Card and Petty Cash • Sponsored Research Topics • Department Sales Accounts • Human Resources Issues
Internal Controls 101 Primary Objectives of Internal Controls • Accurate Financial Information • Compliance with Policies and Procedures • Safeguarding Assets • Efficient Use of Resources • Accomplishment of Objectives and Goals -Institute of Internal Auditors
Internal Controls 101 Why are Internal Controls Important? Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • Effectiveness and Efficiency of Operations • Reliability of Financial Reporting • Compliance with Laws and Regulations Source: Internal Control – Integrated Framework Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission (COSO) http://www.coso.org/publications/executive_summary_integrated_framework.htm
Internal Controls 101 Why are Internal Controls Important? Effectiveness and Efficiency of Operations • addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources. Reliability of Financial Reporting • preparation of reliable financial statements and publicly reported financial data. Compliance with Laws and Regulations • compliance with those laws and regulations to which the entity is subject. -COSO Integrated Framework Executive Summary
Internal Controls Internal Controls It’s Good for Your Fiscal Health • Effectiveness and Efficiency of Operations • Reliability of Financial Reporting • Compliance with Laws and Regulations It’s Good for Your Physical Health • Balanced Diet • Exercise • Good balance of leisure and work-mental health (Tegen and Stinson, SACUBO April 2006)
Internal Controls 101 Internal control consists of five interrelated components: • Control Environment • Risk Assessment • Control Activities • Information and Communication • Monitoring -COSO Integrated Framework Executive Summary
Internal Controls 101 The Five Interrelated Components Control Environment The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors. -COSO Integrated Framework Executive Summary
Internal Controls 101 Creating the Control Environment • Create environment that fosters internal controls • Expect Ethical Behavior • Hire qualified staff • Get to know your staff • Clear assignment of responsibility/Job Description • Supervision • Clear Communication
Internal Controls 101 The Five Interrelated Components Risk Assessment Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change. -COSO Integrated Framework Executive Summary
Internal Controls 101 Types of Risk • Financial • Research • Student • Academic • Athletic • Human Resources • Faculty • Crime and Safety • Information Technology • Enrollment • Facilities
Internal Controls 101 Examples of Financial Risk: • Accounting processes • Auditing Matters • Compliance with Regulatory Issues • Falsification of reports/records • Fraud • Improper receipt of gifts • Improper vendor activity • Theft • Waste and Abuse • Misuse of Resources
Internal Controls 101 The Five Interrelated Components Control Activities Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. -COSO Integrated Framework Executive Summary
Internal Controls 101 Key Components – Control Activities • Policies and Procedures Administrative Policies and Procedures (http://www.busfin.uga.edu/manual/) • Staff Training • Organization Charts/Job Descriptions • Performance Measures • Segregation of Duties Preventing one individual from having virtually complete control over a financial process.
Internal Controls 101 Key Components-Control Activities • Adequate Transaction Documentation A record of (paper or electronic) for Revenue • Receipt • Transfer • Deposit for Expense • Purpose • Authorization for Other • Delegation of Signature Authority • Monthly Account Status Report Reconciliation • Annual Property Inventory • Properly Designed Documentation • Unique numbering • Independent Verification
Internal Controls 101 The Five Interrelated Components Information and Communication Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders. -COSO Integrated Framework Executive Summary
Internal Controls 101 The Five Interrelated Components Monitoring A process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board. -COSO Integrated Framework Executive Summary
Internal Controls 101 Why Monitoring is Important: • Inherent Risks • Complexity • Decentralization – many hands, need accountability • Repeat Problems • Unresponsive to prior weaknesses • Exposures • Changes in Regulatory Environment • Personnel Changes • System and Process Changes • Rapid Growth • New Programs, services and staff
Internal Controls 101 Types of Controls Preventive Controls • Forestall errors and thereby avoid the cost of correction • Discourage fraud Detective Controls • Measure the effectiveness of preventive controls • Uncover errors and misappropriations • Provide the means to establish accountability
Internal Controls 101 Are Internal Controls Foolproof ? • Controls will not always prevent fraud or misappropriation. • Making controls infallible is cost prohibitive and unnecessarily cumbersome. • Controls do not eliminate the “human factor”. To a significant extent, systems of internal control rely on people and their actions.
Internal Controls 101 Real World Summary Why Internal Controls Are Important • Provides management with confidence that the entity is operating according to standards which are monitored-someone is watching. • Indicates to staff that what they are doing is important and that QUALITY is important. • Sends a signal that certain behaviors will not be tolerated.
Cash Receipts The term “cash receipts” includes: • Currency • Checks • Credit cards • Wire transfers received by mail or in person
Cash Receipts Use of Revenue Object Codes amounts received for • Payment of delivery of goods or services • Reimbursement of expenses or • Contributions Examples of third party receipts include: • General revenues for tuition and fees • Auxiliary income • Parking income • Sponsored awards and events • Revenues from sale of goods and services • Gifts and other designated funds • Reimbursements from: • affiliated institutions • conferences and seminars • alumni functions
Cash Receipts Use of Expense Credits • Refunds from vendors • Price adjustment of goods or services Use same object code of the original expense. Examples include: • Returned or rejected items • Overpayments
Cash Receipts Internal Controls Objective Ensure that all funds are timely deposited in the bank and are properly recorded in the appropriate account. Risks • Theft/fraud. • Mismanagement of funds. • Mis-statement of revenue and expenditures. • Noncompliance with University, BOR, State and Federal policies.
Cash Receipts Internal Controls Audit Check List • Persons verifying the monthly Account Status Reports do not process cash receipts. • Timely and adequate restrictive endorsement of checks • Documentation and procedures are sufficient so that loss or misappropriation of funds can be traced to the responsible individual(s).
Cash Receipts Internal Controls Documentation and Procedures Types of documentation • Pre-numbered cash receipt form • Payment log • Cash register tape using locked-in sales totals • Workshop attendance roster
Cash Receipts Internal Controls Documentation and Procedures Verification Procedures • Depositing cash receipts timely and intact. • Independently tracing cash receipt forms, logs and/or register tapes to the Bursar’ Office receipt and the Account Status Reports. • Comparing attendance rosters to revenue posted to workshop account. • Reviewing deposit documentation before gift acknowledgement letters are signed and mailed. • Accounting for unsold tickets. • Maintaining control over pre-numbered receipts. • Immediate notification to the Controller’s Office of detected shortages or inappropriate activity.
Signature Authority Transactions must be reviewed and approved by those officers under whose responsibility the project lies. Signatory authority may be delegated however, primary responsibility for funds and transactions remains with the budgetary unit head. It is therefore necessary for a policy to be in writing to ensure the delegation is authorized.
Signature Authority The written signatory authority document should be: • Initiated by the budgetary unit head. • Contain: • A description of the documents for which authority is being conveyed. Examples: • Vouchers. • Purchase requests. • Specimen signatures of persons to whom authority is conveyed. • Signed by the appropriate department head, dean/director or vice president. • Copies sent to: • Accounts Payable • Payroll Budgetary units should revise the policy when personnel or job assignments change.
Signature Authority Internal Controls Objectives • Documents are properly authorized. • Budgetary unit heads and principal investigators understand their responsibility. Risks • Noncompliance with federal regulations. • Noncompliance with University policies. • Misappropriation of funds/fraud. • Disallowance of costs. • Personal liability.
Signature Authority Internal Controls Audit Check List • The department has identified faculty and staff members authorized to sign documents in either paper or electronic form. • The list is up-to-date. • Budgetary unit heads and principal investigators understand their responsibility. • Documents are signed by the appropriate individuals at both the departmental and college/school levels • Delegated faculty / staff members sign their own name and not the dean or budgetary unit head’s name.
Procurement and Accounts Payable Procurement • The University Procurement Office has sole responsibility for the coordination of all University procurement activities. • Departments are authorized to make direct purchases with P-Cards and Petty Cash. • Streamline payment procedures • Reduce the administrative burden • All purchasing is subject to: • State of Georgia purchasing regulations • Board of Regents' policies • University of Georgia policies • The budgetary unit heads have the primary responsibility for the approval of all purchases charged against the accounts under their administration. • Budgetary units should maintain a file of their own purchasing documents.
Procurement and Accounts Payable Procurement • Purchase requests may be generated electronically or manually. • Purchase requests should be limited to items that can be supplied by one vendor. • When formal quotations are needed: • Complete as much of the Purchase Request Form as possible. • Forward the departmental copy (blue) directly to the Procurement Office for use in obtaining quotations. • Place a note on the face of the purchase request providing the reason for using this procedure. • All check requests must be accompanied by an original of the invoice for payment. • The responsibility for receiving and inspecting supplies and equipment rests with: • The central receiving units. • Budgetary units requesting the supplies and equipment.
Procurement and Accounts Payable Accounts Payable • The Accounts Payable Department is responsible for: • examining all accounts, claims, and demands against the University, and • making payment of all the University's legally incurred obligations • No payments are to be made: • Unless there is money in the account for such payments. • Until the Accounts Payable Department has been presented with supporting documents. • Purchase Authorization • Original Invoice • Receiving Report
Procurement and Accounts Payable Accounts Payable • The department will encumber all: • Purchase orders • Physical plant work orders • Requests for authority to travel
Procurement and Accounts Payable Internal Controls Objectives • Expenses charged are reasonable and allowable. • Expenses are properly coded. • Unallowable charges are separately designated. • Purchase order processing is completed promptly and accurately. Risks • Misappropriation of funds. • Loss of sponsored funding. • Disallowance of costs. • Noncompliance with federal regulations. • Delay of future funding. • Delay of delivery of goods and services. • Delay of payments to vendors. • Jeopardized relationships with vendors. • Jeopardized credit standing of the University.
Procurement and Accounts Payable Internal Controls Audit Check List • Transactions are properly approved and the stated purpose is reasonable. • Invoices are submitted to Accounts Payable timely. • Account Status Reports are independently reviewed for accuracy of encumbrances and charges.
Payroll Payroll disbursements represent the single largest expense category to the University. All payrolls are processed electronically through a web based electronic payroll system. All new employees are required to have their payments made through direct deposit. The University processes four types of payrolls: • Monthly Payroll • Academic Payroll • Salaried Biweekly • Hourly Biweekly
Payroll Monthly Payroll • Faculty (other than those on an "A" or "L" contract code). • Administrative personnel. • Graduate assistants (other than those on a "S" contract code). • Employees exempt from coverage under the Fair Labor Standards Act (Wage and Hour Law) Academic Payroll • Faculty with a contract code of "A" or "L“. • Graduate assistants with a contract code of "S“. • Compensation is earned at the rate of one-half of the contract salary for each academic semester. • Additional payments for Maymester & summer session classes can be made.
Payroll Salaried Biweekly • Payroll employees covered under the Fair Labor Standards Act. • The hourly rate of pay is determined by dividing the annual rate by the number of available work hours in the fiscal year. • The gross amount of each check is determined by multiplying the hourly rate of pay by the number of hours reported on the time sheet. Hourly Biweekly • Employees covered under the Fair Labor Standards Act. • Temporary or part-time employees (paid from lump sum positions in the University budget). • The gross amount of each check is determined by multiplying the hourly rate of pay by the number of hours reported on the time sheet.
Payroll The basic documents used to effect payroll payments are: • Personnel Report • Payroll Voucher • Time Records
Payroll The Personnel Report is used to document: • Employment • Termination • Change in status of all personnel Approved by: • Department heads • Deans • Vice presidents (in some cases ) Personnel Reports are electronically routed to the appropriate units.
Payroll Payroll Vouchers contain: • Names of all persons paid on the preceding payroll • Social security numbers • Hourly rate of pay or gross salary Approved by: • Department heads Payroll vouchers are sent to the Payroll Department.
Payroll Time Records, are prepared for each employee who is covered and nonexempt under the Federal Fair Labor Standards Act. The document records: • Name of employee • Pay period • Hours worked Approved by: • employee, • Supervisor These signatures and dates are important in complying with Federal Regulations. The time records should be retained by the Department for 5 years after the fiscal year ends.
Payroll International Employees • All international employees are required to complete the UGA Tax Information Form for Internationals • The completed form must be submitted to the International Tax Coordinator along with: • Immigration documents • Passport • I-94 card and • Visa • The International Tax Coordinator will perform a tax analysis and will provide the appropriate payroll withholding forms to the employee for review and signature.
Payroll Internal Controls Objectives • Proper authorization and payment of salary and wages. • Responsibility for payroll processing separated between: • authorization/processing • distribution of the pay check • Proper allocation of resources and system access privileges. • Current submission of payroll documents. Risks • Noncompliance with federal/state regulations. • Civil liability/lawsuits. • Non-compliance with University policies. • Penalties/fines. • Fraud/theft. • Retroactive transactions. • Personal/employer tax liabilities. • Overpayments/unallowable costs.
Payroll Internal Controls Audit Check List • Staff members who approve or process payroll documents do not have access to payroll checks. • Payroll vouchers are properly approved by an appropriate supervisor having knowledge of the hours worked. • Payroll vouchers agree with time sheets and leave records. • Payroll vouchers are signed and approved on the last working day of the pay period. • Time cards are checked for accuracy. • Overtime if paid is allowable and approved in advance. • Time cards are not returned to employees after they are approved by supervisors. • Terminated employees are removed promptly from payroll. • New hires are processed and paid in the appropriate pay cycle. • Visa expiration dates are monitored. • I-9 documentation is complete and on file for all employees.
Payments to Non-Employees Independent Contractors • General Rule: the employer has the right to control or direct only the result of the work, and not the means and methods of accomplishing the result • Some of the other factors to determine if a worker is an independent contractor include: • Has the contractor other clients? • Is the person an employee of any State of Georgia agency or institution? • Is there a contract for services? • Does the service involve an independent profession, trade, or business?
Payments to Non-Employees Independent Contractors - Minimum standards of documentation to use of independent contractors as consultants require evidence that: • The services are needed. • Cannot be met by direct salaries provided under the contract or grant. • A selection process was used to identify the most qualified individual available. • The individual or firm qualifies as an independent contractor. • The fee is appropriate considering the qualifications and services to be provided. • The express advance approval by the sponsoring and parent Federal agency of a consultant who is also a full-time employee of the Federal government.