County Auditors’ Association of Ohio
INTERNAL ACCOUNTING CONTROLS MANUAL
for Ohio Counties
Published October 2008
County Auditors’ Association of Ohio
Columbus, Ohio
TABLE OF CONTENTS
INTRODUCTION .......... iv
OVERVIEW .......... 1
INTERNAL ACCOUNTING CONTROL .......... 1
    What is internal accounting control?
    What are the elements of internal accounting control?
    Who is responsible for internal accounting control?
ASSESSING RISK IN YOUR AGENCY .......... 2
    What is the agency’s risk overall?
    How is risk assessed at the activity or process level?
TYPES OF INTERNAL ACCOUNTING CONTROLS .......... 2
EXAMPLES OF INTERNAL ACCOUNTING CONTROLS .......... 3
    Written policies and procedures
    Accountability
    Segregation of duties
    Execution of transactions
    Recording of transactions and events
    Control over assets and records
    Reconciliations, verifications and analytical reviews
ONGOING MONITORING AND EVALUATION OF CONTROLS .......... 4
CONSIDERATION OF FRAUD .......... 5
HOW TO USE THIS MANUAL .......... 7
THE AGENCY AS A WHOLE .......... 9
TRANSACTION CYCLE: REVENUES AND RECEIPTS .......... 11
TRANSACTION CYCLE: PAYROLL .......... 23
TRANSACTION CYCLE: PURCHASES AND PAYMENTS .......... 31
GLOSSARY .......... 45
BIBLIOGRAPHY .......... 46
INTRODUCTION
We who work in county government are stewards of public monies. Our constituents, our bondholders
and other levels of government rely on us to execute our responsibilities in a cost-effective and efficient
manner consistent with laws and regulations, and to safeguard the assets entrusted to us. Establishing a
strong framework of internal controls is a key element in ensuring accountability to them, and maintaining
their confidence.
The management in each county agency is responsible for designing, implementing, maintaining and
enforcing an adequate and effective system of internal controls over the agency’s financial transactions.
The emphasis on internal controls and the focus on management’s responsibility for those controls are
increasing. Consider the following:
• In 2002, the Public Company Accounting Reform and Investor Protection Act of 2002
  (commonly referred to as the Sarbanes-Oxley Act) was signed into law in response to the
  fraudulent practices of companies such as Enron, WorldCom and Arthur Andersen. One
  directive within the act requires external auditors to review the internal control structure of
  the organization, and to assess its effectiveness.
• The American Institute of Certified Public Accountants issued Statement on Auditing
  Standards No. 112, which sets forth requirements for external auditors to communicate
  certain internal control deficiencies identified in an audit.
• Effective 2006, the U.S. Federal Office of Management and Budget issued Circular A-123
  – Management’s Responsibility for Internal Control, requiring government management
  to sign off on its internal control structure via an assurance statement.
• As part of the county’s audit, elected officials and agency directors often sign a letter,
  acknowledging their responsibility for establishing and maintaining effective internal
  controls over financial transactions and for programs and controls to prevent and detect
  fraud.
This manual is intended to serve as a resource to county elected officials, agency directors and managers
in understanding what internal controls are, how to assess risks within their agencies, how to design
policies and procedures to mitigate those risks, and how to evaluate the effectiveness of the controls
once they have been implemented.
OVERVIEW
Every agency faces various risks from internal and external forces. An effective internal control structure
helps mitigate those risks. By using this manual, county elected officials, agency directors and managers
will be better able to identify what can go wrong (risk assessment) and what can be done to prevent it
(internal controls), and to assess whether the measures taken are operating effectively.
INTERNAL ACCOUNTING CONTROL
What is internal accounting control?
Internal accounting control is the system used by an agency to provide reasonable assurance that (1)
resources are protected from waste, loss, theft or misuse, (2) resources are acquired economically and
used cost-effectively, (3) resources are used in accordance with laws, regulations and internal policies
and procedures, and (4) financial information is reliable, verifiable and timely.
The objective is to find an optimal level of control for an acceptable level of risk – hence, the concept of
“reasonable assurance”. Attaining an absolute level of assurance is not possible because it is
cost-prohibitive and is subject to human elements. Management can bypass or override internal controls.
Employees may collude with each other. Human error may occur.
What are the elements of internal accounting control?
Internal accounting control has three basic elements. Each element has certain characteristics:
1. Control environment
• Management sets the tone, emphasizing the importance of internal controls.
• Specific responsibilities are clearly assigned to individual employees at all levels.
• Employees understand the importance of adhering to internal controls, and are held
accountable.
• Operations are monitored and variances between actual performance and anticipated
results are investigated.
2. Accounting system
• The information for all financial transactions and events is collected.
• The data is properly classified according to the chart of accounts.
• The data is recorded in the appropriate book of record (for instance, the payroll, accounts
payable and accounts receivable subsidiary ledgers) and in the proper time period.
• The assets and liabilities recorded actually exist, the reported transactions really
occurred, and they relate to the rights and obligations of the agency.
3. Control policies and procedures
• Accounting records and documentation are properly designed and maintained.
• Incompatible duties are segregated.
• All transactions are properly authorized.
• Access to both records and assets is controlled.
• Accounting data are periodically compared with the underlying items they represent.
Who is responsible for internal accounting control?
Elected officials and agency directors are ultimately responsible for the establishment of an internal
control system. Employees must understand what is acceptable and what to do if they encounter
improper behavior. To operate effectively, internal controls must be achieved by people at every level
within the agency. For example, top management ensures that policies and procedures are documented
and updated. Employees throughout the agency are expected to follow those policies and procedures.
Management then monitors operations and assesses whether the policies and procedures need
modification.
ASSESSING RISK IN YOUR AGENCY
The objective of a risk assessment is to attain a reasonable level of assurance that the agency’s financial
and compliance goals will be achieved. Risk should be assessed for the agency as a whole, and at the
activity or process level.
What is the agency’s risk overall?
Consider whether various external and internal risk factors have affected your agency in the past twelve
months. Examples of risk factors include:
• Changes in laws and regulations
• Significant decentralization of activities
• New requirements, new procedures, new technology
• Increased volume of transactions; severity of time constraints
• Turnover at the top level of management
• Staff inexperience; vacant positions
• Lack of supervision or oversight; decentralized activities
• Holding significant amounts of cash or other assets
For each identified risk, estimate the potential impact (high, medium, or low) of such an event. Consider
both quantitative and qualitative costs. Quantitative costs include the cost of property, equipment or
inventory; cash dollar loss; damage and repair costs; cost of defending a lawsuit. Qualitative costs may
include violation of laws, loss of public trust, increased legislation. Then, rank the risks to identify those
that should be addressed first. See the risk assessment tools for the agency on pages 9 and 10.
How is risk assessed at the activity or process level?
First, identify the activities or processes within your agency. In this manual, we concentrate on three
major transaction cycles: receipts, payments and payroll. Next, identify the objectives of the transaction
cycle. Then, determine the risk that the objectives will not be achieved. Three types of risk assessment
tools are provided in this manual: a risk assessment questionnaire, a segregation of duties chart, and a
general internal controls questionnaire. Risk can be mitigated by implementing internal accounting
controls.
TYPES OF INTERNAL ACCOUNTING CONTROLS
Controls exist at different levels in the agency. Levels and their related effectiveness vary depending on
the transaction cycle or balance being reviewed. There are four types of controls:
• Control Environment encompasses the workplace. It includes things like the tone of the
  organization, the level of training provided and the structure of the agency.
• Monitoring Controls generally involve supervisory staff and are more of a review of
  transactions or balances which have been reported. They are typically performed on a
  periodic basis. Examples include management’s review (not performance) of
  reconciliations or review of revenue ledgers.
• Application Controls exist for each and every transaction of a given type. Examples
  include performing daily balancing of the cash register or cash drawer, ensuring each
  transaction is included and issuing all customers a receipt.
• Computer Controls cover computer or programmable operations. Generally, these deal
  with access through passwords and authorizations to perform certain functions with
  computers or cash registers.
Controls can be designed to address the agency’s objectives at various levels. However, limitations may
exist that will prevent the agency from achieving an optimum control structure. In these cases, identify
where those control weaknesses exist by performing a risk assessment and then develop compensating
controls. This may not eliminate the risk, but can help minimize it to an acceptable level. For example,
suppose there is not sufficient staff to segregate duties so that one individual rings sales into a cash
register and a separate individual prepares the deposit or pay-in. This would be a weakness in the control
environment that would probably prevent having adequate application controls. In that case, a monitoring
control could be designed (such as requiring a supervisor to review and initial the reconciliation and
pay-in or deposit) so as to minimize the underlying risks of theft and errors.
EXAMPLES OF INTERNAL ACCOUNTING CONTROLS
Written policies and procedures
Written policies and procedures serve as a reference for staff members and provide the basis for
knowledge, compliance and accountability. Policies explain the rule (e.g., an employee handbook).
Procedures describe the sequential steps involved in accomplishing the task (e.g., the procedure for
paying an invoice). Assign each procedural step to one or more individuals so as to promote
accountability. The inclusion of references to the Ohio Revised Code, the Internal Revenue Code or other
regulations provides background information. Flowcharts or diagrams may be helpful to visualize the
process. Examples of forms and reports can be attached.
Accountability
Personal accountability is established through written job descriptions. Managers, supervisors and staff
members should understand their responsibilities and be held accountable for their performance.
Authority for decision making should be clear at all levels. Work assigned to staff members should be
subject to supervisory review and approval. Supervisors should provide necessary training and
oversight to their staff members so as to minimize errors, waste and inefficiency, and wrongful acts, and
to ensure compliance with management’s policies and directives.
Segregation of duties
Roles and responsibilities should be divided among employees so that no single person will have the
ability to both initiate and approve financial transactions. Adequate segregation of duties reduces the
likelihood that errors (intentional or unintentional) will remain undetected. These three types of functions
are mutually incompatible: authorization, custody and recording. Ideally, no single person should be
able to 1) authorize a transaction, 2) maintain custody of the assets (e.g., cash, checks, inventory)
resulting from the transaction and 3) record the transaction in the accounting records. For example, if a
single person takes in receipts at the cash register (authorize), balances the cash drawer (maintains
custody), and prepares and keys the pay-in into the accounting system (record), that person has been put
in a position where it would be easy to steal receipts and conceal the theft.
In a small agency, segregation of duties may be impractical. Instead, management may require
employees to take vacation (e.g., two consecutive weeks) or periodically rotate duties among employees.
Another method is to analyze the data for reasonableness (e.g., are the quantities of supplies purchased
larger than the agency’s needs?).
Execution of transactions
Transactions should be initiated (e.g., purchase requisition, payment request) and executed (e.g.,
issuance of purchase order or payroll warrant) only in accordance with management’s directives.
Advance approval should be required. Management loses its ability to control transactions and prevent
problems when asked to approve something that has already happened. Written authorization provides
an audit trail. However, “rubber stamping” documents circumvents this control. Approvers should review
supporting documentation, and ask appropriate questions before signing.
Transactions should be supported by original documentation (not copies). Obtain explanations for any
alterations to the original. Use sequentially numbered documents (e.g., customer receipts) to ensure all
items are presented and recorded. Spoiled or voided documents should never be destroyed. Account for
these documents and maintain them on file. Investigate gaps in sequences.
Recording of transactions and events
Transactions should be accurately recorded in a timely manner and properly classified in the
accounting records. When an error occurs, do not delete the underlying transaction. Instead, establish a
clear audit trail for reversing or correcting the error, including a documented reason for the correction.
Use management overrides sparingly.
Control over assets and records
Security must be maintained over the agency’s cash, inventories and equipment to minimize the risk of
loss or misuse. Security over the accounting records is also important. An individual should only have
authorized access to assets as needed for their specific job responsibilities. Maintain proper control over
personal and confidential information when filling public records requests. Physical safeguards against
fire, damage and theft should be in place. Keep significant inventory in locked storerooms. Conduct
periodic physical counts and investigate discrepancies. Deposit cash and checks promptly. Put vendor
payments directly in the mail. Passwords for computer access should be meaningful, kept secret and
changed regularly. Back up computer records on a daily basis. A business continuation plan should be in
place. Maintain records in accordance with the agency's record retention schedule as approved by the
County's Records Commission.
Reconciliations, verifications and analytical reviews
Periodically, reconciliations, verifications and analytical procedures should be performed.
Reconciliations involve the comparison of two sets of accounting records. For instance, the cash
balances carried in the accounting records should be reconciled to bank statements. Amounts reported in
the general ledger should be reconciled to the subsidiary ledgers. Verifications involve the comparison
of accounting records to independent sources. An example is tracing investment activity to the underlying
trade tickets. Similarly, grants receivable balances can be confirmed with the grantor agency. Analytical
reviews involve comparison of actual data and performance with budgeted amounts, prior year
performance, or statutory mandates. Reasonableness should be evaluated – is it within expectations?
Investigate variances, differences and unexpected results. The underlying situation should either be
resolved or a satisfactory explanation should be obtained.
ONGOING MONITORING AND EVALUATION OF CONTROLS
After internal accounting controls have been put into place, it is important to monitor them and to evaluate
their effectiveness. For instance, over time, written procedures may become outdated and need to be
revised. New hires may not be familiar with the procedures. New legislation may require procedures to be
changed.
Through ongoing monitoring and evaluation, management can identify potential problems, and take
action to avert a break-down or failure. Although the external auditor tests internal controls as part of the
audit of the financial statements, this is not their focus and should not be relied upon as a substitute for
management’s ongoing review and evaluation. Management can conduct its own evaluation by pulling a
random sample of transactions for testing. If errors or irregularities are observed, then the sample size
should be increased. Management should be willing to correct deficiencies and improve processes when
indicated.
When evaluating controls, consider these things:
1. Compensating controls
• More than one control may achieve the same goal.
• The need for and usefulness of redundant controls should be evaluated.
2. Cost/benefit analysis
• The cost of a control may outweigh the benefit.
• A more economical procedure may be needed.
3. Effectiveness
• The control may not operate as intended.
• There may be a flaw in the design.
• The control may operate inconsistently.
• Control weaknesses need to be addressed immediately, with decisive action.
CONSIDERATION OF FRAUD
Most fraud is uncovered because of an insider’s tip. When irregularities are identified, management
needs to maintain an attitude of professional skepticism and to follow up by asking for explanations and
supporting evidence. Management may decide to submit a request to the State Auditor for a special audit
to be performed.
These are some factors that can result in the occurrence of fraud:
• Motive
  o Financial crisis or family problems
  o Gambling/drinking/drugs
  o Unappreciated
  o Revenge
• Justification
  o “I’ll pay it back.”
  o “It was so easy.”
  o “Other people break the rules, too.”
  o “They don’t pay me enough.”
• Opportunity
  o Weak internal controls
  o Lack of monitoring
  o Turnover of management
HOW TO USE THIS MANUAL
Government accounting is based on in-flows of resources, and uses of those resources. This manual has
four sections. The first section addresses the agency as a whole, followed by sections for the three basic
types of accounting transaction cycles -- (1) revenues and receipts; (2) payments to employees; and (3)
payments to vendors. Tools are presented in each section that will help identify the risks and evaluate
internal accounting controls that are commonly utilized to mitigate the risks. The tools include
questionnaires, charts and testing procedures. These tools should be used as a framework, and can be
customized to address situations unique to an agency.
Objectives
The first part of each section lists common objectives. Add objectives specific to your agency.
Risk Assessment
The second part of each section is a risk assessment tool to determine the agency’s vulnerabilities. The
underlying goal is to minimize the risk that the objectives will not be met. When evaluating the potential
impact, consider quantitative costs such as cost of property, equipment or inventory; cash dollar loss;
damage and repair costs; the cost of defending a lawsuit as well as qualitative costs such as violation of
laws; loss of public trust; increased legislation.
For the “Agency as a Whole” section, questions answered “Yes” and “High” indicate the areas of highest
risk. By utilizing the tools in the transaction cycle sections, you can drill down further, evaluating whether
internal controls have been implemented to mitigate the risk and whether they are operating effectively.
For the transaction cycle sections, questions answered “No” and “High” indicate the areas of potential
internal control weaknesses that may have significant consequences for the agency.
Segregation of Duties
Roles and responsibilities should be divided among employees so that no single employee will have the
ability to both initiate and approve financial transactions. The Segregation of Duties charts help determine
the adequacy of segregation of duties.
List the names of individuals responsible for particular functions in the column indicated. Review the chart
for individuals whose names are listed in more than one column. Make a determination whether that
represents a potential lack of segregation of duties. Consider whether individuals are performing
incompatible duties within the same column. In a small organization, it may not be possible to fully
segregate duties. Consider whether adequate compensating controls are in place, such as supervisory
review of key processes.
Internal Control Questions
Questions answered “No” indicate controls that have not been implemented. Evaluate whether there are
compensating controls, and then determine whether the cost of putting additional controls in place is
worthwhile for the benefit that would be gained in mitigating the underlying risk of not meeting objectives.
Testing Procedures
Testing is part of the monitoring process to determine that procedures are being followed and that the
internal controls are operating effectively. Pull a random sample of transactions for testing. If errors or
irregularities are observed, then the sample size should be increased. Document the results of the
evaluation in a report to management. The report should describe the testing performed and the results of
the test, the impact of any deficiency noted, and a recommended action. The State Auditor uses a similar
format in its Report to Management at the conclusion of an audit.
THE AGENCY AS A WHOLE
Overall Objectives
1. Amounts reported represent valid transactions.
2. Payments are made to legitimate vendors and employees.
3. Transactions have been properly authorized.
4. Transactions are supported by detailed, original source documentation.
5. Purchases and payments have been made within approved budgetary limits.
6. Purchases and payments conform to applicable laws, regulations, contracts and grants.
7. Transactions are reported for the correct dollar amount.
8. Transactions are reported in the correct accounting period.
9. Transactions are coded and classified correctly in the accounting records.
10. Balances are reported at the correct value (including allowance for bad debts).
11. All transactions and balances are reported in the financial statements.
12. Assets and records are properly maintained and safeguarded.
Risk Assessment
See “How to Use This Manual” on page 7.
Answer each question with “Yes” or “No” and evaluate the impact as “High”,
“Medium” or “Low”. Yes/High responses merit further evaluation to ensure internal
controls have been implemented and are operating effectively.
1. Has there been turnover at the top level of management?
2. Has there been reorganization of departments or realignment of reporting
relationships within the agency?
3. Has there been turnover of staff?
4. Are there vacant positions, so that other staff members are picking up the slack or
tasks are not being performed in a timely manner?
5. Are staff members inexperienced?
6. Are staff members provided adequate supervision and oversight?
7. Does the agency have branches or satellite offices, or is staff spread across multiple
floors or locations?
8. Are activities decentralized (e.g., multiple points of cash collection)?
9. Does the agency handle significant amounts of cash?
10. Does the agency have valuable assets or significant inventory that could be stolen
or misused?
11. Have new procedures been implemented, or have procedures been revised
recently? If so, have staff members received adequate training?
12. Are there new laws or regulations, or changes to existing laws or regulations, with
which the agency must comply?
13. Have there been changes in technology, such as new software or conversion of a
manual process to an automated one?
14. Has the volume of transactions increased? Is the volume of transactions cyclical
with slow times and busy times (e.g., collection of property taxes)?
15. Are the transaction processes subject to time constraints or tight deadlines (e.g.,
debt service due dates, IRS filings)?
16. Are the transactions themselves or the underlying regulations complex (e.g.,
understanding the Internal Revenue Code for proper identification of taxable fringe
benefits)?
Response columns for each question: Y or N; Impact (H, M or L)
Internal Control Questions
See “How to Use This Manual” on page 7.
Answer each question with “Yes” or “No”. “No” responses could indicate a potential internal control
weakness. The transaction cycle (receipts, payments or payroll) associated with questions that have “No”
answers should be further evaluated using the tools found elsewhere in this manual.
1. Are policies and procedures documented, reviewed and updated on a regular basis?
2. Are all employees required to periodically acknowledge that they have read, understood, and
complied with the entity’s policies and procedures?
3. Are job descriptions written and understood by employees?
4. Are employees cross-trained in job functions?
5. Do employees have the use of an anonymous ethics and fraud hotline?
6. Do employees and management meet on a regular basis to discuss issues and problem areas?
7. Are estimates and budgets reasonable and achievable?
8. Is the chart of accounts maintained at a level of detail that facilitates management review?
9. Are periodic financial reports and financial system inquiries provided in sufficient detail to allow
management review:
o Are month to date revenues and expenditures included?
o Are year to date revenues and expenditures included?
o Are prior year revenues and expenditures included?
10. Are monthly reports and/or financial system inquiries reviewed by management to:
o Ensure all transactions are posted (e.g., pay-ins made daily)?
o Ensure transactions are posted to the correct account?
o Ensure transactions are posted timely?
o Identify unusual patterns by comparing actual revenue and expenditures with the budgeted
and/or prior year amounts?
11. Are monthly financial reports reconciled to source documents or computer reports by someone other
than the person who processes the underlying transactions?
12. Are reports and/or reconciliations reviewed by someone external to the transaction process to identify
unusual patterns? This is especially useful when employees are on vacation and can help uncover
fraud.
13. If unusual patterns or unreconciled amounts are identified, are they investigated and resolved?
14. Are changes to master file data, codes, data tables or computer programs only allowed by
management authorization?
15. Are exception reports reviewed and investigated by supervisory staff?
16. Regarding computerized processes:
o Is there a policy prohibiting the sharing of passwords?
o Are passwords changed periodically?
o Is the policy enforced?
17. Are employee passwords and access terminated when the employee is no longer employed by the
agency?
18. If the agency transacts business via the Internet, have security procedures been implemented to
authenticate electronic signatures and to verify the sender and the receiver (ORC § 304.02)?
19. Has the agency adopted a public records policy (ORC § 149.43)?
20. Has the agency adopted a record retention schedule for both paper documents and electronic data
(including e-mails)? Are records maintained in accordance with that schedule?
TRANSACTION CYCLE: REVENUES AND RECEIPTS
Common Revenues and Receipts Objectives
1. Receipts are physically safeguarded (e.g., locked cash drawer, safe).
2. Balances reported represent actual balances belonging to the agency. For example, accounts
receivable balances for water and sewer represent actual amounts due from customers. The
overstatement of receivables could be an indication that revenues have been overstated or money
has been misappropriated (paid by the customer, but not posted to the customer’s account).
3. Reported amounts represent valid transactions. For example, there are no fictitious revenue
transactions that may have been entered to meet departmental revenue goals or to qualify for
employee incentive programs for collection of delinquent accounts.
4. Transactions are reported for the correct dollar amount.
5. Recorded transactions represent transactions that belong to the agency, have been properly
authorized and made within approved budgetary limits, and in conformity with the terms of the
underlying grant (when applicable). For example, the parks department might accept donations to
benefit a non-profit conservation and environmental group not related to the county. These donations
do not belong to the county and should not be included with the park department’s revenue; a
separate agency fund should have been established for these receipts.
6. The recording and summarizing of receipts and distribution of the related revenues are accurate and
agree with established account classifications. Generally, there is little risk of intentionally
misclassifying revenue, but errors can occur especially during times of high volume collection.
7. Operation procedures and internal controls provide adequate assurance that authorized transactions
are processed completely and accurately in a timely manner.
8. Receipts and revenue data are completely and accurately accumulated in the underlying financial
records and in the proper accounting period. Not depositing money daily could be an indication that
funds are being borrowed by an employee and repaid either once the employee has the funds to
repay the money, or when subsequent receipts are sufficient to substitute for the monies that should
have been paid in.
9. Balances are reported at the correct value, including allowance for bad debts, and they are reported
in the correct accounts. The risk exists that amounts reported as receivable will never be collected.
Most frequently in government, this occurs due to the customer’s bankruptcy.
10. Public records requests for confidential information are handled appropriately (e.g., through
authorized individuals) and proper redactions are made (e.g., bank account MICR line on customer’s
personal check).
11. All transactions and balances are reported in the financial statements. This focuses on ensuring all
revenue transactions are accounted for and that monies have not been misappropriated.
12. Amounts reported in the financial statements are properly presented and adequately disclosed.
13. Organizational and divisional policies and procedures are complied with.
14. An effective receipts function and procedure has been established.
Risk Assessment
See “How to Use This Manual” on page 7.
Performing risk assessments on a regular basis can provide an understanding of possible vulnerabilities
that may have developed as a result of employee turnover, changes in processes and procedures, and/or
any changes in respective laws and regulations.
A few of the risks associated with the revenues and receipts cycle include:
• Customer receipts may have been destroyed in a scheme to conceal theft.
• Amounts listed as receivable may not be valid claims (e.g., amounts reported as grants receivable
may not have been eligible under the terms of the grant).
Answer each question with “Yes” or “No” and evaluate the impact as
“High”, “Medium” or “Low”. No/High responses could indicate a potential
internal control weakness with significant consequences.
1. Are receipts (cash/checks) adequately secured? If cash and/or checks must be
kept overnight, are they stored in a secured location? Are they accounted for
in the morning?
2. Are pay-ins made in a timely fashion?
3. Does the supervisor review daily deposits for accuracy and completeness?
4. Are items returned by the bank (e.g., insufficient funds, account closed)
reversed out of the revenue accounts in a timely fashion?
5. Are cash-handling activities (opening mail, handling cash receipts, preparing
bank deposits, posting receipts to the ledger) adequately segregated?
6. Is there a process in place to review delinquent accounts to determine
collectibility?
7. Are receipts and bad debt write-offs recorded in the correct period?
8. Are revenue certifications prepared at an appropriated level? Are estimates and
budgets reasonable and achievable? Are they reviewed monthly?
9. Are monthly financial reports reconciled to source documents, cash register
reports or computer reports by someone external to the receipting process?
Are they reviewed by management?
10. Are monthly revenue reports and/or financial system inquiries reviewed by
management to:
o Ensure all transactions are posted (e.g., pay-ins made daily)?
o Ensure transactions are posted to the correct account?
o Ensure transactions are posted timely?
11. Are periodic financial reports and financial system inquiries provided for
management review:
o Are budgeted revenues included?
o Are month to date revenues included?
o Are year to date revenues included?
o Are last year’s revenues included?
o Are accounts maintained at a level of detail that allows management to
identify unusual patterns (e.g., including rental receipts and donations as
one line item makes it difficult to analyze rental receipts)?
12. Are computer-generated exception reports reviewed by supervisory staff?
13. When management identifies unusual patterns, are explanations obtained? If
explanations are not satisfactory, is further investigation performed?
14. Are changes to cash register or computer programs only allowed with proper
authorization?
Segregation of Duties
See “How to Use This Manual” on page 7.
The following charts list duties to be considered in determining the adequacy of segregation of duties
among those responsible for various receipts and revenue transactions.
List the names of individuals responsible for particular functions in the column indicated.
Review the chart for individuals whose names are listed in more than one column. Make a determination
whether that represents a potential lack of segregation of duties. For example, those who handle cash
receipts should not have the authority to prepare or sign checks, have access to accounting records or be
involved in reconciling bank accounts. Those who perform the order entry (sales) activity, including those
who maintain contact with customers and issue sales orders, should not perform any credit approval,
shipping, billing, cash receipting, issuing credit memos, or accounting activities.
Consider whether individuals are performing incompatible duties within the same column.
Bank and Cash¹:
List the names of individuals responsible for each task.
Chart columns: Authorization; Custody of Assets; Recording; Control Procedure
Tasks:
• Opening mail and listing checks
• Handling cash receipts
• Preparation of bank deposits
• Comparison of listing of checks to bank deposits
• Maintenance of cash receipts journal
• Maintenance of customer’s master file records
• Reconciliation of bank accounts
• Authorization of bad debt write-offs
• Control of the accuracy, completeness of and access to receipts programs and data files
¹ Copyrighted by and used with the permission of AudNet.org (www.auditnet.org)
Accounts Receivable²:
This section addresses entities that bill customers. Not all duties will pertain to all situations. For example,
a county water and sewer department will not ship products. However, a county print shop may have
shipping activities.
Chart columns: Description; Authorization; Custody of Assets; Recording; Control Procedure
Descriptions:
• Issuance of sales orders
• Approval of credit
• Approval of access to credit-related files
• Authorization of shipments
• Preparation of shipping documents
• Handling inventory for shipment
• Handling inventory for resale
• Preparation of customer billings and/or monthly statements
• Verification of customer billings and/or monthly statements
• Accounting for the numerical sequence of sales invoices and/or billing statements
• Review and follow-up of customer inquiries and differences
• Handling customer payments
• Authorization of bad debt write-offs
• Reconciliation of the accounts receivable records with the general ledger control account
• Review and approval of the monthly aged accounts receivable trial balance
• Approval of access to rate/pricing data files
• Maintenance of the sales journal
• Maintenance of debtor’s records
• Control of the accuracy, completeness of and access to receipts programs and data files
² Copyrighted by and used with the permission of AudNet.org (www.auditnet.org)
General Revenues and Receipts Internal Control Questions
See “How to Use This Manual” on page 7.
1. Are cash and checks kept in a lockbox or safe to which access is restricted?
2. Is access to the receipts records, whether manual or computerized, adequately controlled?
3. Are receipt books controlled to avoid alterations?
4. Are cash/checks received at multiple locations?
5. Is some identification required when accepting credit card payments from customers (e.g., show
driver’s license to verify identity)?
6. Are the daily deposits prepared by someone other than the employee opening the mail or operating
the cash register?
7. Are pre-numbered documents used (e.g., receipts, shipping documents, invoices)? If so, are
numbering sequences accounted for?
8. Are billings double-checked for:
o Mathematical accuracy?
o Accuracy of pricing?
o Accuracy of quantities?
9. If an item is returned by the bank (e.g., NSF, account closed), is follow-up done? By whom? Is this
person independent of the accounts receivable function?
10. Is the bank account reconciled monthly by someone independent of the receipts function?
11. Are delinquent accounts handled in a way that complies with the law and local policy?
12. Are approvals required for billing adjustments and bad debt write-offs?
13. Are revenue reports and/or reconciliations reviewed by someone external to the receipting process to
identify unusual patterns? This is especially useful when employees are on vacation (e.g., if more
cash comes in when someone is on vacation, this could be an indication of fraud).
CALCULATION OF BILLINGS
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Are billings pre-numbered and accounted for?
2. Are rates based on either the Ohio Revised Code or a resolution passed by the legislative authority?
3. Are penalties and interest assessed on late filings and/or late payments, when allowable by law?
4. Do procedures exist to revoke licenses, deny permits, etc., if fees are not paid when due, or when
payments have been returned (NSF checks)?
5. Do refunds, credit memos and voids require a separate review and approval before being issued?
6. Are refunds, credit memos and voids promptly recorded once approved?
7. Are applications, returns, etc., reviewed for completeness and accuracy?
8. Are security deposits required for new utility customers?
9. When service is terminated, are deposits returned upon determination that no future charges exist?
10. Are reports for new and deleted accounts run for the reconciliation?
11. Are deleted accounts reviewed periodically to determine if they should be added back?
12. Are receivables posted to the accounting records when billings have been issued? Has the correct
period been identified for revenue recognition?
13. Are prior period records used as a starting point for the current period’s billing statement?
14. Are billing reports reconciled to the accounts receivable ledger?
15. Are billing totals reports balanced to
o Usage reports?
o Number of customers?
16. Are billing reports balanced by someone outside the collection process?
17. Are billing reports received in a timely fashion?
18. Are billing reports reviewed for reasonableness and consistency?
19. Are reports reviewed by management for unusual items (e.g., credit balances)?
20. Are discrepancies and other problems documented and investigated?
21. Are questions regarding balances directed to the billing department rather than the receipting
department?
22. Are customer complaints documented and handled by an individual independent of the billing and
receivables function?
23. Are bad debt write-offs approved by management?
24. Are bad debt write-offs promptly posted to the receivable and revenue ledger?
Calculation of Billings Testing Procedures
Objective: To ensure billings (receivables) represent valid claims by the entity and to ensure all billings are
included as receivables for the entity.
1. Inspect billings/invoices to determine if a log of numbers is maintained to ensure all numbers are accounted
for. NOTE: This may be a computerized function.
2. Select a sample of billing reports and inspect the reconciliations to:
o Accounts receivable ledgers
o Usage reports (in the case of water or sewer billings)
o Number of customers from prior period
3. Trace the rates/fees to the Ohio Revised Code or to a resolution to ensure the charges are in accordance
with the law or resolution.
4. Select a sample of exception reports intended to identify errors to determine if they have been reviewed and
approved by management.
5. Select a sample of refunds, credit memos and voids to determine if they were properly authorized.
CASH HANDLING AND SAFEGUARDING
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Does each employee operate from a separate cash drawer?
2. If cash drawers are shared, are they balanced prior to being used by a different employee?
3. If multiple users exist for a cash register, does each user have a separate ID that can be reconciled to
the activities they posted?
4. Does the entity have a policy prohibiting the sharing of passwords?
o Are passwords changed periodically?
o Is the policy enforced?
5. Is a listing kept of cash receiving points and individuals authorized to handle cash receipts?
6. Is cash maintained in a restricted area with limited access? Is it physically safeguarded (locked)?
7. Are surprise cash counts performed periodically?
8. Does management review activities, especially cash, when employees are on vacation to identify
trends which might identify fraud?
9. Are credit card numbers safeguarded to prevent fraud and misuse?
10. Are cash drawers balanced each day?
11. Are cash overages and shortages reflected on daily reconciliation sheets?
12. Are overages/shortages investigated by someone independent of the receipting process?
13. Are reconciliations performed and reviewed by someone independent of the receipting process?
14. Are monies deposited in accordance with ORC 9.38? (Deposits are delivered to the Treasurer’s
office or to the bank within 1 business day of receipt if the total is $1,000, within 3 business days if the
aggregated deposit amount is less than $1,000.)
15. Are employees bonded?
Cash Handling and Safeguarding Testing Procedures
Objective: To ensure cash is properly safeguarded against misappropriation
1. Inspect daily reconciliations to ensure:
o They reflect overages/shortages.
o They are signed by the preparer (individual who maintained the drawer).
o They are signed by the reviewer (individual who prepares pay-in/deposit).
o Supporting documentation is maintained with the reconciliation.
2. Review procedures and inspect areas where cash is maintained to ensure access is restricted to only
authorized individuals.
CASH RECEIPTS
General Receipts Internal Control Questions
See “How to Use This Manual” on page 7.
1. Are receipt forms voided and retained rather than changed?
2. Are source documents maintained to allow for adequate cash reconciliations and deposit or pay-in
substantiation?
3. Are all revenues received immediately recorded, including the date received, the payer, the purpose
and the amount?
4. Are reconciliations between daily collections and outstanding accounts receivable performed by
someone external to the receipting and billing processes?
5. Are pay-ins prepared from a standard document identifying account codes?
6. Are pay-ins posted by someone external to the receipting process?
7. In cases where goods are being sold:
o Is an inventory system used and integrated with the accounting records?
o Is an inventory of items remaining at the end of each period maintained?
o Is inventory reconciled to the day’s receipts?
o Is any spoilage of inventory documented?
o As shipments are received, are they included in the inventory?
2. Does management review long outstanding items and control overrides?
8. Are NSF checks or declined credit card payment transactions promptly reversed from the reported
transactions?
9. Are NSF checks or returned payments promptly investigated and recollection efforts applied by an
individual not responsible for processing and recording receipts?
Over the Counter Receipts Internal Control Questions
1. Are electronic or other counters (e.g., turnstiles) used to keep track of the number of individuals
entering the premises? Is the ability to reset the counter limited to supervisory staff?
2. If individuals are allowed to leave and re-enter the premises, have methods been developed to
account for these individuals?
3. Is supervisory staff available to monitor the cash collection?
4. Does the office have a policy requiring all customers to receive a receipt?
5. Are signs posted telling customers to make sure they get a receipt?
6. Do the cash registers or similar machines use a paper tape?
7. If a cash register receipt is not used, are receipt books pre-numbered?
8. Are duplicate receipts retained and used to reconcile the cash drawer?
9. Do cash register reports provide sufficient detail to allow different types of revenues to be identified?
Mail Receipts Internal Control Questions
1. Is mail opened and distributed by someone external to the receipting process?
2. Are all checks restrictively endorsed when received?
3. Is a log of all payments (especially cash) prepared?
4. Are items file dated when received?
Cash Receipts Testing Procedures
Objective: To ensure all transactions are substantiated with documentation (e.g., receipts, remittance
slips), are posted to the correct account code and are reported in the correct accounting period.
1. Inspect reconciliations to determine if documentation is sufficient to allow recalculation of deposit.
2. When goods are being sold, ensure inventory is taken and used as part of the reconciliation process.
LICENSES AND OTHER PRE-NUMBERED DOCUMENTS
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Are unused pre-numbered receipts/licenses maintained in a secure area?
2. Are unused pre-numbered licenses that are not maintained in a secured area (e.g., a cash drawer)
inventoried each day as part of the reconciliation?
3. Are source documents (e.g., conveyance forms) maintained and reconciled to the daily receipts?
4. Are pre-numbered documents/items specifically identified with a revenue posting?
5. Are reconciliations between daily collections and outstanding accounts receivable performed by
someone external to the receipting and billing processes? Does the reconciliation account for
revenue collected and specific documents identified?
6. Is the revenue ledger reconciled to the control numbers on at least a monthly basis by someone
external to the receipting process?
7. Are prior year license holders compared to those in the current year to identify those who did not
purchase a current license? Are these instances investigated?
Licenses and Other Pre-Numbered Documents Testing Procedures
Objective: To ensure all revenues received are included in the revenue reported, are properly categorized by
type of revenue, and are reported for the correct dollar amount.
1. Examine source documents to ensure they contain: date received, payee, purpose and amount.
2. Examine pay-ins to determine if pre-numbered items are specifically identified to the pay-in.
3. Examine reconciliations to determine if they are complete and performed by someone external to the
collection process.
4. Review procedures to ensure unsold licenses are maintained in a secure location.
INTERGOVERNMENTAL REVENUE
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Are all grant applications/awards approved by the legislative authority?
2. Are budgeted amounts based on the grant award? Are comparisons done to ensure the actual
revenue does not exceed the budgeted amount?
3. Are account codes established to differentiate between federal and state receipts? (There should be
no commingling of federal funds with funds from any other source, including state.)
4. Are separate accounts established for each grant to ensure separate accountability?
5. Are grant billings or draw-downs recorded and accounted for as receivables with sufficient detail for
monitoring and tracking?
6. Are tickler files maintained to track the timing of grant requirements including the timing related to
when monies are requested and when they are received?
7. Are the Auditor’s and Treasurer’s Offices notified when revenues are expected to be received from
grantor agencies, the amount of revenue expected, the account code and the grant identification?
8. Are checks/credit cards/EFT’s identified by the department to ensure they are paid in to the correct
account codes?
9. Are grant folders maintained to ensure money is posted to the correct grant/fund year?
10. Is revenue collected on behalf of other government entities promptly remitted to them?
Intergovernmental Receipts Testing Procedures
Objective: To ensure transactions are posted to the correct account code and are reported in the correct
accounting period.
1. Select a sample of incoming EFT receipts and inspect for proper identification (account codes) and timely
posting.
2. Determine if a review is performed between actual receipts and budgeted or grant amounts.
BANK ACCOUNT AND INVESTMENT ACTIVITIES
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Do depository agreements exist with all banks with which the County has deposits?
2. Does the County have an investment policy?
3. Does the County have an investment committee? Does the investment committee meet as required
by law?
4. Does the County wire money out, or utilize ACH debits/credits? If so:
o Is documentation maintained to support the wire transfer or ACH transaction (the same as any
other voucher for which a check/warrant is produced)?
o Is access to the ability to wire or initiate an ACH transaction adequately protected? (Both physical
and password protection should be considered.)
o Do steps exist to authorize wire transfers and ACH’s before they occur?
5. How are the purchase and sale of investments or the movement of deposits authorized?
6. Are monthly bank reconciliations performed between the Auditor’s and Treasurer’s Offices?
7. Are reconciling items (e.g., interest income) reviewed to determine the proper accounting treatment?
8. Does the County have a policy addressing the handling of NSF checks, levying of fees and following
up with the individual passing the bad check?
Bank Account and Investment Activity Testing Procedures
Objective: To ensure transactions actually occurred and all actual transactions are reported and posted
for the correct amount to the correct account code in the correct accounting period.
1. Determine which banks the County has deposits with and if valid (current) depository agreements
exist with those banks.
2. Review the County’s investments to determine if they are consistent with the County’s investment
policy and the Ohio Revised Code.
3. Examine the minutes of the County’s investment committee.
4. For wire transfers, inspect documents to determine if sufficient documentation exists to support the
expenditure and if the expenditure by wire transfer was authorized.
5. Examine documentation regarding the movements of deposits and investments to determine if they
are properly authorized.
6. Select a sample of monthly reconciliations between the Auditor’s and Treasurer’s Offices and review
any reconciling items.
TRANSACTION CYCLE: PAYROLL
Common Payroll Objectives
1. Additions, separations, wage rates, salaries and deductions are authorized for all employees.
2. Employees’ time and attendance dates are properly reviewed, approved, processed, documented
and accurately coded for accounting and distribution.
3. Organizational and divisional policies and procedures are complied with.
4. Basic payments to employees are properly calculated and authorized.
5. Additions to basic pay are authorized and correctly calculated.
6. Salary and other payments to employees are properly calculated and authorized.
7. All payments related to separation from employment are correctly calculated and authorized.
8. Computations for gross pay, deductions and net pay are accurate and based on authorized time and
amounts; the recording and summarizing of payments made and costs distributed are accurate and
agree with established account classifications.
9. Payments for employee compensation and benefits programs are made to or on behalf of only bona
fide employees and for services performed.
10. The relationship with an individual is appropriately classified as “employee” or “independent
contractor”, and the individual is paid accordingly.
11. Tax information derived from payroll activities is accurately and promptly reported.
12. Employee compensation and benefit costs are properly accumulated, classified and summarized in
the accounts.
13. Operation procedures and internal controls provide adequate assurance that authorized transactions
are processed completely and accurately in a timely manner.
14. All employee data in the system is accurate and appropriate to the personal issues of the employee.
15. Payroll data is completely and accurately accumulated in the underlying financial records and in the
proper accounting period.
16. Personnel data is securely maintained.
17. The policies and procedures related to the payroll cycle are effective.
18. Public records requests for confidential information are handled appropriately (e.g., through
authorized individuals) and proper redactions are made (e.g., Social Security numbers, employee
home phone numbers).
Risk Assessment
See “How to Use This Manual” on page 7.
Performing risk assessments on a regular basis can provide an understanding of possible vulnerabilities
that may have developed as a result of employee turnover, changes in processes and procedures, and/or
any changes in respective laws and regulations.
A few of the risks associated with the payroll cycle include:
• Ghost or phantom employees are fictitious employees that are created to induce fraudulent activity
(e.g., creation of a fake employee in order to receive an additional paycheck).
• Pay rate changes are unauthorized (e.g., ensuring that any changes in pay rate are properly
approved and authorized).
• Wages have been paid inappropriately (e.g., hours have not been worked, or leave was not
earned).
• Improper pay-outs are made to terminated employees (e.g., ensuring that once an employee
terminates, they are inactivated in the system, thereby eliminating the issuance of a paycheck).
NOTE: The term “paychecks” includes both payroll warrants and payroll direct deposits.
Answer each question with “Yes” or “No” and evaluate the impact as
“High”, “Medium” or “Low”. No/High responses could indicate a potential
internal control weakness with significant consequences.
1. Is there a checklist in place to ensure that all employment forms are
present/completed?
2. Are all employment forms (e.g., I-9, Ohio Homeland Security DMA form)
completed in a timely fashion?
3. Are all personnel records (hard-copy and computerized) adequately secured?
4. Are new employees added and terminated employees removed from the
payroll in the correct period?
5. Is there a process in place to notify the payroll processor to remove individuals
who are no longer employed from the payroll in a timely manner?
6. Are the payroll processing duties adequately segregated so that no one
employee has control over all aspects of the payroll function (e.g., submitting
payroll information to HR, receiving the paychecks, and reconciling payroll
transactions)?
7. Are different individuals responsible for appointing and paying employees?
8. Are direct deposit authorizations or change of address requests handled by the
same person who approves payroll or distributes paychecks?
9. Are all time records completed by the employee and approved by authorized
personnel?
10. Do individuals responsible for approving employee time have direct
knowledge of the hours worked?
11. Does the immediate supervisor review employee timesheets for accuracy and
completeness and approve them?
12. Does proper authorization exist for overtime incurred?
13. Are records maintained to monitor and verify exempt vacation, sick, and
personal days taken and available?
14. Do supervisors review these records annually, periodically, and/or on
employee’s anniversary date before a report is sent to Human Resources for
vacation and sick time accrual?
15. Are deductions, nonstandard requests, and changes in pay rates reviewed
and approved by a limited number of authorized personnel?
16. Are standard forms used for all payroll activity requests?
17. Are check-related activities (authorizations, printing, distribution) adequately t d?
18. If any warrants must be kept overnight, are they stored in a secured location?
Are they inventoried?
19. Are payroll bank account reconciliations performed? Are they done in a timely
manner?
20. Is access to payroll data limited to a specified group of authorized personnel?
Is their access to electronic information secured by frequently changed
passwords?
21. Are procedures in place to ensure that all additions and deletions of
employees to or from the database are reviewed and approved?
23. Are all unit employees aware of and do they have access to relevant
personnel policies and procedures?
Segregation of Duties
See “How to Use This Manual” on page 7.
The following chart lists duties to be considered in determining the adequacy of segregation of duties
among those responsible for payroll transactions.
List the names of individuals responsible for particular functions in the column indicated.
Review the chart³ for individuals whose names are listed in more than one column. Make a determination
whether that represents a potential lack of segregation of duties. For example, those responsible for
timekeeping should not also process the payroll cash disbursements or handle the accounting.
Consider whether individuals are performing incompatible duties within the same column.
Chart columns: Description; Authorization; Custody of Assets; Recording; Control Procedure
Descriptions:
o Maintenance of personnel files
o Approval of access to personnel master files
o Approval of wage and salary increases, new hires, and terminations
o Control of timekeeping
o Approval of the payroll
o Preparation of paychecks
o Signing of payroll warrants
o Distribution of paychecks
o Control of unclaimed payroll warrants
o Reconciliation of payroll bank accounts
o Maintenance of payroll journals
o Control of the accuracy, completeness of, and access to payroll programs and data files
• Are those responsible for maintaining personnel records or originating master file entries in the
payroll records independent of those processing or distributing the payroll?
• Are those responsible for approving time worked independent of those determining payments,
processing payroll and distributing payroll?
• Are those responsible for processing payroll preparation independent of those distributing payroll,
particularly where casual labor is employed or where there is no separate HR department?
• Are those responsible for processing payroll independent of those authorizing payments and
bank transfers?
³ Copyrighted by and used with the permission of AudNet.org (www.auditnet.org)
General Payroll Internal Control Questions
See “How to Use This Manual” on page 7.
1. Is access to the payroll records, whether manual or computerized, adequately controlled?
2. Are time reports or sheets controlled to avoid alterations?
3. Are the hours worked documented by a time clock or time sheet, signed by the employee and
approved by a supervisor or other responsible personnel?
4. In preparation for payroll processing, are the hours worked computed by someone other than the
employee?
5. Are employees able to accrue/earn comp time if they establish their own work schedule (and vice
versa)?
6. Are overtime payments (number of hours and rates) in agreement with the law and local policy?
7. Are approvals required for garnishments, termination payments, corrections to gross or net pay,
special payments, etc.?
8. Is the payroll double-checked for:
o Mathematical accuracy?
o Accuracy of deductions?
o Authenticity of names?
o Proper accounting distribution?
9. Are payrolls subject to a review and final approval by an individual who is not within the payroll
function/department (e.g., another department head/supervisor)?
10. Are amounts to be paid per hours worked reconciled to payroll amounts posted to the proper budget
code(s) in system?
11. Are the number of employees, amounts paid, and deductions, reconciled from one period to the next?
12. Is there a periodic check by independent staff, comparing the payroll and personnel records?
13. If employees are paid by warrant:
o Are unused payroll warrants rigidly controlled?
o Are warrants pre-numbered?
o If a check signer is used, is the facsimile plate properly controlled? Is a log maintained of the
number of warrants signed and compared to the machine counter?
o Are spoiled payroll warrants voided in a manner that prevents reuse?
o Is the signing of warrants in advance of their being filled out prohibited?
o Are warrants made out to the name of the employee as shown on the payroll records?
o Is there a maximum amount for paychecks?
o Is the payroll bank account used only for payroll purposes?
o Is the payroll bank account reconciled monthly by those independent of the payroll department?
14. Are payroll documents (e.g., warrants or pay stubs) secured and stored in a safe or something
similar? Is access restricted to the person responsible for payroll distribution?
15. Are the payroll warrants rechecked before distribution?
16. Is identification required for distribution of paychecks (especially in the cases of interns, part-time
employees, seasonal workers, etc.)?
17. Do periodic audits include witnessing distribution of the paychecks to identify persons and accounting
for those not immediately distributed?
18. If an employee terminates, are unclaimed wages returned? To whom?
19. Does the reconciliation of the payroll bank account include:
o Delivery of the bank statements and redeemed warrants to the reconciler unopened?
o Examination of endorsements of redeemed warrants, at least on a test basis?
o Accounting for the numerical sequence of warrants?
o Comparison of warrants with the payroll records?
NEW HIRES/TERMINATIONS
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Are procedures in place to ensure that all authorizations (particularly notices of separation from
employment) are provided promptly to the Human Resources Department and Payroll Department?
2. Are all additions and deletions of employees to or from the database reviewed and approved?
3. Do procedures ensure a staff member leaving the agency is removed from the payroll?
4. Are the individuals who are responsible for the following functions independent of each other:
o Hire or fire employees
o Approve/authorize hours worked
o Prepare time and attendance forms
o Maintain personnel records
o Distribute paychecks
5. If the above functions are independent, is the individual who prepared the Time and Attendance
Forms able to access them after they are approved?
New Hires Testing Procedures⁴
Objective: To ensure all new hires were legitimate, properly authorized and accurately and completely
recorded in a timely manner.
Select a sample of newly hired employees and perform the following:
o Verify that there is a properly authorized New Hire sheet on the employee’s personnel file.
o Verify the existence of the employee (e.g., physically meet them, ensure they are on the
telephone list or in the e-mail directory, etc.).
o Ensure the general information (such as base pay) was accurately loaded on the payroll system.
Ghost/Fictitious Employees Testing Procedures⁵
Objective: To ensure all employees currently on the payroll are bona fide.
Select a sample of employees from a payroll report and verify to an independent source (e.g., telephone
listing) to ensure the employee actually exists.
Terminating Employees Testing Procedures⁶
Objective: To ensure terminated employees were properly recorded and processed in the system.
Select a sample of terminated employees and verify the following:
o That the employee’s status was changed from ‘Active’ to ‘Terminated’ in the payroll system in a
timely manner.
o That the employee received their final salary and any leave balance pay-outs in a timely
manner.
o That the employee’s final payment was accurately calculated.
o That all appropriate personnel (e.g., IT, Security, Credit Card Administrator, etc.) were notified
and where required, took action in a timely manner.
⁴, ⁵ & ⁶ Copyrighted by and used with the permission of AuditNet.org (www.auditnet.org)
PAY RATE CHANGES
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Is the original pay rate authorized in writing and are subsequent amendments properly approved?
2. Are changes in pay rates reviewed and approved by a limited number of authorized personnel?
Pay Rate Adjustments Testing Procedures⁷
Objective: To ensure pay rate adjustments are properly authorized, and accurately and completely
processed in a timely manner.
Select a sample of payroll adjustments (including both salary and timesheet employees) from the
payroll reports and perform the following tests:
o Trace to the appropriate source documentation.
o Verify that the source document was appropriately signed by the person authorizing the pay rate
change.
o Ensure the adjustment was accurately and completely processed.
o Ensure the adjustment was processed in a timely manner (e.g., within 2 weeks).
SPECIAL PAYMENTS
Additional payments, other than regular payroll, are processed from time to time through the payroll
system (e.g., wellness incentives, bonuses, special bargaining contract concessions, etc.). The following
questions apply to these special cases.
Internal Control Questions
1. Are proper authorizations in place to ensure approval of any special payments provided to
employees?
2. Is supporting documentation required for an employee to receive any incentive disbursements?
3. How is documentation of a bonus provided to the payroll department to ensure that the bonus is given
to the appropriate employee?
4. Are bargaining agreements reviewed to verify the existence of concessions?
5. Is each type of payment evaluated for taxability and OPERS reporting?
⁷ Copyrighted by and used with permission of AuditNet.org (www.auditnet.org)
TIME AND ATTENDANCE AND USE OF LEAVE
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Is time worked by non-salaried staff adequately recorded and authorized?
2. Are Time and Attendance Forms (or other records) being maintained for all employees?
3. Does an individual (other than the person who prepares payroll documents) approve the following
before the hours are worked:
o Overtime hours
o Comp time
o Revised work schedules
4. Are the persons who perform the following functions independent of each other:
o Hire or fire employees (does not need to be separate from approval of hours worked)
o Approve hours worked
o Prepare time and attendance forms
o Maintain personnel records
o Distribute paychecks
5. If the above functions are independent, does the person who prepares the Time and Attendance
Forms have access to them after they are approved?
6. Are leave records and comp time balances maintained in the department for all employees?
7. How are leave and comp time balances tracked for each employee?
8. Are proper provisions made for leave pay? Are these provisions periodically reconciled?
9. Are leave and absence through sickness properly controlled?
10. Is there a leave donation program in place for the entity? If so, how are donated hours accounted for
(both donee time and donor time)? How is it processed? What authorizations are in place to ensure
proper approvals of leave donation?
Reporting and Recording Leave Entitlements Testing Procedures⁸
Objective: To ensure leave entitlements (vacation, sick, etc.) are properly authorized, accurately and
completely recorded and updated on the payroll system in a timely manner.
Select a sample of leave payments and perform the following:
o Trace to leave request form.
o Ensure the form was submitted by the employee and approved by the supervisor in advance of
the leave date, when so required.
o Ensure the form was signed by the supervisor to show their authorization.
o Ensure the hours were properly deducted from the accrued leave balance.
Select a sample of YTD Vacation Entitlement reports sent to supervisors and perform the following:
o Ensure there is evidence of review.
o Ensure the report was signed by the supervisor to show their review.
o Ensure all reports were returned.
⁸ Copyrighted by and used with permission of AuditNet.org (www.auditnet.org)
PAYROLL DEDUCTIONS AND WITHHOLDINGS
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Is the calculation of a sample of employees’ net pay periodically checked?
2. Are changes to allowances and deductions properly approved?
3. Are deductions reviewed and approved by a limited number of authorized personnel?
Voluntary Payroll Deductions Testing Procedures⁹
Objective: To ensure all voluntary employee payroll deductions are properly authorized, and accurately
and completely processed in a timely manner.
Select a sample of payroll deductions (including both salary and hourly employees) from the payroll
reports and perform the following:
o Trace to the appropriate source documentation (where possible).
o Verify that the source document was appropriately signed by an HR representative (if required)
and the employee.
o Ensure the deduction was accurately and completely processed.
EMPLOYEE REIMBURSEMENTS AND OTHER FRINGE BENEFITS
Employees may receive reimbursements or various fringe benefits. The following are examples:
o Tuition reimbursement
o Travel reimbursement
o Meal reimbursement
o Reimbursement for miscellaneous expenditures
o Employer-provided clothing
o Uniform allowances
o Personal use of a county-owned cell phone
o Usage of a county-owned vehicle
o Awards
For assistance in determining whether the transaction or event is considered a taxable fringe benefit,
refer to Publication 15-B (http://www.irs.gov/pub/irs-pdf/p15b.pdf) or to the Federal, State and Local
Government Taxable Fringe Benefit Guide (http://www.irs.gov/pub/irs-tege/fringe_benefit_fslg[1].pdf).
Internal Control Questions
1. Is prior authorization required in order to receive a reimbursement?
2. Are detailed receipts or other supporting documentation required to be submitted in order to process
an employee reimbursement?
3. Are there specific criteria which need to be present in order to receive a tuition reimbursement (e.g.,
minimum grade/GPA, number of credit hours, etc.)?
4. What controls are in place to ensure that uniform allowances are processed at the appropriate
times/pay period?
5. If the transaction or event is a taxable fringe benefit, is the value included in the employee’s taxable
gross wages on the W-2?
⁹ Copyrighted by and used with the permission of AuditNet.org (www.auditnet.org)
TRANSACTION CYCLE: PURCHASES AND PAYMENTS
Common Payments Objectives
1. Authorizations to approve requisitions and purchase orders, place orders with vendors and approve
expenditures are clearly communicated to all staff.
2. Recorded encumbrances represent valid formal commitments for goods or services not yet received
and are approved.
3. Encumbrance transactions are received and recorded accurately.
4. Encumbrances are recorded in the proper period.
5. Purchase transactions are encumbered and approved in accordance with the Ohio Revised Code and
County policy.
6. Purchase transactions are received and processed in a timely manner.
7. Purchase transactions are substantiated as valid transactions.
8. Recorded purchase transactions represent actual receipts of goods and services.
9. Purchase transactions are accurately recorded as to amounts, quantities, dates, vendors, and
account coding.
10. Purchase transactions are recorded in the proper accounting period.
11. Original, detailed documentation for expenditures is obtained, reviewed and maintained in
accordance with the law and County policy.
12. Recorded cash disbursements are for actual purchases of goods or services and are approved.
13. Noncash reductions of accounts payable represent valid adjustments and are approved.
14. Adjustments are made to the proper vendor account.
15. Only authorized personnel have access to the accounting system.
16. Information for IRS reporting (1099-MISC, 1099-INT or 1099-S) is accurately captured and promptly
reported.
17. Personal and confidential information (e.g., vendor tax identification numbers, vendor bank account
numbers, client information on invoices) is adequately protected.
Risk Assessment
See “How to Use This Manual” on page 7.
Performing risk assessments on a regular basis can provide an understanding of possible vulnerabilities
that may have developed as a result of employee turnover, changes in processes and procedures, and/or
any changes in respective laws and regulations.
A few of the risks associated with the payments cycle include:
• Fictitious vendors are created in connection with fraudulent activity.
• Invoice adjustments are unauthorized.
• Duplicate payments are sent to the vendor.
• Payment is made for goods or services that have not been received.
• Invoices are not processed in a timely manner, resulting in late fees, penalties or interest.
Answer each question with “Yes” or “No” and evaluate the impact as
“High”, “Medium” or “Low”. No/High responses could indicate a potential
internal control weakness with significant consequences.
1. Does the procurement policy include policies and procedures for acquiring
capital items, routine and non-operating purchases, contracts, business travel
expenses (both local and out-of-town) and petty cash uses?
2. Are invoices matched to receiving reports and purchase orders?
3. Are invoices reconciled to all available physical evidence of the obligation (e.g.,
meter readings, leases, contracts, completion reports)?
4. Is the mathematical accuracy of vendor invoices verified prior to payment?
5. Do procedures specify the method to be used in following up and resolving
exceptions (e.g., unmatched invoices, receivers, errors)?
6. Do procedures state requirements for processing internal check requests?
7. Must voids and returns be authorized by a supervisor?
8. Does a schedule of payment approval authorities exist? Is it adequate to
ensure proper approval for procurement, and timely processing of payments?
9. Are standing payment authorizations used?
10. Do disbursement procedures specify the individuals authorized to process
accounts payable transactions?
11. If the accounts payable system accepts entries for future payments, are
control features in place to ensure that the transaction is properly authorized
when the payment becomes due?
12. Are there procedures in place to prevent a vendor from being paid twice for
the same invoice?
13. Are IRS Form W-9s obtained from vendors before issuing payment?
14. Is access to vendor data limited to a specified group of authorized personnel?
Is their access to electronic information secured by frequently changed
passwords?
15. Are direct deposit authorizations or vendor change of address requests
handled by the same person who processes the cash disbursements or mails
the payments?
16. Are payments held for pick-up rather than being placed directly into the mail?
17. Are check-related activities (authorizations, printing, mailing) adequately
segregated?
18. If any warrants must be kept overnight, are they stored in a secured location?
Are they inventoried?
19. Are Electronic Data Interchange (EDI) purchase orders, invoices, purchase
card or credit card transactions used in exchange transactions with business
partners?
20. Has the responsibility for balancing and reconciling the EDI transfers been
assigned?
Response columns for each question: Y or N; Impact (H, M or L).
Segregation of Duties
See “How to Use This Manual” on page 7.
The following chart lists duties to be considered in determining the adequacy of segregation of duties
among those responsible for purchase and payment transactions.
List the names of individuals responsible for particular functions in the column indicated.
Review the chart³ for individuals whose names are listed in more than one column. Make a determination
whether that represents a potential lack of segregation of duties. For example, those who perform the
ordering (purchasing) activity, including those who maintain contact with outside suppliers and issue
purchase orders, should not perform any receiving, cash disbursements and accounting activities.
Consider whether individuals are performing incompatible duties within the same column.
Description | Authorization | Custody of Assets | Recording | Control Procedure
Issuance of requisitions | | | |
Approval of requisitions | | | |
Issuance of purchase orders | | | |
Approval of purchase orders | | | |
Maintenance of vendor master files | | | |
Issuance and signing of receiving reports | | | |
Matching invoices to purchase orders and receiving reports | | | |
Key-entry of invoices and coding account distribution | | | |
Approval of vouchers for payment | | | |
Preparation of warrants | | | |
Signing of warrants | | | |
Distribution of warrants | | | |
Maintenance of the purchases journals | | | |
Reconciliation of accounts payable (the total of unpaid vouchers) with the general ledger | | | |
Control of the accuracy, completeness of and access to purchasing and accounts payable programs and data files | | | |
¹⁰ Copyrighted by and used with the permission of AuditNet.org (www.auditnet.org)
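The segregation-of-duties chart review described above can be run mechanically once the names are keyed in. The following is an added example, not part of the manual: the names, the column in which each duty is placed, and the grouping of duties into activities are constructed assumptions.

```python
from collections import defaultdict

# Column headings of the segregation-of-duties chart.
COLUMNS = ("Authorization", "Custody of Assets", "Recording", "Control Procedure")

# Assumed grouping of chart duties into activities (the example's choice, not the manual's).
ACTIVITY_OF_DUTY = {
    "Issuance of purchase orders": "ordering",
    "Issuance and signing of receiving reports": "receiving",
    "Key-entry of invoices and coding account distribution": "accounting",
    "Approval of vouchers for payment": "cash disbursements",
    "Signing of warrants": "cash disbursements",
    "Distribution of warrants": "cash disbursements",
    "Reconciliation of accounts payable (the total of unpaid vouchers) "
    "with the general ledger": "accounting",
}

# The manual's stated example: those who order should not perform
# receiving, cash disbursements or accounting activities.
INCOMPATIBLE = {"ordering": {"receiving", "cash disbursements", "accounting"}}

# Constructed chart entries: (duty, column the name was written in, names as written).
SAMPLE_CHART = [
    ("Issuance of purchase orders", "Authorization", ["A. Rivera"]),
    ("Issuance and signing of receiving reports", "Custody of Assets", ["B. Chen"]),
    ("Key-entry of invoices and coding account distribution", "Recording",
     ["a. rivera ", "C. Okafor"]),
    ("Approval of vouchers for payment", "Authorization", ["D. Patel"]),
    ("Signing of warrants", "Authorization", ["D. Patel"]),
    ("Distribution of warrants", "Custody of Assets", ["B. Chen"]),
    ("Reconciliation of accounts payable (the total of unpaid vouchers) "
     "with the general ledger", "Control Procedure", ["C. Okafor"]),
]


def _norm(name):
    """Collapse whitespace and case so 'a. rivera ' and 'A. Rivera' are one person."""
    return " ".join(name.split()).casefold()


def _index(chart):
    """Build name -> column -> [duties], rejecting column names not on the chart."""
    idx = defaultdict(lambda: defaultdict(list))
    for duty, column, names in chart:
        if column not in COLUMNS:
            raise ValueError(f"unknown column {column!r} for duty {duty!r}")
        for name in names:
            duties = idx[_norm(name)][column]
            if duty not in duties:
                duties.append(duty)
    return idx


def cross_column_conflicts(chart):
    """Individuals listed in more than one column -> sorted list of those columns."""
    return {n: sorted(cols) for n, cols in _index(chart).items() if len(cols) > 1}


def same_column_overlaps(chart):
    """Individuals holding several duties inside one column, for manual review."""
    out = {}
    for name, cols in _index(chart).items():
        multi = {c: d for c, d in cols.items() if len(d) > 1}
        if multi:
            out[name] = multi
    return out


def activity_conflicts(chart, activity_of=ACTIVITY_OF_DUTY, incompatible=INCOMPATIBLE):
    """Sorted (name, activity, incompatible activity also performed) tuples."""
    acts = defaultdict(set)
    for duty, _column, names in chart:
        if duty not in activity_of:
            # Surface unmapped duties instead of silently skipping them.
            raise ValueError(f"duty {duty!r} has no activity mapping")
        for name in names:
            acts[_norm(name)].add(activity_of[duty])
    found = []
    for name, have in acts.items():
        for activity, banned in incompatible.items():
            if activity in have:
                found.extend((name, activity, other) for other in sorted(have & banned))
    return sorted(found)


if __name__ == "__main__":
    print("More than one column:", cross_column_conflicts(SAMPLE_CHART))
    print("Several duties in one column:", same_column_overlaps(SAMPLE_CHART))
    print("Incompatible activities:", activity_conflicts(SAMPLE_CHART))
```

Each hit is a prompt for the reviewer's determination, not a finding in itself; compensating controls may justify an overlap.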
General Payments Internal Control Questions
See “How to Use This Manual” on page 7.
1. Are procedures established to ensure:
o The proper funds and accounts are charged?
o Appropriations or funds from which payments will be made are available for that purpose?
o Disbursements are made in accordance with purchase orders and contracts?
o Disbursements are used only for authorized purposes?
o All laws, rules, and regulations governing the disbursements are followed?
2. Is the responsibility for authorization of disbursements clearly defined and assigned to specific
personnel?
3. Are controls established to assure that all payments are made on a timely basis?
4. Are prompt payment discounts taken?
5. Does a supervisor review the vendor invoices for account coding, unit cost and extended pricing?
6. Are controls established to ensure that duplicate payments are not made?
7. Are only original invoices (no photocopies) totaling the amount of the disbursement attached to each
voucher before payment?
8. Is out-of-county travel approved in writing in advance by the agency head or authorized designee?
9. Are unused procurement cards inventoried at least quarterly and kept under lock?
10. For payments made by warrant:
o Are unused warrants rigidly controlled?
o Are warrants pre-numbered?
o If a check signer is used, is the facsimile plate properly controlled?
o Is a log maintained of the number of warrants signed and compared to the machine counter?
o Are spoiled warrants voided in a manner that prevents reuse?
o Is the signing of warrants in advance of their being filled out prohibited?
o Are warrants made out to the name of the vendor as shown on the invoice?
11. Is follow-up done on warrants that have been returned in the mail?
VENDOR MASTER FILE MAINTENANCE
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Is a Vendor Request and Change Form completed for new vendors or to change vendor information?
Is the form approved by an authorized individual?
2. Does the Vendor Request and Change Form include the proper information: name, address, phone
number (important if the vendor has only provided a post office box number), taxpayer Tax
Identification Number, vendor activity?
3. Is an IRS Form W-9 (Request for Taxpayer Identification Number and Certification) obtained for each
new vendor?
4. Does the name on the Vendor Request and Change Form match the vendor name on the W-9?
5. Are there procedures in place to ensure payments are not made to unauthorized or non-existent
vendors?
6. Are there procedures in place that prevent or detect entries to incorrect vendor accounts?
7. Are procedures in place to ensure all changes are accurately input?
8. Are there procedures in place to ensure that a supervisor reviews and approves the changes after
they are input?
Vendor Master File Testing Procedures
Objective: To ensure all new vendors and changes to vendor information are authorized, accurately
completed, processed in a timely manner and recorded properly.
Select a sample of Vendor Request and Change Forms to verify the following:
o Form was approved by an authorized individual.
o All relevant information (name, address, phone number, tax ID number, vendor activity) is
provided.
o IRS Form W-9 is on file for each vendor.
o Information on Form agrees with W-9.
o Information on Form and W-9 agrees with the vendor master file.
o Proof report listing changes agrees to the Form and/or W-9.
o Supervisory review and approval is documented on the proof report.
PURCHASE ORDER AND RECEIVING DOCUMENT
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Are all employees aware of purchasing procedures?
2. Are requisitions and purchase orders approved by authorized individuals?
3. Are competitive bids obtained for capital items and professional services in accordance with the Ohio
Revised Code?
4. Are manual purchase orders sequentially numbered and accounted for? Are electronically generated
purchase orders controlled with access and approval controls?
5. Are there procedures in place to prevent use of canceled or voided requisitions/purchase orders?
6. Are there procedures to assure that all purchase orders and contracts are input for processing?
7. Are purchase orders coded to the proper fund and account?
8. Are there procedures that prevent or detect the incorrect entry of amount, date, and purchase order
number?
9. Are there procedures in place to determine that the purchase is considered in the current year budget
and the cost does not exceed the budget?
10. Are procedures in place to assure:
o The recorded encumbrance relates to an actual transaction and is not fictitious?
o Duplicate encumbrances are prevented?
o Recorded encumbrances, adjustments, carryovers, lapses and closures are approved?
11. Are there procedures to prevent or detect incorrect entry of carryover encumbrances?
12. Are procedures in place to assure that what was received was ordered, or that the services have
been performed?
13. Is a receiving document prepared?
14. Are encumbrances properly reversed upon receipt of goods or services and recorded to the general
ledger?
15. Are encumbered funds that are no longer needed promptly made available for other purposes?
16. Are there procedures to assure that the total purchase order and purchase transaction input are equal
to the amounts updated in the encumbrance data files and general ledger system accounts?
17. Are there procedures that prevent or detect incorrect entry of price, quantity, amounts, vendor, or
account numbers related to purchase transactions?
18. Are procedures in place to assure that the purchase transaction recorded actually occurred and is not
fictitious?
19. Are there procedures to prevent duplicate purchase transactions?
20. Are there procedures to investigate or resolve mismatched or long outstanding open purchase
orders?
Purchase Order/Receiving Document Testing Procedures
Objective: To ensure purchasing policies and procedures are followed, and authorization to purchase
supplies and services are reflected in the accounting records.
Select a sample of requisitions/purchase orders and verify the following:
o Approved by an authorized individual.
o Adheres to the purchasing policy, including obtaining competitive bids when required.
o Purchase order is sequentially numbered and is either electronically controlled with access codes
or entered in manual log.
o Voided or cancelled purchase orders are not used again.
o Applies to the current year budget and the cost does not exceed the available budget.
o Input for processing with the correct amount, date, purchase order number, vendor, fund and
account number classification.
o Proof list has been compared to total of all purchase orders and initialed/dated by clerk.
Select a sample of encumbrances and verify the following:
o Encumbrances, adjustments, lapses and carryovers have been approved by an authorized
individual.
o The recorded encumbrance is a valid commitment, neither fictitious nor a duplicate.
Select a sample of receiving documents and verify the following:
o Goods or services received were agreed to the purchase order.
o Encumbrance was correctly reversed and recorded in the general ledger.
INVOICE APPROVAL AND PAYMENT PROCESSING
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Are the invoices addressed to the proper agency?
2. Are payments made after the receipt of goods or services, not in advance?
3. Are payments only made based on original invoices and not photocopies or faxes?
4. Is a three-way match performed (invoice, receiving document and purchase order) to assure:
o Correct quantity?
o Agreed-upon price?
o Compliance with all terms of the purchase order or contract?
5. Are there procedures in place to assure:
o The invoice is recalculated?
o Discounts are taken, when available?
o Sales and use tax is not paid?
o Payment is for a proper public purpose?
o The invoice is marked “ok to pay,” initialed and dated?
o The authorizing individual does not also sign the warrants?
6. Are there procedures to ensure that payments are charged only against the program to which they
relate, and not to the program most able to bear the cost?
7. Are all invoices received input for processing?
8. Are unpaid invoices reviewed periodically and investigated?
9. Is the vendor’s invoice number and name keyed into the system?
10. Are invoices stamped or marked to prevent duplicate entry?
11. Is a proof report run and matched to the system batch total?
12. Are payments reported in the proper period?
13. Is unused check stock safeguarded and controlled? Is the person responsible for maintaining the check
stock someone other than those originating the disbursements requests?
14. Are spoiled and voided warrants retained and the signature blocks on the warrants removed?
15. Are warrants sequentially pre-numbered and accompanied by bills, vouchers, or list of bills that are
marked paid?
16. Are warrants mailed by someone other than the person preparing the warrants?
17. If applicable, is the signature plate and use of the check signing machine kept under control of the
official whose name appears on the signature plate or another authorized designee?
18. Is access to automated functions strictly controlled?
19. Are the County’s bank accounts reconciled monthly with the County’s general ledger? Are any
variances investigated and resolved in a timely manner? Is this reconciliation done by someone not
involved in the cash receipt or disbursement cycles?
Invoice Approval and Payment Processing Testing Procedures
Objective: To ensure all invoices are properly authorized for payment, accurately and completely
processed and reported in the proper period, with proper segregation of duties.
Select a sample of paid invoices/vouchers and verify the following:
o Invoice is addressed to the proper agency.
o Goods and services have been received in the correct quantity, at the agreed-upon price, in
compliance with terms of purchase orders or contracts (match invoice with receiving document
and purchase order).
o Invoice is approved for payment by an authorized individual.
o Invoice is an original, not a photocopy.
o If the invoice is not computer-generated, an adding machine tape is attached to the invoice,
verifying the mathematical accuracy.
o Vendor’s invoice number and name has been entered into the system.
o Invoice is stamped or marked to prevent duplicate entry into the system.
o Payment is coded to proper program and account.
o Payment is recorded in the proper accounting period.
o Proof report has been run and matched to the batch total.
o Payment has been mailed by someone other than the person preparing the warrants.
Inquire about unpaid invoices and obtain explanations.
Select a sample of monthly Auditor/Treasurer reconciliations to ensure the bank account and the general
ledger are in balance, and any variances are investigated and resolved.
Authorized Computer Access Testing Procedures
Objective: To ensure only those employees responsible for the processing of payments have access to
the applicable automated functions.
Periodically review the system permissions and audit report to determine only those employees
authorized to perform invoice/voucher and payment processing have access to those functions.
Check Printing Testing Procedures
Objective: To ensure warrants are issued in sequential order and are supported by evidentiary matter,
and unused check stock and signature plate (if applicable) are physically secured.
Select a sample of issued payments and verify the following:
o Warrant numbers are sequentially listed by comparing the last warrant number used in the
previous processing run to the first warrant number used in the current processing run.
o Warrants are supported by invoices or vouchers.
o Spoiled and voided warrants have been retained and defaced.
Ensure blank check stock and the signature plate have been safeguarded and are maintained by
someone separate from the disbursement requesting process.
CHANGES TO INVOICES, PAYMENTS VARY FROM INVOICED AMOUNTS, VOIDED PAYMENTS
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Are records of returned goods and credit memos reviewed and approved prior to invoice payment?
2. Are there procedures that prevent paid amounts not agreeing to the invoiced amounts?
3. Are manual changes to invoices authorized?
4. Is authorization obtained prior to voiding payments? Is the reason for the voided payment
documented?
Manual Changes to Invoices and Voided Payments Testing Procedures
Objective: To ensure all voided payments and manual changes to invoices are authorized, accurately
recorded and processed.
Select a sample of invoices/vouchers and verify the following:
o Invoice alterations for returned goods, credit memos or changes to amounts being paid are
properly authorized and dated.
o Payment amount per invoice agrees to the check register.
Select a sample of voided warrants and verify the following:
o Reason for void is documented with supervisor’s initials and date.
o Voided warrant is processed in the system.
o If voided warrant was reissued, trace to invoice and check register and agree information on
invoice to redeemed warrant/check register.
RETURNED MAIL
Internal Control Questions
1. Has every effort been made to determine why a piece of mail has been returned?
o Has the address been checked for accuracy?
o Has every database available been checked for a change of address? For example, a search in
the real estate or dog tag database may reveal a change.
2. If the mail is determined to be, in fact, undeliverable, is it returned to the department that presented
the voucher for payment?
3. Is there a pre-determined amount of time that returned mail (undeliverable) is kept in the records? For
example, a 1099 or a W-2 may be kept indefinitely.
TRAVEL-RELATED DISBURSEMENTS
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Are formally adopted, written internal policies and procedures established to control the utilization of
meals, coffee, and light refreshments at meetings and formal training sessions?
2. Are written procedures for travel and food consistent with the agency’s policies?
3. Is authorization of travel exercised through use of a Travel Authorization Form or other equally
effective means?
4. Is written approval of the agency head or designee obtained prior to authorizing direct billing to the
agency?
5. Does the agency permit individuals to be given travel allowances in advance? If so, is written
approval of the agency head or designee obtained first?
6. Prior to payment, is the agency copy of the Travel Authorization Form matched to the transportation
provider's copies, or to the employee’s credit card receipts (attached to the Travel Expense
Voucher)? (Monthly credit card statements do not provide sufficient detail.)
7. Are Travel Expense Vouchers signed by the employee and approved by the agency head or
authorized designee?
8. Are Travel Expense Vouchers reviewed for compliance with the agency’s travel policy (including
requirements over air travel, frequent flier miles, cancelled trips, etc.)?
9. Are persons who authorize commercial transportation prohibited from receiving tickets or using the
transportation?
Travel-Related Disbursements Testing Procedures
Objective: To ensure travel expenditures are authorized in advance, and are paid in accordance with
agency policy.
Select a sample of Travel Expense Vouchers and test for the following:
o Vouchers are signed by the employee and approved by a supervisor or other authorized
individual.
o Detailed receipts or other supporting documentation are attached to each Voucher, and validate
the expenditures.
o Expenditures are for a proper public purpose (Ohio Revised Code compliance) and constitute
valid business expenses (IRS regulations).
PROCUREMENT CARDS
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Does the County have a procurement card policy?
2. If the County does have a policy, does it include policies and procedures for using the procurement
card to acquire capital items and to pay for routine and non-operating purchases, contracts, and
business travel expenses (both local and out-of-town)?
3. Does an authorization list exist for each procurement card?
4. Have all employees who are authorized to use procurement cards been given a copy of the County’s
policy? Have they signed an acknowledgement form?
5. Is the employee using the procurement card authorized to do so?
6. Are purchase orders opened and funds encumbered before purchases are made using the
procurement card?
7. Is the purchase for an authorized product and/or service? If not, is action taken to follow up with the
card user?
8. Have limits been placed on single purchases or on total monthly purchases?
9. Is the purchase adequately supported by proper documentation?
10. Are receipts matched to monthly statements in a timely fashion?
11. Is each purchase properly coded for accounting?
12. Do procedures specify the method to be used in following up and resolving exceptions, such as
unmatched invoices, receivers, or errors?
13. Are 1099’s issued to the vendors that sold the goods or services (not to the bank issuing the card)?
14. Are adequate controls in place over unissued cards and cards that have been returned/collected?
15. Is there a procedure in place to immediately cancel the procurement card for employees who have
separated from County employment?
Procurement Cards Testing Procedures
Objective: To ensure the use of procurement cards complies with County policy, and the use of the
cards is not abused.
Select a sample of procurement card transactions and verify the following:
o A purchase order was in place before the purchase was made. If not, a “then and now”
certificate should have been obtained.
o The purchase complies with the County’s policy.
o Detailed receipts are attached.
o All charges listed on the monthly statement are supported by detailed receipts.
o The receipts support the expenditure as valid and proper.
o Sales tax has not been included in the charges.
o Mathematical accuracy was recalculated.
PAPERLESS PAYMENT PROCESSING
Internal Control Questions
See “How to Use This Manual” on page 7.
1. Does the County use paperless payment processing? Are electronic signatures utilized?
2. Does the software that supports the process allow for a summary of the claims and/or details about
the claims?
3. Does the electronic form contain the same information as the standard County hard copy voucher?
4. Are mathematical calculations done by the software?
5. Is the electronic voucher approved by an authorized individual?
6. Is the electronic voucher routed to an accounts payable clerk for audit and processing?
7. During voucher review, can the approver and/or the accounts payable clerk ask for supporting hard
copy documentation if online detail is not sufficient to determine the validity, the propriety and the
legitimacy of the claim?
8. Are there controls in place (e.g., computer passwords) to verify that the correct employee and/or
supervisor are submitting the electronic voucher?
Paperless Payment Processing Testing Procedures
Objective: To ensure checks and balances are in place over paperless payment processing.
Select a sample of electronic transactions and review for the following:
o The electronic form provides details of the purchase or service.
o The form is signed electronically by the employee.
o The voucher has been approved by an authorized individual.
o The voucher has been audited by an accounts payable clerk.
o A warrant was issued as payment for the voucher.
Appendix
GLOSSARY
Accounts Payable – Amounts owed to others for goods and services received and assets acquired.
Accounts Receivable – Amounts due from others for goods furnished and services rendered. These
amounts include taxes and fees due, reimbursements earned and refunds receivable.
Agency – Any office, board, commission, department or other entity within County government.
Assets – Any item of economic value owned by the agency. The item may be physical in nature
(tangible) or a right to ownership (intangible) that is expressed in terms of cost or some other value.
Control Environment – Various environmental factors that can influence the effectiveness of internal
accounting controls over agency functions.
Expenditures – Payments for goods and services received, contractual obligations and similar
transactions.
Internal Accounting Control – The system used by an agency to provide reasonable assurance that (1)
resources are protected from waste, loss, theft or misuse, (2) resources are acquired economically and
used cost-effectively, (3) resources are used in accordance with laws, regulations and internal policies
and procedures, and (4) financial information is reliable, verifiable and timely.
Reasonable Assurance – A satisfactory level of confidence that considers costs, benefits and risks.
Reasonable assurance recognizes that the cost of internal accounting control should not exceed the
benefit derived.
Revenues – Revenues represent the increase in assets (or decrease in liabilities) that results from
operations. Revenues primarily result from (1) services performed by the agency, (2) goods and other
tangible property delivered to purchasers, (3) taxes, (4) investment earnings, (5) fines, fees and
forfeitures, and (6) monies received from other governmental entities.
Risk Assessment – A review of the vulnerability of an agency or transaction cycle to the occurrence of
loss or unauthorized use of resources, errors in reports and information, illegal or unethical acts, and/or
adverse or unfavorable public opinion.
Segregation of Duties – Assigning roles and responsibilities so that no single employee has the ability to
initiate, approve and process financial transactions, thereby permitting errors, omissions or irregularities
to remain undetected.
Transaction Cycle – The route by which an event (transaction) flows from inception to final reporting.
Warrants – The official documents issued pursuant to the Ohio Revised Code that establish the amount
of money authorized to be withdrawn from the County Treasury.
County Auditors Association of Ohio
66 E. Lynn Street
Columbus, OH 43215
Telephone: (614) 228-2226
Fax: (614) 228-8901
www.caao.org