STATE ACCOUNTING
A Division of Administrative Services
Providing quality services to our customers to support the effective,
efficient operation of State government
SHAPING A CULTURE OF ACCOUNTABILITY
MEMORANDUM OF UNDERSTANDING
This Memorandum of Understanding (MOU) is made and
entered into by and between Administrative Services (AS) and the (Agency).
Section 81-1111(4) of the Nebraska Revised Statutes provides
that Administrative Services - State Accounting (State Accounting) “management
systems and studies bureau shall be responsible for systematically reviewing on
a regular basis activities of state agencies and departments to determine that
adequate internal controls exist within all departments and agencies and to
assure that proper accounting methods are employed.”
To fulfill this Statutory obligation, State Accounting
General Policy #39 requires agencies to have an internal control plan over
financial reporting which has been approved by State Accounting. This plan shall be implemented, tested, and
monitored by the Agency. This plan must
also include performing risk assessments.
Risks are events that threaten
the accomplishment of agency objectives and can ultimately impact an
organization's ability to accomplish its mission. The pre-audit function allowed by State
Statute 81-1111.01 is considered an integral part of an agency’s strong
internal control program. Pre-audit
functions are described within this document.
The Agency understands that each State agency’s management
bears full responsibility for establishing and maintaining agency internal
controls. By signing this memorandum,
the Agency shall be committed to achieve strong controls through actions
related to agency organization, personnel practices, communication, protection
and uses of resources and general leadership.
Internal Control Plan
Section 1 Agency Responsibilities.
The agency shall develop an internal control plan which will establish
comprehensive standards, policies, and procedures to ensure a strong and
effective system of internal control within their agency. These standards, policies, and procedures shall
include the following components (which are further defined in Appendix A): control environment, risk assessment, control
activities, information and communication, and monitoring.
Each principal executive and fiscal officer
shall annually certify, in a manner prescribed by the State Accounting
Administrator, the agency has in place a proper system of internal
control.
To assist in the process of maintaining adequate internal controls the Agency shall:
(a) Maintain documentation of the internal control process within the Agency, as prescribed
by the State Accounting Administrator, and notify State Accounting of any
changes to the plan.
(b) Identify a person to be the Internal Control Coordinator for the Agency; the
responsibilities of the Internal Control Coordinator shall include, but are not
limited to:
(1) implement and monitor the agency’s internal control plan;
(2) act as the Agency’s liaison with State Accounting for all
matters relating to internal controls;
(3) attend training provided by State Accounting;
(4) train Agency staff on the internal control plan (ICP), the
importance of the plan and each employee’s part in the plan;
(5) ensure the Agency has proper risk assessment procedures in place;
(6) survey Agency staff on the control environment and report
results to the Agency Director and/or appropriate staff;
(7) review Agency procedures regarding distribution of
information and communication as it relates to processing and recording
financial data;
(8) oversee the ICP to help ensure that control procedures are
appropriate; and
(9) monitor the internal control plan.
Section 2 State Accounting Responsibilities.
State Accounting will provide training and assistance to the
Agency Internal Control Coordinator. This assistance may include guidance on
creating an internal control plan and providing documents which the Agency may
choose to use to implement their plan.
State Accounting will review and test Agency procedures and
policies to determine that adequate internal controls exist at the Agency. Any weaknesses in such controls will be
communicated to the Agency along with information on corrective actions that
shall be implemented by the Agency.
Pre-Audit Function
Section 81-1111.01 of the Nebraska Revised Statutes provides
the Director of AS authority to allow State agencies to conduct their own
pre-audit function in accordance with the provisions of subdivisions (3) (a)
through (f) of Section 81-1111, subject to monitoring by the State Accounting Division. The State Accounting Administrator is
required by Section 81-1111 (1) to manage all accounting matters of the State’s
central accounting system.
Section 1 Agency Responsibilities.
(a) The Agency agrees to designate appropriate
qualified employees to perform the pre-audit function as specified in
subdivision (3) (a-f) of Section 81-1111.
(b) The Agency agrees
to have such employees attend applicable training conducted by State Accounting
to become certified pre-auditors.
(c) All Agency employees assigned the
responsibility for performing such pre-audit function shall:
(1) Be knowledgeable in regard to State laws, AS and Agency accounting policies
concerning voucher and transaction processing;
(2) Ensure the Agency’s vouchers and transactions comply with such laws and policies and are
fiscally responsible, proper, and legal;
(3) Ensure accounting vouchers and transactions comply with State accounting system
processing requirements.
(d) The Agency agrees to provide proper and effective reporting
channels for the reporting of exceptions by such employees for any violations
identified through the pre-audit function.
(e) The Agency agrees to provide State Accounting copies of
requested vouchers and transactions and any accompanying documentation (by hand
delivery, facsimile or email) within two (2) working days of a request for the
same. The Agency agrees to provide State
Accounting the requested original vouchers and transactions and any
accompanying documentation within four (4) working days of a request for the
same.
(f) The Agency agrees to ensure necessary documentation for
vouchers or transactions is maintained as a record at the Agency for three (3)
years or as required by the Secretary of State’s Records Retention and
Disposition Schedule.
Section 2 State Accounting Responsibilities.
(a) Accounting shall retain its statutory
responsibility to monitor the pre-audit function performed for the Agency
subject to the confidentiality limitations imposed by law. Should State Accounting document that the pre-audit
function is not being performed at the requisite standards established by
statute and State Accounting, the AS Director can withdraw this MOU and have AS
perform pre-audit functions using AS resources, for which the Agency will be
assessed appropriately.
(b) State Accounting will provide, at its expense,
training to Agency employees involved with financial transactions.
(c) State Accounting will determine the criteria
for selecting vouchers or transactions that will be audited on a
post-processing basis. State Accounting
shall audit each selected voucher or transaction with the same level of
scrutiny that State Accounting would have used during a pre-audit of the
voucher or transaction.
(d) Should State
Accounting determine that the Agency has invalid vouchers or transactions, State
Accounting will require the Agency to take appropriate action.
Section 3 Terms.
This Memorandum of Understanding
shall be effective on the date of the Agency signature below and shall remain
in effect for three years at which time a new memorandum will be signed. This memorandum becomes void with the
appointment of a new Agency Director who shall be asked to sign a new
memorandum.
Section 4 Administration.
State Accounting and the Agency shall each name a staff
member to coordinate the implementation and performance of this Memorandum of
Understanding. All notices, and other
communications under this Memorandum of Understanding, shall be directed to
such individuals as follows:
State Accounting: E Curtis Youngman, Audit Coordinator
Capitol – Room #1309
Agency Internal Control Coordinator: ________________________________
________________________________
________________________________
Section 5 Amendments.
This Memorandum of Understanding may only be amended by
written instrument (which includes addendums) duly approved by both agencies.
ADMINISTRATIVE SERVICES:                      AGENCY:
By: ________________________________          By: ________________________________
Title: as State Accounting Administrator      Title: ______________________________
Date: ______________________________          Date: ______________________________
APPENDIX A
Internal Control Guidelines
There are five
internal control standards issued by the Committee of Sponsoring Organizations
(COSO). Your agency will address these
standards when documenting internal controls for your agency. The purpose of this document is to guide
agency management in carrying out their agency’s goals and objectives. This
guidance is not intended to take the place of management’s judgment or to
dictate how management chooses to carry out its responsibilities.
What are Internal Controls?
Internal control or an internal control system
is the integration of the activities, plans, attitudes, policies, and efforts
of the people of an organization working together to provide reasonable
assurance that the organization will achieve its mission and objectives.
This definition establishes that:
o internal control impacts every aspect of an agency: all of its people, processes and
physical structures;
o internal control is a basic element that permeates an agency - not a feature that is
added on;
o internal control incorporates the qualities of good management;
o internal control is dependent upon people and will succeed or fail depending on the
attention people give to it;
o internal control is effective when all of the people and the surrounding environment work together;
o internal control provides a level of comfort to an agency; controls do not guarantee
success; and
o internal control helps an agency achieve its goals and objectives.
As stated in the
above definition, internal control is a means for achieving the agency's goals
and objectives. More specifically, there are four purposes of internal control:
o to promote orderly,
economical, efficient and effective operations and to produce quality products
and services consistent with the organization's mission;
o to safeguard
resources against loss due to waste, abuse, mismanagement, errors and fraud;
o to ensure adherence
to laws, regulations, contracts and management directives; and
o to develop and maintain reliable financial and management
data, and to accurately present that data in timely reports.
If an agency
addresses each of these four purposes in developing its internal control
system, the agency will most likely achieve its goals and objectives. Failure
to adequately address any one of these purposes may put the organization at
risk.
The first internal control standard is Control Environment.
Your Agency should
establish and maintain a positive and supportive attitude towards the
achievement of your agency objectives. While managers set the tone for the work
environment, all employees have input into the control environment. Over the years, studies have found that there
are two effective ways to reduce fraud.
One way is to lock up everything in your workplace and the other way is
to surround yourself with ethical people.
Employees make internal controls work. The values in place at your agency determine
your organization's ethical tone.
Control environment
is the attitude toward internal control and control consciousness established
and maintained by the management and the employees of an organization. It is a
product of management's philosophy, style and supportive attitude, as well as
the competence, ethical values, integrity, and morale of the organization's
people. The organization structure and accountability relationships are key
factors in the control environment.
The second internal control standard is Risk Assessment.
All State
agencies should perform a risk assessment on an annual basis. This involves a review and analysis of
program operations to determine where risk exists, and what those risks
are. These risks are then measured
towards the impact on your operations. A
risk assessment also allows you to target high-risk areas or programs and focus
on where the greatest exposure exists.
Always reassess risk as a result of changing conditions, both internal
and external, in your workplace.
Risk identification
occurs as a result of findings from audits, evaluations and other testing or
assessments. Risk analysis includes
estimating the likelihood and frequency of occurrence of each risk and
determining whether it falls into the low, medium, or high-risk category. Once risk is identified, the potential impact
on programs should be measured and additional controls should be developed. What are your risks from downsizing your
operations and personnel? What are your
risks relating to new legislation and/or regulations? Risk is not another thing to manage, but a
way of managing.
Risks are events that
threaten the accomplishment of objectives. They ultimately impact an
organization's ability to accomplish its mission. Risk assessment is the
process of identifying, evaluating and determining how to manage these events.
At every level within an organization there are both internal and external
risks that could prevent the accomplishment of established objectives. Ideally,
management should seek to prevent these risks. However, sometimes management
cannot prevent the risk from occurring. In such cases, management should decide
whether to accept the risk, reduce the risk to acceptable levels, or avoid the
risk. To have reasonable assurance that the organization will achieve its
objectives, management should ensure each risk is assessed and handled
properly.
The third internal control standard is Control Activities.
This is using methods to reduce risk identified during the risk assessment process to
ensure that agency decisions and objectives are carried out. Methods used to control activities include
policies, procedures, networking, auditing and investigations. Control activities can include both
prepayment and/or post payment mechanisms to manage any improper payments.
Your agency should
have in place detection techniques to quickly identify and correct improper
payments. Detection techniques play a
large role in identifying improper payments and also provide information on why
these payments were made so that corrections in your process can be made. Good internal controls should ensure that
there is a proper segregation of duties, divided among different people to
reduce error, waste, or fraud. No one
individual should be allowed to control all key aspects of a transaction or
event.
An agency's internal control activities should be flexible, weighing costs and
benefits, to allow agencies to tailor these activities to fit their special
needs. Once in place, control activities
will provide you useful information to meet the objectives of your agency.
Control activities
are tools - both manual and automated - that help prevent or reduce the risks
that can impede accomplishment of the organization's objectives and mission.
Management should establish control activities to effectively and efficiently
accomplish the organization's objectives and mission.
The fourth internal control standard is Information and Communications.
For an
agency to run and control its operations, it needs fast, reliable and accurate
information. Also, the agency needs to
make sure that the types of communications are broad-based and that information
technology management assures useful, reliable and continuous
communications.
How we communicate is
as important as what we communicate.
Effective communication should occur in a broad sense with information
flowing down, across, and up your agency’s organization. By asking questions, we should treat feedback
from employees as another way to consider if our internal controls are
effective.
Communication
is the exchange of useful information between and among people and
organizations to support decisions and coordinate activities. Within an
organization, information should be communicated to management and other
employees who need it in a form and within a time frame that helps them to
carry out their responsibilities. Communication also takes place with outside
parties such as customers, suppliers and regulators.
The fifth internal control standard is Monitoring.
Monitoring
performance is a critical tool to the success of your agency. When your risk is identified, internal
control monitoring should be in place to measure the quality of performance
over time and ensure that the findings of audits and other reviews are promptly
resolved. Your organization should
consider continuous monitoring activities as well as specific events, such as
audits, special reviews or evaluations.
Monitoring should include policies and procedures for tracking audit
findings and other reviews brought to the attention of management to see they
are promptly resolved. Specific
evaluations are a great method to look at your internal controls by focusing on
a specific event and time. At this
point, you have your problem areas and risk identified and procedures in place
to treat problems. Proper monitoring and
review allows you to track the progress of your improvements and determine if
deficiencies are corrected.
Monitoring
your activities should be ongoing to aid in reducing improper payments. Your monitoring process should include
procedures for ensuring that results are communicated to the necessary people
within your agency so that they can be promptly resolved. Using data from monitoring will not only
improve your operations; it will allow management ways to identify areas
needing further attention or a shift in focus.
Simply said, improper payments should not be considered an acceptable
cost towards operating your agency.
Monitoring is the
review of an organization's activities and transactions to assess the quality
of performance over time and to determine whether controls are effective.
Management should focus monitoring efforts on internal control and achievement
of organization objectives. For monitoring to be most effective, all employees
need to understand the organization's mission, objectives, responsibilities,
and risk tolerance levels.