PART FIVE - Internal Controls
Activities Allowed or Unallowed |
Cash Management | Eligibility |
Equipment and Real Property Management |
Matching | Period of Availability of
State Funds | Reporting |
Subrecipient Monitoring
Section 215.97(10), Florida
Statutes, The Florida Single Audit Act, requires auditors conducting a state
single audit of recipients or subrecipients to obtain an understanding of
internal controls, assess control risk and, unless the controls are deemed to
be ineffective, perform tests of controls. Additionally, auditors are to
determine whether the nonstate entity has internal controls in place to provide
reasonable assurance of compliance with the provisions of laws, regulations,
and other rules, pertaining to state awards that have a material effect on each
major state project.
Part Five is intended to assist
auditors in complying with these requirements by describing for each type of
compliance requirement, the objectives of internal control and certain
characteristics of internal control that when present and operating effectively
may ensure compliance with project requirements. However, the categorizations
reflected in Part Five might not necessarily reflect how an entity considers
and implements internal control. Also, this part is not a checklist of required
internal control characteristics. Nonstate entities could have adequate
internal control even though some or all of the characteristics included in
Part Five are not present. Further, nonstate entities could have other
appropriate internal controls operating effectively that have not been included
in Part Five. Nonstate entities and their auditors will need to exercise
judgment in determining the most appropriate and cost effective internal
control in a given environment or circumstance to provide reasonable assurance
for compliance with state project requirements.
The characteristics of internal
control are presented in the context of the components of internal control as
incorporated in the Statement on Auditing Standards No. 78 (SAS 78), Consideration
of Internal Control in a Financial Statement Audit, issued by the
Auditing Standards Board of the American Institute of Certified Public
Accountants. Thus, Part Five describes characteristics of internal control
relating to each of the five components of internal control that should
reasonably assure compliance with the requirements of state laws, rules, and
project compliance requirements. A description of components of internal
control as defined by SAS 78 is listed below, as well as examples of
characteristics common to the 10 compliance requirements. Objectives of
internal control and examples of characteristics specific to each of the
compliance requirements (except Special Tests and Provisions) follow this
introduction.
Control Environment sets the
tone of an organization, influencing the control consciousness of its people.
It is the foundation for all other components of internal control, providing
discipline and structure.
-
A sense of conducting operations ethically, as evidenced by a code of conduct
or other verbal or written directive, is established.
-
Management responds in a positive manner to control recommendations.
-
Management exhibits respect for and adherence to project compliance
requirements.
-
Key managers’ responsibilities are clearly defined.
-
Key managers have adequate knowledge and experience to discharge their
responsibilities.
-
Staff is knowledgeable about compliance requirements and able to communicate
all instances of noncompliance to management.
-
Management’s commitment to competence ensures that staff receive adequate
training to perform their duties.
-
Management supports an adequate information and reporting system.
Risk Assessment is the
entity’s identification and analysis of relevant risks to the achievement of
its objective, forming a basis for determining how the risks should be managed.
-
Project managers and staff understand and have identified key compliance
objectives.
-
Organizational structure provides identification of risks of noncompliance:
-
Key managers have been given the responsibility to identify and communicate
changes.
-
Employees who require close supervision are identified.
-
Management has identified and assessed complex operations, programs, or
projects.
-
Management is aware of the results of monitoring, audits, and reviews and
considers related risk of noncompliance.
-
A process is established to implement changes in project objectives and
procedures.
Control Activities are the
policies and procedures that help ensure that management directives are carried
out.
-
Operating policies and procedures are clearly written and communicated.
-
Procedures are in place to implement changes in laws and rules.
-
Management prohibits intervention or overriding established controls.
-
Adequate segregation of duties provided between the performance, review, and
record-keeping of a task.
-
Computer and project controls include:
-
Data entry controls.
-
Exception reporting.
-
Access controls.
-
Reviews of input and output data.
-
Computer general controls and security controls.
-
Supervision of employees is commensurate with their level of competence.
-
Personnel has adequate knowledge and experience to discharge responsibilities.
-
Equipment, inventories, cash, and other assets are secured physically and are
periodically counted and compared to recorded amounts.
Information and Communication
are the identification, capture, and exchange of information in a form and time
frame that enable people to carry out their responsibilities.
-
The accounting system provides for separate identification of state and
nonstate transactions.
-
Adequate source documentation exists to support amounts and items reported.
-
A record keeping system is established to ensure that accounting records and
documentation retained for the time period required by laws, rules, and
contracts or grant agreements applicable to the project.
-
Reports are provided timely to managers for review and appropriate action.
-
Accurate information is accessible to those who need it.
-
Reconciliations and reviews ensure accuracy of reports.
-
Internal and external communication channels are established.
-
Employees’ duties and control responsibilities are effectively communicated.
-
Channels of communication for people to report suspected improprieties are
established.
-
Actions are taken as a result of communications received.
-
Channels of communication with subrecipients are established.
Monitoring is a process that
assesses the quality of internal control performance over time.
-
Ongoing monitoring is established through independent reconciliations, staff
meeting feedback, rotating staff, supervisory review, and management review of
reports.
-
Periodic site visits are performed at decentralized locations (including
subrecipients) and checks are performed to determine whether procedures are
being followed as intended.
-
Irregularities and deficiencies are followed up to determine causes.
-
Internal quality control reviews are performed.
-
Management meets with project monitors, auditors, and reviewers to evaluate the
condition of the project and controls.
-
Internal audit routinely tests for compliance with state requirements.
Return To Top
A./B. Activities Allowed or
Unallowed and Allowable Costs
Control Objectives
To provide reasonable assurance
that state financial assistance is expended only for allowable activities and
that the costs of goods and services charged to state awards are allowable and
in accordance with applicable cost principles.
Control Environment
-
Management sets reasonable budgets for state and nonstate projects so that no
incentive exists to miscode expenditures.
-
Management enforces appropriate penalties for misappropriation or misuse of
funds.
-
An organization-wide cognizance of the need for separate identification of
allowable costs exists.
-
Management provides personnel approving and pre-auditing expenditures with a
list of allowable and unallowable expenditures.
Risk Assessment
-
There exists a process for assessing risks resulting from changes to cost
accounting systems.
-
Key managers have sufficient understanding of staff, processes, and controls to
identify where unallowable activities or costs could be charged to a state
project and not be detected.
Control Activities
-
Accountability is provided for charges and costs between state and nonstate
activities.
-
Computations are checked for accuracy.
-
Supporting documentation is compared to a list of allowable and unallowable
expenditures.
-
Adjustments to unallowable costs are made where appropriate and follow-up
action taken to determine the cause.
-
There exists adequate segregation of duties in the review and authorization of
costs.
-
Accountability for authorization is fixed in an individual who is knowledgeable
of the requirements for determining activities allowed and allowable costs.
Information and Communication
-
Reports, such as a comparison of budget to actual, are provided to appropriate
management for review on a timely basis.
-
Communication channels on activities and costs allowed have been established.
-
Training programs provide knowledge and skills necessary to determine
activities and costs allowed.
-
Management and staff interact regarding questionable costs.
-
Grant agreements (including referenced project laws, rules, guidelines, etc.)
and the Department of Financial Services' Reference Guide for State
Expenditures Handbook are available to staff responsible for determining
activities allowed and allowable costs.
Monitoring
-
Management reviews supporting documentation of allowable cost information.
-
There is a flow of information from the state agency to appropriate management
personnel.
-
Comparisons are made with budget and expectations of allowable costs.
-
Analytical reviews (e.g., comparison of budget to actual or prior year
expenditures to current year expenditures) and audits are performed.
Return To Top
C. Cash Management
Control Objectives
To provide reasonable assurance
that advances and reimbursements comply with state law and that interest income
is correctly recorded and returned to the state agency or applied against the
contract or grant agreement unless a waiver is obtained from the Chief
Financial Officer.
Control Environment
-
There exists appropriate assignment of responsibility for approval of
reimbursement requests.
Risk Assessment
-
Management has identified projects that receive cash advances and is aware of
interest income requirements.
Control Activities
-
There exists an appropriate level of supervisory review of cash management
activities.
-
There is a written policy that provides repayment of excess interest earning
where required.
Information and Communication
-
Variance reporting of expected versus actual cash disbursements of state
financial assistance occurs.
Monitoring
-
Entity cash management, budget and actual results, and repayment of excess
interest earnings are periodically evaluated.
Return To Top
D. Eligibility
Control Objectives
To provide reasonable assurance
that only eligible individuals and organizations receive assistance under state
projects, that subawards are made only to eligible subrecipients, and that
amounts provided to or on behalf of eligibles were calculated in accordance
with project requirements.
Control Environment
-
Staff size and competence provides for proper making of eligibility
determinations.
-
Realistic caseload/performance targets are established for eligibility
determinations.
-
Lines of authority are clear for determining eligibility.
Risk Assessment
-
The risk that eligibility information prepared internally or received from
external sources could be incorrect is identified.
-
Conflict of interest statements are maintained for individuals who determine
eligibility.
-
Process for assessing risks resulting from changes to eligibility determination
systems is established.
Control Activities
-
Written policies provide direction for making and documenting eligibility
determinations.
-
Procedures to calculate eligibility amounts are consistent with project
requirements.
-
Eligibility objectives and procedures are clearly communicated to employees.
-
Authorized signatures on eligibility documents are periodically reviewed.
-
Access to eligibility records is limited to appropriate persons.
-
Manual criteria checklists or automated processes are used in making
eligibility determinations.
-
Process for periodic eligibility re-determinations are in accordance with
project requirements.
-
The accuracy of information used in eligibility determinations is verified.
-
Procedures to ensure the accuracy and completeness of data used to determine
that eligibility requirements are in place.
Information and Communication
-
Information system meets the needs of eligibility decision-makers and project
management.
-
Processing of eligibility information is subject to edit checks and balancing
procedures.
-
Training programs inform employees of eligibility requirements.
-
Channels of communication exist for people to report suspected eligibility
improprieties.
-
Management is receptive to suggestions to strengthen the eligibility
determination process.
-
Documentation of eligibility determinations is in accordance with project
requirements.
Monitoring
-
Management performs periodic analytical reviews of eligibility determinations.
-
Project quality control procedures are performed.
-
Periodic audits of detailed transactions are performed.
Return To Top
E. Equipment and Real Property
Management
Control Objectives
To provide reasonable assurance
that proper records are maintained for equipment acquired with state financial
assistance, equipment is adequately safeguarded and maintained, and disposition
or encumbrance of any equipment or real property is in accordance with state
requirements.
Control Environment
-
Management is committed to providing proper stewardship for property acquired
with state financial assistance.
-
No incentives exist to undervalue assets at time of disposition.
-
Sufficient accountability exists to discourage the temptation of misuse of
state assets.
Risk Assessment
-
Procedures are in place to identify risk of misappropriation or improper
disposition of property acquired with state financial assistance.
-
Management understands the requirements and operations sufficiently to identify
potential areas of noncompliance.
Control Activities
-
Accurate records are maintained on all acquisitions and dispositions of
property acquired with state financial assistance.
-
Property tags are placed on equipment.
-
A physical inventory of equipment is periodically taken and compared to
property records.
-
Property records contain description (including serial number or other
identification number), source, titleholder, acquisition date and cost,
percentage of state participation in the cost, location, condition, and
disposition data.
-
Policies and procedures are in place for the responsibility of record keeping
and the authority for disposition.
Information and Communication
-
Accounting system provides for separate identification of property acquired
wholly or partly with state funds and with nonstate funds.
-
A channel of communication exists for people to report suspected improprieties
in the use or disposition of equipment.
-
Project managers are provided with applicable requirements and guidelines.
Monitoring
-
Management reviews the results of periodic inventories and follows up on
inventory discrepancies.
-
Management reviews dispositions of property to ensure appropriate valuation and
reimbursement to state awarding agencies.
Return To Top
F. Matching
Control Objectives
To provide reasonable assurance
that matching requirements are met using only allowable funds or in-kind
contributions that are properly calculated and valued.
Control Environment
-
Commitment from management to meet matching requirements (e.g., adequate budget
resources to meet a specified matching requirement or maintain a required level
of effort) is demonstrated.
-
The budgeting process addresses and provides adequate resources to meet
matching requirements.
-
Official written policy exists outlining:
-
Responsibilities for determining required amounts or limits for matching.
-
Methods of valuing matching requirements.
-
Allowable costs that may be claimed for matching.
-
Methods of accounting for and documenting amounts used to calculate amounts
claimed for matching.
Risk Assessment
-
Areas where estimated values will be used for matching have been identified.
-
Management has sufficient understanding of the accounting system to identify
potential recording problems.
Control Activities
-
Evidence has been obtained or other procedures performed to identify whether
matching contributions:
-
Are from nonstate sources.
-
Involve state funding, directly or indirectly.
-
Were used for another state-assisted project.
Note: Generally, matching contributions must be from a nonstate source
and may not involve state funding or be used for another state-assisted
project.
-
Monthly cost reports and adjusting entries are adequately reviewed.
Information and Communication
-
Accounting system is capable of:
-
Separately accounting for data used to support matching amounts, limits or
calculations.
-
Ensuring that expenditures or expenses, refunds, and cash receipts or revenues
are properly classified and recorded only once as to their effect on matching.
-
Documenting the value of "in-kind" contributions of property or services,
including:
-
Basis for local labor market rates for valuing volunteer services.
-
Payroll records or confirmation from other organizations for services provided
by their employees.
-
Quotes, published prices, or independent appraisals used as the basis for
donated equipment, supplies, land, buildings, or use of space.
Monitoring
-
Supervisory review of matching activities is performed to assess the accuracy
and allowability of transactions and determinations.
Return To Top
G. Period of Availability of State
Funds
Control Objectives
To provide reasonable assurance
that state funds are used only during the authorized period of availability.
Control Environment
-
Management understands and is committed to complying with the period of
availability requirements.
-
Entity's operations are such that it is unlikely there will be state funds
remaining at the end of the period of availability.
Risk Assessment
-
The budgetary process considers the period of availability of state funds as to
both obligation and disbursement.
-
The period of availability cut-off requirements as to both obligation and
disbursement is identified and communicated.
Control Activities
-
Accounting system prevents obligation or expenditure of state funds outside of
the period of availability.
-
The review of disbursements is by a person knowledgeable of the period of
availability of funds.
-
End of grant period cut-offs are met by such mechanisms as advising project
managers of impending cut-off dates and review of expenditures just before and
after the cut-off dates.
-
Unliquidated commitments at the end of the period of availability are
cancelled.
Information and Communication
-
The period of availability requirements and expenditure deadlines, including
automated notifications of pending deadlines, are timely communicated to
individuals responsible for project expenditures.
-
Periodic reporting of unliquidated balances is communicated to appropriate
levels of management.
Monitoring
-
Expenditures before and after the cut-off date are periodically reviewed to
ensure compliance with the period of availability requirements.
-
Management reviews reports showing budget and actual for period.
Return To Top
H. Reporting
Control Objectives
To provide reasonable assurance
that reports of state financial assistance submitted to the state awarding
agency include all activity of the reporting period, are supported by
underlying accounting or performance records, and are fairly presented in
accordance with project requirements.
Control Environment
-
Persons preparing, reviewing, and approving the reports possess the required
knowledge, skills, and abilities.
-
Management's attitude toward reporting promotes accurate and fair presentation.
-
The responsibility and delegation of authority for reporting decisions is
appropriately assigned.
Risk Assessment
-
Mechanisms exist to identify risks of faulty reporting caused by such items as
lack of current knowledge of, inconsistent application of, or carelessness or
disregard for standards and reporting requirements of state awards.
-
The underlying source data or analysis for performance or special reporting
that may not be reliable is identified.
Control Activities
-
A written policy exists that establishes responsibility and provides the
procedures for periodic monitoring, verification, and reporting of project
progress and accomplishments.
-
A tracking system is in place that reminds staff when reports are due.
-
The general ledger or other reliable records are the basis for reports.
-
Supervisory review of reports is performed to assure accuracy and completeness
of data and information included in reports.
-
The required accounting method is used (e.g., cash or accrual).
Information and Communication
-
An accounting or information system that provides for the reliable processing
of financial and performance information for state financial assistance is
operating.
Monitoring
-
Communications from external parties corroborate information included in the
reports for state financial assistance.
-
Periodic comparison of reports to supporting records is performed.
Return To Top
I. Subrecipient Monitoring
Control Objectives
To provide reasonable assurance
that state financial assistance information and compliance requirements are
identified to subrecipients, subrecipient activities are monitored,
subrecipient audit findings are resolved, and the impact of any subrecipient
noncompliance on the project is evaluated. Also, the recipient should perform
procedures to provide reasonable assurance that the subrecipient obtained
required audits and takes appropriate corrective action on audit findings.
Control Environment
-
Management's commitment to monitoring subrecipients is established.
-
Management's intolerance of overriding established procedures to monitor
subrecipients is exhibited.
-
Entity's organizational structure and its ability to provide the necessary
information flow to monitor subrecipients are adequate.
-
Sufficient resources are dedicated to subrecipient monitoring.
-
Knowledge, skills, and abilities needed to accomplish subrecipient monitoring
tasks are defined.
-
Individuals performing subrecipient monitoring possess the knowledge, skills,
and abilities required.
-
Subrecipients demonstrate that:
-
They are willing and able to comply with the requirements of the award and
-
They have accounting systems, including the use of applicable cost principles,
and internal control systems adequate to administer the award.
-
Appropriate sanctions are taken for subrecipient noncompliance.
Risk Assessment
-
Key managers understand the subrecipient's environment, systems, and controls
sufficient to identify the level and methods of monitoring required.
-
Mechanisms exist to identify risks arising from external sources affecting
subrecipients, such as risks related to:
-
Economic conditions.
-
Political conditions.
-
Regulatory changes.
-
Unreliable information.
-
Mechanisms exist to identify and react to changes in subrecipients, such as:
-
Financial problems that could lead to diversion of grant funds.
-
Loss of essential personnel.
-
Loss of license or accreditation to operate project.
-
Rapid growth.
-
New activities, products, or services.
-
Organizational restructuring.
Control Activities
-
The state financial assistance information (e.g., CSFA title and number,
project name, name of state agency, amount of award) and applicable compliance
requirements are identified to subrecipients.
-
Agreements with subrecipients include the requirement to comply with the
requirements applicable to the state project including the audit requirements
of Section 215.97, Florida Statutes, and the applicable rules of
the Department of Financial Services and the Auditor General.
-
Subrecipient's compliance with audit requirements are monitored using
techniques such as the following:
-
Determining by inquiry and discussions whether the subrecipient met thresholds
requiring an audit under Section 215.97, Florida Statutes.
-
If an audit is required, assuring that the subrecipient submits the financial
reporting package required by Section 215.97, Florida Statutes.
-
If a subrecipient was required to obtain an audit in accordance with Section
215.97, Florida Statutes, but did not do so, following up with the subrecipient
until the audit is completed, taking appropriate actions until the subrecipient
meets the audit requirements.
-
Subrecipient's compliance with state project requirements are monitored using
such techniques as the following:
-
Monitoring findings to inform the subrecipient whether the corrective action
planned is acceptable.
-
Maintaining a system to track and following-up on reported deficiencies related
to projects funded by the recipient and ensure that timely corrective action is
taken.
-
Regular contacts with subrecipients and appropriate inquiries concerning the
state project.
-
Monitoring subrecipient budgets.
-
Performing site visits to the subrecipient to review financial and programmatic
records and observe operations.
-
Offering subrecipients technical assistance where needed.
-
Written policies and procedures exist establishing:
-
Communication of state project requirements to subrecipients.
-
Responsibilities for monitoring subrecipients.
-
Process and procedures for monitoring.
-
Methodology for resolving findings of subrecipient noncompliance or weaknesses
in internal control.
-
Requirements for and processing of subrecipient audits.
Information and Communication
-
Standard award documents used by the nonstate entity contain:
-
A listing of state requirements that the subrecipient must follow. Items can be
specifically listed in the award document, attached as an exhibit to the
document, or incorporated by reference to specific criteria.
-
The description and project number for each project as stated in the Catalog of
State Financial Assistance (CSFA).
-
A statement signed by an official of the subrecipient, stating that the
subrecipient was informed of, understands, and agrees to comply with the
applicable compliance requirements.
-
A record keeping system is in place to assure that documentation is retained
for the time period required by the recipient.
-
Procedures are in place to provide channels for subrecipients to communicate
concerns to the recipient.
Monitoring
-
A tracking system is established to assure timely submission of required
reporting, such as: financial reports, performance reports, audit reports,
on-site monitoring reviews of subrecipients, and timely resolution of audit
findings.
-
Supervisory reviews are performed to determine the adequacy of subrecipient
monitoring.
|