Internal Risk Assessment

 

 

 

 

Cash/Negotiable Instruments

 

 

For the Period

 

July 1, 1999 through June 30, 2000

 

 

AI-0700-1

 

June 4, 2002

 

 

 

 

To:	Richard H. Cate	Date:   June 4, 2002
From:	Daniel Tworek
Subject:	Audit Report of Internal Risk Assessment - Cash/Negotiable Instruments

 

            I write to transmit the internal risk assessment report (AI-0700-1) on the Department’s process for receiving cash/negotiable instruments for the period July 1, 1999 through June 30, 2000.  The review was conducted as part of the Office of Audit Services Tactical Audit Plan for the period July 1, 2000 through June 30, 2002.  It is consistent with the pursuit of Goal #5 of the Board of Regents/State Education Department Strategic Plan: "Resources under our care will be used or maintained in the public interest."

 

The Standards for Internal Control in New York State Government, issued by the Office of the State Comptroller, call for managers to assess and manage risk. The Standards further state "To have reasonable assurance that the organization will achieve its objectives, management should ensure each risk is assessed and handled properly." This report may be used by managers as a preliminary assessment of the work associated with the receipt of cash negotiable instruments.  However, a risk assessment of all functions should be conducted periodically to assess the risk associated with all of the office’s significant objectives.

 

Ninety days from the issuance of this report, the Program Manager will be asked to submit a report on actions taken as a result of this audit.  I appreciate the cooperation and courtesies extended to the staff during the audit.

 

Attachment

cc:       Commissioner Mills

            Terry Savo

            Thomas Sheldon

            Robert Arnold

            Robert Bentley

            Mary Daley

            Thomas Hamel

            Donald Juron

            Charles Mackey

 

 

This review of the Department’s processes for receiving cash/negotiable instruments was conducted in accordance with the Tactical Audit Plan covering the period July 1, 2000 through June 30, 2002.  The purpose was to conduct a risk assessment of the Department's internal controls over the process for receiving cash/negotiable instruments. We accomplished the review by gathering data and interviewing staff.  We did not test the information received or systems described in the attached report.

 

Background

 

Cash/negotiable instruments are not received in one central location in the Department. Most cash receipts are received in a program office or in a bank lock box, while some are received directly by the Bureau of Fiscal Management (BFM). When a program office receives the cash, it is eventually forwarded to BFM for deposit. BFM records the receipt on the Office of the State Comptroller's accounting system.

 

The receipt of cash/negotiable instruments can be classified into two categories: those received by the program office and those received by BFM on behalf of the program offices.  In addition to examining controls within BFM, we selected five offices with the largest amount of revenue regardless of the method of receipt, and reviewed the internal controls in place for recording the receipt and safeguarding of the revenue.  The offices selected for review were the: Division of Professional Licensing; Office of Teaching; State Archives Local Government Records Management Improvement Fund; Program Services Reimbursement Unit; and the Summer Institutes.

 

Internal Controls

 

The definition of internal controls has undergone significant change in the private and public sectors over the last decade.  At one time, the term “internal controls” was synonymous with accounting controls which were primarily designed to provide assurance that assets were controlled and accounting records were accurate.  Recently, the definition of internal controls has been greatly expanded to include all activities of an organization designed to accomplish goals and objectives.

 

The Committee of Sponsoring Organizations (COSO) expanded the definition of internal controls in response to instances of significant irregularities found in the private sector.  COSO defines internal controls as a process, effected by an entity's board of directors, management and other personnel, designed to provide assurance regarding the achievement of objectives in the following categories:

 

·      Effectiveness and efficiency of operations.

·      Reliability of financial reporting.

·      Compliance with applicable laws and regulations.

 

COSO describes five interrelated components of an internal control process.  They are Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.  We examined the Department's processes for receiving cash/negotiable instruments and assessed the extent that these components exist.

 

Results of the Review

 

Presented below is a summary of the observations developed as part of the risk assessment:

 

·       In many instances, offices have not established specific objectives for the cash/negotiable instrument receipt process.

·       The risk assessments that have been conducted did not assess the risk of failing to achieve specific objectives.

·       There is an opportunity to provide program offices with more information related to the level of cash/negotiable instruments received.

·       Some program offices lack written policies and procedures over the cash/negotiable receipt process.

·       Program offices should develop periodic summary reports to apprise managers of the status of cash receipts.

 

Conclusion

 

We believe the function is well controlled in receiving and recording cash/negotiable instruments. Controls are particularly strong in BFM.  However, there is a potential to strengthen the internal controls over the process in some of the offices that receive cash, and in providing better information to the Department offices on the status of cash/negotiable instruments received.  Formal objectives should be developed so that staff and management are aware of the responsibilities of receiving cash.  Objectives should be developed that focus on the economy and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.  Management should ensure that the objectives are measurable and attainable.

 

Introduction..................................................................................................................................................... 1

Background.................................................................................................................................................... 1

Assessment of Internal Controls..................................................................................................... 4

The Bureau of Fiscal Management.................................................................................................... 5

Establishment of Objectives................................................................................................................. 5

Control Environment............................................................................................................................... 6

Risk Assessment............................................................................................................................................. 6

Control Activities....................................................................................................................................... 7

Information and Communication...................................................................................................... 8

Monitoring....................................................................................................................................................... 9

New York State Summer Institutes.................................................................................................. 10

Control Environment............................................................................................................................. 10

Risk Assessment........................................................................................................................................... 11

Control Activities..................................................................................................................................... 11

Information and Communications.................................................................................................. 12

Monitoring.................................................................................................................................................... 12

Program Services Reimbursement Unit...................................................................................... 14

Control Environment............................................................................................................................. 15

Risk Assessment........................................................................................................................................... 15

Control Activities..................................................................................................................................... 16

Information and Communications.................................................................................................. 17

Monitoring.................................................................................................................................................... 17

Teacher Certification............................................................................................................................. 18

Control Environment............................................................................................................................. 19

Risk Assessment........................................................................................................................................... 19

Control Activities..................................................................................................................................... 19

Information and Communications.................................................................................................. 19

Monitoring.................................................................................................................................................... 20

State Archives................................................................................................................................................ 21

Control Environment............................................................................................................................. 22

Risk Assessment........................................................................................................................................... 22

Control Activities..................................................................................................................................... 22

Information and Communications.................................................................................................. 22

Monitoring.................................................................................................................................................... 23

Division of Professional Licensing Services........................................................................... 24

Control Environment............................................................................................................................. 25

Risk Assessment........................................................................................................................................... 25

Control Activities..................................................................................................................................... 25

Information and Communications.................................................................................................. 25

Monitoring.................................................................................................................................................... 26

Improvement Opportunities for Reducing Risk.................................................................... 27

Auditor’s Note............................................................................................................................................. 27

 

Appendix A – Contributors to the Report

Appendix B – Comments of Department Officials

 

This review of the Department's processes for receiving cash/negotiable instruments is the second to be conducted under the Office of Audit Services' (OAS) Tactical Audit Plan covering July 1, 2000 through June 30, 2002.  That plan calls for the conduct of a comprehensive risk assessment of the Department’s Fiscal and Data Analysis Processes. The purpose of this review is to conduct a comprehensive risk assessment of the Department's internal controls over the receipt of cash/negotiable instruments using the Committee of Sponsoring Organizations (COSO) model, which is the framework for the “Standards for Internal Control in New York State Government.”

 

Background

 

The definition of internal controls has undergone significant change in the private and public sectors over the last decade.  At one time, the term “internal controls” was synonymous with accounting controls, which were primarily designed to provide assurance that assets were controlled and accounting records were accurate.  Recently, the definition of internal controls has been greatly expanded to include all activities of an organization designed to accomplish goals and objectives.

 

COSO expanded the definition of internal controls in response to instances of significant irregularities found in the private sector.  COSO defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide assurance regarding the achievement of objectives in the following categories:

 

·       Effectiveness and efficiency of operations.

·       Reliability of financial reporting.

·       Compliance with applicable laws and regulations.

 

COSO describes five interrelated components of an internal control process.  They are as follows:

 

·       Control Environment;

·       Risk Assessment;

·       Control Activities;

·       Information and Communication; and

·       Monitoring.

 

Cash/negotiable instruments are not received in one central location in the Department. Most cash receipts are received in a program office or in a bank lock box, while some are received directly by the Bureau of Fiscal Management (BFM).  When a program office receives cash, it is forwarded to BFM for deposit.  BFM records the receipt on the Office of the State Comptroller's (OSC) accounting system.

 

Requirements for control over the receipt of cash/negotiable instruments are established by many sources including State Finance Law, the OSC, and the Division of the Budget. The Department has established policies and procedures to implement these laws, rules and regulations and they are available for program offices to review through the Cash Control Guidelines section of the Administrative Policy and Procedure Manual (Manual), and through information available on the BFM web page. The Manual and web page outline procedures that should be followed to ensure that resources are protected stating that "Strict controls over cash are essential for the protection of State resources."   These controls include:

 

·       Opening mail daily at designated times by two or more personnel with no other cash receipt related duties;

·       Checks should be made payable to the "NYS Education Department";

·       If several types of revenue are received simultaneously, the documents should be sorted by type;

·       Each document should be assigned a cash line number.  These numbers should be assigned in strict numerical order and should include a unique prefix;

·       The cash line number should be stamped on both the document and the remittance accompanying it;

·       If cash is received, a press-numbered receipt should be used;

·       Remittance received should be listed on a cash report summary; and

·       Funds collected should be transmitted to the Revenue Unit daily.  If the amount collected is minimal, transmittals may be made less frequently.

 

Objectives, Scope and Methodology

 

The purpose of this review was to provide an assessment of the adequacy of the internal controls over the receipt of cash/negotiable instruments.  In order to accomplish that, we examined the function in terms of the COSO definition of internal controls and the existence of the five components.  Due to the diversity of each unit, we examined them independently. As part of the assessment we also tested compliance with regulations governing cash receipts. The receipt of cash/negotiable instruments was selected because the activities associated with it crosscut Department offices. 

 

The review focused on current procedures and controls.  BFM, along with five program offices, were selected for review. The reason for the selection of multiple offices was to examine the decentralized nature of the process. For each office, we assessed the controls over receipts in terms of the following:

 

·       Control Environment;

·       Risk Assessment;

·       Control Activities;

·       Information and Communication; and

·       Monitoring.

 

The risk assessment began with a survey of the Department to identify the offices that receive cash/negotiable instruments and the value of those receipts. The survey was sent via e-mail to each Deputy Commissioner with a request that they forward it to the applicable offices under their responsibility. At the same time, OAS asked BFM to identify which program offices were receiving cash/negotiable instruments and the dollar value of those receipts. This information was used to ensure that responses were received from all program areas.

 

OAS reviewed the information received and observed the decentralized nature of the process.  The receipt of cash/negotiable instruments can be classified into two categories: those received by the program office; and those received by BFM on behalf of the program offices.  In addition to examining controls within BFM, we selected five offices with the highest revenue, regardless of the method of receipt, and then reviewed the procedures in place for recording the receipt and safeguarding of the revenue. The offices selected for review and the annual value of the receipts are shown on Chart 1.

Chart 1

Program Revenue

Program Offices Selected for Review

4/1/99 – 3/31/00

 

Office	Annual Receipt
Division of Professional Licensing	$51 Million
Office of Teaching	$5 Million
Local Records Management Improvement Fund	$12 Million
Program Services Reimbursement Unit	$20 Million
The Summer Institute	$ .5 Million

 

Following the selection of the offices, OAS performed a preliminary survey to determine if the cash receipt process was contained within the program office with receipts being transferred to BFM, or if the cash receipt process was being performed by BFM.  As will be shown later in this report, for each revenue stream selected, the entire process was reviewed and documented.

 

Assessment of Internal Controls

 

We believe the cash/negotiable instruments receipt process is well controlled.  However, there is a potential to strengthen the internal controls over the process and to provide more information to the Department offices.  These potential areas are discussed below.

 

Comments of Department Officials

 

Comments from Department managers who have responsibility for the receipt of cash/negotiable instruments have been included where appropriate. Their written response to this draft report will be included as Appendix B to the final report.

 

 

The key office in the cash receipt process is the BFM.  BFM provides direction to Department offices that may be receiving cash/negotiable instruments. They maintain Department procedures and communicate them through the manual and its web page.  It is through BFM that the funding is ultimately processed, recorded on OSC’s accounting system and deposited into the bank. BFM contributes to the control environment and control activities in the receipt of cash/negotiable instruments throughout the Department. As previously mentioned, the receipt of cash/negotiable instruments can be classified into two categories: those received by the program office and forwarded to BFM; and those received directly by the BFM on behalf of the program offices.

 

Establishment of Objectives

 

Internal controls exist to provide management with reasonable assurance regarding the achievement of objectives in the following categories:

 

·       Effectiveness and efficiency of operations;

·       Reliability of financial reporting; and

·       Compliance with applicable laws and regulations.

 

BFM has established goals and objectives related to the three areas suggested by COSO.  The objectives are not all formal and not specifically identified with the cash/negotiable instrument receipt process.  BFM established a goal for the Revenue Collection/Deposits process as part of their inventory of functions, products/services or activities.  The goal is to “audit and process all expenditure and revenue transactions ensuring compliance with Department policies, OSC rules and regulations, and applicable Federal regulations.”  Another objective, related to the Fiscal Information Dissemination/Reporting Systems, is to “Continuously improve fiscal processes, reporting and information systems and provide our customers with the guidance needed to ensure satisfactory compliance with fiscal policies and procedures.”  A third objective was not formal, but called for the processing and deposit of all funds within three days of receipt.  BFM officials should periodically discuss their expectations for the receipt of cash/negotiable instruments and amend or develop new formal objectives.

 

Control Environment

 

The control environment sets the tone of an organization, influencing the control-consciousness of its people.  It is the foundation for all other components of internal control, providing discipline and structure.  Control environment factors include: integrity and ethical values; commitment to competence; management participation; management philosophy and operating style; organization structure; assignment of authority; and human resource policies and practices.  Control environment can be viewed at both the entity level (the Department) and the unit level (BFM).

 

The control environment at the Department level is sound.  Integrity and ethical value is incorporated into the philosophy of management, a code of conduct exists, and officials have indicated that they would be quick to take action in the event that employee misconduct occurred.  Quarterly performance reviews are held with managers.  In addition, a process exists for mangers to conduct a self-assessment of internal controls.

 

Similarly, the control environment at the BFM level is also sound.  Management of the unit expressed their desire to ensure that the actions taken are done effectively and efficiently and in compliance with applicable laws, rules and regulations, while insuring that all customers and suppliers are treated with honesty and fairness. Management ensures that staff receive training and encourages personnel advancement opportunities.  Management periodically analyzes the timeframes for performing various tasks and compares them to the legal mandates.  Policies and procedures to guide the work of staff have been developed and guidelines for the program offices receiving revenue have been distributed.

 

Risk Assessment

 

Risk assessment is the entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.  It should identify risk and analyze the likelihood of occurrence and impact.  This process allows management to determine how much risk they are willing to accept and to set priorities accordingly.

 

BFM has prepared a risk assessment of the revenue receipt function.  Although the risk assessment does not discuss risk in terms of its relevance to the achievement of its objectives, it does identify the risks associated with the revenue receipt function in general.  These risks include the reliability of the data, safeguarding the assets, and ensuring that the information is received and recorded in an efficient and effective manner.  The risk assessment also identifies the loss of staff and the failure of the automated systems as risk factors.

 

The risk assessment identifies various risks for revenue received by the program offices as well as themselves, the control activities in place, and the possible test of the control activity.  The conclusion of the risk assessment is that, although the likelihood of occurrence for 8 of the 11 risks identified is higher than average, sound controls are in place to allow the classification of the consequences of them occurring to be of minimal concern.

 

Control Activities

 

Control activities are the policies and procedures that help ensure that management directives are carried out.  They help ensure that necessary actions are taken to address risk to achievement of the entity's objectives.  Control activities occur throughout the organization at all levels and in all functions.  They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

 

BFM has policies and procedures in place for the processing of the various types of revenue and recording it on the Oracle and OSC systems.  The use of various computer systems and the procedures in place create a series of checks and balances that occur as a normal part of a transaction.

 

One area of risk noted during our review is the existence of various systems within program offices that serve as an initial record of the revenue, which is subsequently transmitted to OSC through BFM.  As will be discussed later, those program offices that rely on BFM to perform the process of receipt and recording of the data do not have procedures in place to verify its accuracy.

 

Information and Communication

 

The information and communication system consists of methods and records established to identify, assemble, analyze, classify, record and report an entity's transactions, and to maintain accountability for the related assets and liabilities.  The system should allow for the capture and exchange of information in a form and timeframe that enables people to carry out their responsibilities effectively.  The information system should produce reports containing operational, financial and compliance-related information that makes it possible to run and control the receipt of cash/negotiable instruments.

 

BFM is broken down into various units that are responsible for various tasks.  Our review focused on the operations of the Revenue Unit that is responsible for the receipt and processing of cash/negotiable instruments.  When we began to review the information and communication aspect of the receipt of cash/negotiable instruments and monitoring the deposits made by the unit, or the interest accrued as a result of the revenue deposited by them, we found that it became the responsibility of another unit.  For a program office attempting to access information and/or reconcile what has occurred, the separation of duties between the various units within BFM can be confusing.

 

Information systems within the Department vary in relation to who is the initial recipient of the revenue.  When the program office receives the revenue, it is recorded in the format established by that office and forwarded to BFM where it is credited to the appropriate cost center on the OSC system.  When the revenue is received by BFM on behalf of the program office, the information required by BFM is recorded and, if an application or other documentation is attached, it is forwarded to the program office.  If the revenue recorded on the documentation matches the revenue entered on the Oracle and OSC systems, the work of the unit is complete.

 

For a program office that has received and forwarded the revenue to BFM, procedures do not exist that would allow the program office to reconcile periodically the revenue it has recorded with that which is recorded on the OSC system.  For program offices that rely on BFM to process the revenue on their behalf, there are no procedures in place for the Revenue Unit to provide them with information on the revenue received on a daily or monthly basis.  Instead, the information on the total revenue received is prepared and transmitted to the program office in summary form on a quarterly basis by another unit.

 

An opportunity exists to improve the information and communication system related to the receipt of cash/negotiable instruments regardless of who is the initial recipient of the revenue.

 

Monitoring

 

Monitoring is a process that assesses the quality of internal control performance over time.  Monitoring involves assessing the design and operation of controls on a timely basis and taking necessary corrective action.  To ensure that controls are performing as intended, the Revenue Unit should continually monitor operations and have management perform periodic evaluations of the entire process, with the assistance of the internal or external auditors if needed.

 

The goal of the work performed by the Revenue Unit is to process all revenue within three days of receipt.  In reviewing the monitoring techniques within the Revenue Unit, we found that there are no procedures in place to monitor the time between receipt of the revenue in a program office and the final processing of it. Therefore, it is not possible to measure the time between the receipt of the revenue and the processing of it.