New York State Education Department

NEW YORK STATE

EDUCATION DEPARTMENT

2014 A Brief Tutorial on Policy and Procedure Development

General Overview to Policies and Procedures

A school’s Financial Policy and Procedure Manual documents their internal control activities

Charter agreements state that the school shall at all times maintain appropriate governance and management procedures and financial controls.

Introduction to Internal ControlsInternal controls are all of the

policies and procedures management uses to

achieve the following:

Protect assets Ensure records are accurate and reliable Promote operational efficiency and effectiveness Compliance with policies, rules, and laws Accomplishment of goals and objectives

Examples of Internal ControlsPersonal Internal Controls Lock your home and your

vehicle. Keep ATM/debit card pin

number separate from your card

Review bills and credit card statements before paying

Do not leave blank checks or cash just lying around

Expect your children to ask permission to do certain things

Charter School Internal Controls:

Buildings and offices are kept locked when unoccupied

Computer passwords are periodically changed and not written down by the computer

Check management reports and purchase card charges against source documents

Lock cash drawers and secure storage for checks

Require authorizations for certain activities

Responsibilities: Board, Management and Staff

1. Board of Trustees are responsible for the general governance and administration of the Charter School. They are charged with issuing policies that govern the charter school which are the basis of the internal control system.

Board of Trustees should review and update the polices on a regular basis to ensure that the policy is adequate, not outdated and that staff is adhering to the policy. They should obtain continual input from managing staff on the efficiency of current policies as these policies and procedures are utilized by external entities to assess the systems in place within the school, external auditors, outside funding sources, bond raters, etc.

Responsibilities, cont’d

2. Management: Administrative management is responsible for maintaining an adequate system of internal control. Management is responsible for communicating the expectations and duties of staff as part of a control environment. They are also responsible for assuring that the other major areas of an internal control framework are addressed. These responsibilities should reflect the appropriate authority and accountability.

3. Staff: Staff and operating personnel are responsible for carrying out the internal control activities set forth by management.

Everyone is Responsible for Internal Controls

All staff should: Read and understand the policies

and procedures which affect their job Comply with the controls established

to protect the charter school Notice if there is a control weakness

and bring it to the attention of the supervisor or manager

Introduction to Policies and Procedures

There is an art and skill to writing policies and procedures:

Policies: Express rules, expectations and requirements Explain what to do Are realistic and attainable Have an active voice (subject-verb-object)

Procedures: List steps to follow Tell “how” to perform a job Have an active voice and are imperative

Policy and Procedure Example

Policy:

We provide one week of vacation after one year of

employment and two week’s vacation after five years of

employment.

Procedure:

1. Complete form VR-12. Submit form VR-1 to your supervisor one

month prior to the desired time off

Policy and Procedure Writing Skill

Say what you mean and mean what you say Be aware of all possible interpretations

Use specific language

Consider the Reader/Users Don’t assume anything Look at the experience of the user

Why don’t Internal Controls always work?

Inadequate knowledge of charter school policies or governing regulations. “I didn’t know that!”

Inadequate segregation of duties. “We trust ‘A’ who does all of those things.”

Inappropriate access to assets. Passwords shared, offices left unlocked, cash not secured . . .

Form over substance “You mean I’m supposed to do something besides initial it.”

Control override. “I know that’s the policy, but we do it this way.” “Just get it done, I don’t care how.”

Inherent limitations. People are people and mistakes happen. You can’t foresee or eliminate all risk.

Internal controls are usuallyPreventive or Detective

Preventive – To stop an

unwanted outcome before it

happens.

Detective – To find the problem before it grows.

Examples of Detective Controls

Cash counts and bank reconciliations Reviewing payroll reports Comparing transactions on monthly

management reports to source documents Monitoring expenditures against

budgeted amounts

Examples of Preventive Controls

To read and understand applicable Charter School Policy and Procedures to learn a process

To review the approval process for purchase orders or requisitions, to make sure they’re appropriate before the purchase

The use of computer passwords to stop unauthorized access

Internal Control Framework The framework of a good internal control system includes:

Control environment: A sound control environment is created by management through communication, attitude and example. This includes a focus on integrity, a commitment to investigating discrepancies, diligence in designing systems and assigning responsibilities.

Risk Assessment: This involves identifying the areas in which the greatest threat or risk of inaccuracies or loss exist. To be most efficient, the greatest risks should receive the greatest amount of effort and level of control. For example, dollar amount or the nature of the transaction (for instance, those that involve cash) might be an indication of the related risk.

Monitoring and Reviewing: The system of internal control should be periodically reviewed by management. By performing a periodic assessment, management assures that internal control activities have not become obsolete or lost due to turnover or other factors. They should also be enhanced to remain sufficient for the current state of risks.

Information and communication: The availability of information and a clear and evident plan for communicating responsibilities and expectations is paramount to a good internal control system.

Control activities: These are the activities that occur within an internal control system.

Control Activities Internal control activities are the policies and procedures as well as the

daily activities that occur within an internal control system. A good internal control system should include the control activities listed below. These activities generally fit into two types of activities. Preventive: Preventive control activities aim to deter the instance of errors

or fraud. Preventive activities include thorough documentation and authorization practices. Preventive control activities prevent undesirable "activities" from happening, thus require well thought out processes and risk identification.

Detective: Detective control activities identify undesirable "occurrences" after the fact. The most obvious detective control activity is reconciliation.

Some control activities include:

Authorization (Preventive) Documentation (Preventive) Reconciliation (Detective) Security Separation of Duties

Internal Control Best PracticesWith a good internal control system in place, other

considerations to keep in mind include: Regularly communicate updates and reminders of policies and

procedures to staff through emails, staff meetings and other communication methods.

Periodically assess risks and the level of internal control required to protect Charter School assets and records related to those risks. Document the process for review, including when it will take place. (Example: Determine that all security activities, reconciliation processes and separation of duties will be reviewed annually. They will, however, be staggered. Security activities will be reviewed in July, reconciliation in September and separation of duties in March.)

Management is responsible for making sure that all staff are familiar with Charter School policies and changes in those policies.

Example of Internal Control Finding Charter School Finding in Annual Financial Audit: Although

the School previously adopted and implemented a formal financial policies and procedures manual (the “manual”), we concluded that there is a number of procedures that should be updated in the manual in order to achieve a sufficient internal control structure. This will help improve the School’s ability to process, record, summarize, and report financial information.

Independent Auditor Recommendation: Many daily procedures inevitably become known only to the individuals who perform them and the departure of any of these individuals could have a significant negative impact on the School’s operations. We recommend that consideration be given to updating the manual where finance and accounting policies and procedures are clearly defined.

Example of Procurement Finding

Procurement Procedures: During our walkthrough of procedures, we noted the following areas where controls were not always followed as documented in the Financial Policies and Procedures Manual (“FPPM”):

We noted in one disbursement packet there were no packing slips or other support present which indicated the goods were received. It is important the disbursement packets hold all the information as required by the Fiscal Policies and Procedures Manual.

The FPPM requires competitive bidding procedures for purchases exceeding $10,000 in the aggregate. Certain exceptions from these procedures are allowed as documented in the FPPM. We noted one disbursement over $10,000 did not have competitive bids or written evidence as to why no bids were obtained. We recommend the Charter School retain documentation of the quotes received when competitive bidding is required. In situations where competitive bidding is not required, this fact, along with the appropriate reason for exception should be documented on the purchase order or purchase request form.

Recommendation We recommend disbursement packets contain all documentation as outlined in the Financial Policies and Procedures Manual. Purchase Requisitions and should be completed and approved prior to the procurement of goods when possible. If goods are required to be purchased on short notice, the Charter School should make every effort to ensure the reasons for obtaining approval afterwards are adequately documented. All disbursement packets should contain proof of goods ordered and received, including invoices or other documentation from vendors to support the purchase, which are marked with the appropriate general ledger account, manually signed as approved and paid. Further, the Charter School should retain documentation of the quotes received when competitive bidding is required. In situations where competitive bidding is not required, this fact, along with the appropriate reason for exception should be documented on the purchase order or purchase request form.

Example- Financial Statement FindingFinding Statement of condition Material auditor adjustments were necessary to correctly state

the Charter School’s financial statements for the period ended June 30, 2013.

Criteria and effect of conditions During our audit, we noted various accounts, including

accounts payable and accrued expenses, accrued payroll and benefits, deferred lease liability, per pupil operating revenue, government grant revenue, and payroll related expenses were misstated as a result of these accounts not being properly reconciled and adjusted to the correct balance during the year and prior to the commencement of the audit. Furthermore, certain revenues and expenses relating to cost-reimbursement grants were not reconciled appropriately in the accounting system. Those errors resulted in material auditor adjustments.

Fiscal Oversight Resources

NYSED: Fiscal Oversight GuidebookThis guide provides a fiscal resource for charter schools authorized by the Board of Regents and the New York State Education Department as well as for prospective charter school applicants. This guidebook will be updated in Spring 2015 for federal grant management changes enacted under 'Omni.' Located at: http://www.p12.nysed.gov/psc/documents/NYSEDFiscalOversightGuidebook_FINAL.pdf

SUNY Financial Oversight HandbookSUNY Financial Oversight Handbook is in the process of being updated to a 2014 version and will be available soon. Please contact the SUNY Charter Schools Institute with any particular questions.

Example: Fiscal Oversight Guidebook Internal Control #26 (pg. 58)

26. The charter school’s accounting system is integrated with key business functions including accounts payable, budgeting, general ledger, inventory/depreciation, requisitions and purchase orders, accounts receivable, and payroll.

Develop Policy Develop Procedure Implement Policy and Procedure

Authorization Control

Definition: Authorization is the basis by which the authority to complete the various stages of a transaction is delegated. These stages include the processes of Purchase Order (approval to purchase), Recording (initiate, submit, process), Approving (pre-approval, post entry review), and Reconciling.

Purpose: All transactions and activities should be carried out and approved by employees acting within their range of knowledge and proper span of control. Proper authorization practices serve as a proactive approach for preventing invalid transactions from occurring.

Authorization Control 1

KEY CONCEPT

Level of authority should be documented:Documented authority creates an expectation of responsibility and accountability. Authority to perform a particular action may come in hard copy documents or system generated authority.

BEST PRACTICE

Policies and procedures within an organization should clearly identify which individuals have authority to initiate, submit, reconcile, view or approve different types of transactions.


KEY CONCEPT

Know what you are authorizing:Individuals should have first hand knowledge of the transactions being approved, or they should review supporting documentation to verify the validity and appropriateness of transactions. An employee being uninformed of their responsibilities related to departmental procedures is not acceptable in a good internal control system.

BEST PRACTICE

Employees should be properly trained and informed of departmental procedures related to internal controls.


KEY CONCEPT

Authorization should be timely:Workflow is an important aspect of good internal controls. Time lags between approval and processing provide opportunities for altered documents and potential fraud.

BEST PRACTICE

Many falsifications occur after the approval of a transaction. The workflow process should stress timely authorizations as well as timely processing of transactions following approval. Once a document has been approved it should not be returned to the preparer.

Documentation Control

Definition: In the context of internal controls, paper or electronic communication which supports the completion of the lifecycle of a transaction meets the criteria for documentation. Anything that provides evidence for a transaction, who has performed each action pertaining to a transaction, and the authority to perform such activities are all considered within the realm of documentation for these purposes.

Purpose: Documents provide a financial record of each event or activity, and

therefore ensure the accuracy and completeness of transactions. This includes expenses, revenues, inventories, personnel and other types of transactions. Proper documentation provides evidence of what has transpired as well as provides information for researching discrepancies.

Supporting documentation may come in paper or electronic form. In recent years, more often, official supporting documentation has moved from paper based to electronic forms. Keep in mind that in some instances electronic processing and approvals are the source documents for transactions.

Documentation Control 1

KEY CONCEPT

Format of source documents: Well designed documents help ensure the proper recording of transactions. Consistent use of standard forms or templates should be considered whenever possible.

BEST PRACTICE

The advance of online applications provides a fast and efficient method for accessing supporting documentation in a standard format. In other areas, wherever possible, the use of templates provides the same benefits. Consider creating templates for activities such as: Email approvals Departmentally created

supporting documentation Time reporting Reimbursement logs (such as

mileage logs, petty cash, others)


KEY CONCEPT

Charter School ownership of documents:

Documents used to support charter school business transactions are charter school property, not the personal property of employees.

BEST PRACTICE

Whenever possible, do not allow employees to take charter school owned records home. If business needs require charter school records to be taken home, communicate to employees their responsibility to keep documents secure, particularly those containing personal information. This is particularly important to communicate to employees that have telecommuting agreements.


KEY CONCEPT

Documenting changes: Changes made subsequent to approval of documents should be clear and concise.

BEST PRACTICE

Use attachments or footnotes to document the reasons for corrections/adjustments to any records. Make the time/date and the approval of such corrections/adjustments clear and evident.


KEY CONCEPT

Avoid duplicate processing: Establish a method to avoid duplicate processing, especially in regards to transactions that result in payments to individuals such as payroll, petty cash and travel reimbursements.

BEST PRACTICE

Build a check for duplicate payments into the processing and approval of payroll, petty cash and travel reimbursements.

Create an environment in which payroll, petty cash reimbursements and travel reimbursements are processed in a timely manner. Long delays in processing create opportunities for duplicate payments that go undiscovered.

Look closely at all late entries to watch for double submission of payments. (Example: late timecards, extremely late petty cash requests, travel expenses requested at a later time separate from the rest of the trip).


KEY CONCEPT

Retention: Retention policies exist for all types of supporting documentation. Always keep documents for the appropriate retention period and no longer.

BEST PRACTICE

Establish a process for purging documents that have reached the end of their retention period. Document who, when and how each record type should be purged.

Be aware of record retention responsibilities.

Reconciliation Control

Definition: Reconciliation is the process of comparing

transactions and activity to supporting documentation. Further, reconciliation involves resolving any discrepancies that may have been discovered.

Purpose: The process of reconciliation ensures the accuracy

and validity of financial information. Also, a proper reconciliation process ensures that unauthorized changes have not occurred to transactions during processing.

Reconciliation Control 1

KEY CONCEPT

Accuracy of activity: A good internal control system provides a mechanism to verify that transactions and activity are for the correct purpose and amount, and allowable.

BEST PRACTICE

For each type of activity consider documenting the particular information from source documents that is to be compared to the appropriate report. This assists to ensure that transactions are valid and are correct in purpose. (example: determine that for travel reimbursement source documents, the traveler name, destination, purpose of the trip, etc. will be matched to the monthly financial report)

Ensure that transactions have been properly authorized. Especially, if the source documents are paper based, review for potential changes to the document between approval and processing of transactions.

Ensure that all transactions are allowable.


KEY CONCEPT

Error correction: Errors and discrepancies, intentional or unintentional, should be detected, investigated and resolved in a timely fashion.

BEST PRACTICE

Verify the recording of transactions in a timely manner. Review source documents to assure they are processed and posted in a timely manner by the processing department. If not, follow up with the appropriate office

Document a plan for the research and correction of errors or discrepancies of each type of transaction or activity. Communicate these processes and procedures with the appropriate staff.

Establish expectations for timeliness of error correction.


KEY CONCEPT

Matching to the source: The oversight of any transaction is strengthened by the process of matching source documentation of the transaction to the appropriate reporting documentation or reporting tool.

BEST PRACTICE

What is budget reconciliation, and why do we need to do it?

Budget reconciliation is the process of reviewing transactions and supporting documentation, and resolving any discrepancies that are discovered.

How often should we reconcile? When possible reconciliation

should be completed monthly, within 45 days of month-end close, but no less frequently than quarterly. For sponsored agreements a final reconciliation should be completed within 45 days of the budget end date. Keep in mind that special situations such as biennium close may take longer to finish than “regular” months.


KEY CONCEPT

Documenting the process and completion:

Reconciliation processes are most effective when consistent and thorough. Employees involved in the reconciliation process should be knowledgeable and clear on responsibilities and expectations

It should be clear to an external reviewer when a reconciliation has been completed

BEST PRACTICE

Reconciliation should be documented clearly to verify that a review has been done

The reconciliation process and procedures should be documented clearly and communicated. Consider documenting: The steps in the process Who performs each step Expectations regarding

timeliness A mechanism for providing

proof that all activity has been reviewed and reconciled

A procedure for error correction

Security Control

Definition: The security of charter school assets and records includes three types of

safeguards; Administrative, Physical and Technical:

Administrative security: This focuses on the Charter School processes put in place to protect assets and records. This includes the above mentioned processes of authorization and reconciliation.

Physical security: This is the protection of physical records and assets from loss by theft or damage.

Technical security: This is the protection of electronic records from loss by theft, damage, or loss in transport.

Purpose:Assets and records should be kept secure at all times to prevent

unauthorized access, loss or damage. The security of assets and records is essential for

ongoing operations, accuracy of information, privacy of personal information

included in some records and in many cases is a state or federal law.

Security Control 1

KEY CONCEPT

Designate a

point person

BEST PRACTICE

Designating a point person for all areas or individually for the 3 types of security provides an established responsibility and accountability for proper security procedures.

Security Control 2

KEY CONCEPT

Administrative

Organization

BEST PRACTICE

Keep an up-to-date organizational chart that defines the reporting relationships as well as responsibilities, including back-up responsibilities, regarding internal controls within the unit.

Document such processes as opening and distributing mail, administration of keys, access to documents and other administrative controls.

Security Control 3

KEY CONCEPT

Access to electronic records: Limit access to

records and assets to those who have been authorized and have a business need for them.

BEST PRACTICE

Establish and communicate unit standards for screensavers and password protected screens.

Setup password protected access to electronic records.

Security Control 4

KEY CONCEPT

Physical access to records: Limit access to


BEST PRACTICE

Do not allow electronic records to be downloaded to mobile workstations and transported outside of the office.

Keep important records in lockable, fireproof storage

Security Control 5

KEY CONCEPT

Employee Turnover: Limit access to


BEST PRACTICE

Develop a checklist for removing access to records upon separation of an employee or upon transfer out of the unit. Develop a process and assign a point person the responsibility of administering the process for deleting access to records.

Security Control 6

KEY CONCEPT

Passwords:

BEST PRACTICE

Have a prescribed standard for departmental passwords. Make them complex and enforce a policy for changing passwords periodically.

Separation of Duties ControlDefinition: Separation of duties is the means

by which no one person has sole control over the lifespan of a transaction. Ideally, no one person should be able to initiate, record, authorize and reconcile a transaction.

Purpose: All organizations should separate functional responsibilities. The separation of duties assures that mistakes, intentional or unintentional, cannot be made without being discovered by another person.

Separation of Duties Control 1KEY CONCEPT

Unit differences: Separation of

duties may vary depending on each unit's size and structure.

BEST PRACTICE

Duties may be separated by department or by individuals within a department. The level of risk associated with a transaction should come into play when determining the best method for separating duties.


Demonstration: Separation of

duties should be able to be demonstrated to an outside party.

BEST PRACTICE

Documentation of processes and authorization is helpful in demonstrating a system of control that includes separation of duties.


Document the responsibilities: Separation of

duties should be clearly defined, assigned and documented.

BEST PRACTICE

Document and clearly communicate who will initiate, submit, process, authorize, review and/or reconcile each activity within the unit.


Review and oversight:

Management should increase the review and oversight function when it is difficult to sufficiently separate duties.

BEST PRACTICE

Assess the potential for mistakes or fraudulent transactions. If the separation of duties is not sufficient to eliminate or adequately reduce the risk of discovering errors, the level of review of management should be increased over the particular activity.

References

University of Washington: http://f2.washington.edu/fm/fa/internal-controls/authorization

new yorkDecember 2013

Questions?

Specific questions on developing policies and procedures should be discussed with

your charter authorizer.