SHAPING A CULTURE OF ACCOUNTABILITY
A Division of Administrative Services
Providing quality services to our customers to support the effective, efficient operation of State government
SHAPING A CULTURE OF ACCOUNTABILITY
MEMORANDUM OF UNDERSTANDING
This Memorandum of Understanding (MOU) is made and entered into by and between Administrative Services (AS) and the (Agency).
Section 81-1111(4) of the Nebraska Revised Statutes provides that Administrative Services - State Accounting (State Accounting) “management systems and studies bureau shall be responsible for systematically reviewing on a regular basis activities of state agencies and departments to determine that adequate internal controls exist within all departments and agencies and to assure that proper accounting methods are employed.”
To fulfill this Statutory obligation, State Accounting General Policy #39 requires agencies to have an internal control plan over financial reporting which has been approved by State Accounting. This plan shall be implemented, tested, and monitored by the Agency. This plan must also include performing risk assessments. Risks are events that threaten the accomplishment of agency objectives and can ultimately impact an organization's ability to accomplish its mission. The pre-audit function allowed by State Statute 81-1111.01 is considered an integral part of an agency’s strong internal control program. Pre-audit functions are described within this document.
The Agency understands that each State agency’s management bears full responsibility for establishing and maintaining agency internal controls. By signing this memorandum, the Agency shall be committed to achieve strong controls through actions related to agency organization, personnel practices, communication, protection and uses of resources and general leadership.
Internal Control Plan
Section 1 Agency Responsibilities.
The agency shall develop an internal control plan which will establish comprehensive standards, policies, and procedures to ensure a strong and effective system of internal control within their agency. These standards, policies, and procedures shall include the following components (which are further defined in Appendix A): control environment, risk assessment, control activities, information and communication, and monitoring.
Each principal executive and fiscal officer shall annually certify, in a manner prescribed by the State Accounting Administrator, the agency has in place a proper system of internal control.
To assist in the process of maintaining adequate internal controls the Agency shall:
(a) Maintain documentation of the internal control process within the Agency, as prescribed by the State Accounting Administrator, and notify State Accounting of any changes to the plan.
(b) Identify a person to be the Internal Control Coordinator for the Agency; the responsibilities of the Internal Control Coordinator shall include, but are not limited to:
(1) implement and monitor the agency’s internal control plan;
(2) act as the Agency’s liaison with State Accounting for all matters relating to internal controls;
(3) attend training provided by State Accounting;
(4) train Agency staff on the internal control plan (ICP), the importance of the plan and each employee’s part in the plan;
(5) ensure the Agency has proper risk assessment procedures in place;
(6) survey Agency staff on the control environment and report results to the Agency Director and/or appropriate staff;
(7) review Agency procedures regarding distribution of information and communication as it relates to processing and recording financial data;
(8) oversee the ICP to help ensure that control procedures are appropriate; and
(9) monitor the internal control plan;
Section 2 State Accounting Responsibilities.
State Accounting will provide training and assistance to the Agency Internal Control Coordinator. This assistance may include guidance on creating an internal control plan and providing documents which the Agency may choose to use to implement their plan.
State Accounting will review and test Agency procedures and policies to determine that adequate internal controls exist at the Agency. Any weaknesses in such controls will be communicated to the Agency along with information on corrective actions that shall be implemented by the Agency.
Section 81-1111.01 of the Nebraska Revised Statutes provides the Director of AS authority to allow State agencies to conduct their own pre-audit function in accordance with the provisions of subdivisions (3) (a) through (f) of Section 81-1111, subject to monitoring by the State Accounting Division. The State Accounting Administrator is required by Section 81-1111 (1) to manage all accounting matters of the State’s central accounting system.
Section 1 Agency Responsibilities.
(a) The Agency agrees to designate appropriate qualified employees to perform the pre-audit function as specified in subdivision (3) (a-f) of Section 81-1111.
(b) The Agency agrees
to have such employees attend applicable training conducted by State Accounting
to become certified pre-auditors.
(c) All Agency employees assigned the responsibility for performing such pre-audit function shall:
(1) Be knowledgeable in regard to State laws, AS and Agency accounting policies concerning voucher and transaction processing;
(2) Ensure the Agency’s vouchers and transactions comply with such laws and policies are fiscally responsible, proper, and legal;
accounting vouchers and transactions comply with State accounting system
The Agency agrees to provide proper and effective reporting
channels for the reporting of exceptions by such employees for any violations
identified through the pre-audit function.
The Agency agrees to provide State Accounting copies of
requested vouchers and transactions and any accompanying documentation (by hand
delivery, facsimile or email) within two (2) working days of a request for the
same. The Agency agrees to provide State
Accounting the requested original vouchers and transactions and any
accompanying documentation within four (4) working days of a request for the
(f) The Agency agrees to ensure necessary documentation for vouchers or transactions is maintained as a record at the Agency for three (3) years or as required by the Secretary of State’s Records Retention and Disposition Schedule.
Section 2 State Accounting Responsibilities.
(a) Accounting shall retain its statutory responsibility to monitor the pre-audit function performed for the Agency subject to the confidentiality limitations imposed by law. Should State Accounting document that the pre-audit function is not being performed at the requisite standards established by statute and State Accounting, the AS Director can withdraw this MOU and have AS perform pre-audit functions using AS resources, for which the Agency will be assessed appropriately.
(b) State Accounting will provide, at its expense, training to Agency employees involved with financial transactions.
(c) State Accounting will determine the criteria for selecting vouchers or transactions that will be audited on a post-processing basis. State Accounting shall audit each selected voucher or transaction with the same level of scrutiny that State Accounting would have used during a pre-audit of the voucher or transaction.
(d) Should State Accounting determine that the Agency has invalid vouchers or transactions, State Accounting will require the Agency to take appropriate action.
Section 3 Terms.
This Memorandum of Understanding shall be effective on the date of the Agency signature below and shall remain in effect for three years at which time a new memorandum will be signed. This memorandum becomes void with the appointment of a new Agency Director who shall be asked to sign a new memorandum.
Section 4 Administration.
State Accounting and the Agency shall each name a staff member to coordinate the implementation and performance of this Memorandum of Understanding. All notices, and other communications under this Memorandum of Understanding, shall be directed to such individuals as follows:
State Accounting: E Curtis Youngman, Audit Coordinator
Capitol – Room #1309
Agency Internal Control Coordinator: ________________________________
Section 5 Amendments.
This Memorandum of Understanding may only be amended by written instrument (which includes addendums) duly approved by both agencies.
ADMINISTRATIVE SERVICES: AGENCY:
By: ________________________________ By: ________________________________
Title: as State Accounting Administrator Title: ______________________________
Date: ______________________________ Date: ______________________________
Internal Control Guidelines
There are five internal control standards issued by the Committee of Sponsoring Organizations (COSO). Your agency will address these standards when documenting internal controls for your agency. The purpose of this document is to guide agency management in carrying out their agency’s goals and objectives. This guidance is not intended to take the place of management’s judgment or to dictate how management chooses to carry out its responsibilities.
What are Internal Controls?
Internal control or an internal control system is the integration of the activities, plans, attitudes, policies, and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its mission and objectives.
This definition establishes that:
o internal control impacts every aspect of an agency: all of its people, processes and physical structures;
o internal control is a basic element that permeates an agency - not a feature that is added on;
o internal control incorporates the qualities of good management;
o internal control is dependent upon people and will succeed or fail depending on the attention people give to it;
o internal control is effective when all of the people and the surrounding environment work together;
o internal control provides a level of comfort to an agency; controls do not guarantee success; and
o internal control helps an agency achieve its goals and objectives.
As stated in the above definition, internal control is a means for achieving the agency's goals and objectives. More specifically, there are four purposes of internal control:
o to promote orderly, economical, efficient and effective operations and to produce quality products and services consistent with the organization's mission;
o to safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud;
o to ensure adherence to laws, regulations, contracts and management directives; and
o to develop and maintain reliable financial and management data, and to accurately present that data in timely report.
If an agency addresses each of these four purposes in developing its internal control system, the agency will most likely achieve its goals and objectives. Failure to adequately address any one of these purposes may put the organization at risk.
The first internal control standard is Control Environment.
Your Agency should establish and maintain a positive and supportive attitude towards the achievement of your agency objectives. While managers set the tone for the work environment, all employees have input into the control environment. Over the years, studies have found that there are two effective ways to reduce fraud. One way is to lock up everything in your workplace and the other way is to surround yourself with ethical people. Employees make internal controls work. The values in place at your agency determine your organization's ethical tone.
Control environment is the attitude toward internal control and control consciousness established and maintained by the management and the employees of an organization. It is a product of management's philosophy, style and supportive attitude, as well as the competence, ethical values, integrity, and morale of the organization's people. The organization structure and accountability relationships are key factors in the control environment.
The second internal control standard is Risk Assessment.
All State agencies should perform a risk assessment on an annual basis. This involves a review and analysis of program operations to determine where risk exists, and what those risks are. These risks are then measured towards the impact on your operations. A risk assessment also allows you to target high-risk areas or programs and focus on where the greatest exposure exists. Always reassess risk as a result of changing conditions, both internal and external, in your workplace.
Risk identification occurs as a result of findings from audits, evaluations and other testing or assessments. Risk analysis includes estimating the likelihood and frequency of occurrence of each risk and determining whether it falls into the low, medium, or high-risk category. Once risk is identified, the potential impact on programs should be measured and additional controls should be developed. What are your risks from downsizing your operations and personnel? What are your risks relating to new legislation and/or regulations? Risk is not another thing to manage, but a way of managing.
Risks are events that threaten the accomplishment of objectives. They ultimately impact an organization's ability to accomplish its mission. Risk assessment is the process of identifying, evaluating and determining how to manage these events. At every level within an organization there are both internal and external risks that could prevent the accomplishment of established objectives. Ideally, management should seek to prevent these risks. However, sometimes management cannot prevent the risk from occurring. In such cases, management should decide whether to accept the risk, reduce the risk to acceptable levels, or avoid the risk. To have reasonable assurance that the organization will achieve its objectives, management should ensure each risk is assessed and handled properly.
The third internal control standard is Control Activities.
This is using methods to reduce risk identified during the risk assessment process to ensure that agency decisions and objectives are carried out. Methods used to control activities include polices, procedures, networking, auditing and investigations. Control activities can include both prepayment and/or post payment mechanisms to manage any improper payments.
Your agency should have in place detection techniques to quickly identify and correct improper payments. Detection techniques play a large role in identifying improper payments and also provide information on why these payments were made so that corrections in you process can be made. Good internal controls should ensure that there is a proper segregation of duties, divided among different people to reduce error, waste, or fraud. No one individual should be allowed to control all key aspects on a transaction or event.
An agency's internal control activities should be flexible, weighing costs and benefits, to allow agencies to tailor these activities to fit their special needs. Once in place, control activities will provide you useful information to meet the objectives of your agency.
Control activities are tools - both manual and automated - that help prevent or reduce the risks that can impede accomplishment of the organization's objectives and mission. Management should establish control activities to effectively and efficiently accomplish the organization's objectives and mission.
The fourth internal control standard is Information and Communications.
For an agency to run and control its operations, it needs fast, reliable and accurate information. Also, the agency needs to make sure that the types of communications are broad-based and that information technology management assures useful, reliable and continuous communications.
How we communicate is as important as what we communicate. Effective communication should occur in a broad sense with information flowing down, across, and up your agency’s organization. By asking questions, we should treat feedback from employees as another way to consider if our internal controls are effective.
Communication is the exchange of useful information between and among people and organizations to support decisions and coordinate activities. Within an organization, information should be communicated to management and other employees who need it in a form and within a time frame that helps them to carry out their responsibilities. Communication also takes place with outside parties such as customers, suppliers and regulators.
The fifth internal control standard is Monitoring.
Monitoring performance is a critical tool to the success of your agency. When your risk is identified, internal control monitoring should be in place to measure the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved. Your organization should consider continuous monitoring activities as well as specific events, such as audits, special reviews or evaluations. Monitoring should include policies and procedures for tracking audit findings and other reviews brought to the attention of management to see they are promptly resolved. Specific evaluations are a great method to look at your internal controls by focusing on a specific event and time. At this point, you have your problem areas and risk identified and procedures in place to treat problems. Proper monitoring and review allows you to track the progress of your improvements and determine if deficiencies are corrected.
Monitoring your activities should be ongoing to aid in reducing improper payments. Your monitoring process should include procedures for ensuring that results are communicated to the necessary people within your agency so that they can be promptly resolved. Using data from monitoring will not only improve your operations; it will allow management ways to identify areas needing further attention or a shift in focus. Simply said, improper payments should not be considered an acceptable cost towards operating your agency.
Monitoring is the review of an organization's activities and transactions to assess the quality of performance over time and to determine whether controls are effective. Management should focus monitoring efforts on internal control and achievement of organization objectives. For monitoring to be most effective, all employees need to understand the organization's mission, objectives, responsibilities, and risk tolerance levels.