(A) Policy. The purpose of this policy is to communicate Boone County Board of Commissioners' and the Boone County Auditor's internal control objectives to all employees and elected officials of Boone County ("county") and to firmly commit the county to the 17 key principles of internal controls as established by the Indiana State Board of Accounts.
(B) Component one: control environment.
(1) (a) Principle 1. the oversight body and management demonstrate a commitment to integrity and ethical values. The county has the responsibility to establish and maintain an adequate system of internal control and to furnish to the Boone County Commissioners ("Commissioners"), Boone County Council ("Council"), various boards and commissions, governmental agencies, creditors and others reliable financial information on a timely basis. An adequate system of internal control is necessary for the county to discharge these responsibilities.
(b) Controls help ensure that assets are not exposed to unauthorized access and use, transactions are properly recorded in the financial records, and the resultant financial information is reliable. External organizations and stakeholders of the county rely on financial information to make decisions toward appropriations, loans and other debt, grants, and other contractual relationships. County resources are dependent upon the system of internal control. Auditors are required annually to report upon the adequacy of the county's systems for control over financial reporting and compliance per I.C. 5-11-1-27(e). The safeguarding of county assets and the reliability which the county and others can place upon its financial records is dependent upon the effectiveness of the internal control process.
(c) The Commissioners and Council expect the county administration to implement an internal control environment with policies and procedures necessary to provide reasonable assurance that practices cause effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations.
(d) The system of internal control is meant to keep the county on course toward its mission and to minimize surprises. The system promotes efficiency, minimizes risks of asset loss, helps ensure the reliability of financial information, and compliance with applicable laws, rules, and regulations.
(e) Internal control is a process; a means to an end, and not an end unto itself. The control environment is the foundation upon which all components of internal control are based. It sets the tone for county operations. Internal control is about people, operations, communications, and the work environment. It is not about policies and forms though it takes shape through the implementation of relevant policies, procedures, and practices. Internal control can provide reasonable assurance, but no system of control can provide absolute assurance to the Commissioners, Council and other users of financial information.
(f) The Auditor of Boone County ("Auditor") shall be charged with:
1. Conveying periodic messages of the county's internal control philosophy and expectations to all employees;
2. Evaluating the county's internal control system for weaknesses on a periodic (but no less frequently than annual) basis, providing solutions to any discovered weaknesses, and inform employees of necessary changes in procedures;
3. Working with the county offices and departments to establish a confidential reporting system for individuals to report suspected fraud and abuse of internal control policies; and
4. Working with the county offices and departments to institute procedures to address violations of policies and consequences for violations.
(2) Principle 2: the oversight body oversees the entity's internal control system. The Commissioners are responsible for setting the institutional expectations for internal control, ensuring elected officials ("Office-Holders"), department heads and management are aware of the those expectations, requiring the upward communications channels are open through all levels of management, and evaluating management's effectiveness toward monitoring the control environment and implementing sound control policies and procedures. The auditor will be the Commissioners' chief agent in implementing and managing the internal control policies and procedures.
(3) (a) Principle 3: management establishes an organizational structure, assigns responsibility, and delegates authority to achieve the entity's objectives.
(b) Individuals with statutorily assigned or delegated approval authority, (e.g. office-holders and department heads) are responsible for establishing, maintaining, and supporting a system of internal controls within their areas of responsibility and for creating the control environment that encourages compliance with county policies and procedures.
(c) Adequate supervision is necessary to monitor that internal controls are operating as intended, and to help ensure the reliability of accounting and operational controls by pointing out errors, omissions, exceptions, and inconsistencies in procedures. Staff in leadership roles are responsible for the application of this policy and the design, development, implementation, and maintenance of systems of internal controls focusing on the effectiveness of operations and the safeguarding of assets within their respective areas of responsibility. All levels of management and supervision are responsible for strengthening internal controls when weaknesses are detected. Office-holders and department managers should periodically review departmental procedures to ensure that the general principles of internal control are being followed.
(d) The auditor's office has the primary responsibility for internal control over financial reporting and compliance with applicable laws, rules, and regulations. The auditor is the county's chief source for information and assistance to staff, office-holders, and department heads on this topic and will make resources available to assist in administering this policy.
(e) The auditor's office is responsible for internal controls over employee recruitment, hiring, separation, promotion, job classification, employee rights, and salary administration. The auditor's office and the county's employee handbook and supporting policies and procedures for each office or department are the sources for information and assistance on this topic and will make resources available to assist in administering this policy.
(f) All levels of internal control are subject to examination by external auditors who are required to report on the adequacy of internal controls over finance and compliance.
(g) Office holders and department heads are responsible for prompt corrective action on all internal control findings and recommendations made by internal and external auditors. The audit process is completed only after office-holders and department heads receive the audit results and take action to correct internal control weaknesses, improve systems, or demonstrate that management action is not warranted. Office-holders and department heads have the responsibility to ensure that those who report to them have adequate knowledge, skills, and abilities to function within, and contribute to, an effective internal control environment. This includes providing access to appropriate training on topics relevant to their job responsibilities.
(4) (a) Principle 4: management demonstrates a commitment to recruit, develop, and retain competent individuals.
(b) The county employee handbook provides a roadmap for recruiting and maintaining quality employees. Prior to employment individuals may be subject to pre-employment background screening and/or a credit history check. While employed, county employees are entitled to a benefits package including health and disability Insurance and certain other employment benefits. The county will continue to assess the best recruitment pools and tools for the different skill sets of skills necessary to adequately implement and maintain quality internal controls.
(c) Job descriptions will be updated where necessary to reflect internal control responsibilities and duties. Employees will be regularly trained in internal control methods and all training will be documented in employees' personnel files. Employees will be regularly evaluated by their supervisors on internal control duties and receive feedback on possible improvements.
(5) Principle 5: management evaluates performance and holds individuals accountable for their internal control responsibilities. Individuals are held accountable for their internal control responsibilities through a recognized structure which includes relevant job descriptions, operating procedures, periodic reviews, regular feedback, and a progressive disciplinary policy. Additionally, county administration seeks to address issues in specific offices and departments and positions through regular one-on-one meetings with office-holders and department heads.
(C) Component two: risk assessment.
(1) (a) Principle 6: management defines objectives clearly to enable the identification of risks and risk tolerances. Through the creation of standard operating procedures and accurate organizational reporting charts management conveys and identifies objectives, missions, policies, and risk tolerances to employees. The auditor's office will lead a risk analysis of three major areas:
1. The effectiveness and efficiency of operations.
2. The reliability of reporting for internal and external use.
3. Compliance with applicable laws and regulations.
(b) For each category, the auditor's office will define objectives in specific measurable terms in order to enable the design of internal control for related risk, increase understanding at all levels, assess performance, identify what is to be achieved, who is to achieve it, how it will be achieved, when it will be achieved and incorporate external requirements.
(2) (a) Principle 7: management identifies, analyzes, and responds to risks related to achieving the defined objectives. The auditor's office will identify, analyze and respond to the risks identified in Principle 6 by determining:
1. How likely is the risk to occur?
2. How will it impact the objective?
3. Is the risk based on complex or unusual transactions?
4. Is the risk based on fraud?
(b) Once each risk has been identified and analyzed, the auditor's office will work with office-holders and department heads to determine how to respond to each risk with a specific solution and action.
(3) Principle 8: management considers the potential for fraud when identifying, analyzing, and responding to risks. Management is committed to fraud prevention by utilizing a "trust but verify" approach. The potential for fraud, misappropriation, and outright theft are contemplated as controls are designed for various county divisions. Fraud responses will include statutorily required responses to fraud, including, but not limited to I.C. § 5-11-1-27(1) relating to the report of misappropriation of funds to State Board of Accounts and prosecuting attorney and I.C. § 5-1 l-l-27(j) relating to the report of material variances, losses, shortages or thefts to the State Board of Accounts. The county shall utilize a materiality threshold of $500.
(4) Principle 9: management identifies, analyzes, and responds to significant changes that could impact the internal control system. The auditor's office, in coordination with office-holders and department heads, will regularly evaluate and adjust internal control policies in order to accommodate for the impact of future changes, including but not limited to, personnel changes, newly elected officials, new programs, new technology, new laws and regulations, and financial fluctuations.
(D) Component three: control activities.
(1) (a) Principle 10: management designs control activities to achieve objectives and respond to risks.
(b) The auditor's office will establish and maintain a system of internal controls that satisfies the county's objectives in the following categories:
1. Risks are identified and effectively managed;
2. Safeguarding of county assets;
3. Reliability and integrity of financial information;
4. Compliance with county policy, plans, procedures, laws and regulations;
5. Economical and efficient use of county resources; and
6. Meeting established objectives and goals for county operations and programs.
(c) General internal control principles for offices and departments are:
1. Separation of duties.
A. Duties are separated so that one person's work routinely serves as a check on another's work.
B. No one person has complete control over more than one key function or activity (e.g., authorizing, approving, certifying, disbursing, receiving, or reconciling).
2. Authorization and approval.
A. Proposed transactions are authorized when proper and consistent with county policy and the office or department's plans.
B. Transactions are approved by the person who has delegated approval authority, which is usually delegated on the basis of special competency or knowledge.
3. Custodial and security arrangements.
A. Responsibility for physical security/custody of county assets is separated from record keeping/accounting for those assets.
B. Unauthorized access to county assets and institutional data is prevented.
4. Timely and accurate review and reconciliation.
A. Departmental and office accounting records and documents are examined by employees who have sufficient understanding of the county accounting and financial systems to verify that recorded transactions actually took place and were made in accordance with county policies and procedures.
B. Departmental and office accounting records and documentation are compared with county accounting system reports and financial statements to verify their reasonableness, accuracy, and completeness.
5. The general internal control principles should be applied to all office and departmental operations, especially accounting records and reports, payroll, purchasing/receiving/disbursement approval, equipment and supply inventories, cash receipts, petty cash and change funds, billing and accounts receivable.
(d) All county systems, processes, operations, functions, and activities are subject to evaluations of internal control systems. The results of these evaluations provide information regarding the county's overall system of control.
(e) Information and communication. Information must be timely and communicated in a manner that enables people to carry out their responsibilities.
1. All covered employees must be trained on internal controls according to I.C. § 5-11-1-27(g). All personnel must receive a clear message from the county's administration that control responsibilities are to be taken seriously. Failure to comply with established practices will subject individuals to the terms of disciplinary action or dismissal.
2. Employees must understand their own roles in the internal control system, as well as how individual activities relate to the work of others. To this end, whenever a new budgetary unit, financial activity, etc. is set up, the auditor will provide notification to the appropriate parties of the responsibilities incumbent on them for good business practices and sound financial management, including reference to the principles within this policy.
3. Employees must have a means of communicating significant information to the county's administration.
4. The county must communicate effectively with external parties, such as auditors, creditors, contractors, suppliers, regulators and other stakeholders.
(f) Internal control is meant to keep the county focused on achieving its mission while avoiding surprises. There is a balance between effective controls and mission accomplishment. Costs associated with internal controls should not exceed their benefit, nor should controls be allowed to stifle mission effectiveness and timely action. All levels of management must assess the costs, benefits, and risks when designing controls to develop a positive control environment and compensate for the risks of non-compliance, loss of assets, or unreliable reporting while accomplishing the county mission.
(g) The following specific internal control policies are adopted for use by county offices and departments:
1. Payroll activities.
A. Salaries and wage rates are verified by the office-holder or department head and auditor's office.
B. The responsibilities for hiring, terminating, and approving promotions are segregated from those preparing payroll transactions or inputting data.
C. The responsibilities for approving time sheets are segregated from those for preparing payroll transactions or inputting data.
D. Payroll adjustment reports are submitted by someone outside of the payroll process.
E. Employees' time and attendance records are approved by their supervisors.
F. Corrections to recorded time and attendance records are approved by the employee and employee's supervisor.
G. Procedures are in place to ensure that changes in employment status are promptly reported to the auditor's office.
H. Payroll disbursements are reviewed and approved by an authorized individual prior to payment.
I. Access to payroll applications is appropriately controlled by user logins and passwords.
J. Changes to a payroll disbursement are approved by an individual other than the ones authorized to process the changes.
K. Payroll checks (to the extent utilized) are accounted for in numerical order and reconciled to the payroll check register.
L. Access to the signature stamp used to sign payroll checks is adequately controlled.
M. Payroll checks for full-time employees are electronically deposited (EFT) in the employee's bank account. Unless authorized by the office-holder/department head and requested by the employee, written payroll checks are only utilized for seasonal or part-time employees and are mailed or distributed by someone outside the normal payroll distribution function.
N. Unclaimed payroll checks are returned to the auditor's office by the office-holder or department head.
O. Employees are cross-trained on the payroll process; those assigned to payroll take regular vacations.
2. Disbursement activities.
A. The responsibility for approving claims is segregated from those preparing the claims.
B. Checks are written by an individual other than the one approving the claim.
C. Checks are signed by an individual other than the one preparing them.
D. Claims for payment are reviewed and approved by the Commissioners prior to payment (except for those claims authorized as "pre-pay" by virtue of an ordinance).
E. A reconciliation is completed between the claims for payment approved by the Commissioners and the actual disbursements posted to the ledger.
F. The responsibility for acknowledging the receipt of goods or services is segregated from those preparing claims and writing checks.
G. Vendor checks are accounted for in numerical order and reconciled to the disbursement ledger.
H. Invoices or other receipts are attached to each claim to support the disbursement.
I. A review is completed by an individual outside the disbursement process in which the claim amount is compared to the supporting documentation attached to the claim and the amount of the check.
J. Access to disbursement applications is appropriately controlled by user logins and passwords.
3. Receipting activities.
A. The responsibility for collecting money and issuing receipts is segregated from those preparing the bank deposit.
B. The responsibility for making bank deposits is segregated from those preparing the monthly bank reconcilement.
C. Pre-numbered receipts are issued for all money collected and the receipt is retained with supporting documentation.
D. Receipts are reconciled to the cash receipts ledger by an individual other than the one collecting money and issuing receipts.
E. Posting of receipts to the ledger is completed by an individual other than the one who collects money and makes the deposit.
F. Receipts indicate the type of payment received (cash, check, etc.) and this is reconciled to the make-up of the bank deposit.
G. Accounts receivable records are maintained by an individual other than the one(s) involved in the billing process.
4. Cash activities.
A. A reconciliation between the recorded cash balance and the bank balance is completed monthly by an individual separate from the receipting and disbursing processes.
B. A reconciliation between the receipts ledger and the credits to the bank account is completed periodically by an individual separate from the receipting process.
C. A reconciliation between the disbursement ledger and the debits to the bank account is completed periodically by an individual separate of the disbursement process.
D. The monthly reconciliation between the cash balance and the bank balance is thoroughly reviewed and approved by the auditor or appropriate office.
E. Disbursements from and reimbursements to petty cash funds are periodically reviewed by an individual other than the one responsible for maintaining the petty cash fund.
5. Credit cards transactions.
A. A designated official or employee oversees the issuance and use of the credit cards.
B. An ordinance or resolution specifically states the purposes for which the credit card may be used.
C. A designated person separate from disbursement process reviews transactions listed on the credit card statements for sufficient documentation and inclusion in claims to the Commissioners.
(2) Principle 11: management designs the political subdivision's information system and related control activities to achieve objectives and respond to risks. The auditor's office, office-holders and department heads will work with the Information Technology Department (or designated IT contractor) to ensure that information technology is used as an integral part of the internal control system. This may include, but not be limited to:
(a) Setting permission such that only certain users may perform certain tasks;
(b) Using technology to accomplish segregation of duties by forcing duties to be completed by different users;
(c) Automating certain processes and calculations;
(d) Limiting the authority to access different components of various software to employees with duties specifically related to that component;
(e) Prohibiting user ID and password sharing among employees;
(f) Restricting the authority to correct or make adjustments to records to key employees; and
(g) Requiring the use of prescribed forms or the approval of alternative forms
(3) Principle 12: management implements control activities through policies. The county has an employee handbook that is periodically updated to communicate policies to employees. Additionally, certain offices and departments (e.g. sheriff’s office) have SOG's, policies and procedures for their individual employees. The auditor's office regularly works with offices, departments and employees who handle financial transactions to recommend and ensure best practices. All procedures are in writing and communicated frequently to all relevant employees.
(E) Component four: information and communication.
(1) Principle 13: management uses quality information to achieve the political subdivision's objectives. The county strives to lead in the areas of financial transparency and accountability. By adopting standards and investing in systems that exceed state mandated minimums, county management provides employees and stakeholders with high quality information and informatics systems. The auditor's office attends training and industry seminars to stay abreast of changes and developments in requirements and communicate that information effectively to impacted employees.
(2) Principle 14: management internally communicates the necessary quality information to achieve the political subdivision's objectives. Internal communications on internal controls are communicated through adoption of formal policies by relevant boards and commissions and/or the legislative body or documented through memos from the auditor's office or relevant office-holder or department head. Internal memos and reports are maintained to document communication.
(3) Principle 15: management externally communicates the necessary quality information to achieve the entity's objectives. Communications with the State Board of Accounts, other state agencies, grantor agencies, and regulatory agencies are documented by email, memos, letters, and other forms of written correspondence. All documents are maintained in accordance with the county and state's record retention policies. Reports and policies are cross checked for accuracy, relevancy, and timeliness of information.
(F) Component five: monitoring activities.
(1) (a) Principle 16: management establishes and operates monitoring activities to monitor the internal control system and evaluate the results. County administration monitors and evaluates compliance with internal control policies via multiple vectors. Separation of duties, redundancy polices, layered approval systems, monthly reports, and physical controls such as video monitoring allow management to both review and evaluate control systems.
(b) The auditor's office shall implement a system of monitoring that includes:
1. Periodic checks to determine if controls are in place and working effectively;
2. Reviewing control activities to determine if the actual activities are in compliance with established procedures; and
3. Documenting deficiencies in the internal control processes and remediating them quickly.
(c) Monitoring activities will be documented by signatures, initials, or other appropriate methods.
(2) Principle 17: management remediates identified internal control deficiencies on a timely basis. Breaches of internal controls are subject to significant levels of internal scrutiny. If informed of a material breach of internal controls, the Commissioners or auditor's office will actively investigate and address the alleged breach and adjust policies and procedures to prevent such occurrences in the future, if a material breach is substantiated. Once breaches are identified and investigated, a formal or informal corrective action plan will be developed.
(Ord. 2016-03, passed 6-20-2016)