Do you know how your government organization would handle a cybersecurity breach? Or what the procedure is to address an employee’s mismanagement of funds? For entities that have a governing board, it’s important to have documented answers to questions like these. Sound policies and procedures are critical to effective operation.
When effectively applied, strong policies help achieve desired service levels, minimize inconsistent or inappropriate uses, and could help the organization in resolving, or defending itself against, disputes. Specifically, policies adopted by the governing body serve as the foundation for implementing a proper internal control structure within organizations, setting the tone from the top.
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) established a model that has become the generally accepted framework for internal control structure. Within that model, COSO defines internal control as the processes employed by the board, managers and others within an organization, to “provide reasonable assurance of achievement of objectives in the following categories:
- Effectiveness and efficiency of operations,
- Reliability of financial reporting, and
- Compliance with applicable laws and regulations.”
To adhere to the COSO model, properly established internal controls would address activities at five different levels: 1) control environment, 2) risk assessment, 3) control activities, 4) information and communication and 5) monitoring activities. Board policies and procedures play an integral part of each level of internal control activities; from the structure of organization and assignment of authority to the daily management control activities that establish how the organization will operate, as well as the procedures that will be used to monitor the effectiveness of the organization’s on-going operations. Policies and procedures that are clearly written and properly enforced provide employees with a sense of how the day-to-day responsibilities and tasks should be completed. Overall, the internal control structure established by an organization should focus on limiting the risk associated ineffective or inefficient operations, improper financial management or reporting, and ensuring compliance with applicable laws and regulations.
The Government Finance Officers Association (GFOA) has deemed certain accounting and reporting policies as either essential or high advisable for governmental organizations.
- Fund balance and reserve
- Operating budget
- Capital budgeting and planning
- Debt management
- Long-range financial planning
- Accounting and financial reporting
- Internal controls
- Risk management
- Cyber Security and Personally Identifiable Information (PII)
Policies deemed more significant would contain a higher level of oversight or monitoring than other policies. As with any internal control, the overall cost of adhering to board policies and procedures should not outweigh the desired benefit.
Furthermore, Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) includes references to specific control elements contained within the COSO model as adopted by the Federal Government (Green Book). With the recent implementation of the Uniform Guidance requirements, organizations receiving federal grant awards must now have certain written policies related to administration of federal award programs in place, including:
- Cash management (200.305) – written policy to minimize the time between the receipt of and disbursement of funds by the organization, and a financial management system that meets standards and fund control and accountability as established by this section.
- Allowable cost (200.302) – written procedures for determining the allowability of program costs in accordance with Subpart E – Cost Principles.
- Procurement (200.320) – written method for conducting technical evaluations of the proposals received and for selecting recipients.
- Time and effort (200.430) – written policy defining what compensation (wages and fringe benefits) level is reasonable for services rendered, consistently applied to both federal and non-federal activities.
Proper implementation of the required policies reduce the risk organizations will be deemed noncompliant with federal grant requirement during the audit process.
Effective policies should be in writing, clearly defined and concise in content, easily accessible to all vested parties, and regularly reviewed and updated when needed. Complete and up-to-date board policies will help the organization run more smoothly while staying in compliance. If your organization needs help establishing sounds policies and procedures, contact your CSH advisor or request a consultation.