SHAPING A CULTURE OF ACCOUNTABILITY
STATE ACCOUNTING
A Division of Administrative Services
Providing quality services to our customers to support the effective,
efficient operation of State government
SHAPING A CULTURE OF ACCOUNTABILITY
MEMORANDUM OF UNDERSTANDING
This Memorandum of Understanding (MOU) is made and
entered into by and between Administrative Services (AS) and the (Agency).
Section 81-1111(4) of the Nebraska Revised Statutes provides
that Administrative Services - State Accounting (State Accounting) “management
systems and studies bureau shall be responsible for systematically reviewing on
a regular basis activities of state agencies and departments to determine that
adequate internal controls exist within all departments and agencies and to
assure that proper accounting methods are employed.”
To fulfill this Statutory obligation, State Accounting
General Policy #39 requires agencies to have an internal control plan over
financial reporting which has been approved by State Accounting. This plan shall be implemented, tested and
monitored by the Agency. This plan must
also include performing risk assessments.
Risks are events that threaten
the accomplishment of agency objectives and can ultimately impact an
organization's ability to accomplish its mission. The pre-audit function currently performed by
your agency is considered an integral part of an agency’s strong internal
control program. Such pre-audit function
is described later in this MOU.
The Agency understands the management of each State agency
bears full responsibility for establishing and maintaining a proper system of
internal control within the agency. By
signing this memorandum, the Agency shall be committed to achieving strong controls
through actions related to agency organization, personnel practices, communication,
protection and uses of resources and general leadership.
Internal Control Plan
Section 1. Responsibilities of the
Agency.
The
agency shall develop an internal control plan which will establish
comprehensive standards, policies, and procedures to ensure a strong and
effective system of internal control within their agency. These standards, policies, and procedures shall
include the following components (which are further defined in Appendix A): control environment, risk assessment, control
activities, information and communication, and monitoring.
Each principal executive officer and
each principal fiscal officer shall annually certify, in a manner prescribed by
the State Accounting Administrator, the agency has in place a proper system of
internal control.
To
assist in the process of maintaining adequate internal controls the Agency shall:
(a) Maintain documentation of the
internal control process within the Agency, as prescribed by the State
Accounting Administrator, and notify State Accounting of any changes to the
plan.
(b) Identify a person to be the Internal
Control Coordinator for the Agency; the responsibilities of the Internal
Control Coordinator shall include, but are not limited to the following:
(1)
being responsible for implementing and monitoring an
internal control plan for the Agency;
(2)
acting as the Agency liaison with State Accounting for all
matters relating to internal controls;
(3)
attending training provided by State Accounting;
(4)
training Agency staff on the internal control plan, the
importance of the plan and each employee’s part in the plan;
(5)
ensuring the Agency has proper risk assessment procedures in
place;
(6)
surveying Agency staff on the control environment and
reporting results to the Agency Director and/or appropriate staff;
(7)
review Agency procedures regarding distribution of
information and communication as it relates to processing and recording
financial data;
(8)
oversight to ensure control procedures are appropriate;
(9)
monitoring of the internal control plan;
Section
2. Responsibilities of State
Accounting.
State Accounting will provide training and assistance to the
Agency Internal Control Coordinator.
This assistance may include guidance on creating an internal control
plan and providing documents which the Agency may choose to use to implement
their plan.
State Accounting will review and test Agency procedures and
policies to determine that adequate internal controls exist at the Agency. Any weaknesses in such controls will be
communicated to the Agency along with information on corrective actions that
shall be implemented by the Agency.
Pre-Audit
Function
Section 81-1111.01 of the Nebraska Revised Statutes provides
the Director of AS authority to allow State agencies to conduct their own
pre-audit function in accordance with the provisions of subdivisions (3) (a)
through (f) of Section 81-1111, subject to monitoring by the State Accounting
Division. The State Accounting
Administrator is required by Section 81-1111(1) to manage all accounting
matters of the State’s central accounting system.
Section1. Responsibilities of the
Agency.
(a) The Agency agrees to designate appropriate
qualified employees to perform the pre-audit function as specified in
subdivision (3)(a) through (f) of Section 81-1111.
(b)
The Agency agrees to have such employees attend applicable training
conducted by State Accounting and become certified pre-auditors.
(c) All Agency employees
assigned responsibility for performing such pre-audit function shall:
(1)
be knowledgeable in regard to State laws, AS policies and
Agency accounting policies concerning the processing of all vouchers and
transactions;
(2)
ensure the Agency’s vouchers and transactions comply with
such laws and policies and are fiscally responsible, proper, and legal;
(3)
ensure accounting vouchers and transactions comply with the
processing requirements of the State’s current accounting system;
(d) The Agency agrees to provide proper and
effective reporting channels for the reporting of exceptions by such employees
for any violations identified through the pre-audit function.
(e) The Agency agrees
to provide State Accounting copies of requested vouchers and transactions and any
accompanying documentation (by hand delivery, facsimile or email) within two
(2) working days of a request for the same.
The Agency agrees further to provide State Accounting the requested
original vouchers and transactions and any accompanying documentation within
four (4) working days of a request for the same.
(f)
The Agency agrees to ensure necessary documentation for vouchers or
transactions is maintained as a record at the Agency for a period of three (3)
years or as required by the Secretary of State’s Records Retention and
Disposition Schedule.
Section 2. Responsibilities of State Accounting.
(a) Accounting shall retain its statutory
responsibility to monitor the pre-audit function performed by Agency employees,
subject to the confidentiality limitations imposed by law. Should State Accounting document that the
pre-audit function is not being performed properly at the requisite standards
established by statute and State Accounting, the AS Director can withdraw this
Memorandum of Understanding and have AS perform the pre-audit function
utilizing AS resources, for which the Agency will be assessed appropriately.
(b) State Accounting will provide, at its expense,
training to Agency employees assigned to perform pre-audit functions.
(c) State Accounting will determine the criteria
for selecting the vouchers or transactions that will be audited on a
post-processing basis. State Accounting
shall audit each selected voucher or transaction with at least the same level
of scrutiny that State Accounting would have used during a pre-audit of the
voucher or transaction.
(d) Should State
Accounting determine that the Agency has invalid vouchers or transactions, State
Accounting will require the Agency to take appropriate corrective action.
Section
3. Term.
This Memorandum of Understanding
shall be effective on the date of the Agency signature below and shall remain
in effect for three years at which time a new memorandum will be signed. This memorandum becomes void with the
appointment of a new Agency Director who shall be asked to sign a new
memorandum.
Section 4. Administration.
State Accounting and the Agency shall each name a staff
member to coordinate the implementation and performance of this Memorandum of
Understanding. All notices, and other
communications under this Memorandum of Understanding, shall be directed to
such individuals as follows:
State
Accounting: Lynda
Roesler, Audit Coordinator
Capitol
– Room #1309
Agency Internal Control Coordinator: ________________________________
________________________________
________________________________
Section 5. Amendments.
This Memorandum of Understanding may only be amended by
written instrument (which includes addendums) duly approved by both agencies.
ADMINISTRATIVE SERVICES: AGENCY:
By: ________________________________ By:
________________________________
Title:
State Accounting Administrator Title:
______________________________
Date:
______________________________ Date:
______________________________
APPENDIX
A
Internal Control Guidelines
There are five
internal control standards issued identified by the Committee of Sponsoring
Organizations (COSO). Your agency will address
these standards when documenting internal controls for your agency. The purpose of this document is to guide
agency management in carrying out their agency’s goals and objectives. This
guidance is not intended to take the place of management’s judgment or to
dictate how management chooses to carry out its responsibilities.
What are Internal
Controls?
Internal control or an internal control system
is the integration of the activities, plans, attitudes, policies, and efforts
of the people of an organization working together to provide reasonable
assurance that the organization will achieve its mission and objectives.
This definition establishes that:
o
internal
control impacts every aspect of an agency: all of its people, processes and
physical structures;
o
internal
control is a basic element that permeates an agency - not a feature that is
added on;
o
internal
control incorporates the qualities of good management;
o
internal
control is dependent upon people and will succeed or fail depending on the
attention people give to it;
o
internal control is
effective when all of the people and the surrounding environment work together;
o
internal
control provides a level of comfort to an agency; controls do not guarantee
success; and
o
internal control helps an agency achieve its
goals and objectives.
As stated in the
above definition, internal control is a means for achieving the agency's goals
and objectives. More specifically, there are four purposes of internal control:
o to promote orderly,
economical, efficient and effective operations and to produce quality products
and services consistent with the organization's mission;
o to safeguard
resources against loss due to waste, abuse, mismanagement, errors and fraud;
o to ensure adherence
to laws, regulations, contracts and management directives; and
o to develop and maintain reliable financial and
management data, and to accurately present that data in timely report.
If an agency
addresses each of these four purposes in developing its internal control
system, the agency will most likely achieve its goals and objectives. Failure
to adequately address any one of these purposes may put the organization at
risk.
The first internal control standard is
Control Environment.
Your Agency should
establish and maintain a positive and supportive attitude towards the
achievement of your agency objectives. While managers set the tone for the work
environment, all employees have input into the control environment. Over the years, studies have found that there
are two effective ways to reduce fraud.
One way is to lock up everything in your workplace and the other way is
to surround yourself with ethical people.
Employees make internal controls work. The values in place at your agency determine
your organization's ethical tone.
Control environment
is the attitude toward internal control and control consciousness established
and maintained by the management and the employees of an organization. It is a
product of management's philosophy, style and supportive attitude, as well as
the competence, ethical values, integrity, and morale of the organization's
people. The organization structure and accountability relationships are key
factors in the control environment.
The second internal
control standard is Risk Assessment.
All State
agencies should perform a risk assessment on an annual basis. This involves a review and analysis of
program operations to determine where risk exists, and what those risks
are. These risks are then measured
towards the impact on your operations. A
risk assessment also allows you to target high-risk areas or programs and focus
on where the greatest exposure exists.
Always reassess risk as a result of changing conditions, both internal
and external, in your workplace.
Risk identification
occurs as a result of findings from audits, evaluations and other testing or
assessments. Risk analysis includes
estimating the likelihood and frequency of occurrence of each risk and
determining whether it falls into the low, medium, or high-risk category. Once risk is identified, the potential impact
on programs should be measured and additional controls should be
developed. What are your risks from
downsizing your operations and personnel?
What are your risks relating to new legislation and/or regulations? Risk is not another thing to manage, but a
way of managing.
Risks are events that
threaten the accomplishment of objectives. They ultimately impact an
organization's ability to accomplish its mission. Risk assessment is the
process of identifying, evaluating and determining how to manage these events.
At every level within an organization there are both internal and external
risks that could prevent the accomplishment of established objectives. Ideally,
management should seek to prevent these risks. However, sometimes management
cannot prevent the risk from occurring. In such cases, management should decide
whether to accept the risk, reduce the risk to acceptable levels, or avoid the
risk. To have reasonable assurance that the organization will achieve its
objectives, management should ensure each risk is assessed and handled properly.
The third internal control
standard is Control Activities.
This is
using methods to reduce risk identified during the risk assessment process to
ensure that agency decisions and objectives are carried out. Methods used to control activities include
polices, procedures, networking, auditing and investigations. Control activities can include both
prepayment and/or post payment mechanisms to manage any improper payments.
Your agency should
have in place detection techniques to quickly identify and correct improper
payments. Detection techniques play a
large role in identifying improper payments and also provide information on why
these payments were made so that corrections in you process can be made. Good internal controls should ensure that
there is a proper segregation of duties, divided among different people to
reduce error, waste, or fraud. No one
individual should be allowed to control all key aspects on a transaction or
event.
An
agency's internal control activities should be flexible, weighing costs and
benefits, to allow agencies to tailor these activities to fit their special
needs. Once in place, control activities
will provide you useful information to meet the objectives of your agency.
Control activities
are tools - both manual and automated - that help prevent or reduce the risks
that can impede accomplishment of the organization's objectives and mission.
Management should establish control activities to effectively and efficiently
accomplish the organization's objectives and mission.
The fourth internal
control standard is Information and Communications.
For an
agency to run and control it's operations, it needs
fast, reliable and accurate information.
Also, the agency needs to make sure that the types of communications are
broad-based and that information technology management assures useful, reliable
and continuous communications.
How we communicate is
as important as what we communicate.
Effective communication should occur in a broad sense with information
flowing down, across, and up your agency’s organization. By asking questions, we should treat feedback
from employees as another way to consider if our internal controls are
effective.
Communication
is the exchange of useful information between and among people and
organizations to support decisions and coordinate activities. Within an
organization, information should be communicated to management and other
employees who need it in a form and within a time frame that helps them to
carry out their responsibilities. Communication also takes place with outside
parties such as customers, suppliers and regulators.
The fifth internal control standard is
Monitoring.
Monitoring
performance is a critical tool to the success of your agency. When your risk is identified, internal
control monitoring should be in place to measure the quality of performance
over time and ensure that the findings of audits and other reviews are promptly
resolved. Your organization should consider
continuous monitoring activities as well as specific events, such as audits,
special reviews or evaluations.
Monitoring should include policies and procedures for tracking audit
findings and other reviews brought to the attention of management to see they
are promptly resolved. Specific evaluations is a great method to look at your
internal controls by focusing on a specific event and time. At this point, you have your problem areas
and risk identified and procedures in place to treat problems. Proper monitoring and review allows you to
track the progress of your improvements and determine if deficiencies are
corrected.
Monitoring
your activities should be ongoing to aid in reducing improper payments. Your monitoring process should include
procedures for ensuring that results are communicated to the necessary people
within your agency so that they can be promptly resolved. Using data from monitoring will not only
improve your operations, it will allow management ways
to identify areas needing further attention or a shift in focus. Simply said, improper payments should not be
considered an acceptable cost towards operating your agency.
Monitoring is the
review of an organization's activities and transactions to assess the quality
of performance over time and to determine whether controls are effective.
Management should focus monitoring efforts on internal control and achievement
of organization objectives. For monitoring to be most effective, all employees
need to understand the organization's mission, objectives, responsibilities
and risk tolerance levels.