newark central school district risk assessment and internal … · 2019. 1. 22. · we appreciate...

Newark Central School District Risk Assessment and Internal Audit Plan August 8, 2018


Post on 22-Mar-2021




RISK ASSESSMENT AND INTERNAL AUDIT PLAN

August 8, 2018

Audit Committee
Edward Gnau, Assistant Superintendent for Business
Newark Central School District
Newark, New York 14513

Dear Audit Committee:

This report, as expressed in the risk assessment ratings, provides you, the District's management, and the audit committee with the assessment of the need for controls and a means to prioritize risk mitigation efforts. The risk assessment is an initial step in your risk management program of assessing risk, evaluating controls, reviewing control effectiveness, and adapting measures to achieve an acceptable level of risk.

The risks noted in the risk assessment should be evaluated in light of your existing policies and practices to identify potential improvements or changes in the control structure based on the level of risk presented. To assist you in establishing review programs for these activities, a potential internal audit plan and schedule for the entities are provided.

We appreciate the opportunity to prepare this risk assessment for Newark Central School District and are available to assist you in carrying out other portions of the risk management program including the work plan. We are also available to answer your questions. Please contact Kathryn Barrett at 585-344-1967 or Christopher Piedici at 585-271-2300.

Sincerely,

Freed Maxick CPAs, P.C.


TABLE OF CONTENTS

EXECUTIVE SUMMARY
  EXECUTIVE SUMMARY
  RESULTS OF REVIEW OF INTERNAL CONTROLS AND ON-SITE VISIT
  RISK ASSESSMENT SUMMARY
  INTERNAL AUDIT PRIORITIES

RISK ASSESSMENT AND INTERNAL AUDIT STRATEGY
  BUDGETING, GOVERNANCE AND REPORTING
  STATE AID
  STAC PROCESSING
  MEDICAID
  GRANTS
  CENTRALIZED CASH RECEIPTS
  DECENTRALIZED CASH RECEIPTS - SCHOOL LUNCH
  DECENTRALIZED CASH RECEIPTS - COMMUNITY EDUCATION
  PURCHASING AND CASH DISBURSEMENTS
  PAYROLL
  EMPLOYEE BENEFITS AND PAID TIME OFF
  GENERAL LEDGER MAINTENANCE
  WIRE TRANSFERS
  FIXED ASSETS
  FUEL DEPOT
  INFORMATION SYSTEMS

INTERNAL AUDIT PLAN

APPENDIX – RISK CATEGORY DEFINITIONS


EXECUTIVE SUMMARY

In December 2006, the audit committee requested that Freed Maxick CPAs, P.C. perform an initial risk assessment and prepare an internal audit plan for Newark Central School District. This report represents an update to the initial risk assessment that was performed for the Newark Central School District. It has been updated for all modifications made to the internal controls since the initial risk assessment was performed, and the 2013 revisions of the COSO framework.

This risk assessment and internal audit plan will then be used to develop the scope and direction of the internal audit program to be deployed by Newark Central School District and Freed Maxick CPAs, P.C. during the current fiscal year. Establishment of a comprehensive internal audit program, under the guidance of the 2013 COSO framework, will enable Newark Central School District to align its mission and vision with its operational structure and environment, assess risk as it relates to materiality, opportunity, and organizational objectives, control risk mitigation, improve organizational functionality through value-added communication and information resourcing, and vigilantly monitor the effectiveness of internal control to promptly counteract any shortfalls. It can also be used to determine what resources will be needed to complete the identified higher risk internal audits.

This report summarizes the risk assessment and internal audit plan for Newark Central School District. Intrinsic in the risk assessment of the Newark Central School District is the concept of materiality. Those areas of the Newark Central School District that deal with more significant dollars or a higher volume of transactions will most likely score as higher risk merely due to the dollars and number of transactions passing through those transaction cycles.

The objective of this report is to ensure that Newark Central School District has sufficient and continuous internal audit coverage of those areas judged as having a relatively higher risk profile or that otherwise require internal audit attention for regulatory or management reasons. Additional concentration, as per the 2013 COSO update, focuses on the effectiveness and suitability of internal control. The three areas of newly emphasized focus surround adequate and functional monitoring of the organizational activities, improved reporting both externally and internally, and a thorough understanding of the importance and interrelatedness between a well-tailored internal control framework and the concept of risk management.

The scope of the risk assessment and internal audit plan has been reviewed and approved by the Audit Committee of Newark Central School District, who in turn has final responsibility and authority for the satisfactory execution of the internal audit plan.

The risk assessment and internal audit plan is primarily risk-based and is organized around the District’s major internal control cycles. The plan was developed based on detailed interviews with employees, management personnel, the results of previous internal and external audits, and our cumulative knowledge of Newark Central School District’s internal control risks. Our interviews with employees and management were directed toward gaining a thorough understanding of the objectives and related risks in each internal control area, from the perspective of the individuals responsible for controlling such risks. Using this information and input, we evaluated the level of risk (low, moderate or high) present in each area, across a standard spectrum of risk categories (see Appendix for risk category definitions). A summary of this risk analysis by control cycle is included subsequently.

The risk assessment process also drives the planned scope of the internal audit coverage, which is summarized by internal control area.


RESULTS OF REVIEW OF INTERNAL CONTROLS AND ON SITE VISIT

During our review of the internal controls of the District we noted the following:

Budgeting

The District has a formalized long-range financial plan and reserve plan that have been adopted by the Board. In accordance with Chapter 514 of the Laws of New York – 2016 this information should be included on the District’s website. We recommend the District update its website to ensure that it is in compliance with the law.

Management response: The District is in the process of posting to their website the information to comply with Chapter 514 of the Laws of New York.

Cash Receipts (Business Office, School Lunch and Community Education)

Currently, multiple employees have access to cash collected by district personnel for the purpose of reconciliation and recounting. Adequate segregation of duties and strong internal controls limit access to physical cash to as few people as possible. While we understand the District put in additional processes and procedures, we still recommend the District continue to evaluate the risks and benefits associated with allowing multiple employees to have access to cash collections. We recommend that cash be counted at the point of collection, followed by a verification count by a supervisor or designated employee at that location, and then secured in a locked bank bag or tamper-resistant bag with no other district personnel having access. This should be done before money is sent to the business office for deposit to ensure what was counted at collection is the same as what gets deposited.

Management response: The money is currently counted at the specific area by the individual responsible (lunch supervisor, community education coordinator). It is then sent to the Treasurer. This process was put in place as there were errors and continue to be errors in the amount of money that is counted and sent to the District Office. The Treasurer is able to correct the errors before the bank receives the deposit.

School Lunch Inventory

There are no camera systems positioned to observe the storage facilities of food (cold or dry). We recommend the District install cameras positioned where inventory is stored to reduce the potential for inventory to go missing through theft without the ability to identify the source. Currently, cameras are not in positions that would allow such a determination if theft should occur.

Management response: As the District moves forward with increased security for all buildings, evaluation of these concerns will be looked into further.


Internal Claims Auditor

We noted that although the District has been actively searching for training, the newly appointed Internal Claims Auditor has not received training, although the employee’s background was in the accounts payable function within a school district. We recommend that training be attended on a periodic basis to allow the Internal Claims Auditor to update their knowledge and implement best practices as identified by other professionals in the area of claims auditing.

Management response: As trainings become available to the business office, they are shared with the auditor to determine if they can attend.

Payroll and Human Resources

The District has no formal exit interview process in place for employees who retire, resign or are terminated. We recommend that a process be put in place, or a checklist be utilized, so that information regarding deactivation from the network, collection of keys, badges, laptops, etc. is documented and provided to human resource personnel in a timely manner.

Management response: With the switch to nVision Financial Software we are reviewing procedures at the District and building levels to see how this would be best handled. As the buildings are charged with handling keys and the technology department is charged with laptops, etc. this is something that will have to be worked through at both the building level and District level. The following stakeholders will be responsible to implement this process by June 30, 2019: Assistant Superintendent for Business, District Office Staff, and Building Principals.

Information Technology and Accounting Software

The roles and responsibilities for technology support services are not clearly defined between the personnel at the District and Edutech. It is also noted that no formal service agreement exists between these two parties. Such an agreement should include policies and procedures for change management, response times for Edutech personnel, and guarantees for system availability. We recommend that the District and Edutech personnel meet to determine the responsibilities of each group and create a formal document.

Management Response: No specific corrective action plan has been established at this time.

The District has developed a formal disaster recovery plan that is pending board approval. The plan takes into consideration the outsourced functions of Edutech. Best practices indicate that a technology vulnerability management and penetration testing process, to protect the District from cybersecurity threats, should be part of this plan. The District is utilizing the services of LakeNet, a division of Edutech, to identify areas of vulnerability at the District level to mitigate this issue. However, LakeNet is the same source that designed the system. While evaluating areas of vulnerability at the District level is a good first step, we recommend the District consider next evaluating the design and security of the systems managed on behalf of the District by Edutech. The District may want to consider utilizing an independent third party for this next phase.

Management Response: The District will work with Edutech and LakeNet to evaluate the services offered and determine the appropriate next steps.


RISK ASSESSMENT SUMMARY

Risk Factors (Definitions of the Risk Categories can be found in the Appendix)

|  | Ext Mkt Rep | Financial | Operational | Legal/Regulatory | Strategic | Tech/System | People/Culture | Fraud | Monitoring | Info/Communications | Control Activities | Risk Assessment | Control Enviro. | Current Year Risk Score | Current Year Rating | Prior Year Risk Score |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| STAC Processing | L | M | L | L | L | L | L | L | S | S | S | S | S | 212 | 11 | 212 |
| Medicaid Billing | L | L | L | L | L | L | L | L | S | S | S | S | S | 200 | 12 | 222 |
| Grants | L | L | L | L | L | L | L | L | S | S | S | S | S | 200 | 13 | 210 |
| Centralized Cash Receipts | L | L | L | L | L | L | L | L | S | S | M | S | S | 223 | 6 | 223 |
| School Lunch Cash Receipts | L | L | L | L | L | L | L | L | S | S | M | S | S | 223 | 7 | 223 |
| Community Education Cash Receipts | L | L | L | L | L | L | L | L | S | S | M | S | S | 223 | 8 | 223 |
| Purchasing and Cash Disbursements | L | H | L | L | L | L | M | L | S | S | S | S | S | 237 | 2 | 224 |
| Payroll Processing | L | H | L | L | M | L | L | L | S | S | S | S | S | 232 | 4 | 255 |
| Employee Benefits and Paid Time Off | L | M | L | L | M | L | L | L | S | S | S | S | S | 220 | 10 | 220 |
| General Ledger Maintenance | L | L | L | L | L | L | L | L | S | S | S | S | S | 200 | 14 | 200 |
| Wire Transfers | L | L | L | L | L | L | L | L | S | S | S | S | S | 200 | 15 | 200 |
| Fixed Assets | L | L | L | L | L | L | L | L | S | S | S | M | M | 236 | 3 | 236 |
| Fuel Depot | L | L | L | L | L | L | L | L | S | S | S | S | S | 200 | 16 | 200 |


Risk Factors (Definitions of the Risk Categories can be found in the Appendix)

Inherent Risk Factors: Continuance of Business through Information Sensitivity. Control Risk Factors: Monitoring through Control Enviro.

|  | Continuance of Business | Communications/Network | Business Units Served | Complexity of Env. | Staffing | Availability/Response | Computing Platform | Information Sensitivity | Monitoring | Info/Communications | Control Activities | Risk Assessment | Control Enviro. | Current Year Risk Score | Current Year Rating | Prior Year Risk Score |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Information Systems | L | M | L | L | M | M | L | M | S | S | M | S | S | 273 | 1 | 288 |


INTERNAL AUDIT PRIORITIES

In order to address the higher risk activities and other areas of concern identified during the business risk assessment process, the following internal audit activities need to occur in the near future:

Information Systems and Accounting Software – Information systems and accounting software were identified as an area of high risk due to the importance of the systems in place, the software used in the District’s internal controls over accounting systems, the risk to personally identifiable information, and the third-party provider contract. This area was last tested in April 2016 and corrective actions are in process.

Purchasing and cash disbursements - Due to the inherent risks associated with purchasing and cash disbursements for school districts in general and recent challenges experienced by the District due to lack of cross training, this area has been identified as a high risk within the District. We will include selection and testing of cash disbursements from throughout the District to verify the purchases were reasonable and necessary, were properly approved, and there were available appropriations. We will also verify all District purchasing policies and internal controls have been followed and the transaction was supported by appropriate bid or quote information.

Fixed Assets – Due to a lack of performance of periodic physical inventories of the District’s fixed assets other than technology assets, fixed assets was identified as an area of higher risk. Internal audit will include review of the District's policies and procedures for identifying assets to be added or removed from the inventory listing maintained by the District. Internal audit may also include a physical inventory of all assets that are at higher risk of being lost or stolen.

Payroll - Due to the financial and inherent risks associated with payroll for school districts in general, this area has been identified as a high risk within the District. We will test payroll registers for selected employees to verify that employees listed are employed by the District and are paid in accordance with their contract. We will test hourly employees to verify that the hours paid are supported by time sheets and that the time sheets have been approved by a supervisor and that they have been paid the correct rates. This area was last tested in October 2007.

State aid - Due to the financial and strategic impact that state aid has on the District and the lack of segregation of duties over reporting information used by the State Education Department to generate state aid and individuals involved in monitoring state aid, this area has been identified as being of higher risk within the District. We will test the data reported to the State Education Department to verify that it is accurate and verify ST-3 expenditures to ensure that the District spent the maximum amount of state aid provided.


BUSINESS RISK ASSESSMENT AND INTERNAL AUDIT STRATEGY

BUDGETING, GOVERNANCE AND REPORTING

Overview of Business Area

Various employees of the District assist in the preparation of the annual budget. The budget is presented, modified and eventually approved by management, the Board and ultimately the voters of the District. The budget outlines the financial goals and objectives of the District for the year.

In October, the Assistant Superintendent for Business and the Superintendent, upon approval of the Board, establish the budget calendar that identifies key dates for budget development. The budget calendar is distributed to key employees in the District (Superintendent, 5 Building Principals, 2 Assistant Principals, Director of Pupil Services, Director of Technology, Transportation Supervisor, Assistant Superintendent for Curriculum and Instruction, Assistant Superintendent for Business, and the Athletic Director). Key employees receive the previous two years of historical expenditure data, the approved current year budget, year to date budget expenditures, guidance for the following year's budget and a blank column for subsequent year's budget. Key employees also have access in nVision to view their budget and expenditure detail.

Each building is given a preliminary budget allocation. Employee needs and major impact items are identified by mid-December. The major impact items are initially approved or cut. The Superintendent and the Assistant Superintendent for Business work together to determine the budget impact of staffing changes and the major impact items.

The Assistant Superintendent for Business is responsible for preparing the revenue budget. The revenue budget, with the exception of property taxes and state aid, is based on historical data and projections of anticipated events. The state aid budget is based on the Governor's proposal until more accurate figures are available from the State Education Department. BOCES aid is projected based on prior year actual BOCES expenditures and transportation aid is compared to ST-3 data. The tax cap is calculated by the Assistant Superintendent of Business. The tax cap calculation for the 2015/2016 fiscal year was reviewed by OSC with no findings reported.

The Board is provided with a preliminary budget in March with the final budget being adopted by the Board in mid-April. The District Clerk is responsible for preparing for budget presentations and the budget vote.

During the fiscal year, actual financial results are compared to the approved budget by both management and the Board at least monthly. The Board has authorized the Assistant Superintendent for Business (or District Treasurer in his absence) to approve all budget transfers but reviews a report of budget transfers on a monthly basis. General ledger activity is updated frequently to ensure the accounting system contains information that is accurate and current so it may be relied upon to make decisions.


On a monthly basis the Board receives the Appropriation Status Report, the Revenue Status Report, the Treasurer's reports, and Budget Transfers for review.

The District has a Code of Ethics/Code of Conduct Policy and a Whistleblower Policy that are reviewed with new employees at the beginning of each school year. The ethics policy has been added to the District’s online mandatory training that is sent to all staff and tracked to ensure that they have reviewed all mandatory policies. District policies are readily available on the District's website.

Business Objectives

The budget accurately reflects the goals and objectives of the District and is reasonable. Monitoring of District activities occurs on a routine basis so issues can be addressed in a timely manner.

Potential Significant Risks

There is a potential risk the budget does not accurately reflect the goals and objectives of the District and is not reasonable. If the District exceeds its budget, it would result in a compliance finding reported to SED; this could have a negative impact on fund balance, and could impact future budgets and voter support. There is a potential risk financial information produced by the general ledger cannot be relied upon, which would hinder the District's ability to make appropriate financial decisions. There is a potential risk that monitoring of District activities does not occur on a regular basis, impeding the District's ability to address issues in a timely manner.

Internal Audit Strategy

Internal audit will review the budget process and historical budget to actual data to gain comfort that the budgets developed by the District are reasonable. We will review budget presentations to ensure they are in compliance with New York State regulations. We will review with the Board their practices for monitoring the financial operations of the District and verify they understand the information that is provided to them.


STATE AID

Overview of Business Area

State aid consists of many component areas. These areas include the following:

Per capita aid (library, hardware, textbook, and software aid) - based on pupil counts times a state derived rate.

Building aid - based on debt service payments times an aid ratio.

Transportation aid - based on costs associated with providing transportation services times an aid ratio.

Foundation aid - calculated by the state based on information provided by the District.

BOCES aid - based on previous year's BOCES expenditures times an aid ratio.

Some aids (transportation) may be increased by allocating administrative and overhead costs to the function. The District attempts to allocate as much overhead and administrative costs to the transportation department as possible to maximize transportation aid. Other aids (categorical) require that the number of students submitted to the state be accurate. The amount of aid per student for these categorical aids is determined by the State Legislature. Still other aids (foundation) are determined by the state.

The Assistant Superintendent for Business and the District Treasurer monitor State aid output reports on a monthly basis for unanticipated changes in state aid. Beginning in the middle of the year, the Assistant Superintendent for Business will review the appropriation status report monthly to ensure all expected aid dollars are spent/encumbered before year-end.

Business Objectives

To ensure the District is receiving the maximum amount of aid available and the information submitted to the state that generates aid is accurate.

Potential Significant Risks

There is a potential risk that the information submitted to the state used in the state aid calculations is not accurate, which may result in the District receiving more or less state aid than they are entitled to. There is a potential risk the District has not allocated all of the costs allowed, including indirect costs, to certain functions that will result in maximum state aid.

Internal Audit Strategy

Internal audit will include review of student counts to verify the number of students submitted to the state is accurate. We will obtain per capita state aid amount and verify the amount of state aid received is reasonable. We will review ST-3 expenditures to verify the District spent the maximum amount of state aid provided. We will verify cost allocations for the transportation department to verify all eligible costs have been allocated to the department. We will review other aid calculations to determine if they are reasonable.


STAC PROCESSING

Overview of Business Area

STAC forms are submitted based on Individualized Education Programs (IEPs) developed by the Committee on Special Education (CSE). Students can receive services through outside private agencies, the BOCES, or can receive in-district services. The service provider will be identified on the IEP along with all of the services to be provided and the frequency of the service. The District uses IEP Direct to track and monitor student progress.

STAC forms are processed by the Secretary of Pupil Services. Estimated costs for in-district placements are calculated by the business office. Estimated costs for BOCES placements are based on the BOCES catalog of services and estimated costs for agency placements are based on state approved rates for the agency. STACs are prepared for only those students who are likely to exceed the District's qualifier.

The Secretary of Pupil Services enters all cost information and student demographics into the State Aid website and creates the STAC form. The Secretary of Pupil Services receives a "Notice of Commissioner's Approval for Reimbursement." Periodically the Director of Pupil Services will review and sign the STACs denoting her review.

In February of the following year the District will receive the verification forms (AVL). The Secretary of Pupil Services will update student cost information based on updated payroll, contract and related services cost information received from the business office. The Director of Pupil Services reviews the completed AVLs and the Secretary of Pupil Services will submit the AVLs to the State STAC Unit verifying the student special education costs. The Pupil Services Secretary and Director of Pupil Services review the unverified and Gold Star reports and discuss them with the Assistant Superintendent for Business.

Business Objectives

To ensure the District is receiving the maximum amount of aid available and the information submitted to the state that generates aid is accurate.

Potential Significant Risks

There is a potential risk the information submitted to the state that is used in state aid calculations may not be accurate. There is also a risk the District may not allocate all of the costs allowed, including indirect costs, to certain functions that may result in the District not receiving the maximum state aid.

Internal Audit Strategy

The internal audit will include examining a sample of STAC forms and verifying the services listed on the STAC forms agree to the services listed on the student's IEP. We will review the calculation of the costs submitted on the STAC form to determine if they appear reasonable. We will verify SED has the STAC form on file.

MEDICAID

Overview of Business Area

The Medicaid requirements implemented in 2010 require additional training and professional qualifications for most providers and also documentation requirements. Providers are subject to audits by the Medicaid Inspector General. All employees in the District providing Medicaid services have attended compliance training and the District is considered a qualified provider. For the services to be eligible for reimbursement, the services must be provided by licensed providers and the providers must maintain session notes with the specific type of service provided, dates and time the services were provided, referrals for certain services, etc.

The District uses a third party, EduTech, a service of the Wayne Finger Lakes BOCES, to process and submit claims for reimbursement. Once claims are entered, the EduTech consultant and the CSE Director monitor claims submitted and claims paid. The District uses Medicaid Direct as its data warehouse and the consultant at EduTech has access to the system.

The Director of Pupil Services/CSE Director receives a list of all Medicaid eligible students from EduTech. Once the list is received, consent letters are sent to the parents to obtain consent to seek reimbursement for Medicaid eligible services. If any of the students do not have a parental consent on file, the Director of Pupil Services/CSE Director sends a request to the parent/guardian for their consent. There is no need to obtain a new parental consent for changes to the IEP or any other time that the student has an unbroken enrollment in our District. The only time a new parental consent is needed would be if the student leaves/un-enrolls with the District and then returns.

The EduTech consultant will track the status of the claims and will follow up on any claims not approved for payment by Medicaid. The Director of Pupil Services/CSE Director also monitors rejected claims and how they are resolved. The EduTech consultant will send the CSE Director and Medicaid Supervisor a monthly report of all claims submitted. This information is then forwarded to the District Treasurer. When Medicaid payments are received, the District Treasurer will match the payment to the list of submitted claims. The District has requested that EduTech prepare reports of rejected claims and status of those claims for their (District's) review and follow-up as needed.

The Internal Claims Auditor also audits Medicaid claims submitted. Samples of 5-6 random students are picked to verify that an IEP is in place, that all providers are properly licensed, and that consent forms are on file. A copy of the audit findings is filed with the Assistant Superintendent for Business and the Medicaid Supervisor.

Business Objectives

The District is complying with the Medicaid requirements and maximizing their Medicaid aid.

Potential Significant Risks

There is a potential risk the District is not complying with the Medicaid requirements and may be subject to fines and/or penalties. There is also a potential risk the District is not maximizing their Medicaid aid.

Internal Audit Strategy

We will test the District's compliance with Medicaid documentation requirements and professional qualifications and training.

GRANTS

Overview of Business Area

The District Treasurer with the Grants Coordinator (IDEA grants) or the Assistant Superintendent for Curriculum and Instruction (all other grants) prepares the budgets (FS-10) for all grants. There are few deadlines for submission of financial data relating to grant applications. Processing interruptions will not have a significant impact on the grants. Funds are budgeted in the following order: Pass through funds for out-of-District placements; salary; other costs. Budgets are submitted to the SED for approval by the Assistant Superintendent for Curriculum and Instruction. Once approved by the state, the District Treasurer inputs the program budgets into nVision.

On a monthly basis, the Grants Coordinator, Director of Pupil Services and the Assistant Superintendent for Curriculum and Instruction review the Budget Status Reports to monitor spending. The District Treasurer prepares the monthly/quarterly draw down requests (FS-25) based on actual year-to-date program expenditures reported in nVision. Budget amendments (FS-10A) are prepared by the District Treasurer as needed. The District Treasurer also monitors account balances to ensure the appropriate amount is expended. The final expenditure reports (FS-10F) are prepared and submitted to the State Education Department by the District Treasurer.

Payroll certifications are prepared by the employees charged to the federally funded programs on a monthly basis. The Secretary to the Assistant Superintendent for Business is responsible for ensuring payroll certifications are completed and monitors the process.

Business Objectives

Grant programs are delivered in compliance with grant provisions. The goal is to ensure program services are provided to eligible participants, eligible participants are receiving program services, and the grant program results can be measured to ensure the program is achieving the desired results.

Potential Significant Risks

There is a potential risk grant programs are not delivered in compliance with grant provisions. There is a potential risk the costs of the program incurred are disallowed by the granting agency and the District may be required to return the funds. There is a potential risk grant program results are not measured to ensure the program is achieving the desired results.

Internal Audit Strategy

Internal audit will include a review of various grants and the goals and objectives of these grants. We will test program expenditures to ensure the expenditures are provided for in the budget, are reasonable, and benefit the program. We will test eligibility to ensure program services are provided to eligible participants. We will review program reports to granting agencies to see if program objectives are met and measurable goals are obtained.

CENTRALIZED CASH RECEIPTS

Overview of Business Area

The County prepares the tax bills based on tax rate data provided by the Assistant Superintendent for Business. The County sends the tax bills to the Town Tax Collector for mailing. The County updates the tax information in the Williamson Law Book tax collection software. School taxes are collected by the Town of Newark Tax Collector at the Town's offices. Property taxes are either mailed to the Town Tax Collector or taken to the Town Tax Collector's office at the Town. Checks received by the Town Tax Collector are verified against the tax bill. The checks are then input into the tax collection software by the Town Tax Collector. At least daily, deposits are prepared by the Town Tax Collector and taken to the bank by courier.

On a daily basis, the Town Tax Collector reconciles the daily receipts entered into the tax collection software to the cash and checks received for the day. The Town Tax Collector then prints a report that totals the day's collections, and saves the daily receipts to a USB. The USB, the report, and a carbon copy of the deposit ticket are forwarded to the District Treasurer. On a daily basis, the District Treasurer loads the data from the USB into the Williamson Law Book program, runs a report totaling the receipts, and verifies the receipts match the Town Tax Collector's Report and the bank receipt. The appropriate cash receipt entries are recorded in nVision by the District Treasurer.

The Town Tax Collector prepares the uncollected tax report and reconciles it to the tax levy. The District Treasurer will review collection reports regularly to monitor the collections process and will review/verify the Tax Collector’s reconciliations to the uncollected tax report. Periodically the Assistant Superintendent for Business will review the documents to verify accuracy.

All other cash and checks received by the Business Office are logged and counted by two people, the Assistant Treasurer and the Payroll Clerk. Receipts are issued to payers upon request or for any receipts received in person. Incoming cash is recorded on a "cash received log" by the Assistant Treasurer and is subsequently verified by the District Treasurer. The District Treasurer codes and posts the general fund, extracurricular and school lunch fund receipts into nVision, while the Assistant Treasurer posts health insurance premium receipts and scholarship money cash receipts into nVision. The District Treasurer prepares the bank deposit which is brought to the bank by Loomis. The District Treasurer attaches the nVision receipt to the bank deposit receipt. The Assistant Superintendent for Business reviews the deposits and cash receipts log against the bank statement monthly.

Cash and checks received at the High School are locked in the high school vault until they are forwarded to the Business Office for posting to the general ledger and deposit at the bank. A cash log and vault log are now used at the high school for tracking of all receipts.

For retiree health insurance, the School Personnel Assistant calculates the amount each retiree owes based upon the contract in effect at the time of retirement. The School Personnel Assistant maintains a spreadsheet of retiree premiums that is used as support for the receivable record recorded in nVision for each retiree by the District Treasurer. Retiree bills are generated and mailed by the School Personnel Assistant. The District does not have issues with retirees not paying their share of the premium. The Assistant Treasurer posts checks received against the receivable recorded in nVision.

The Assistant Superintendent for Business also monitors the retiree health insurance receivable process. The District Treasurer or Assistant Treasurer is responsible for contacting retirees for any unpaid premiums.

Business Objectives

To ensure all receipts of the District are properly safeguarded and recorded.

Potential Significant Risks

There is a potential risk of misappropriation of cash receipts.

Internal Audit Strategy

Internal audit will include reviewing source documents, tracing source information to the bank deposit, and posting to the general ledger. We will verify the selected cash receipt was properly recorded in the general ledger and verify the corresponding deposit was made in a timely manner.

DECENTRALIZED CASH RECEIPTS - SCHOOL LUNCH

Overview of Business Area

The District uses the NutriKids Point of Sale (POS) system. Students have an ID card and account number. A student's free or reduced lunch eligibility is programmed into the student's account in the POS system by the Secretary to the Assistant Superintendent for Business. Cash is collected in the lunch line or prepaid either through the lunch line or on-line through MySchoolBucks.com.

At the end of each meal, each cashier will count their own cash drawer, enter the cash count into Nutrikids, and close out the meal. The cash count is a blind count. The designated supervisor (a Cashier) at each building reviews the Nutrikids system to verify cash counts are accurate. After lunch, each building supervisor combines all of the cash received during the day (for breakfast & lunch), prepares the deposit slip, and places the cash and deposit slip into a locked bag for courier pick-up. There are five deposits made each day, one from each building. The bags are delivered to the Assistant Treasurer and Payroll Clerk who re-count the cash and verify to the deposit slip, then place the cash and deposit slip into a tamper-resistant bag. Deposits are taken to the bank by Loomis. The District Treasurer verifies the deposits made to the Nutrikids Daily Cash and Count Report, then inputs the receipts into nVision. The Assistant Superintendent for Business reviews the deposits against the bank statement monthly.

The School Lunch Manager or Lead Supervisor prints a Daily Cash and Count/Deposit Report from Nutrikids, which details the monies received for the day and all over/short amounts. Over/shorts greater than $5 are researched. The cashiers are not allowed to void/cancel transactions and the Daily Cash and Count Deposit Report is reviewed for this. Any adjustments needed are noted and made by the School Lunch Manager in the Business office.

The District has one vending machine and monies are collected and the machine restocked by two assigned cafeteria staff members.

The School Lunch Manager or Lead Supervisor completes a monthly report of all school lunch counts by building. The report shows the total number of meals served by type, and is utilized to complete Federal and State reimbursement forms. The School Lunch Manager files the reimbursement requests online and monitors the claims and the payments. Copies of the claims are provided to the District Treasurer who also monitors cash receipts.

The Secretary to the Assistant Superintendent for Business receives and processes all paper applications for free and reduced meals. Verification of a sample of all applications received is performed each fall as required.

Business Objectives

The cash receipts of the District are adequately safeguarded.

Potential Significant Risks

There is a potential risk for misappropriation of cash receipts.

Internal Audit Strategy

Internal audit will include observation of cash receipt procedures at randomly selected locations. We will review the cash counts and reconciliations to the Nutrikids system.

DECENTRALIZED CASH RECEIPTS - COMMUNITY EDUCATION

Overview of Business Area

Decentralized cash receipts include receipts from athletic and other school events, family swim, and community education. The cash for these activities is collected outside the Business Office and remitted to the Business Office for deposit by the Community Education Director and/or event supervisors or advisors/proctors.

The Community Education Director is responsible for collecting monies and registration forms for community education programs/classes. Receipts are given to the registrant. Cash and checks received are reconciled to the class/registration lists, a deposit slip is prepared and all are delivered to the High School Secretary who performs a second verification count before putting the deposit slip and money in a locked bank bag. If the deposit is held overnight in the High School vault, it is then also entered on a vault log. The Courier picks up the deposit and delivers it to the District Assistant Treasurer in the Business Office where the receipt is logged in. The District Treasurer and Payroll Clerk verify the receipts to the deposit slip and registration list and then the District Treasurer prepares the deposit and places it in a plastic, tamper proof bank bag. Loomis will pick up the deposit and deliver it to the bank. The Assistant Superintendent for Business reviews the deposits against the bank statement monthly.

The Business Office also receives deposits for the family swim program. A sign-in sheet is utilized, with reconciliation of the cash received to sign in sheets first by the respective supervisor and then by the District Treasurer in the Business Office when preparing the deposit.

Pre-numbered tickets are utilized for athletic events and other events and a reconciliation of ticket sales is provided to the Business Office with each deposit. The reconciliation is reviewed, approved and signed by the event proctor or supervisor.

Business Objectives

The cash receipts of the District are adequately safeguarded.

Potential Significant Risks

There is a potential risk for misappropriation of cash receipts.

Internal Audit Strategy

We will review the cash counts, ticket reconciliations, sign-up sheets or community education registration forms. We will trace deposits for a number of days and events to the bank statement.

PURCHASING AND CASH DISBURSEMENTS

Overview of Business Area

Most purchasing occurs through BOCES cooperative bid or state contract. At the end of each year, the Assistant Superintendent for Business prints a Vendor Over Report from nVision that lists all vendors that had District purchases in the current year exceeding General Municipal Law bid requirements. The Assistant Purchasing Agent is responsible for preparing bids (mining bid specifics from purchasers within the District), soliciting bids, receiving the bids, and preparing bid comparisons to the State & BOCES bids. The comparisons are presented to the Board of Education for vendor approval. Once approved, bid specifications are sent to employees responsible for purchasing supplies, materials and services by the Assistant Purchasing Agent.

Manual requisition forms are completed by the employee and forwarded to the Building Secretary for entry into nVision. The Building Principal then reviews the requisition online for appropriateness and available appropriations. The requisition is then electronically forwarded to the Purchasing Agent (Assistant Superintendent for Business) for approval. Once approved, the requisition is forwarded electronically to the Accounts Payable Clerk who will confirm that all required documentation is attached, including vendor quotes, then converts the requisition into a purchase order. The purchase order is printed by the Accounts Payable Clerk in three parts: a vendor copy, an accounting copy, and a receiving copy.

When the goods are received, the Building Secretaries review the order, sign the packing slip, and attach it to the receiving copy of the purchase order. Both are forwarded to the Accounts Payable Clerk. The Accounts Payable Clerk will assemble and review the voucher packet once the invoice is received. The Accounts Payable Clerk enters the invoices into nVision once the voucher packet is complete. The voucher package includes a copy of the requisition, a copy of the purchase order, the shipping receipt, the invoice, and quotes/contract (if applicable).

The voucher package is then sent to the Internal Claims Auditor for review and approval. The Internal Claims Auditor compares the receipt of items to the purchase order for completeness. Once audited and approved for payment, the Internal Claims Auditor returns the voucher packet to the Accounts Payable Clerk, who enters the claim into nVision for payment. The Accounts Payable Clerk prints the Checks Waiting to Print Summary report showing the total of all the voucher packages, manually totals the vouchers and reconciles the manual total to the total on the Checks Waiting to Print Summary report. The Accounts Payable Clerk will then print the checks and Detailed Warrant report. The Detail Warrant report, the voucher packets, and the check stubs are then forwarded to the Internal Claims Auditor for review and approval. The Internal Claims Auditor audits the vouchers and compares the payment information to the Final Warrant Report. The Assistant Superintendent for Business also reviews the Final Warrant Report. The Internal Claims Auditor meets with the Audit Committee and emails it a monthly report of her findings.

The District Treasurer's signature is on a flash drive and is password protected. The District Treasurer authorizes accounts payable to access the signature by email, after receiving the check sequence from the Accounts Payable Clerk.

Business Objectives

To ensure purchases are reasonable, necessary and benefit the District and are provided for in the budget. The District's goal is to have procedures in place that will allow for an effective purchasing system that prohibits circumvention of the internal controls over cash disbursements.

Potential Significant Risks

There is a potential risk purchases are not reasonable, necessary, or do not benefit the District. Purchases are not properly approved or provided for in the budget. There is a potential risk employees do not follow the District's purchasing policies or circumvent the internal control policies and procedures over purchasing.

Internal Audit Strategy

Internal audit will include selection and testing of cash disbursements from throughout the District to verify the purchases were reasonable and necessary for the District, were properly approved, supported by the appropriate documentation, and there were available appropriations. We will also verify the employee has followed all District purchasing policies and the transaction was supported by appropriate bid or quote information. Open purchase orders will be reviewed for frequency of renewal in addition to the procedures listed above.

We will test claim forms submitted for reimbursement to verify the expenditure is reasonable and necessary for the District and that employees are not submitting claim forms for expenditures to circumvent the internal control policies and procedures over purchasing. We will also include tests of specific types of disbursements such as travel, conferences, credit card purchases, and meals that may be at higher risk of not complying with the District's policies and specific vendors that may be more susceptible to fraud.

We will review a series of warrants and verify there is no break in the check sequence.

PAYROLL

Overview of Business Area

The District moved the payroll processing back in-house during the 15-16 school year from the Wayne-Finger Lakes BOCES Central Business Office (CBO). The Personnel Assistant is responsible for obtaining the necessary paperwork for new employees and for entering all relevant information into nVision. All employees of the District are fingerprinted and approved by the Board.

The most significant payroll updates occur when the contract salaries and calendars are updated annually. The Payroll Clerk is responsible for pulling the prior years' payroll from the nVision payroll module into the nVision negotiations module. The Payroll Clerk will then apply the increases from the signed contract and update the total payroll for the current year. After review by the Assistant Superintendent for Business, within the Negotiations Module of nVision, the payroll is uploaded into the payroll module by the Payroll Clerk. Payroll deduction tables for federal and state withholdings in nVision are updated annually by nVision. All other deductions are updated by the Payroll Clerk. Annual salary notices are prepared by the Payroll Clerk within nVision and electronically signed by the Assistant Superintendent for Business. The employee is required to sign and return the salary notice to the Personnel Clerk.

Payroll data files are updated daily by the Payroll Clerk for employee additions, deletions, changes to withholdings, salary, etc. The Payroll Clerk is also responsible for processing the biweekly payroll. The processing of data files is routine and appears to be maintained by experienced employees. Payroll processing includes processing all contract salaried employees, hourly employees, and all payroll claim forms. Payroll is processed biweekly and is a routine process, but the data entry of employee hours and payroll claim forms is labor intensive.

Timesheets are used for all employees (other than hourly and cafeteria employees, who use a time clock system) and require the approval of a Supervisor. Salaried employees submit a timesheet for any extra duties or hours worked outside of their contracted position (i.e. summer work or stipend positions). Timesheets are re-calculated prior to input into nVision by the Payroll Clerk. The Payroll Clerk inputs the timesheets into nVision. Hourly and cafeteria employees use Time Piece (a time clock system), which requires entry of the employee's employee number and a biometric fingerprint scan. Information from Time Piece is exported into nVision for processing of biweekly payroll. Time Piece will eventually be used by all District employees.

The Payroll Clerk follows a payroll checklist to verify each time sheet has been received and that the payroll is complete. Timesheets are reconciled to attendance logs by the Payroll Clerk to verify substitutes are accurately paid. The Payroll Clerk prints the Time Sheets by Account Report to verify the accuracy of the input payroll. Various reports are run after input of the timesheets and reports imported from Time Piece and other adjustments to payroll and compared to the timesheets and attendance logs for completeness and accuracy.

The District Treasurer's signature is hard written in nVision. The Payroll Clerk contacts the District Treasurer for authorization to access the signature, and permission is given by e-mail after the District Treasurer is given the check sequence.

The Payroll Clerk then prints the checks and direct deposit stubs. The Payroll Clerk posts the payroll in the payroll module of nVision, and then the District Treasurer posts payroll in the general ledger module of nVision. The payroll is certified by the Superintendent every pay period. The Assistant Superintendent for Business prints and thoroughly reviews the Payroll Change Report/Payroll Audit Trail Report each pay period and notes his review. Physical payroll distributions are performed annually by the Personnel Assistant and the Internal Claims Auditor.

Final payout calculations are completed by the Payroll Clerk for employees who leave the District. These calculations are reviewed by the Human Resources Personnel Assistant.

Business Objectives

To ensure employees of the District are paid in accordance with their contract for the hours worked, benefits earned and available, and internal controls prevent fictitious employees from being entered into the District's payroll system.

Potential Significant Risks

There is a potential risk employees of the District are not paid in accordance with their contract for the hours worked and the time sheets and other stipends are paid without proper authorization. There is a potential risk the employees receive more PTO benefits than they are entitled to under their contract or they may exceed the benefits available to them. There is a potential risk the internal controls do not prevent fictitious employees from being entered into the District's payroll system.

Internal Audit Strategy

Internal audit will include testing payroll registers for selected employees to verify employees listed are employed by the District and are paid in accordance with their contract. Special attention will be paid to management and employees who have access to the payroll system.

We will be testing hourly employees to verify the hours paid are supported by time sheets, the time sheets have been approved by a supervisor, and they have been paid the correct rates. We will also test claim forms to verify the claim form is for hours worked or stipends approved, the claim forms have been approved by a supervisor and they have been paid the correct rates. We will verify stipends have been approved and are paid in accordance with contracts or have been approved by the Board. We will also review a series of payroll registers to ensure there has been no break in the check sequence. We will verify the payroll registers have been certified in a timely manner.

EMPLOYEE BENEFITS AND PAID TIME OFF

Overview of Business Area

PTO:

Employees wishing to utilize vacation or PTO submit a form (either online or in hard copy) to their Supervisor or Building Principal for approval. Once approved, the form is sent to the Assistant Treasurer, who verifies the employee has the time available to take off, and signs off at the bottom of the form. The Assistant Treasurer then enters the requested days off into nVision. The form is also sent to the Superintendent or Assistant Superintendent for Business for approval. Extended leave is approved by the Board.

An attendance log is maintained by each Building's Secretary for vacation, personal, sick, and other excused absences. The log is forwarded to the Assistant Treasurer at the end of every week. Sick days are entered into nVision from the log. The Assistant Treasurer will verify the personal and vacation days taken per the attendance log (or for hourly and cafeteria employees, from time reports generated in Time Piece) to the time off request forms.

SICK BANK:

A sick bank has been established to aid unit members who suffer prolonged illness and have exhausted their sick leave. Participants contribute one sick day a year up to a maximum of approximately 200 days. No more days shall be added until the bank is depleted to 125 days, except for new members. There are established rules for participation and eligibility of the sick bank, which is administered by a committee. The Superintendent of Schools makes the final decision for granting sick leave allowance.

HEALTH INSURANCE:

Employees have an open enrollment period to change their benefits effective for July 1st of the following year. If an employee makes a change to their insurance, the employee completes a new application and forwards it to the Personnel Assistant who enters the information online with the insurance company. Employees must complete an affidavit certifying the dependents they are covering qualify for coverage, and must provide supporting documentation. The Personnel Assistant updates the employee co-pay information in nVision based on this information. The Personnel Assistant will review the insurance bills to ensure changes to employee coverage are reflected in the bill and compares the benefits listing to nVision to verify the rates are accurate. Retirees are tracked on an Excel spreadsheet, as well as in the nVision accounts receivable module.

403B/TSAs

Employees have the option of contributing to their 403b, which is administered by the OMNI Group. The employee completes an application on-line or manually including the percentage they want withdrawn every pay period. Once OMNI receives the application, they will input the employee's information and send an OMNI Changes/Approved Report or confirmation to the Payroll Clerk, listing the effective date, employee name, social security number, fund name, percentage of salary to be deducted, and the maximum amount they are allowed to contribute. The Payroll Clerk will input this information to nVision to initiate the deductions. After every pay period, a detailed 403b Deduction Report is generated from nVision indicating the amount withheld from each employee's paycheck.

The Payroll Clerk agrees the detailed report to the nVision Payroll Deduction Report. Once they agree, the detailed 403b Deduction Report is uploaded to OMNI and the Payroll Clerk will generate an ACH transfer to be sent to OMNI for the total amount deducted from employees. The District Treasurer will verify the correct amount is withdrawn from the District bank account.

FLEXIBLE SPENDING ACCOUNTS

The District offers flexible spending accounts (FSA) for dependent care and health care expenses. The plan is administered by Health Economics, which monitors contributions, claims, and payouts. The employees complete an application which is forwarded to Health Economics and the Personnel Assistant. The Personnel Assistant receives a listing from Health Economics of all participants and the total amount to be withheld. The Payroll Clerk inputs the amounts into nVision, dividing by 20 or 25 pay periods to calculate the per pay period deduction.

The employee submits a claim form with receipts to Health Economics, who reimburses the employee via check for the claim forms submitted. Health Economics will do an ACH withdrawal from the District's flexible spending account at Chase for claims paid. The District funds the Flex account as expenses are submitted.

ERS/TRS

Employees complete an application to participate in the Employee Retirement System (ERS) or the Teacher Retirement System (TRS) and forward the application to the District Treasurer, who notarizes the application and sends it to ERS or TRS. The Payroll Clerk will receive notification as to when the payroll deductions can begin, and the employee's required contribution will be input into nVision. Once the information has been input to nVision, monthly reports of employee contributions are uploaded to ERS/TRS.

ERS will complete an electronic withdrawal from the District's bank account on a monthly basis for the employee's contributions and then invoices the District at the end of the fiscal year for the District's portion of contributions for the year. The District Treasurer verifies the amount withdrawn by ERS agrees to the nVision Payroll Report on a monthly basis. TRS will deduct the employee's and the District's portion of the contributions from state aid received the following fiscal year. At the end of the school year, the Annual Report is used by the District Treasurer to determine the year-end entry required to balance the amount due to TRS.

Business Objectives

Internal controls are properly designed and operating effectively to ensure employees of the District are paid in accordance with their contract for benefits earned and available. The appropriate controls are in place to ensure employees, retirees, and resigned/terminated employees pay the correct amount towards their insurance premiums and are properly covered. There are adequate internal controls over contributions to and use of the employee sick banks. For the 403b plan, we will ensure the appropriate funds are withheld from employees' paychecks and subsequently transferred to the 403b plan sponsor/administrator and employee contributions are within allowable legal limits. For flexible spending and medical reimbursement accounts, we will ensure the correct amounts are withdrawn from the employee's pay and the correct amounts are remitted to the plan administrator for claims. For ERS/TRS contributions, we will ensure the correct amounts are withheld from the employee and remitted to ERS/TRS.

Potential Significant Risks

There is a potential risk employees may receive more PTO benefits than they are entitled to under their contract or they may exceed the benefits available to them. There is a potential risk employees, retirees, and resigned/terminated employees are not paying the correct amount towards their insurance premium or are improperly covered. There is a risk that internal controls over contributions to and use of the employee sick banks are not functioning properly. There is a potential risk an incorrect amount is transferred to the 403b plan sponsor and employees are contributing beyond the allowable legal limits. There is a potential risk that the incorrect amounts are withdrawn from employees' pay and remitted to the plan sponsor for flexible spending and medical reimbursement accounts. There is a potential risk the incorrect amounts are withheld from the employee and remitted to ERS/TRS.

Internal Audit Strategy

Internal audit will include testing of the benefits made available to employees on an annual basis and that the benefits used do not exceed the benefits available. We will also test individuals covered by health, dental, prescription, and vision insurance to ensure the correct premiums are withheld from their paychecks, paid directly to the District for retirees and individuals electing COBRA benefits, and only eligible employees are receiving coverage. We will test internal controls over contributions to and use of the employee sick banks. We will also ensure the correct percentage and maximum limits have been input to the system for 403b contributions. We will ensure the correct amounts are withheld from employees' pay for flexible spending accounts and the proper amounts are withdrawn from the District's bank account by the plan administrator. We will review amounts withheld from employees' pay for ERS/TRS contributions to ensure the correct amounts have been withdrawn by ERS/TRS.

GENERAL LEDGER MAINTENANCE

Overview of Business Area

Journal entries are prepared and posted by the District Treasurer. Journal entries are maintained in folders with supporting documentation and include the Assistant Superintendent for Business's sign off that he has reviewed and approved the journal entries.

Only Lyons Bank provides statements in paper that are received unopened by the Assistant Superintendent of Business to view bank activity prior to the bank reconciliation. The other bank statements are only available electronically from the bank's website, and the District Treasurer and Assistant Treasurer are the only ones with access to on-line banking applications. The Assistant Superintendent of Business has read-only rights to the online accounts to see activity. The District Treasurer reviews the online activity, prepares bank reconciliations of all accounts on-line, monitors the accounts for any unusual activity, and reviews cleared checks.

The District Treasurer prepares the bank reconciliations and treasurer's reports for all accounts including the extraclassroom, scholarships, and T & A accounts. The District Treasurer agrees the bank reconciliations to the general ledger. The treasurer's reports are reviewed by the Assistant Superintendent for Business, who verifies balances, signs off and returns them to the District Treasurer to copy and give to the Board along with other monthly reports.

Supervisors or Principals complete budget transfer forms and forward them to the Accounts Payable Clerk, who then submits them to the Assistant Superintendent for Business for approval. Upon approval, the Assistant Superintendent for Business forwards the approved request form to the Accounts Payable Clerk who inputs the transfer into nVision. The District Treasurer is responsible for entering payroll transfers into nVision. On a monthly basis, the Board is sent a Budget Transfer Report for review of all transfers.

The Board has authorized the Assistant Superintendent for Business to approve all transfers, and in his absence, the District Treasurer. There is no dollar limit on the authorization.

The only approved signatures for checks are the Assistant Superintendent for Business and District Treasurer. Checks only require one signature. Signatures are maintained on a flash drive. Prior to receiving permission to use the District Treasurer's signature to print checks, the District Treasurer must have the check sequence from the requesting department. The signature will then be authorized for use to the Payroll Clerk by email and to the District Accounts Payable Clerk in writing. The District Treasurer maintains a signature log and she verifies check sequence prior to checks being run and after they are run.

The Board receives the treasurer reports, appropriation status report, revenue status report, Budget transfer report and bank statements on a monthly basis for their review and approval.

Business Objectives

Internal controls over general ledger maintenance are properly designed and operating effectively to ensure financial information can be relied upon. Monitoring of District activities occurs regularly so that issues can be addressed in a timely manner.

Potential Significant Risks

There is a potential risk the internal controls over general ledger maintenance are not properly designed or are not operating effectively. This may subject the District to the risk of fraud. There is a potential risk the financial information generated from the general ledger cannot be relied upon, which would hinder the District's ability to make appropriate financial decisions. There is a potential risk the monitoring of District activities may not occur on a regular basis, impeding the District's ability to address issues in a timely manner. There is a risk that assets may be misappropriated.

Internal Audit Strategy

We will review general journal entries prepared by District personnel to verify they have a business rationale, are supported by appropriate documentation and are approved by management. We will review with the Board their practices for monitoring the financial operations of the District and discuss with them their understanding of the information that is provided to them.

WIRE TRANSFERS

Overview of Business Area

Wire transfers are initiated by the District Treasurer or the Assistant Treasurer. Wire transfers are limited to specific banks and accounts and the District has established ACH blocks with the banks on these accounts. There is a $10 million limit per transaction and per day on wires.

The bank has received an approved listing of receivers of wire transfers from the District with pre-approval for release from the Assistant Superintendent for Business. A call back confirmation from the bank is not required as long as the wire transfer is to a preapproved vendor. If a vendor/payee is not on the list, the bank will not send the transfer without authorization from the Assistant Superintendent of Business.

New vendors can be set up by the District Treasurer and Assistant Superintendent of Business. They provide the bank with the vendor ACH routing and bank information and initiate the wire in writing, and the bank releases after receiving confirmation of the new vendor from the Assistant Superintendent for Business. All wire transfers are now bank verified lines, which are vendors that the District has pre-established with the bank for wire transfers and that the bank has verified and approved.

Business Objectives

Internal controls over wire transfers are properly designed and operating effectively to ensure assets of the District are adequately safeguarded.

Potential Significant Risks

There is a potential risk the internal controls over wire transfers are not properly designed or are not operating effectively. This may subject the District to the risk of fraud. There is a potential risk the monitoring of District activities may not occur on a regular basis, impeding the District's ability to address issues in a timely manner. There is a risk that assets may be misappropriated.

Internal Audit Strategy

We will review a sample of wire transfers to ensure they are appropriate and properly authorized.

FIXED ASSETS

Overview of Business Area

The District has contracted with Asset Control Solutions to maintain the District's fixed asset inventory and depreciation. The last complete physical inventory was performed in the winter of 2017. The Assistant Purchasing Agent (who is also Secretary to the Assistant Superintendent for Business) will report asset additions (via Purchase Orders and Invoices for capital asset purchases) and deletions (via Board Reports of approved asset disposals) to Asset Control Solutions. The District has contracted with Asset Control Solutions to perform a complete inventory biennially and "soft" inventories every year. (A soft inventory is where ACS updates the inventory annually with deletions and purchases as provided by the District.)

The Assistant Superintendent for Business reviews fixed asset reports from year-to-year, and researches significant discrepancies. The Assistant Superintendent for Business also reconciles the fixed asset inventory report to the annual audited financial statements annually.

Technology assets are tracked by serial number, whether BOCES owned or District owned, and the IT Director places a District label on each asset. A sign-out sheet with serial numbers is utilized for laptops that are borrowed. The IT Director also completes monthly inventories of technology assets.

Asset Control Solutions tags all assets valued at the capitalization threshold or greater when they do the complete inventory. The District provides all staff with a written process in regard to asset disposals.

Business Objectives

To ensure all assets of the District are safeguarded from risk of loss to theft.

Potential Significant Risks

There is a potential risk assets are not adequately safeguarded and are misappropriated. By not performing periodic physical inventories, there is a potential risk the District is reporting assets to their insurance carrier they no longer have, thereby potentially overpaying on their insurance premiums.

Internal Audit Strategy

Internal audit will include review of the District's policies and procedures for identifying assets to be added or removed from the inventory listing maintained by the independent appraisal firm. Internal audit may also include a physical inventory of assets that are at higher risk of being lost or misappropriated.

FUEL DEPOT

Overview of Business Area

The District uses Phoenix OPW K800 software to track fuel usage. Although there is a password needed to log onto the one network account that has access to the software, the program itself is not password protected. The Director of Transportation and the Transportation Secretary have access to the system. The software is easy to use and fuel use is monitored daily.

To use a fuel pump, the user must have a key fob that is specific to the department and vehicle, and a PIN number that is specific to each employee. The user inserts the fob, inputs a PIN number, and enters the vehicle mileage prior to filling. The system will not operate if the odometer reading is outside preset parameters.

All keys to buses stored outside are returned to the bus garage at the end of the day. The only exception is for those buses that have late runs for sporting events or field trips, or are stored inside the transportation barn. These keys are kept in the buses and the buses are locked in the transportation barn that is armed with a security system. The Director of Transportation will verify that all buses are present at the end of the day.

Fuel deliveries are only accepted during normal business hours. The tanks are equipped with a Veeder-Root system that tracks the fuel level in the tanks and monitors fuel delivered and beginning and ending inventory. The system has an automatic measurement reading system. The Transportation Supervisor updates the cost per gallon every time there is a delivery. The delivery person performs stick readings to verify the amount delivered and records it on the delivery receipt. A transportation employee verifies the reading at the time of delivery and compares it to the system. The Mechanic reconciles the Veeder-Root tank volume readings to Phoenix inventory reports on a monthly basis.

The District sells fuel to the Village of Newark, WFL BOCES, Newark Education Center, the Marbletown Fire Department and the local Volunteer Ambulance. The Transportation Supervisor prepares a monthly report, by entity, of the fuel purchased for the month. The report is forwarded to the Business Office and the Secretary to the Assistant Superintendent for Business generates invoices for fuel usage by these municipalities from nVision. The District Treasurer maintains a copy of the bill for tracking the receivable.

Tanks have anti-siphon locking mechanisms on them and there are cameras on the pumps. In addition, there are various reports generated from the Phoenix program that would detect unauthorized use of the pumps that are routinely monitored.

Business Objectives

To ensure access to the fuel pumps is restricted to only authorized users and ensure fuel is only used for school vehicles.

Potential Significant Risks

There is a potential risk fuel is inappropriately used for personal use.

Internal Audit Strategy

Internal audit will reconcile fuel usage reports produced by the Phoenix system to fuel delivery reports and tank stick readings, over a period of several weeks. We will also track vehicle usage and compare the mileage on the vehicles to the total gallons pumped over a period of time to ensure the fuel usage is within acceptable parameters for miles per gallon used.

INFORMATION SYSTEMS

Overview of Business Area

The District has contracted with a third party, EduTech, a service of the Wayne Finger Lakes BOCES, to share administrative functions for applications, backup, and oversight over its information technology (IT).

The District is protected from external threats via anti-virus software and firewall systems. The District files are backed up nightly by EduTech and brought to the District, and a daily tape backup is made by the District; both are stored in a vault at the District.

The District utilizes SchoolDude for their ticketing system to track internal end-user requests and IT administration items. Separate communications are sent to EduTech for their support when needed.

The District utilizes Microsoft Active Directory for directory services and user authentication to District information systems and resources. Active Directory governs all authentication at the District, which includes both students and teachers.

The District uses a web-based system, School Tool, as its primary student information management system and student grades, and nVision as the business management and accounting system. nVision is an Accounting System which is specifically designed for school districts and appears to be a strong accounting tool. Employees appear to be adequately trained and vendor support is available when needed.

User access to the network, the School Tool student management system, and the nVision application are authorized by the District and administered by EduTech. Access rights to the nVision application are administered by EduTech and authorized in writing via an nVision form by the Assistant Superintendent for Business. Access rights are reviewed annually by the Assistant Superintendent for Business.

Software changes to nVision and School Tool are managed by EduTech and the developers of the applications. All patches and updates are reviewed prior to implementation.

Other changes to the District's network and servers running the applications are managed by EduTech. nVision and the network are password protected and passwords must be changed every 90 days, meet varying degrees of complexity, cannot be repeated, include time out periods after thirty minutes of inactivity and are subject to lockout parameters for unsuccessful login attempts. The District uses firewalls and runs anti-virus protection software continually on their systems as does EduTech.

The District requires an Acceptable Computer Use Policy to be signed and a Disaster Recovery and Business Continuity Plan has been developed.

Business Objectives

Information systems must be able to produce accurate, timely and reliable data when needed. The District's information systems are adequately protected from cyber security threats, disasters and unauthorized access.

Potential Significant Risks

New vulnerabilities and new attacker exploits occur almost daily, thus the District could be susceptible to attack which could cause significant disruption or loss of sensitive and valuable data. In addition, it can be difficult for IT departments to keep systems current on frequent security upgrades released by hardware and software vendors.

As with any entity there is a potential risk the accounting system may not produce accurate, timely, and reliable data when needed. If this were to occur, it could inhibit the District's ability to monitor the District's finances and their ability to effectively manage business operations.

Internal Audit Strategy

Internal audit of Systems and Technology could be performed to cover:

A risk assessment of all significant information systems.
Computer server and data security controls.
Business resumption and disaster recovery plan assessment.
Internal and external vulnerability and penetration testing.
Computer desk-top management and physical security.

The assessment of computer server and data security controls will establish the need for extended application control reviews in selected business units or operational audits. The disaster recovery plan assessment will assure all major operations and computer systems/products have satisfactory contingency plans in place that are well designed and periodically tested. The internal and external vulnerability and penetration testing will identify specific information systems that are at risk for breach.

INTERNAL AUDIT PLAN

The Internal Audit Plan summarized below illustrates the detailed yearly plan estimated to complete the Internal Audit Strategy outlined in the Business Area Risk Assessment and Internal Audit Strategy section of this report. No internal audits were performed during the fiscal years ended June 30, 2014, 2015, or 2018.

Business Area 2016 2017 2019 2020 2021

Lines of Business

Budgeting, Governance and Reporting

State Aid X

STAC Processing and Excess Cost Aid

Medicaid

Grants

Centralized Cash Receipts

Decentralized Cash Receipts - School Lunch

Decentralized Cash Receipts - Community Education

Purchasing and Cash Disbursements X

Payroll X

Employee Benefits and Paid Time Off

General Ledger Maintenance

Wire Transfers

Fixed Assets

Fuel Depot

Information Technology

Information Systems X X

The above schedule represents the District's three-year internal audit plan based on the risk assessment results identified in this report, with only one internal audit performed each year. The District is required to perform a reassessment of risk on an annual basis. The results of the annual reassessment will be the basis for identifying internal audit priorities and determining the internal audit plan in future years.

APPENDIX - RISK CATEGORY DEFINITIONS

INHERENT RISKS

EXTERNAL/MARKET REPUTATION

Negative Publicity – The risk that public disclosure of operations will negatively influence public perception in a way that impacts the District's ability to pass a budget and meet its strategic objectives.

FINANCIAL

Achieving Financial Goals – The risk that the District will be unable to meet their financial goals and be pressured by the Board or management to take unwise or inappropriate actions to report results which meet market expectations.

Materiality – The risk that any financial reporting activity will misrepresent results by an amount that would reasonably change voter or other external third party assessments of the District's performance.

Volatility – The risk that financial reporting will be inaccurate, incomplete or untimely.

Use of Significant Estimates – The risk that financial reporting activity will misrepresent actual business results due to heavy reliance on estimates, accruals, adjustments or reserves that are subjective and difficult to accurately quantify and/or associate with the occurrence of business events.

OPERATIONAL

Inefficient/Ineffective Internal Controls – The risk of inadequate or poorly designed internal controls and accountability.

Employee Error – The risk of unintentional errors by employees due to a lack of competence or training or unfamiliarity with policies and procedures.

Inappropriate Data Usage – The risk of the misuse of sensitive or confidential information by employees or other outside parties.

Non-Routine/Complex Transactions – The risk that incorrect or inconsistent handling of infrequent or complex activities could cause inconsistent financial reporting.

Compliance with Policies and Procedures – The risk that staff responsible for executing business activities will fail to comply with the District's policies and procedures, whether due to lack of training, failures of communication or mindful disregard.

LEGAL/REGULATORY

Legal and Economic Impacts – The risk of direct or indirect impact on activities from changes in the regulatory environment.

Unresponsive to Legal/Regulatory/Compliance Changes – The risk that the District is unaware of or does not respond to changes in laws and regulations to ensure compliance.

Litigation Issues – Lawsuits can result in expensive settlements, litigation costs and corrective action (e.g. employee/customer litigation, contract/fiduciary liability, etc.).

STRATEGIC

Insufficient or Inadequate Strategic Planning – The risk that an inefficient and ineffective strategic planning process, including poor assumptions, results in the District's inability to meet their goals and objectives.

Lack of Appropriate Governance – The risk that senior management or Board members commit actions that are detrimental to voters' interests, including misrepresenting the District's intentions or business results.

People or Key Resources – The risk that barriers (e.g. high turnover, inexperienced staff/skill limitations, excessive reliance on a key staff member, insufficient staffing/resources, etc.) can increase business risk impact and likelihood of its occurrence.

Organization Reputation – The risk that the District's reputation could be exposed based on lack of voter satisfaction with services, or ability to provide new and innovative educational programs; negative public reaction due to identified regulatory, compliance or legal issues.

TECHNOLOGY/SYSTEMS

Lack of Information Integrity – The risks associated with the authorization, completeness, timeliness and accuracy of transactions/data as they are entered into, processed and reported by various systems.

Lack of Timely, Reliable, and Relevant Information for Decision Making – The risk that relevant internal and external information necessary for decision making is not available on a timely basis and/or is unreliable.

Inadequate Data Security and Access – The risk of not adequately restricting access to and protecting information.

Sensitivity of Data – The risk that the District will divulge, inappropriately use or fail to control student or employee data which is confidential or private.

PEOPLE/CULTURE

Lack of Clear Roles and Responsibilities – The risk that roles and responsibilities are not clearly defined, communicated, and understood by employees.

Deficient Values, Integrity, and Ethics – The risk of an employee breach of District values and Code of Conduct standards related to integrity, ethics and discrimination.

Inappropriate Performance Incentives – The risk of either insufficient performance incentives or incentives that are unrealistic or misunderstood causing employees to act in an inappropriate manner.

FRAUD

Misappropriation of Assets – The risk that the District engages in external and/or internal schemes, such as embezzlement, payroll fraud and theft.

Misconduct/Abuse – The risk that transactions or activities could be susceptible to management override (e.g. conflicts of interest, code of ethics violations, etc.). District could be directly or indirectly involved in monitoring and identifying misconduct and/or abuse.

External Crime – The risk that activities could be exposed to external theft and destruction (e.g. robbery, asset/information theft, etc.). District could be directly or indirectly involved in monitoring and identifying external crime.

External Fraud – The risk that transactions and activities could be exposed to external fraud (e.g. check frauds and kiting). District could be directly or indirectly involved in monitoring and identifying external fraud.

COSO CONTROL RISKS

Monitoring – This category includes identifying a mechanism or process to assess internal controls on an ongoing basis to ensure that changes are incorporated effectively.

Information and Communication – This category includes the assessment of the technology environment and includes an assessment of the reporting internally and externally. The internal communication to manage the business on a daily basis is assessed to determine the effectiveness and reliability of the financial information that is used.

Control Activities – These controls are at the process level and include preventive and detective controls. The assessment for control activities requires a selection of key processes and a review of the transaction flow to identify and test the critical controls to determine the effectiveness.

Risk Assessment – These controls are the overall management and strategic planning methods that are in place. The process for strategic planning for the District and each department and how the plan is executed during the year is the subject of this review. Material changes in the legislation or regulations and the process that management performs to execute a transaction will be assessed.

Control Environment – The controls in this category include integrity/ethical values, code of conduct, disciplinary action, structure of organization, involvement of the Board of Education, human resources and other actions that control the tone of the organization.