Windham School Board election tomorrow: Internal Financial Controls - another reason to vote for Ken Eyring - Granite Grok

Windham School Board election tomorrow: Internal Financial Controls – another reason to vote for Ken Eyring

…and not for the candidates that Al Letizio Jr. and Dennis Senibaldi want on as part of the “Good Ole’ Boys” clique.  One of the things that became obvious was the lack of financial controls in the Windham School Board system.  Imagine that – $43M budget and a whoop-de-do-anything-goes with transfers and, I guess, writing checks (hmmm, isn’t that a “deal”?).  Hey, with no one peering over the shoulders, “just trust us” seemed to be the watchwords of Al Letizio Jr and Dennis Senibaldi’s (and crew) School Board histories.

So, Ken, seeing the problem with an engineer and entrepreneur’s eye for detail,  had an Internal Controls audit done.  Well, 130 problems, later here was the result (reformatted to make it a bit more “bloggish”).  So, don’t you want someone that fixed a major problem?

Windham School District
Internal Control Review
December 20, 2016

Table of Contents

Page
Transmittal Letter                                           1

Internal Control Review Areas:
Entity-Level Controls                                     3
Anti-Fraud Controls                                       4
Governance                                                      5
Financial Reporting                                        7
General Ledger                                                8
Information Technology                                9
Budgeting                                                        11
Treasury Function                                         12
Purchasing and Vendor Disbursements   14
Payroll Cycle                                                   17
Departmental Receipts                                18
Student Activity Funds                                19
22
Fixed Asset and Equipment Tracking      24
Other Areas                                                    25

Addendum:

Addendum A – GFOA Best Practice         26
Addendum B – Anti-Fraud Controls Checklist     29
Addendum C – GFOA Best Practice         35
Addendum D – GFOA Best Practice         37
Addendum E – GFOA Best Practice         40
Addendum F – Elements of Governance Checklist 43
Addendum G – GFOA Best Practice         47
Addendum H – Procurement Policies Example
(Uniform Guidance Compliant)                 50

 

 

To the School Board
Windham School District
Windham, New Hampshire
We have concluded our engagement related to our internal control review for Windham School District (the District). This report reflects our findings and recommendations based on the procedures performed.

We have performed the following procedures enumerated in our engagement letter, which were agreed to by the Board of the Windham School District, solely to assist in determining if internal controls and procedures are established and functioning in a manner that provides reasonable assurance that the District and the Board are fulfilling their fiduciary responsibilities with respect to preventing and detecting fraud within reason, and that financial procedures are efficient and effective and in conformance with Board policies. The sufficiency of these procedures is solely the responsibility of the parties specified in this report. In performing our procedures, we relied on the cooperation of the management of Windham School District and the information provided by them, including the accuracy and reliability of such information. Consequently, we have not independently verified the information gathered or contained in this report. Our procedures did not constitute an examination, review, or compilation of the information provided. We make no representation regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose, and we express no level of assurance on them.

As part of our internal control review procedures, we performed the following:

  • Reviewed current staffing, including job descriptions, organizational charts, function assignments, and related policies and procedures in order to determine if internal controls and procedures are adequately established and functioning.
  • Observed and reviewed workflow processing and procedures.
  • Interviewed key employees and others within the District.
  • Compared the District’s internal controls and procedures to other districts of similar size and structure in order to determine if adequately established and functioning.
  • Assessed and tested key internal controls for effective design, implementation, and operating effectiveness.
  • Assessed staff roles and job functions with respect to internal controls.

We understand that the current administration has already addressed some of the recommendations in this report and is also in the process of addressing additional areas.

Due to the personal nature of certain information in this report, certain specific details have been intentionally omitted. This report is intended solely for the information and use of the Board and management of Windham School District and is not intended to be and should not be used by anyone other than these specified parties.

We appreciate the cooperation and diligence of the District staff who worked with us during the internal control review.

December 20, 2016

 

 

 

Entity-Level Controls

The Government Finance Officers Association (GFOA) recommends that governmental entities adopt the Committee of Sponsoring Organizations’ (COSO) Internal Control – Integrated Framework (ICIF) as the conceptual basis for designing, implementing, operating, and evaluating internal control. COSO’s ICIF has been recognized globally as a suitable framework on which management may develop an entity’s system of internal control. See Addendum A for GFOA best practices.

We recommend that the District apply the concepts of COSO’s ICIF in furthering its entity-level controls. COSO’s ICIF formalizes the fundamental concepts of internal control into 17 principles that are associated with 5 basic components of internal control, as follows:

Control Environment

1. Demonstrates commitment to integrity and ethical values.
2. Exercises oversight responsibility.
3. Establishes structure, authority, and responsibility.
4. Demonstrates commitment to competence.
5. Enforces accountability.

Risk Assessment

6. Specifies suitable objectives.
7. Identifies and analyzes risks to objectives.
8. Assesses fraud risk.
9. Identifies and analyzes significant change.

Control Activities

10. Selects and develops control activities.
11. Selects and develops general controls over technology.
12. Deploys control activities through policies and procedures.

Information & Communication

13. Uses relevant, quality information.
14. Communicates internally.
15. Communicates externally.

Monitoring Activities

16. Conducts ongoing evaluations of effectiveness of internal controls.
17. Evaluates and communicates deficiencies.

Specific recommendations related to entity-level controls are also included in the sections that follow.

Anti-Fraud Controls

We recommend that the District expand current anti-fraud programs and controls in order to prevent and detect potentially fraudulent activity. Below are some of the essential elements of an effective anti-fraud program and controls. These should apply to Board members, employees of the District, students (in some cases), as well as vendors. Addendum B includes a more detailed checklist that can be used to evaluate and identify elements and controls of an anti-fraud program that are designed to mitigate risks due to fraud.

  • Oversight by Those Charged with Governance (“Tone at the Top”) – An effective anti-fraud program should consider the oversight and involvement by those charged with governance (i.e., the Board or Audit Committee or equivalent).
  • Code of Conduct – The promotion of a culture of honesty, integrity and ethical behavior is essential to an effective anti-fraud program.
  • Complaint or Fraud Hotlines (e.g., Whistleblower Policy) – The Whistleblower Policy should be established to provide employees and outside third parties with a confidential and anonymous method of submitting concerns regarding matters related to financial issues and compliance with laws and regulations.
  • Awareness of the Code and Whistleblower Policy – The Whistleblower and Code should be sufficiently communicated throughout the District.
  • Assessing Fraud Risks – Fraud risks should be reviewed and evaluated regularly.
  • Management Oversight – Management has the primary responsibility for establishing, communicating, and monitoring programs and controls related to fraud.

The GFOA recommends that governments establish policies and procedures to encourage and facilitate the reporting of fraud or abuse. See Addendum C for GFOA best practices.

Governance

Governance relates to the interactions, responsibilities and oversight of the District by members of management and the Board, including the Audit Committee or equivalent. An effective system of governance should consider the composition of the Board and related committees, including the necessary skills of members, independence, and assessment of performance.

We recommend that additional entity-level controls related to governance be implemented. Controls should include the following control objectives:

  • Sound integrity and ethical values, particularly of top management that set the standard of conduct for financial reporting and internal control.
  • The governing body understands and exercises oversight responsibility related to financial reporting and related internal control.
  • Management’s philosophy and operating style support internal control objectives.
  • To address the risk of fraud, the District should maintain programs and controls that include; identifying and measuring fraud risks, taking steps to mitigate identified risks, and implementing and monitoring appropriate preventive and detective internal controls and other deterrent measures.
  • A process that is designed and implemented to identify, account for, and disclose related-party relationships.
  • A process that is designed and implemented to authorize and approve significant transactions and arrangements outside the normal course of operations.
  • All personnel, particularly those in roles affecting financial reporting, receive a clear message from top management related to internal control over financial reporting.
  • The District’s personnel have an effective method to communicate significant information upstream to the governing body, particularly when it relates to override of internal control and potential fraud.

We also recommend the following:

  • Expanding the roles and responsibilities of the Finance Committee to also serve as an Audit Committee. See Addendum D for GFOA best practices.
  • Creating a comprehensive risk management program. See Addendum E for GFOA best practices.
  • Requiring Board members, employees of the District, as well as vendors to complete a written conflict of interest statement at least annually, or more frequently if there are any changes in events.
  • Requiring approval by the Board of any non-District sponsored activity, camp, event, training, etc. being conducted on District property by any Board or committee member, District employee, or outside vendor.
  • Requiring Board approval of the use of the District’s name or logo by any non District sponsored activity.
  • Enhancing certain District policies and procedures. We recommend that the District consult the GFOA, NHMA, NSBA, and other state and national professional organizations for templates with example language. The following are some of the areas that should be improved and/or addressed:
    • Anti-fraud.
    • Code of conduct.
    • Whistleblower.
    • Conflict of interest.
    • Financial policies.
    • Accounting policies and procedures.
    • Information technology controls.
    • Budgeting.
    • Treasury.
    • Purchasing.
    • Grants management.
    • Business continuity and disaster recovery.
    • Gift acceptance, acknowledgement, and accounting.
  • Developing written “best practices” for Board and committee meetings, including communication of goals/guidelines at the beginning of each meeting, time limitations, required structure/format of meetings, and rules of order. Materials and information should be required to be provided in advance, allowing for ample time for review.
  • Training in best practices for highly effective Boards. There are professional organizations such as NSBA that can be used as resources, as well as many publications directed at effective Boards.
  • Developing a high-level strategic plan that ties performance to dollars.

The checklist in Addendum F provides points to consider in evaluating the effectiveness of the District’s governance at the entity level.

We understand that the current administration is already in the process of addressing some of these recommendations.

 

Financial Reporting

During our internal control review, we reviewed a quarterly reporting package (Q2 fiscal year 2016) that was provided by the Director of Business, Finance, and Operations to the Superintendent. The report was comprised of the following:

  • A one-page executive summary and overview, followed by a one-page projected surplus summary by object code (expenditures only).
  • A one-page expanded summary of projected surplus by object code.
  • Detailed quarterly expense report from the accounting system by line item showing the original budget, budget adjustments, adjusted budget, quarterly and year to date expenditures, encumbrances, and budget balance for the general fund.

Recommendations

We recommend that improvements be made to financial reporting. Specifically, we recommend that the following information be included in the reporting package and that this information be provided to the Superintendent and the Board or Finance Committee (in advance of the meeting) each month:

  • A one-page budget versus actual summary of general fund revenues and expenditures prepared in Excel with comments/notes.
  • A detailed (by general ledger line item) budget versus actual report generated directly from the general ledger software that agrees to the summarized budget versus actual report, including the original budget, adjustments, adjusted budget, current revenues and expenditures year-to-date, budget balance, encumbrances.
  • A summarized balance sheet with totals for the general fund, grants, food services, revolving funds, trust funds.
  • A summarized income statement showing totals for the general fund, grants, food services, revolving funds, trust funds.
  • A cash flow report for the month, including cash flow projection. Beginning cash should agree to the prior month balance sheet total and ending cash to the current month balance sheet total.
  • A cash summary or “Treasurer’s” report containing a detailed list of bank accounts including the name of the bank, the account number, the corresponding general ledger number, and the reconciled cash balance. All bank accounts using the District’s federal tax identification number should be included. Accounts should be grouped to indicate which funds they relate to and be reconciled to the general ledger cash balances.
  • Summary of line item budget transfers made during the month with brief explanations.

 

General Ledger

During our internal control review, we reviewed the District’s processes and controls with respect to the general ledger. As a result of our inquiry of District personnel, observation and review of supporting documentation, and walkthroughs of processes, we noted the following:

Chart of Accounts
We reviewed the District’s chart of accounts for compliance with the New Hampshire Financial Accounting Handbook (“Handbook”). Although several object codes utilized by the District are not specifically listed in the Handbook, they are consistent with the Handbook’s categorization methodology. Our review of the fiscal year 2016 general ledger did not note any “0000” function or “000” object codes.

Categorization of Expenditures
The District does not categorize employee benefits such as health, dental, disability, and retirement by function and instead includes them all under “Other Support Services”. In fiscal year 2016 and prior years, total costs for this expenditure category were in excess of $10 million. As a result, other functional categories do not adequately reflect actual expenditures. In order to improve financial reporting, we recommend that in fiscal year 2018 these costs be charged to the related functions and locations.

Journal Entries
Based on testing and review of supporting documentation for adjusting journal entries, we noted an effectively designed and operating process for journal entries. Our review of fiscal year 2016 adjusting entries noted a relatively small number (131), which reduces the risk that other properly functioning controls were circumvented with journal entries.

Fund Balance Transfers
Fund balance transfers (between funds) should either be authorized as part of a school district warrant or voted by the Board.

Accounting System Access
Based on our review of user roles in the accounting software, we noted multiple individuals with full access to all accounting modules. For certain individuals, this creates a lack of segregation of duties. We recommend that user roles be limited to specific modules related to individual job responsibilities, and that only the Security Administrator have full access and the ability to change roles (upon direction from the Business Administrator).

We understand that the current administration is already in the process of addressing several of these recommendations.

 

General Controls for Information Technology
(Related to Financial Reporting)

We recommend that additional entity-level controls related to information technology (IT) be implemented. Within the following control objectives, we recommend documenting:

  • An IT strategic planning and risk management process in place to support its financial reporting requirements –
    • All outside service providers are evaluated to determine those who provide material financial services that may impact controls.
  • Maintaining reliable systems that include appropriate data backup and recovery processes –
    • Batch processing is controlled and monitored to ensure proper completion.
    • Appropriate environmental controls (such as fire/smoke detection, temperature controls, and alternate power supply) exist to ensure the security and reliability of equipment. (We understand this is currently in progress.)
    • A process exists to ensure that systems incidents, problems, and errors are reported, analyzed, and resolved in a timely manner.
  • Physical security and access to programs and data are appropriately controlled to prevent unauthorized use, disclosure, modification, damage, or loss of data –
    • An information security policy exists that defines information security objectives. This policy is supported by documents, standards, and procedures where necessary.
    • Physical access to file/communication servers, off-line data areas, and other sensitive areas is appropriately restricted to authorized personnel. Access is reviewed for appropriateness on a periodic basis.
  • Program changes and systems acquisition and development are appropriately managed to ensure that the application software adequately supports financial reporting objectives.
    • Formalized change management policies and procedures, including policies and procedures related to emergency changes, exist and are updated as necessary.
    • A formal change management policy documents the minimum requirements for program changes and system acquisition and development on an entity-wide basis.

 

Budgeting

During our internal control review, we reviewed certain components of the budget process, as well as budget reporting, and noted the following:

  • There were an inordinate number of budget entries for line item transfers noted during fiscal years 2014, 2015, and 2016. The large number of budget transfers suggests that the District does not adhere to spending as laid out by the approved budget; rather, the budget is manipulated to correspond to spending. “Best practices” is to have fewer line item budget transfers.
  • A written process for initiating and approving line item budget transfers should be implemented. This process should include documentation requirements, as well as an “authorization matrix” that indicates which individuals or positions have the authority to initiate and approve line item transfers and other budget changes in the accounting system.
  • Comparison of budget versus actual expenditures noted a large number of significant variances that may be indicative of poor budgeting.
  • In order to improve the accuracy of budgeting, we recommend that the District improve budgeting methodology by substantiating (and documenting) each line item with specific, identifiable costs. Further, we recommend that a process that links specific costs with the District’s long-range educational goals and objectives be developed.
  • Consideration should be given to incorporating performance measurement into the budget process. See GFOA website for further details.
  • Budgeted transfers to reserve funds should be reported as transfers, not expenditures on the MS-22.

The GFOA has developed a series of best practices in school district budgeting. See Addendum G.

We understand that the current administration is already in the process of addressing some of these recommendations. Specifically, significant changes to the budget development process were implemented in the fall of 2016, and it is expected that further improvements will occur in subsequent years with a change in budget methodology that connects specific costs with long-range educational objectives.

 

Treasury Function

During our internal control review, we reviewed the District’s processes and controls with respect to the treasury cycle. The following issues related to the treasury function were noted:

We noted that the Business Administrator is an authorized signer on several of the District’s bank accounts, and has the ability to make transfers, withdrawals, and wire payments. We also noted other individuals with full access to accounting systems that can process checks with the Treasurer’s signature. Since these individuals have full access to the accounting system and are also responsible for overseeing the accounting system, financial reporting, the approval of purchase orders and certain disbursements, preparation of disbursements and journal entries, a lack of segregation of duties exists with respect to these functions. This creates a situation where errors or irregularities could occur and go undetected within a timely manner.

We recommend that the District review the responsibilities of the treasury function, and restrict individuals that are involved in receipts, disbursements, and accounting functions from access to District bank accounts, including the ability to make wire transfers and electronic payments. These individuals should also not have the ability to process checks with the Treasurer’s signature. The responsibilities of the Treasurer position should include control over the District’s cash accounts (all accounts using the Districts federal tax identification number, including Student Activity Fund agency accounts and PayPal), signing checks (or control over electronic signature), performing bank transfers and withdrawals, and reviewing and approving monthly bank reconciliations to general ledger cash balances. Ideally, the Treasurer should be an individual that is not involved in the operations or governance of the District.

In addition, the District’s PayPal account should be treated as a District cash account and access to it should be limited to the District Treasurer (Note – Read only access to other individuals is acceptable). The Treasurer should also be a signer on student activity funds (agency accounts). Further, we noted the use of a “Petty Cash” bank account prior to June 30, 2016 which the Treasurer was not authorized on (Business Administrator and Administrative Assistant authorized on).

We recommend that dual signatures be considered for checks over a certain dollar amount and that the Treasurer position be bonded. Changes to banking access should be restricted to the District Treasurer (upon approval by the Board) who is responsible for custody of District funds. Banks within a reasonable distance of the District should be contacted at least annually for the existence of bank accounts in the District’s name or similarly to the District’s. We also recommend that the District develop and implement formal cash manage ment policies and procedures.

In summary, improvements are needed with respect to strengthening treasury functions so that it serves as effective internal control, reducing risk to the District. In order to implement a sufficient segregation of duties in the treasury function, it may be necessary to add an Assistant Treasurer who is not involved in the operations or governance of the District. A “job description” detailing the specific responsibilities and duties of these positions should also be created, as well as a monthly “checklist” of procedures to be performed.

 

Purchasing and Vendor Disbursements

During our internal control review, we reviewed the District’s processes and controls with respect to purchasing and vendor disbursements, as follows:

  • The control objective.
  • A description of what could go wrong.
  • A description of the identified key controls that exist.
  • An assessment of whether the identified key controls are designed effectively.
  • An assessment of whether the identified key controls are implemented.
  • A description of the control deficiency if the identified key controls are not designed effectively or implemented properly.

Recommendations

The following recommendations relate to the control issues identified from walkthroughs, review of documentation, and specific issues identified during testing:

Specific Issues

  • As the use of credit cards can be a means of circumventing controls, we recommend that they be reduced and limited to certain individuals for use in specific circumstances. In fiscal year 2016, we noted an excessive use of credit cards with over a dozen individuals having District credit cards, with approximately $183,000 in charges incurred.
  • We noted instances where individuals approved charges to their own credit cards. Credit card charges should require approval by another authorized individual.
  • Controls over use of credit card points should be implemented.
  • We noted instances of District funds being used for retirement parties and gifts. District funds should not be used for these purposes.
  • District funds should not be used to personalize District-owned equipment. We noted an instance where an iPad was engraved with WHS
  • Special Services – Reading Specialist.
  • District purchases should not be delivered to home addresses.
  • The purchase of gift cards and ITunes cards should be prohibited due to the lack of controls over these items.
  • District payments to Student Activity Funds should be avoided. Instead of providing funds for disbursements out of student activity funds (where there are less effective internal controls), large purchases should be made out of the District’s bank account, with reimbursement from the related activity fund.
  • Reimbursed expenses and purchases should require prior approval. We noted several instances where the purchase order and approval were made after the purchase was made.
  • Employee-specific tuition reimbursement arrangements (outside of regular professional development) should be authorized in the employee’s contract and included as supporting documentation for the reimbursement, along with the related invoice/bill, and proper documented approval. Changes should require re-approval.
  • Although expense allowances are not provided to District employees, the District should develop and implement a written IRS-compliant “accountable plan” for expenses paid on behalf of or reimbursed to employees.
  • Care should be taken to ensure that goods and services are recorded to the proper expenditure line item and as expenditures in the accounting period received. We noted several instances where expenditures were charged to incorrect line items, as well as the incorrect fiscal year.

Process Recommendations

  • In order to improve controls over disbursements, changes to vendor files should be prohibited for individuals that process accounts payable or improvements to existing mitigating controls should be made. Specifically, we understand that as a mitigating control there is an independent review of changes made; however, it is not documented or consistently performed. We recommend that this oversight/mitigating control become part of monthly closing procedures.
  • The written process for initiating and approving requisitions, purchase orders, and approval to pay should be improved. This process should include more specific documentation requirements related to procurement, as well as an “authorization matrix” that indicates which individuals or positions have the authority to initiate and approve.
  • The District’s practice is to use approved purchase orders as approval to pay bills and invoices. As a result, the receipt of purchased goods and services, as well as specific invoice/bill approval, is not well documented. We noted instances where there were approved purchase orders to support disbursements; however, the approving individual was not the department head responsible for the particular budget line item.
  • Specifically, we noted instances where the Business Administrator, Lead Accountant, and Administrative and Executive Assistants approved certain disbursements outside of their areas of responsibility. We recommend that individual invoices and receipts with proper documented approval (see previous bullet “authorization matrix”) be provided prior to accounts payable processing and inclusion on the manifest.
  • We recommend that the electronic date stamping feature in the accounting software be utilized to better document the purchasing and disbursement approval processes.
  • We recommend additional training to department heads be provided and that communication of District policies and procedures with respect to purchasing and related procedures be improved.

Procurement Recommendations

  • Centralized purchasing for certain items should be considered in order to better utilize District funds.
  • Procurements requiring Board approval should be provided in advance of Board meetings. Board approval should be documented in the minutes of the meeting and a copy of the minutes kept on file along with related invoices, bills, and documented bids/quotes, in order to support compliance with District policy.
  • Changes to procurements previously approved by the Board should be required to be re-approved by the Board. Board approval should be documented in the minutes of the meeting and a copy of the minutes kept on file along with related invoices, bills, and documented bids/quotes, in order to support compliance with District policy.
  • In order to provide clarity to purchasing requirements, the District may want to consider changing Bidding Policy DJE, as follows:
    • To change the title of the policy from “Bidding Requirements” to “Procurement Requirements”.
    • To remove wording, “when feasible” for procurements of $50,000 or more.
    • To remove wording, “when possible”, for procurements in excess of $5,000 but less than $50,000.
    • To require specific documentation to support compliance with District policy, including written documentation for “sole source” items, written documentation for exceptions to procurement requirements, and documented approvals by authorized individuals.
    • To document who has the authority to contract on behalf of the District.
    • To include the requirements of OMB’s Uniform Guidance for expenditure of federal funds. See Addendum H example wording.

We understand that the current administration is already in the process of addressing some of these recommendations.

Payroll Cycle

During our internal control review, we reviewed the District’s processes and controls with respect to the payroll cycle through inquiry of District personnel, observation, review of supporting documentation, and walkthroughs of the processes, as follows:

  • The control objective.
  • A description of what could go wrong.
  • A description of the identified key controls that exist.
  • An assessment of whether the identified key controls are designed effectively.
  • An assessment of whether the identified key controls are implemented.
  • A description of the control deficiency if the identified key controls are not designed effectively or implemented properly.

Recommendations

The following recommendations relate to the control deficiencies identified from walkthroughs and specific issues identified during testing:

  • In order to improve controls over disbursements, changes to payroll files should be prohibited for individuals that process payroll or improvements to existing mitigating controls should be made. Specifically, we understand that there is an independent review of changes made; however, it is not documented or consistently performed. We recommend that this oversight/ mitigating control become part of monthly closing procedures.
  • We recommend that final payout calculations include documented review and approval by an authorized individual that is not involved in processing payroll.

We understand that the current administration is already in the process of addressing some of these recommendations.

 

Departmental Receipts

During our internal control review, we reviewed the District’s processes and controls with respect to departmental receipts. The primary areas where receipts are collected include student activity funds (see Student Activity Funds), food service, facilities rentals, summer programs, and preschool tuition.

Recommendations

We recommend that the following improvements be implemented:

  • Even though certain mitigating controls exist with respect to food service receipts, additional controls should be implemented to compensate for the lack of segregation of duties in cash out procedures. Documented verifications for each phase of the receipts process should be required.
  • Detailed register reports should be reconciled to bank deposits and to the general ledger by an individual that is not involved in the food service receipts process.
  • There is a lack of segregation of duties with respect to facilities rentals, summer programs, and preschool tuition receipts as the same individual that is involved in billing is also collecting the payments. We recommend that collection of receipts be centralized at the District office in order to reduce risk in this area.
  • We recommend that written procedures for receipts be developed, implemented, and monitored by an individual that is not involved in the receipts process.
  • Service Organization Control reports (“SOC”) for food service receipts and Medicaid billing were unable to be obtained. We recommend that the District evaluate the potential risk of using a service provider that does not have a SOC audit. A SOC report is important because it is a report on the provider’s system of internal controls.

We understand that the current administration is already in the process of addressing some of these recommendations.

 

Student Activity Funds

During our internal control review, we reviewed the District’s processes and controls with respect to student activity funds at the Golden Brook School, Windham Center School, Windham Middle School, and Windham High School.

Recommendations

The most significant issues related to student activity funds related to ineligible accounts being maintained, including separate bank accounts for “Principal’s Accounts”.

We also recommend that the following issues related to internal controls over student activity funds be addressed:

Improve Policies and Procedures for Student Activity Funds

Although a Board policy related to student activity funds exists, it should be expanded to include or make reference to specific procedures for the establishment, governance, day-to-day operation, and monitoring of student activity funds, similar to those identified in the Student Activity Fund Handbook, dated October 2014.

Review Individual Student Activity Funds

Student activity accounts should only be maintained for activities where funds are raised by students and expended by those students for their benefit. We recommend the following:

  • Each activity’s revenue sources and uses be reviewed and evaluated in order to determine compliance with these guidelines.
  • Certain activities not meeting the criteria, although related to students, should be accounted for in the District’s general ledger or handled by outside organizations such as the PTA.
  • Separate principal’s accounts are not student activities and should be prohibited.
  • Business Office authorization should be required for each new fund, and all funds should be reviewed and approved annually.
  • Inactive funds should be reviewed and closed upon authorization of the Board.
  • Deficit fund balances should be prohibited.
  • Gifts should not be accounted for in student activity accounts. These should be accepted by the Board and accounted for in the District’s general ledger.

Improve the Segregation of Duties

There should be a segregation of duties between custody, record keeping, deposits/receipts, and disbursement of student activity funds. We noted the following issues during our review of student activity funds:

  • Several instances where individuals were responsible for record keeping and also authorized signers on bank accounts.
  • Several individuals with check signing authority that were also activity fund advisors.
  • New bank accounts and signers on bank accounts should be provided to the Board at least annually.

Provide Ongoing Training

All individuals involved with processing, recording, and overseeing student activity fund transactions should be provided ongoing training to ensure the required level of skills are maintained.

Perform Ongoing Internal Monitoring

We understand that certain monitoring procedures are performed periodically by an individual that is not involved in student activity funds. We recommend that this monitoring be documented and include communication of issues identified, as well as corrective action requirements.

Improve Reconciliation and Reporting Procedures

Monthly bank reconciliations should be signed off by both the preparer and the reviewer and reconciled to the total of individual fund balances. Further, detailed activity reports showing receipts, disbursements, and fund balances should be provided to each fund advisor monthly for review and approval. This review should be documented and be included as a step in the internal monitoring process.

Improve Controls over Receipts

We recommend that pre-numbered forms be required for all receipts that are turned over for deposit, and that both the individual receiving and turning over receipts be required to sign. In addition, the forms should include an area for both cash and checks. A copy of the form should be maintained by the activity fund bookkeeper along with copies of checks attached, and by the fund advisor. As part of the internal monitoring process, all pre-numbered receipts should be accounted for in the accounting records and reviewed by someone that is independent of student activity funds.

Specific procedures and standardized forms for accounting for receipts related to the following should be implemented:

  • Ticketed events – accounting for all pre-numbered tickets using a standardized form.
  • Cash events – two individuals present at all times and required to sign off on amounts collected using a standardized form.
  • Attendance logs – reconciling the logs to the amount collected and turned over for deposit.
  • Field trips – standardized field trip cost calculation form should be required to prepared and approved. A statement of financial accountability should be required at the conclusion of the trip showing the costs incurred, amounts charged, and calculation of over/under for the trip.

Improve Controls over Disbursements

Although established procedures exist with respect to student activity funds, we noted that they were not always consistently followed. Specifically, we noted several instances where there was not documented approval by the activity fund advisor. Compliance with established procedures should be included as a step in the internal monitoring process. We also recommend the following:

  • All written contracts such as travel arrangements, busing, etc. required to be reviewed, approved, and executed by the Business Office. District staff at the school level should be prohibited from contracting on behalf of the District.
  • Large disbursements required to be paid by the District (reimbursed by the activity fund).
  • Competitive bidding/quotes required consistent with the District’s procurement policies.
  • Checks written to “cash” and cash advances prohibited.
  • All checks, including voids, accounted for in the accounting records and reviewed as part of the independent monitoring process.

We understand that the current administration has already addressed some of the above recommendations and is currently in the process of addressing additional areas. In October 2016, training was also provided to staff.

 

Grant Accounting

The requirements of 2 CFR Chapter II, Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (UG) are effective for fiscal year 2016 grants. In order to be in compliance with the requirements of UG, the District will need to implement the following:

  • General Provisions – Includes conflict of interest requirements and mandatory disclosures to awarding agencies of fraud and other violations (section 200.100).
  • Pre-Federal Award Requirements and Contents of Federal Awards – Grant application process (section 200.200).
  • Post-Federal Award Requirements
    • Financial and program management –
      • Written cash management procedures required (section 200.302).
      • Written procedures for determining allowable costs required (section 200.302).
      • Written travel policy required (section 200.474).
      • Internal controls that comply with COSO’s “Internal Control Integrated Framework” (section 200.303).
    • Property standards – equipment (section 200.313) –
      • Property records maintained that include description, serial/identification number, source of funding, acquisition date, cost, location, and ultimate disposition data.
      • Physical inventory required every two years and reconciled to property records.
      • Control system to safeguard from loss, damage, theft.
    • Procurement (section 200.320) –
      • Written procurement procedures that comply with UG procurement standards required (must be specific to your organization).
      • Written standards of conduct covering conflicts of interest required.
      • Written process for conducting proposal evaluations required.
      • Maintenance of certain records to detail the history of procurement.
      • Oversight to ensure contractors perform in accordance with terms.
    • Performance and financial monitoring and reporting.
    • Subrecipient monitoring and management (section 200.330) – Written policies and procedures required for the following:
      • Communication of award requirements.
      • Responsibilities for monitoring subrecipients.
      • Process for monitoring.
      • Methodology for resolving findings.
      • Requirements for audits.
    • Cost Principles – Includes changes related to indirect costs, compensation, conferences, employee health and welfare costs, equipment and capital expenditures. UG has 55 specific items of cost (section 200.420 – 200.475).

 

Fixed Asset and Equipment Tracking

Capital assets of $5,000 or more are currently tracked as part of the District’s fixed asset and depreciation schedule. Our review of the inventory listing indicated inconsistent capitalization. Specifically, some individual assets under the $5,000 threshold appear to have been grouped, whereas others were not. We recommend that the District develop and implement a fixed asset capitalization policy to define the requirements. We also recommend that a fixed asset inventory (including the tagging of assets) be conducted at least every two years and that the current listing be reviewed and adjusted as needed for individual assets and disposals.*

With respect to equipment under the $5,000 capitalization threshold (primarily technology equipment), we found the lack of an accurate inventory and tracking system. Due to the large dollar amounts expended each year related to technology equipment, we recommend that a District-wide inventory be performed including tagging of individual items and creating a comprehensive list that identifies the location (or assigned individual for portable items) of each item. At least annually, an inventory of all items should be performed.

* Note – There are more stringent requirements for fixed assets purchased with certain State grant funds.

We understand that the current administration is already in the process of addressing some of these recommendations.

 

Other Areas

During our interviews with District staff and certain members of the Board, other areas of concern were raised. Although outside the scope of an internal control review, the District may want to pursue these areas further in separate engagements. Below is a list of the areas:

  • Compliance with voted and failed articles prior to fiscal year 2016.
  • Controls over the use of and accounting for professional development funds.
  • Operational audit. An operational audit is an independent, systematic review of effectiveness, efficiency and economy of operations.
  • A review of specific procurements for compliance with District policies.
  • A review of specific contracts for compliance with District policies.

 

Addendum A – GFOA Best Practice

BEST PRACTICE

Framework for Internal Control: The Control Environment

BACKGROUND:

In its Establishing a Comprehensive Framework for Internal Control (Framework) best practice, GFOA recommended that state, provincial, and local governments adopt the Committee of Sponsoring Organizations’ (COSO) Internal Control—Integrated Framework (2013) as their conceptual basis for designing, implementing, operating, and evaluating internal control so as to provide reasonable assurance that they are achieving their operational, reporting, and compliance objectives. To support governments’ efforts in this area, GFOA is developing best practices that explain how to implement each of the five components of that framework. This best practice focuses on the first of those five components, the control environment, which the COSO has defined as a set of standards, processes, and structures that provide the basis for carrying out internal control.

RECOMMENDATION:

GFOA recommends that governments do all of the following to establish a strong internal control environment:

1. The governing body,1 upper level management, and all levels of staff throughout the organization should demonstrate a commitment to the framework, as follows: Officially adopt the framework (governing body);
1. Adopt a policy to incorporate the implementation, maintenance, and updating of the framework into the government’s strategic goals (governing body);
2. Develop standards of conduct for employees and provide training on those standards;
3. Require management and employees to sign a statement that they will follow the standards of conduct and to reaffirm that commitment periodically; and
4. Include compliance with standards of conduct as part of employee evaluations to ensure accountability.

2. The governing body should assume responsibility for overseeing internal control by: Actively overseeing management’s development and implementation of the framework;

1. Actively monitoring the performance of the framework;
2. Obtaining training about the nature and purpose of internal control sufficient to allow members of the governing body to meaningfully perform their oversight function with the assistance of an expert;
3. Obtaining expert advice, independent of management, to help it perform its oversight function if no member of the audit committee possesses that expertise;
4. Establishing an audit committee made up of members of the governing body;
5. Documenting that it has reviewed the framework and its updates;
6. Approving significant control-related policies; and
7. Determining how often policies and procedures need to be reviewed, reaffirmed, and updated.

3. Management should develop organizational structures and ensure staff accountability by creating a formal organizational chart for both the government as a whole and for each of its departments;
1. Requiring written procedures for important government processes (for example, payroll);
2. Developing flowcharts of each significant process;
3. Maintaining electronic copies of process flowcharts to facilitate updating;
4. Identifying responsibilities for workflow approvals in their systems; and
5. Making sure systems incorporate compensating controls.

4. Governments should commit to attracting and retaining competent employees by: Developing comprehensive job descriptions;

1. Ensuring that hiring panels include experts in the desired skill sets;
2. Providing opportunities for employees to gain continuing professional education to stay current in their field;
3. Encouraging membership in professional organizations to develop networking;
4. Supporting the development of succession planning;
5. Cross-training staff;
6. Thoroughly documenting the responsibilities of each position and appropriate processes for succession planning;
7. Providing managerial training, in addition to technical training, for staff members who will be promoted;
8. Requiring that supervisors give staff members hands-on training on key responsibilities; and
9. Developing an ongoing mentoring program to enhance employees’ skills.

5. Governments should hold individuals accountable for their internal control responsibilities by preparing comprehensive, fact-based performance appraisals;

1. Providing performance appraisals on a timely basis;
2. Taking disciplinary action if conduct is not consistent with expected performance;
3. Including internal control goals as part of employee performance reviews;
4. Identifying zero-tolerance policies (e.g., theft) and adhering to them; and
5. Ensuring that union agreements clearly delineate responsibilities up front.

Notes:

1. If the governing body is elected, rather than appointed, the term governing body would apply to both members of the governing body and the elected officials to whom they report.
203 N. LaSalle Street – Suite 2700 | Chicago, IL 60601-1210 | Phone: (312) 977-9700 – Fax: (312) 977-4806

 

Addendum B – Anti-Fraud Controls Checklist

The items below can be used to evaluate and identify elements and controls of an anti-fraud program that are designed to mitigate risks due to fraud. Although the checklist is not meant to be all inclusive, the list should help establish the essential elements of an effective anti-fraud program and controls.

Oversight by Those Charged with Governance (“Tone at the Top”)

An effective anti-fraud program should consider the oversight and involvement by those charged with governance (i.e., the Board and Audit Committee or equivalent).

1. Do those charged with governance take responsibility for and actively participate in the review of management’s anti-fraud programs and controls?
2. Have those charged with governance established and communicated the Code of Conduct or equivalent (“Code”)?

3. Do those charged with governance oversee the Code and alerts received via complaint or fraud hotlines, including receiving complaints directly or from an individual(s) independent of management?

4. Do those charged with governance demonstrate independence in their oversight of the development and performance of internal control?
5. Do those charged with governance receive periodic updates and reports regarding the status or disposition of fraud activity?
6. Do those charged with governance retain documentation of the treatment of complaints received related to accusations of fraud?
7. Do those charged with governance oversee the response and disposition of reported or alleged incidents of fraud and other issues raised by employees or third parties?

8. Do those charged with governance discuss the effectiveness of internal controls with management and the external auditors, including oversight of any significant deficiency or material weakness, remediation efforts, and significant changes in the entity’s internal controls?

9. Do those charged with governance communicate with the external auditor and seek their opinion and views on the entity’s anti-fraud program and controls?
10. Do those charged with governance communicate with the external auditor regarding its perception of the entity’s fraud risks?

11. Do those charged with governance communicate any fraud matters identified through complaint or fraud hotlines or through other means, whether or not material, to the external auditor?

12. Do those charged with governance take responsibility for establishing, reviewing, approving and updating the complaint or fraud reporting program and Code including ensuring that complaints received are confidential and can be submitted anonymously?

13. Do those charged with governance ensure that external parties, such as vendors, have access to the entity’s complaint hotlines?
14. Do those charged with governance promote and encourage the internal monitoring function to express any concerns about management’s commitment to internal controls or suspicions of fraud?

15. Do those charged with governance hold private sessions with the external auditors to discuss matters, allegations, suspicions, resolutions of fraud related issues, and the risk of overriding controls by management?

16. Do those charged with governance have the authority and ability to independently conduct investigations into any fraud allegations or suspicions including the ability to utilize outside resources (i.e. legal, fraud investigators, etc.)?

17. Do those charged with governance consider fraud risks in the external audit plan, including the risk of management override of controls or inappropriate influence over the financial reporting process?

18. Do those charged with governance communicate with the external auditors regarding their evaluation of the effectiveness of the entity’s complaint or fraud reporting program?

19. Do those charged with governance communicate with the external auditor regarding their evaluation of the effectiveness of internal identification of addressing fraud risks?

20. Do those charged with governance review management’s treatment of significant estimates and non-routine transactions?

Code of Conduct

The promotion of a culture of honesty, integrity and ethical behavior is essential to an effective anti-fraud program.

1. Does a written Code exist and does it apply to all employees and individuals (internally and externally) who are in a position to influence the financial statements or compliance with laws and regulations, and is the Code applied throughout the entity?

2. Is the Code designed to prevent and detect violations of law including addressing issues such as: (a) conflicts of interest, (b) compliance with applicable governmental laws, rules and regulations, (c) illegal acts, (d) proper record keeping, (e) confidentiality, (f) payments to government personnel, (g) waivers of the Code, (h) prompt reporting of illegal or unethical behavior, (i) guidance to individuals on how to address issues, (j) accountability for adherence to the Code and (k) definition and description of what constitutes unethical and fraudulent behavior?

3. Is the Code in accordance with rules established by applicable regulators (e.g., DOL etc.), including disclosures that the entity has adopted a Code and that it applies to the appropriate people?

4. Does the entity frequently review and update the Code (the Code should be reviewed on at least an annual basis)?

5. Does the Code apply and is it made available (i.e. through the entity’s website, intranet, contracts, etc.) to third parties (vendors, banks, etc.)?
6. Is the Code reviewed and approved by those charged with governance?
7. Do those charged with governance evaluate management and employee adherence to the Code and are deviations from the Code addressed in a timely manner?

Complaint or Fraud Hotlines (e.g., Whistleblower Policy)

The Whistleblower policy should be established to provide employees and outside third parties with a confidential and anonymous method of submitting concerns regarding matters related to financial and compliance with laws and regulations.

1. Does the Whistleblower Policy address fraud or deliberate error in the recording and maintaining of financial records of the entity?

2. Does the Whistleblower Policy address fraud or deliberate error in the preparation, evaluation, review or audit of the financial statements of the entity?
3. Does the Whistleblower Policy address deficiencies in or noncompliance with the entity’s internal accounting controls including management’s override of controls?
4. Does the Whistleblower Policy address matters related to misrepresentations or false statements made by the entity contained in financial reports, records or audit reports?

5. Does the Whistleblower Policy address noncompliance with laws and regulations?

6. Does the Whistleblower Policy describe how issues can be communicated to the entity including anonymously?

7. Does the Whistleblower Policy address how advice can be obtained before making decisions that may have ethical implications?
8. Does the Whistleblower Policy address how the program operates independently from management (e.g., a neutral party)?

Awareness of the Code and Whistleblower Policy

The entity’s Whistleblower and Code should be sufficiently communicated throughout the organization.

1. Are those subject to the Code required to annually review and confirm that they have read and complied with the Code?

2. Are new employees required to read and sign the Code and Whistleblower policy before beginning work?

3. Is training provided to employees on ethical conduct and the entity’s Whistleblower policy and Code including emphasizing the employee’s obligation to report actual or suspected fraud?

4. Does the entity maintain evidence of employee receipt and confirmation of reading the Code and Whistleblower policy?

5. Does the entity promote the Code including promoting the entity’s commitment to respond to matters reported through internal communication of the anti-fraud program (i.e. entity website, intranet, email, posters, training, employee hand book, etc.)?

6. Are methods whereby employees can raise questions and concerns about the entity’s Code and Whistleblower policy promoted throughout the entity?

Assessing Fraud Risks

1. Does the entity consider the potential for fraud in assessing risks to the achievement of objectives?

2. When assessing risks of fraud, does management consider various types of fraud that may occur?

3. When assessing risks of fraud, does management assess incentives and pressures; opportunity for fraudulent behavior; and attitudes and rationalizations?
4. Does management take the primary responsibility for establishing and monitoring controls and programs related to fraud?

5. Does management identify the risks of fraud throughout the entity including risks related to the environment the entity is in, technology risks, potential fraud schemes and fraud risks related to financial reporting, misappropriation of assets, unauthorized or improper receipts and expenditures?
6. Does management consider the likelihood of the occurrence and impact of fraud risks identified and the linking of risks to controls that are designed to address the identified fraud risks?

7. Does management periodically update fraud risks previously identified including consideration of new fraud risks?

8. Does management ensure that there are adequate and appropriate resources dedicated to compliance and that the resources have been instructed to evaluate the fraud risks?

9. Is management’s risk analysis adequately documented?

Management Oversight

Management has the primary responsibility for establishing, communicating and monitoring programs and controls related to fraud.

1. Does management report to those charged with governance and external auditors on any fraud for which they become aware of, whether or not material, that involves management or other employees who have a significant role in the entity’s internal controls?

2. Does management consistently set an appropriate “tone at the top” by acting ethically and with integrity and communicating the importance of the same to all employees?

3. Has management implemented procedures to ensure that all employees are aware of the Code and the Whistleblower Policy?

4. Does management or those charged with governance oversee the documentation and testing of internal controls over financial reporting, including reviewing observations and implementing corrective actions?
5. Does management ensure that background investigations are performed for candidates for employment or for promotion to a position within the financial reporting function?

6. Does management perform background investigations related to new vendors?
7. Does management ensure that proper controls are in place and adequate segregation of duties exists for the preparation, review and posting of journal entries?

8. Has management established, with the oversight of those charged with governance, structures, reporting lines, and appropriate authorities and responsibilities in pursuit of objectives?

Addendum C – GFOA Best Practice

BEST PRACTICE

Encouraging and Facilitating the Reporting of Fraud and Questionable Accounting and Auditing Practices
BACKGROUND:

Statement on Auditing Standards (SAS) No. 112, Communicating Internal Control Related Matters Identified in an Audit, emphasizes the need for governments to have a financial reporting system in place that is sufficient to provide reasonable assurance that management can prepare financial statements in conformity with generally accepted accounting principles (GAAP). To meet that objective, a financial reporting system must be designed to detect not only material fraud or abuse, but also any questionable accounting or auditing practices that could jeopardize the integrity of financial reporting. SAS No. 112 instructs independent auditors that inadequate anti-fraud programs and controls constitute, at a minimum, a significant deficiency that would need to be reported.

In most cases, potential instances of fraud or abuse and questionable accounting or auditing practices come to the attention of responsible parties thanks to employees or citizens who become aware of such practices. Governments can and should take practical steps to encourage and facilitate such reporting.

RECOMMENDATION:

GFOA recommends that every government establish policies and procedures to encourage and facilitate the reporting of fraud or abuse and questionable accounting or auditing practices. At a minimum, a government should do all of the following:

Formally approve, and widely distribute and publicize an ethics policy that can serve as a practical basis for identifying potential instances of fraud or abuse and questionable accounting or auditing practices.
Establish practical mechanisms (e.g., hot line) to permit the confidential, anonymous reporting of concerns about fraud or abuse and questionable accounting or auditing practices to the appropriate responsible parties.1
A government should regularly publicize the availability of these mechanisms and encourage
individuals who may have relevant information to provide it to the government.
Since ensuring or enhancing confidentiality can significantly increase costs, consider minimizing those costs by providing a separate reporting mechanism for employees, who typically desire greater assurance of confidentiality than do outside parties. In this regard, a government may wish to explore the possibility of engaging the services of an outside vendor
to receive complaints from employees. The use of an outside vendor offers a number of potential advantages, including the following:
Employees may be more readily persuaded of the confidentiality of their calls if they are made directly to a party outside the government.
Vendors may be able to provide extended hours of service, thus avoiding the need to place a call during regular working hours (i.e., while the employee is still at work).

Train those answering calls from the general public to recognize calls that are reporting fraud or abuse and direct them appropriately to ensure that reports of instances of fraud or abuse by outside parties receive the appropriate disposition even when they are not made through the mechanism established for that purpose.
Make internal auditors (or their equivalent) responsible for the mechanisms used to report instances of potential fraud or abuse and questionable accounting or auditing practices. Emphasize that they should take whatever steps are necessary to satisfy themselves that a given complaint is without merit before disposing of it. Further, they also should document the disposition of each complaint received so it can be reviewed by the audit committee.
Have the audit committee, as part of its evaluation of the governments internal control framework, examine the documentation of how complaints were handled to satisfy itself that the mechanisms for reporting instances of potential fraud or abuse, and questionable accounting or auditing practices are in place and working satisfactorily.

Notes:

1While providing mechanisms to promote the reporting of fraud is an important element of an overall fraud prevention program there are other elements necessary for a complete program that are outside the scope of this recommended practice.
203 N. LaSalle Street – Suite 2700 | Chicago, IL 60601-1210 | Phone: (312) 977-9700 – Fax: (312) 977-4806
Addendum D – GFOA Best Practice
BEST PRACTICE
Audit Committees
BACKGROUND:

Three main groups are responsible for the quality of financial reporting: the governing body,1 financial management, and the independent auditors. Of these three, the governing body must be seen as first among equals because of its unique position as the ultimate monitor of the financial reporting process.2 An audit committee is a practical means for a governing body to provide much needed independent review and oversight of the governments financial reporting processes, internal controls, and independent auditors. An audit committee also provides a forum separate from management in which auditors and other interested parties can candidly discuss concerns. By effectively carrying out its functions and responsibilities, an audit committee helps to ensure that management properly develops and adheres to a sound system of internal controls, that procedures are in place to objectively assess managements practices, and that the independent auditors, through their own review, objectively assess the governments financial reporting practices.3

RECOMMENDATION:

GFOA makes the following recommendations regarding the establishment of audit committees by state and local governments:

The governing body4 of every state and local government should establish an audit committee or its equivalent;
The audit committee should be formally established by charter, enabling resolution, or other appropriate legal means and made directly responsible5 for the appointment, compensation, retention, and oversight of the work of any independent accountants engaged for the purpose of preparing or issuing an independent audit report or performing other independent audit, review, or attest services.6 Likewise, the audit committee should be established in such a manner that all accountants thus engaged report directly to the audit committee. The written documentation establishing the audit committee should prescribe the scope of the committee’s responsibilities, as well as its structure, processes, and membership requirements. The audit committee should itself periodically review such documentation, no less than once every five years, to assess its continued adequacy;7
Ideally, all members of the audit committee should possess or obtain a basic understanding of governmental financial reporting and auditing.8 The audit committee also should have access to the services of at least one financial expert, either a committee member or an outside party engaged by the committee for this purpose. Such a financial expert should through both education and experience, and in a manner specifically relevant to the government sector, possess 1) an understanding of generally accepted accounting principles and financial statements; 2) experience in preparing or auditing financial statements of comparable entities;
3) experience in applying such principles in connection with the accounting for estimates, accruals, and reserves; 4) experience with internal accounting controls; and 5) an understanding of audit committee functions;9
All members of the audit committee should be members of the governing body. To ensure the
committees independence and effectiveness, no governing body member who exercises managerial responsibilities that fall within the scope of the audit should serve as a member of the audit committee;
An audit committee should have sufficient members for meaningful discussion and deliberation, but not so many as to impede its efficient operation. As a general rule, the minimum membership of the committee should be no fewer than three;10
Members of the audit committee should be educated regarding both the role of the audit
committee and their personal responsibility as members, including their duty to exercise an appropriate degree of professional skepticism;
It is the responsibility of the audit committee to provide independent review and oversight of a governments financial reporting processes, internal controls and independent auditors;11
The audit committee should have access to the reports of internal auditors, as well as access
to annual internal audit work plans;
The audit committee should present annually to the full governing body a written report of how it has discharged its duties and met its responsibilities. It is further recommended that this report be made public and be accompanied by the audit committees charter or other establishing documentation;
The audit committee should establish procedures for the receipt, retention, and treatment of complaints regarding accounting, internal accounting controls, or auditing matters. Such procedures should specifically provide for the confidential, anonymous submission by employees of the government of concerns regarding questionable accounting or auditing matters.12 The audit committee also should monitor controls performed directly by senior management, as well as controls designed to prevent or detect senior-management override of other controls13;
The audit committee should be adequately funded and should be authorized to engage the services of financial experts, legal counsel, and other appropriate specialists, as necessary to fulfill its responsibilities14; and
In its report to the governing body, the audit committee should specifically state that it has
discussed the financial statements with management, with the independent auditors in private,15 and privately among committee members,16 and believes that they are fairly presented, to the extent such a determination can be made solely on the basis of such conversations.

Notes:

1 For the purposes of this recommended practice, the term governing body should be understood to include any elected officials (e.g., county auditor, city controller) with legal responsibility for overseeing financial reporting, internal control, and auditing, provided they do not exercise managerial responsibilities within the scope of the audit. The term governing body also is intended to encompass appointed bodies such as pension boards.
2 Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees, Overview and Recommendations.
3 Securities and Exchange Commission (SEC) Regulation 33-8220, Background and Overview of the New Rule and Amendments.
4 For the purposes of this recommended practice, the term governing body should be understood to include any other elected officials (e.g., county auditor, city controller) with legal responsibility for overseeing financial reporting, internal control, and auditing, provided they do not exercise managerial responsibilities within the scope of the audit. The term governing body also is intended to encompass appointed bodies such as pension boards.
5 Nothing in this recommended practice should be interpreted so as to limit the full governing body from exercising ultimate authority.
6 Sarbanes Oxley Act, Section 301.
7 Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees, Recommendation 4.
8 Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees, Recommendation 3. Continuity typically is a positive factor in achieving this goal, a fact that should be kept in mind when considering the appropriate length of service for audit committee members.
9 Sarbanes-Oxley Act, Section 407.
10 In certain limited instances, as noted later, the audit committee will need to meet privately to achieve its goals. If the audit committee constitutes a majority of the governing body, such private meetings may be hampered by sunshine laws and similar open meetings legislation.
11 SEC Regulation 330-8220, Background and Overview.
12 Sarbanes Oxley Act, Section 301.
13 Internal Control Integrated Framework: Guidance on Monitoring Internal Control Systems
(Discussion Document of the Committee of Sponsoring Organizations COSO, 2007), page 10.
14 Nothing in this recommended practice should be interpreted so as to limit the full governing body from exercising ultimate authority.
15 It is important that the audit committee be able to meet privately with the independent auditors, as needed, to ensure a full and candid discussion. Governments are urged to amend sunshine laws and similar open meetings legislation to permit such encounters in these limited circumstances.
16 It is important that audit committee members be able to meet privately among themselves, as needed, to ensure a full and candid discussion. Governments are urged to amend sunshine laws and similar open meetings legislation to permit such an encounter in these limited circumstances.
203 N. LaSalle Street – Suite 2700 | Chicago, IL 60601-1210 | Phone: (312) 977-9700 – Fax: (312) 977-4806
Addendum E – GFOA Best Practice

BEST PRACTICE
Creating a Comprehensive Risk Management Program
BACKGROUND:

Risk management is a program designed to identify potential events that may affect the government and to protect and minimize risks to the government’s property, services, and employees. Effective risk management ensures the continuity of government operations. The importance of risk management has been growing steadily over the last several years for a variety of reasons including legal, political, and medical liability, increased use of technology, and higher litigation costs.

Risk management is geared to achieving a government’s objectives through strategic decisions that flow through high-level goals, effective use of resources, reliability of reporting, and compliance with applicable laws and regulations.

RECOMMENDATION:

GFOA recommends that governments develop a comprehensive risk management program that identifies, reduces or minimizes risk to its property, interests, and employees. Costs and consequences of harmful or damaging incidents arising from those risks should be contained.
Adequate and timely compensation for restoration and recovery is another consideration. The following steps should be included in an effective risk management program.
1. Risk Identification – An essential component in identifying risk is to understand the sources, types, and likelihood of risk. Risk identification should identify at a minimum the exposures in each of these areas.

Physical environment (natural or man -made disasters and infrastructure)
Legal environment (laws and legal precedents)
Operational environment (day-to-day activities and actions within the local government, including services provided and workforce demographics)
Political environment (legislative activity, elections)
Social environment (socio-economic composition of the community)
Economic environment (market trends, interest rates)
Internal environment (the attitude of individuals towards risk)

2. Risk Evaluation – The frequency and severity of claims should be monitored and modifications made as necessary. Risk evaluation reports often include such information as the number of open claims, the amount paid out, and the amount reserved. Report results should be communicated in a form and timeframe that enable employees to carry out their responsibilities. Over time, these reports reveal a government’s risk profile. The Public Risk Management Association (PRIMA) has a variety of risk evaluation data available to governments.
3. Risk Treatment – After identifying and evaluating risk exposures, the next step is to decide how best to treat the exposures. Management may select a variety of risk responses avoiding, accepting, reducing, sharing, or transferring risk. A risk management program should be a well-rounded combination of preventative and control measures, risk transfer, and risk retention. The latter two methods refer to a government either shifting the financial burden of risk to another entity or performing the task of risk financing in-house. In addition to these three methods, governments may occasionally choose not to provide a service altogether, a risk management technique known as risk avoidance.

Loss prevention and control training, workshops, and inspections are common loss control measures.
Risk transfer. Two basic types of risk transfer involve financial or contractual risk.
Financial risk transfer may involve the use of an insurance company or risk managements pools. The criteria for procuring insurance should involve quality and scope of service, breadth of coverage (level of deductibles), financial stability, and cost. Most governments typically begin with three basic types of coverage.
Property insurance protects against damage or loss of property.
Liability insurance covers losses related to a government being found negligent in the performance of operations.
Workers compensation provides employees with coverage for all medical bills resulting from job-related injuries or disabilities as well as lost income.
Risk management pools may be classified through various factors like type of service, lines of coverage, or type of government. Additional information on risk management pools can be found through the Association of Government Risk Pools (AGRiP). A government can also transfer risk by having a contractor pick up the liability.
Risk retention When a government retains risk (i.e., self insures) it assumes financial responsibility for some losses. Retaining some risk (e.g., paying a deductible) can lower the governments premiums. However, the government needs to be aware of its exposures through self-insurance.
Risk avoidance – Governments may avoid providing specific services if the risk management costs are excessive.

4. Risk Management Implementation – To implement a risk management program, consideration should be given to the establishment of risk management policies and procedures that includes a statement of the organizations goals, identifies officials charged with carrying out risk-related functions (e.g., planning, organizing, coordinating, implementing, monitoring, and controlling the governments risk management program), and contains guidelines for making decisions about fundamental activities (e.g., risk control and risk finance). It is essential that government officials are aware of not only the policies and procedures, but that the risk responses are implemented and effectively carried out.

5. Risk Program Review – In the environment of shrinking budgets and increased accountability within the government, it is essential that organizations review the effectiveness and efficiency of the risk management programs functioning within their organizations and make changes or modifications as necessary.

References:
Risk Management, Elected Officials Guide, GFOA, 2001
Enterprise Risk Management-Integrated Framework, The Committee of Sponsoring Organizations of the Treadway Commission, September 2004 (http://www.coso.org/).
GFOA Best Practice, Business Preparedness and Continuity Guidelines, 2005 and 2008.
Association of Government Risk Pools (AGRiP) (http://www.agrip.org/).
Public Risk Management Association (PRIMA) (http://www.primacentral.org/).
203 N. LaSalle Street – Suite 2700 | Chicago, IL 60601-1210 | Phone: (312) 977-9700 – Fax: (312) 977-4806
Addendum F – Elements of Governance Checklist

The checklist below provides points to consider in evaluating the effectiveness of the entity’s governance at the entity level.

Composition of the Board and Related Subcommittees
An effective system of governance should consider the composition of the Board, and related committees, including the necessary skills of members, independence, and assessment of performance. The composition of the Board and related subcommittees should consider the following:

1. Is the independence of Board members periodically (i.e. annually) reviewed, including affiliations, relationships, and transactions with the District?
2. Are committee members subject to a formal selection process, including qualifications, background checks, and approval by members independent of management?

3. Does the Board have the authority to establish, appoint, approve, and replace subcommittees of the Board (i.e. audit and governance committee).

4. Are subcommittees, as applicable, made up of a majority of independent members (i.e. audit and governance committee)?

5. Is an annual review of executive officers performed on a periodic basis including addressing questions of independence, financial literacy (Audit Committee Chair)?

6. Does the Board utilize a formal Governance Committee made up of a majority of independent members to identify individuals to serve as members, review the composition of the committee, and annually review the number of boards served and affiliations of members in order to help ensure that members have required time to serve?

Audit Committee

The District establishes an Audit Committee or equivalent that is responsible for the oversight of the District’s financial reporting and internal controls. Oversight of the Audit Committee should consider the following:

1. Are the majority of the members of the Audit Committee independent of the District?

2. Does the Audit Committee have a written charter approved by the Board, which is reviewed, confirmed and updated on an annual basis?
3. Is the charter periodically tracked for compliance by someone independent of management?

4. Does the Audit Committee meet privately with the external auditors?
5. Does the Audit Committee discuss the reasonableness of the financial reporting process, system of internal controls, significant comments and recommendations, and management’s performance with external auditors?
6. Does the Audit Committee meet privately with the entity’s chief accounting officer?

7. On an annual basis, does the external auditor confirm their independence in writing to the Audit Committee?

8. Is the Audit Committee responsible for approving all audit and non-audit services with the external auditors?

9. Does the external auditor report directly to the Audit Committee?
10. Is the Audit Committee responsible for the appointment, approval, removal and oversight of the external auditor?

11. Is the Audit Committee required to resolve any disputes between management and the external auditor?

12. Does the Audit Committee review the effectiveness of the entity’s internal controls, including any significant deficiencies, material weaknesses and significant changes in internal controls with management and the external auditor?

13. Does the Audit Committee ensure that significant deficiencies and material weaknesses identified have been or are in the process of being remediated, including obtaining an understanding of the remediation being implemented?
14. Does the Audit Committee review with management and the external auditor the methodology, fluctuations and reasonableness of significant estimates, appropriateness and quality of accounting principles and policies, treatment of significant non-routine transactions and any significant issues or deficiencies?
15. Does the Audit Committee meet with the auditors on a yearly basis to discuss required communications, including, the reasonableness of accounting principles, recommendations, results of work performed, and any other significant matters?

16. Does the Audit Committee discuss with management and the auditors the results of the audit before releasing the financial statements?
18. Is the Audit Committee involved in approving the hiring and promotion of senior personnel with financial statement oversight?

20. Does the Audit Committee seek the external auditor’s opinion and views on the entity’s fraud program and controls?

21. Does the Audit Committee communicate with the external auditor regarding its perception of the entity’s fraud risks?

22. Does the Audit Committee communicate any fraud matters identified through the Whistleblower hotline or through other means, whether or not material, to the external auditor?

Oversight by Board

An effective system of governance should consider the oversight and involvement by the Board. Oversight of the Board should consider the following:
1. Does the Board oversee the Code and Whistleblower hotline complaints, including receiving complaints directly or from an individual(s) independent (i.e. general counsel) of financial management?

2. Does the Board hold strategy meetings on a periodic basis to review objectives set by senior management?

3. Are meeting agendas reviewed with management prior to Board meetings?
4. Does the Board review the financial performance of the entity on a periodic basis?
5. Does the Board participate in the creation of and approve a formal detailed budget that is based on the overall strategy of the District which is compared to actual results?

6. Does the Board review and approve any significant transactions including reviewing any related party contracts?

7. Does the Board periodically review the organizational structure?
8. Does the Board approve policies and procedures for authorization and approval of transactions and periodically review such policies and authorization limits?
9. Does the Board have a process in place to receive key pieces of information on a regular and timely basis, such as significant negotiations or contracts, financial statements, and changes in strategy?
Addendum G – GFOA Best Practice

BEST PRACTICE
Best Practices in School District Budgeting
BACKGROUND:

GFOA has developed a series of Best Practices in School District (District) Budgeting, which clearly outline steps to developing a budget that best aligns resources with student achievement goals. This document summarizes the key themes from those Best Practices which are available at www.gfoa.org.1
The budgeting process presented in these Best Practices is focused on optimizing student achievement within available resources. It encompasses a complete cycle for long-term financial planning and budgeting, including planning and preparing to undertake the budget process, developing a budget, evaluating how the budget process worked, and adjusting accordingly. Within this cycle, the district’s instructional priorities provide a guide for decision-making.

RECOMMENDATION:

GFOA recommends that all districts go through the following steps as part of their planning and budgeting process.

Step 1. Plan and Prepare. The planning and budgeting process begins with mobilizing key stakeholders, gathering information on academic performance and cost structure, and establishing principles and policies to guide the budget process.

1. Establish a partnership between the finance and instructional leaders. A collaborative process increases the likelihood that the decisions made will be supported after the budget process is over.
2. Develop principles and policies to guide the budget process. Budget principles and policies formalize standards and fundamental values that should govern the budgeting process.
3. Analyze current levels of student learning. The current state of academic performance must be assessed to determine what course of action to take.
4. Identify communications strategy. The budget process should include a plan to inform participants, stakeholders, and the general public about how the budget process works, why each decision was made and how to provide input in the process.

Step 2. Set Instructional Priorities. The budget needs to be rooted in the priorities of the district. Intentionally created instructional priorities provide a strong basis for developing a district’s budget and strategic financial plan, as well as presenting a budget document.

1. Develop goals. Goals should be thoughtfully developed and structured to be specific, measurable, and reasonable in order to provide a strong foundation for the budget process.
2. Identify root cause of gap between goal and current state. By finding root causes of problems, a district can identify the most effective solutions to achieving its goals.
3. Research & develop potential instructional priorities. The district’s instructional priorities should be informed by practices proven by research and also be limited in number to focus on items critical to optimizing performance.
4. Evaluate choices between instructional priorities. A district needs to weigh its different options for achieving its goals against one another in order to focus on those with the greatest potential for student achievement impact.

Step 3. Pay for Priorities. Current resources and expenditures must be thoroughly analyzed in order to find capacity to pay for top instructional priorities.

1. Apply cost analysis to the budget process. A cost analysis and staffing analysis are essential to identifying how the district might allocate its limited resources.
2. Evaluate & prioritize expenditures to enact the instructional priorities. Instructional priorities need to be thoroughly quantified as a first step to determining how much money is needed to implement the priorities and where that money will come from. Trade-offs need to be weighed to examine whether the costs, financial or otherwise, of implementing an instructional priority are viable.

Step 4. Implement Plan. The “strategic financial plan” is the long-term road map for implementing the district’s instructional priorities. A “plan of action” describes how the strategic financial plan will be translated into coherent actionable steps.

1. Develop a strategic financial plan. A strategic financial plan provides a three to five year perspective on how the district will pursue its instructional priorities and how success will be determined.
2. Develop a plan of action. Roles and responsibilities for implementing the strategic financial plan should be made clear for greater accountability.
3. Allocate resources to individual school sites. Resources have the most direct impact at school sites and should be allocated transparently and consistent with the district’s overall strategy.
4. Develop budget document. A budget document needs to be well organized and also clearly lay out the challenges the district is facing and how the district’s strategies and financial plan will address these challenges.

Step 5. Ensure Sustainability. The planning and budgeting process should be one that can be replicated in the future in order to ensure the district remains focused and plans accordingly for reaching its student achievement goals.

1. Put the strategies into practice and evaluate results. To ensure timeliness and accountability, the district should establish a system to implement the plan and monitor its progress while making necessary adjustments to stay on track.

Notes:

1 Note that titles of the practices described under each step in the recommendation are clickable links to more detailed guidance.
203 N. LaSalle Street – Suite 2700 | Chicago, IL 60601-1210 | Phone: (312) 977-9700 – Fax: (312) 977-4806

Addendum H – Procurement Policies Example (Uniform Guidance Compliant)

The following procurement policies shall apply to all contracts for and purchases of goods and services.
All procurements made with Federal funds will be consistent with 2 CFR §200.317 through §200.326 Procurement Standards. These policies are to ensure that goods and services are procured at the best available price consistent with high quality, that sound business and ethical practices are adhered to in all business transactions, and that all transactions are completed in a manner that provides for open and free competition.
The Business Administrator has primary responsibility and oversight for purchasing activities of the District and has the authority to delegate purchasing responsibilities as appropriate. The Business Administrator will periodically review and evaluate these procedures to ensure the best internal controls possible.
All purchases shall comply with appropriate and relevant federal, state and local laws as well as with the District’s policies. In the event that federal, state or local laws, regulations, grants or requirements are more restrictive than this policy, such laws, regulations, grants or requirements shall be followed.

Procurement Standards

To ensure open and free competition:
Unreasonable requirements shall not be placed on firms and/or individuals in order for them to qualify to do business.
No geographical preferences shall be used in the evaluation of bids or proposals unless State/Federal statutes expressly mandate or encourage a geographic preference.
Contract specifications or statements of work may not unduly restrict competition and must identify the requirements that proposing firms or individuals must fulfill and the factors to be used in evaluating bids or proposals.
Splitting purchases or contracts to avoid competition is prohibited.
Purchase Types and Proposal Evaluation Requirements:
Micro Purchase (under $3,500): competition is not required; however, a good faith effort should be made to compare prices with comparable suppliers.
Small Purchase ($3,501-$150,000): competition is required to establish a competitive price. Preferably, price or rate quotes from at least three qualified sources must be documented. If three price or rate quotes are not possible, document attempts. For recurring expenses, price or rate quotes may be obtained and documented every two to three years. This can be through a formal RFP process or requesting quotes from potential vendors. When a competitive proposal method is not feasible for a small purchase, a sole source purchase may be made. This would require either the item or service is only available from a single source, an emergency situation that does not allow additional time for a competitive process, the granting agency authorizes noncompetitive negotiations, or competition is deemed inadequate after solicitation of a number of sources.
Competitive Proposals (all purchases over $150,000): Competitive proposals are required through a sealed bid process. All qualified sources must submit formal written bids, proposals or qualifications. RFPs or RFQs may be used. If only one proposal is received, the procurement may qualify as a single source and would require review by the Business Administrator. documentation must include:
Formal written bids, proposals, or qualifications from all qualified sources.
The method of procurement.
The evaluation and selection process.
The basis for the contract price.
Final labor, overhead rates.

Requirements for Requests for Proposals/Qualifications
Request for Proposals (RFP) are used when the specific requirements and/or technical specifications of a project are unclear and criteria, in addition to pricing, are needed. The proposal is a solution which typically includes a scope of project and/or service, approach, technical capabilities, financial information and references.
Request for Qualifications (RFQ) are used to evaluate the qualifications of firms and/or consultants to determine which are most qualified to provide the service needed. RFQs are evaluated on technical factors and qualifications including education, experience, management and other applicable criteria. RFQs may be used in conjunction with RFPs.
The following requirements apply to RFPs and RFQs:
All RFP/Qs must be reviewed and approved by the Business Administrator before being issued;
The RFP/Q must be publicized and identify the evaluation factors and their relative importance, and state that all complete and timely submittals will be considered;
All RFP responses must contain cost or price estimates;
The primary selection criterion will be the ability of the firm/consultant to understand the issues and accomplish the tasks described in the RFP/Q;
For RFPs, the proposal most advantageous to the program will be selected, even when the preferred proposal is not the lowest priced; and
For RFQs, competitors’ qualifications will be evaluated and the most qualified competitor will be selected, subject to negotiation of fair and reasonable compensation.

Procurement Process

1. Determine the applicable purchase type and requirements based upon the anticipated total cost. Costs shall not be divided in an attempt to create a lower total cost to avoid a procurement method or competition requirements. If one item being purchased requires another item to be complete or make a whole, the total cost of the two items together should be considered to determine the procurement method, unless the two items cannot be acquired from a single supplier. Total quantity, taxes, freight, and installation costs, as well as the total costs expected for all phases of a multi-phase project are to be included when estimating the anticipated total costs.
2. Complete and document all requirements for the applicable purchase type.
3. Have materials reviewed and approved by the Business Administrator.
4. After steps 1-3 are complete, purchase the goods and/or services.

Contracts

Contracts funded directly under State/Federal grants shall adhere to State/Federal statutory and regulatory requirements. The Business Administrator shall sign all contracts and contract amendments. Documentation in the contract file must include:

The method of purchase or procurement.
The evaluation and selection process.
The basis for the contract price.
Final labor, overhead rates.
Regarding contract texts, all contracts shall include:

Termination clause for cause or convenience if over $10,000.
Remedies for breach of contract if over $50,000.
Byrd Anti-Lobbying Amendment (31 U.S.C. 1352) certification for contracts exceeding $100,000.

Legal counsel review may be required for certain contracts.
All contracts over $10,000 require a RFP or RFQ. The RFP/Q must be publicized and identify the evaluation factors and their relative importance. All RFP/Qs must contain cost or price estimates. Proposals or qualifications must be solicited from at least three qualified sources. For RFQs specifically, competitors’ qualifications will be evaluated and the most qualified competitor will be selected, subject to negotiation of fair and reasonable compensation.
A contract will not be executed with parties listed on the government wide exclusions in the System for Award Management (SAM).

Protest Procedure

Unsuccessful proposers will be afforded the opportunity of a debriefing conference if they so request. The request for a debriefing conference must be made within three days of receipt of the notification indicating that their proposal was not selected. Discussions will be informal and limited to a critique of the requesting consultant’s proposal. The District representatives will explain the scoring of a consultant’s proposal. Debriefings may be conducted in person or by telephone and may be limited to a specific period of time.

Records of the RFP/Q solicitation, evaluation, scoring, and selection process shall be kept on file for the life of the project.

Contract Oversight

District staff will be responsible for day to day contract administration and will report any aberrations to the Business Administrator.
The District will ensure that contractors meet their responsibilities by making certain that contracts:
know and understand applicable federal requirements.
have adequate project delivery systems.
have sufficient accounting controls to manage Federal funds properly.

The District will provide adequate monitoring of the contracts administrative actions to assure compliance with Federal and/or agreement requirements.
In the event that a contractor is unable to satisfactorily complete the work, and after unsuccessful attempts to remedy the situation, a contract may be terminated. The District will reimburse the contractor for all costs incurred, but not those in excess of the contract, in the performance of the project up to and including the effective date of termination.

Conflicts of Interest

No employee, commissioner or agent of the District shall participate in the selection, award or administration of a contract or authorization of a purchase if a conflict of interest, real or perceived, would be involved.

Such a conflict could arise when:
The employee, officer or agent,
Any member of his or her immediate family,
His or her partner, or
An organization which employs or is about to employ any of the above has:
a financial or other interest in the firm selected for award,
directly or indirectly given his/her opinion on the matter,
formed an opinion on the matter, or
prejudged the matter to any degree.

>