Policies and Procedures for General Internal Controls



Policies and Procedures for General Internal ControlsBACKGROUND INFORMATIONInternal control is a process designed by the Board of Commissioners, PHA management and other PHA personnel to provide reasonable assurance that the PHA can achieve the agency’s goals and objectives in a cost-effective manner. Internal controls affect the following areas:Operations – The effective and efficient use of the PHA’s resources to ensure that the agency’s operational objectives are achieved.Financial reporting – Preparation of reliable financial pliance – Compliance with applicable laws and regulations.Internal control requirements applies to all Federally-funded entities. The U.S. Office of Management and Budget (OMB) has prescribed the requirements for all non-Federal entities that receive federal funding (including PHAs) to follow. The requirements as set forth by OMB must be followed by all Federally-funded entities regardless of the size of the entity or the amount of funding received.The first OMB internal control requirement is straight-forward and requires that entities, in this case a PHA, have effective controls to assure that the funds are used in compliance with Federal statutes, regulations and other terms and conditions of the funding award.The second OMB internal control requirement requires that the entity’s internal control systems must be in compliance with guidance in “Standards for Internal Control in the Federal Government” as issued by the Comptroller General of the United States and the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).This document provides a sample of a PHA general internal controls policy and procedures.All PHAs. This sample provides an example general internal controls policy for all PHAs, regardless of size or complexity.PHAs can simply cut and paste the sample into their policy and procedures document and modify as needed.ITEMS FOR CONSIDERATIONThe following provides items that the PHA needs to consider when developing the policy and procedures for general internal controls and the major assumptions that were used to develop the sample policy and procedures.Reminder – If the PHA does not have enough staff for proper internal controls, the Board of Directors may provide additional authorizations or approvals. (Small PHAs Only)Reminder – There are certain limitations in any internal control system and management should understand these limitations when designing their own policy and procedures. Limitations may include the following items.Lack of Judgment – Even managers in a well-controlled organization can make bad decisions.Breakdowns – People with control responsibilities may not carry them out effectively or efficiently.Management Override – Managers may purposefully go outside established practices for illegitimate reasons.Cost vs. Benefit – Resources are limited. Managers properly accept a degree of risk when the cost of controlling the risk exceeds the benefit.Inadequate Segregation of Duties – Systems in place may not adequately separate the responsibility for physical custody of an asset from the related record keeping.Lack of Knowledge of Policies and Procedures – Having a system of internal controls is not sufficient if all personnel are not knowledgeable of the proper policies and procedures.Inherent Limitation – Due to the size of the PHA, segregation of duties and other risk controls may not be feasible.Collusion – If personnel are in collusion to perform fraudulent activities, control activities that should be in place may be intentionally overlooked or ignored.Reminder – COSO does not require a specific timeframe / schedule for risk assessments and control activities to be reviewed and updated. Best practices would be to have the risk assessments and control activities completed annually. Once a PHA has established a baseline of policies and procedures for all activities, PHAs should conduct an annual review. This sample policy assumes PHA’s have a good baseline of all needed policies and procedures.SAMPLE 1 – ALL PHAsGENERAL INTENRAL CONTROLS POLICYThe PHA will establish general internal controls that will be applied to all programs to: 1) mitigate the threat of theft, fraud, or misappropriations of company assets, and 2) to ensure the PHA administers its programs in a manner to obtain reasonable assurance that the goals and objectives of the PHA and programs are met in a cost-effective way. The internal controls will include procedures related to authorizations, approvals, reconciliations and monitoring activities designed to safeguard all assets of the PHA.The PHA will ensure compliance with the “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).GENERAL INTENRAL CONTROLS PROCEDURESThe PHA’s internal control program and framework are outlined below.General Internal Control ProgramAll staff will be involved in carrying out the processes and procedures related to the operations of the PHA. However, it is ultimately the responsibility of the Executive Director to make sure the PHA is operating as effectively and efficiently as possible. The Executive Director will be responsible for the design and implementation of the internal controls of the agency, and he/she is the one who will set the ethical tone of the PHA.The Executive Director is accountable to the Board of Commissioners, who will provide governance and oversight to the PHA. An active and knowledgeable Board will foster and reinforce the positive control environment of the agency.The PHA may choose to have an internal audit function to assist in monitoring the control activities of the agency. The internal auditor will assess the effectiveness of controls and make recommendations to the Executive Director and Board of Directors.It is understood that:Internal control is a process and is not complete once controls have been established but is ongoing and is to be continually assessed in order to meet the goals and objectives of the agency.Internal control is affected by people.? Internal control is not simply a collection of policies and procedures as personnel at every level should be informed on the policy and procedures that are ultimately approved and execute the policy and procedures.Internal control can be expected to provide only reasonable assurance, not absolute assurance, to management and the Board of CommissionersRequired COSO Internal Control-Integrated FrameworkA system of internal controls involves certain components as outlined by the COSO Internal Control-Integrated Framework. According to COSO, there are five (5) components of internal control:Control Environment. The control environment is the foundation for all other components of internal control. The control environment sets the tone for the PHA and is the attitude taken by management on how business operations should be handled at the organization. There is an expectation of integrity and ethical values in the completion of the PHA’s business and mission, including how the PHA communicates and is viewed by the public, employees, their vendors, and the program participants. The expectation starts at the top and works its way down through the agency. If top management is not ethical in its decisions and the way they treat others, it is likely that all other components of the internal control framework will fail. To instill a proper control environment:The Board of Commissioners and top management will implement a system of internal controls that will be periodically reviewed and updated as needed.The Board of Commissioners and management will oversee the internal control system through a collection of reports. These reports can be used to evaluate the effectiveness of management and staff for key performance indicators such as leasing or the PHA/program’s financial position.Only competent and capable individuals will be recruited and hired by the agency.Conflict of interest and ethic training is required training for all new staff and Board of Commissioners. All staff and Board of Commissioners will periodically re-take such training.All employees, including the Executive Director will be fairly disciplined when they fail to adhere to established procedures and policies and for poor performance.The agency’s structure is designed to meet the key needs of each program within the funding levels.Risk Assessment. This component requires the PHA to identify the risks that are relevant to each program. Example of risks are: theft of cash if the PHA accepts cash for payment of rent; the existences of fictitious landlords or inaccurate check amounts associated with HAP processing for the Housing Choice Voucher program; the creation of phony tenant files with fake landlords for the Housing Choice Voucher program; personal use of PHA vehicles or other assets; and timecards not signed by supervisors.All areas of the PHA will undergo a risk assessment annually. New programs or activities or major changes to a program or activity will require a risk assessment to be performed immediately.Management will assess and document the risk associated with the respective area under review. The risk item identified through this process will be ranked by priority order.Risks shall be assessed not just in terms of financial and performance impact and probability, but also using subjective criteria such as health and safety impact, reputational impact, vulnerability, and speed of onset.Control Activities. Once risks have been identified, control activities are the processes and procedures to mitigate the threat of those risks and to ensure the PHA directives are to be carried out in an effective and efficient manner. Examples of control activities include authorizations, approvals, reconciliations, reviews, analysis, segregation of duties, physical safeguards, and security settings for software. For most PHAs, these control activities are documented in the PHAs policy and procedures.After the risk assessment is completed, management will review the current applicable policy and procedures and modify them as necessary, to reduce the identified risk. If there is not a current policy or procedure that mitigates the risk, management and the Board of Commissioners will create the necessary policy and procedure.In establishing the policy and procedures, the PHA will perform a cost benefit analysis.The procedures for the policy should be documented to provide evidence that the internal control system is performing and functioning as intended.All applicable staff will be trained on the policy and procedures.Hard copies or electronic copies of the policy and procedures will be made disseminated to respective staff.The PHA will ensure that the various policy and procedures are current and are properly rmation and Communication. Appropriate and relevant information needs to be communicated within and between departments and programs to confirm that all staff are working toward the same goals and objectives of the PHA.PHAs will establish appropriate reporting to ensure that required parties are provided necessary data and information. This data and information will be timely and rmation and communication can take the form of written documents, emails, electronic files, electronic data sets, and oral communication.Monitoring. Assesses the effectiveness of the internal control policies and procedures. The internal controls should be reviewed from time to time to ensure that they work properly and are not obsolete. Where a process or procedure is no longer working effectively, the processes and procedures will need to be updated to reflect the current workflow or eliminated to reduce confusion. ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download