3.04.050 Internal control standards.
   A.   Policy. The purpose of this policy is to communicate the common council's objectives of a reliable internal control system to all employees and elected officials of the city. Special consideration is being placed on the five key components of internal controls as established by the Indiana State Board of Accounts, which include seventeen key principles.
   B.   Component one: control environment.
   1.   Principle 1: The oversight body and management demonstrate a commitment to integrity and ethical values.
   a.   The city has the responsibility to promote confidence in city business regarding the official conduct of all areas of city government, including councilors, appointees, employees, and elected officials. As part of its commitment to an overall system of internal control, integrity, and ethical values, the common council developed and adopted a code of ethical conduct policy on May 7, 2013, Resolution No. 8, 2013.
   b.   The city also has the responsibility to establish and maintain an adequate system of internal control and to furnish to the common council, various boards and commissions, governmental agencies, creditors and others reliable financial information on a timely basis. An adequate system of internal control is necessary for the city to discharge these responsibilities.
   c.   Controls help ensure that assets are not exposed to unauthorized access and use, transactions are properly recorded in the financial records, and the financial information is reliable. External organizations and stakeholders of the city rely on financial information to make decisions toward appropriations, loans and other debt, grants, and other contractual relationships. City resources are dependent upon the system of internal control. Auditors are required annually to report upon the adequacy of the city's systems for control over financial reporting and compliance per I.C. 5-11-1-27(e). The safeguarding of city assets and the reliability which the city and others can place upon its financial records is dependent upon the effectiveness of the internal control process.
   d.   Many areas of the internal control system are covered within the accounting and uniform compliance guideline manual for cities and towns which was established by the state board of accounts, such as personal expenses, personal property use, political expenditures, private property usage, etc. This manual is a reference and guideline for all employees especially those in the city controller's office. The city's employee personnel booklet has also been designed to guide and train employees toward its mission of maintaining internal control.
   e.   The city controller's office has established safeguards to promote efficiency and minimize risks of asset loss, which helps ensure the reliability of financial information, and compliance with applicable laws, rules, and regulations. The office of the city controller and other city leaders periodically evaluate the city's internal control system for weaknesses, providing solutions to any discovered weaknesses, and inform employees of necessary changes in procedures.
   f.   The city, with assistance of the Human Resources Department, will establish a confidential reporting system for individuals to report suspected fraud and abuse of internal control policies. In addition to the confidential reporting, the Human Resources Department will institute procedures to address violations of policies and consequences for violations.
   2.   Principle 2: The oversight body oversees the entity's internal control system.
   a.   As the fiscal body for the city, the common council is responsible for setting internal control expectations, ensuring management is aware of those expectations, requiring that upward communication channels are open through all levels of management, and evaluating management's effectiveness toward monitoring the control environment and implementing sound control policies and procedures.
   3.   Principle 3: Management establishes an organizational structure, assigns responsibility, and delegates authority to achieve the entity's objectives.
   a.   Individuals with delegated approval authority, e.g., elected officials and department heads, are responsible for establishing, maintaining, and supporting a system of internal controls within their areas of responsibility and for creating the control environment that encourages compliance with city policies and procedures. They should provide common council with an organizational chart.
   b.   All levels of management and supervision are responsible for strengthening internal controls when weaknesses are detected. Department managers should periodically review departmental procedures to ensure that the general principles of internal control are being followed.
   c.   The clerk-treasurer has the primary responsibility for internal controls which provide reasonable assurance regarding the reliability of financial information and records, effectiveness and efficiency of operations, proper execution of management's objective, and compliance with laws and regulations. Segregation of duties, safeguarding controls over cash and all other assets and all forms of information processing are necessary for proper internal control. Internal controls should also be in place for receipting, disbursing, recording and accounting for the financial activities necessary to avoid substantial risk of invalid transactions, inaccurate records and financial statements.
   d.   The Human Resources Department is responsible for internal controls over employee recruitment, hiring, separation, promotion, job classification, employee rights, and salary administration. This department is the city's source for information and assistance on this topic and will make resources available to assist in administering this policy.
   e.   All levels of internal control are subject to examination by external auditors who are required to report on the adequacy of internal controls over finance and compliance.
   f.   Department heads and the Human Resources Department are responsible for prompt corrective action on all internal control findings and recommendations made by internal and external auditors. The audit process is completed only after department heads receive the audit results and take action to correct internal control weaknesses, improve systems, or demonstrate that management action is not warranted. Department heads have the responsibility to ensure that those who report to them have adequate knowledge, skills, and abilities to function within, and contribute to, an effective internal control environment. This includes providing access to appropriate training on topics relevant to their job responsibilities.
   4.   Principle 4: Management demonstrates a commitment to recruit, develop, and retain competent individuals.
   a.   City leaders determine skills necessary for each level of the organizational chart by creating job descriptions and requirements for each position. Hiring processes will be documented. Evaluations are completed on a regular basis and, if necessary, address any deficiency in skill level or performance. Prior to employment, individuals may be subject to pre-employment background screening and/or a credit history check. Department heads will determine required training for employees, track the process and review courses with employees. The city will continue to assess the best recruitment pools and tools for the different skill sets necessary to adequately implement and maintain quality internal controls.
   b.   Job descriptions will be updated where necessary to reflect internal control responsibilities and duties. Employees will be regularly trained in internal control methods and all training will be documented in employees' personnel files. Employees will be regularly evaluated by their supervisors on internal control duties and receive feedback on possible improvements.
   5.   Principle 5: Management evaluates performance and holds individuals accountable for their internal control responsibilities.
   a.   City leaders and the Human Resources Department have developed a formal employee evaluation system to assess performance and hold each individual accountable for their internal control responsibilities. Performance reviews will be filed in the Human Resources Department and kept as a permanent record.
   b.   City administration will address issues in specific departments and positions through regular communication with all departments.
   C.   Component two: risk assessment.
   1.   Principle 6: Management defines objectives clearly to enable the identification of risks and risk tolerances. Through the creation of standard operating procedures and accurate organizational reporting charts, management conveys and identifies objectives, missions, policies, and risk tolerances to employees.
   a.   City leaders will lead a risk analysis in three major areas:
   i.   Operations - Effectiveness and efficiency of operations.
   ii.   Reporting - Reliability of reporting for internal and external use.
   iii.   Compliance - Compliance with applicable laws and regulations.
   b.   City leaders will define objectives in specific measurable terms in order to enable the design of internal control for related risks, to increase understanding at all levels, and to assess performance. They will also identify what is to be achieved, who is to achieve it, how it will be achieved, and when it will be achieved. State statutes, and guidelines listed in the Accounting Uniform Compliance Manual will be incorporated in the objectives.
   2.   Principle 7: Management identifies, analyzes, and responds to risks related to achieving the defined objectives.
   a.   City leaders will identify, analyze, and respond to the risks identified in this principle by determining:
   i.   Insurance coverages;
   ii.   Worker safety training;
   iii.   How likely is the risk to occur?;
   iv.   How will it impact the objective?;
   v.   Is the risk based on complex or unusual transactions?; and
   vi.   Is the risk based on fraud?
   b.   Once each risk has been identified and analyzed, management will determine how to respond to each risk individually and design specific actions accordingly.
   3.   Principle 8: Management considers the potential for fraud when identifying, analyzing, and responding to risks.
City leaders are committed to fraud prevention through continual analysis of possible fraudulent financial reporting, misappropriation of assets, and illegal acts. Fraud responses will include statutorily required responses as directed under Ind. I.C. 5-11-1-27(l) relating to the report of misappropriation of funds to State Board of Accounts and Prosecuting Attorney. Report of material variances, losses, shortages, or thefts will be conveyed to the State Board of Accounts under I.C. 5-11-1-27(j). The city shall utilize a materiality threshold of $500.
   4.   Principle 9: Management identifies, analyzes, and responds to significant changes that could impact the internal control system.
   a.   City leaders and department heads will implement a training process of internal controls and employee policies for all new employees.
   b.   They will also regularly reevaluate policies and procedures to determine if existing controls will continue to be effective or if new controls need to be designed and implemented.
   D.   Component three: control activities.
   1.   Principle 10: Management designs control activities to achieve objectives and respond to risks.
   a.   The clerk-treasurer's office will establish and maintain a system of internal controls that satisfies the city's objectives and follows guidelines as established by the State Board of Accounts in the following categories:
   i.   Risks are identified and effectively managed;
   ii.   Safeguarding of city assets;
   iii.   Reliability and integrity of financial information;
   iv.   Compliance with city policy, plans, procedures, laws and regulations;
   v.   Economical and efficient use of city resources; and
   vi.   Meeting established objectives and goals for city operations and programs.
   b.   General internal control principles for departments are:
   1.   Separation of duties; and
   2.   Duties are separated so that one person's work routinely serves as a check on another's work.
   c.    No one person has complete control over more than one key function or activity (e.g., authorizing, approving, certifying, disbursing, receiving, or reconciling).
   d.   Authorization and approval.
   i.   Proposed transactions are authorized when proper and consistent with city policy and the department's plans.
   ii.   Transactions are approved by the person who has delegated approval authority, which is usually delegated on the basis of special competency or knowledge.
   e.   Custodial and security arrangements.
   i.   Responsibility for physical security/custody of city assets is separated from record keeping/accounting for those assets.
   ii.   Unauthorized access to city assets and institutional data is prevented.
   f.   Timely and accurate review and reconciliation.
   i.   Departmental accounting records and documents are examined by employees who have sufficient understanding of the city accounting and financial systems to verify that recorded transactions actually took place and were made in accordance with city policies and procedures.
   ii.   Departmental accounting records and documentation are compared with city accounting system reports and financial statements to verify their reasonableness, accuracy, and completeness.
   iii.   The general internal control principles should be applied to all departmental operations, especially accounting records and reports, payroll, purchasing/receiving/disbursement approval, equipment and supply inventories, cash receipts, petty cash and change funds, billing and accounts receivable.
   g.   The following internal control activities are adopted for use by city departments:
   i.   Payroll activities;
   ii.   Salaries and wage rates are verified by the Human Resources Department;
   iii.   The responsibilities for hiring, terminating, and approving promotions are segregated from those preparing payroll transactions or inputting data;
   iv.   The responsibilities for approving time sheets are segregated from those for preparing payroll transactions or inputting data;
   v.   Payroll adjustment reports are submitted by someone outside of the payroll process;
   vi.   Employees' time and attendance records are approved by their supervisors;
   vii.   Corrections to recorded time and attendance records are approved by the employee, employee's supervisor, and authorized by management;
   viii.   Procedures are in place to ensure that changes in employment status are promptly reported to the payroll processing unit, by completion of an Employee Status Change Form;
   ix.   Payroll disbursements are reviewed and approved by an authorized individual prior to payment;
   x.   Access to payroll applications is appropriately controlled by user logins and passwords;
   xi.   Changes to a payroll disbursement are approved by an individual other than the ones authorized to process the changes;
   xii.   Payroll checks are accounted for in numerical order and reconciled to the payroll check register;
   xiii.   Access to the signature stamp used to sign payroll checks is adequately controlled;
   xiv.   Payroll checks/deposit advices are mailed or distributed by someone outside the normal payroll distribution function;
   xiv.   Unclaimed payroll checks are returned to Finance Department via the Department Head;
   xv.   Employees are cross-trained on the payroll process.
   h.   Disbursement activities.
   i.   The responsibility for approving claims is segregated from those preparing the claims;
   ii.   Checks are written by an individual other than the one approving the claim;
   iii.   Checks are signed by an individual other than the one preparing them;
   iv.   Claims for payment are reviewed and approved by the governing body prior to payment;
   v.   A reconcilement is completed between the claims for payment approved by the board and the actual disbursements posted to the ledger;
   vi.   The responsibility for acknowledging the receipt of goods or services is segregated from those preparing claims and writing checks;
   vii.   Vendor checks are accounted for in numerical order and reconciled to the disbursement ledger.
   viii.   Invoices or other receipts are attached to each claim to support the disbursement;
   ix.   A review is completed by an individual outside the disbursement process in which the claim amount is compared to the supporting documentation attached to the claim and the amount of the check; and
   x.   Access to disbursement applications is appropriately controlled by user logins and passwords.
   i.   Receipting activities.
   i.   The responsibility for collecting money and issuing receipts is segregated from those preparing the bank deposit;
   ii.   The responsibility for making bank deposits is segregated from those preparing the monthly bank reconcilement;
   iii.   Pre-numbered receipts are issued for all money collected and the receipt is retained with supporting documentation;
   iv.   Receipts are reconciled to the cash receipts ledger by an individual other than the one collecting money and issuing receipts;
   v.   Posting of receipts to the ledger is completed by an individual other than the one who collects money and makes the deposit;
   vi.   Receipts indicate the type of payment received (cash, check, etc.) and this is reconciled to the make-up of the bank deposit;
   vii.   Accounts receivable records are maintained by an individual other than the one(s) involved in the billing process;
   viii.   The billing process is completed by an individual other than the one who collects cash payments from customers;
   ix.   Adjustments to customer accounts above our managerial threshold are approved by the governing body only after review; and
   x.   A periodic review is completed of all adjustments made to customer accounts by an individual independent of the billing and accounts receivable processes to ensure that all adjustments made have proper approval from the governing body.
   j.   Cash activities.
   i.   A reconcilement between the recorded cash balance and the bank balance is completed monthly by an individual separate from the receipting and disbursing processes.
   ii.   A reconcilement between the receipts ledger and the credits to the bank account is completed periodically by an individual separate from the receipting process.
   iii.   A reconcilement between the disbursement ledger and the debits to the bank account is completed periodically by an individual separate from the disbursement process.
   iv.   The monthly reconcilement between the cash balance and the bank balance is thoroughly reviewed and approved by the governing body.
   v.   Disbursements from and reimbursements to petty cash funds are periodically reviewed by an individual other than the one responsible for maintaining the petty cash fund.
   k.   Credit card transactions.
   i.   A designated official or employee oversees the issuance and use of the credit cards.
   ii.   A city policy specifically states the purposes for which the credit card may be used.
   iii.   A designated employee maintains a log which includes the names of individuals requesting usage of the cards, their position, estimated amounts to be charged, etc.
   iv.   A designated person separate from the disbursement process reviews transactions listed on the credit card statements for sufficient documentation and inclusion in the claim to the Board.
   3.   Principle 11: Management designs the political subdivision's information system and related control activities to achieve objectives and respond to risks.
   a.   City leaders, department heads, and the clerk-treasurer's office have teamed up with the Information Technology Department to ensure that information technology is used as an integral part of the internal control system, such as:
   i.   Setting permission such that only certain users may perform certain tasks;
   ii.   Using financial software technology to accomplish segregation of duties by forcing duties;
   iii.   To be completed by different users;
   iv.   Automating certain processes and calculations;
   v.   Physical security through locked cabinets, office doors, and city vault;
   vi.   Prohibiting user ID and password sharing among employees;
   vii.   Restricting the authority to correct or make adjustments to records by key employees;
   viii.   Requiring the use of prescribed forms or the approval of alternative forms;
   ix.   Requiring frequent password changes;
   x.   Established safeguards to prevent loss of data in the event of a failure of the IT system; and
   xi.   Procedures and calculations performed by the IT system are checked to ensure they are functioning properly.
   4.   Principle 12: Management implements control activities through policies.
   a.   The city employee handbook provides policies and information regarding internal controls. The handbook is given to all new employees, and will be placed online in the future. Internal control procedures are communicated to all employees that are part of the financial or reporting process. Policies and procedures outline the steps to obtain and document the approval for the claim process. The clerk-treasurer's office regularly works with departments and employees who handle financial transactions to recommend and ensure best practices.
   E.   Component four: information and communication.
   1.   a.   Principle 13: Management uses quality information to achieve the political subdivision's objectives.
      b.   The city strives to lead in the areas of financial transparency and accountability. By adopting standards and investing in systems that exceed State mandated minimums, city management provides employees and stakeholders with high quality information. The city leaders attend training sessions to stay abreast of changes and developments in requirements and communicate that information effectively to impacted employees. The oversight body is made aware of any changes to reporting or compliance requirements that would require adjustments to the internal controls over information and communication.
   2.   a.   Principle 14: Management internally communicates the necessary quality information to achieve the political subdivision's objectives.
      b.   Internal communication and documentation of internal controls are communicated through offices, departments, adoption of formal policies by relevant boards and commissions and/or the legislative body and communicated to employees. Internal memos and reports are maintained to document communication.
   3.   a.   Principle 15: Management externally communicates the necessary quality information to achieve the entity's objectives.
      b.   Communications with the State Board of Accounts, other State agencies, grantor agencies, and regulatory agencies are documented by email, memos, letters, and other forms of written correspondence. Logs are kept for information provided verbally. All documents are maintained in accordance with the city and State's record retention policies. Reports and policies are cross checked for accuracy, relevancy, and timeliness of information.
   F.   Component five: monitoring activities
   1.   Principle 16: Management establishes and operates monitoring activities to monitor the internal control system and evaluate the results.
   a.   Periodic checks are performed to determine if controls are in place and working effectively. City administration monitors and evaluates compliance with internal control policies through separation of duties, layered approval systems, monthly reports, and bank reconcilement.
   b.   Management will follow a system of monitoring that includes:
   i.   Periodic checks to determine if controls are in place and working effectively.
   ii.   Reviewing control activities to determine if the actual activities are in compliance with established procedures
Documenting any deficiencies in the internal control processes and remediation.
   c.   Monitoring activities will be documented by signatures, initials, or other appropriate methods.
   2.   Principle 17: Management remediates identified internal control deficiencies on a timely basis.
   a.    Internal control deficiencies may be identified internally through monitoring or through audit reports. If informed of a material breach of internal controls, the city would address deficiencies immediately through the development of formal or informal corrective action plans.
   b.   The city, through an oversight committee, would work together to ensure a corrective action plan is implemented and the resulting changes are effective in correcting internal control weaknesses.
   G.   Policy. Pursuant to 2 CFR 200, effective December 26, 2014, the final guidance on requirements for recipients of Federal financial assistance was implemented, the Uniform Grant Guidance. This guidance was codified at 2 CFR part 200 (Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards). The guidance is applicable to entities receiving Federal funding. As a consequence, when conducting the biennial audit, Indiana State Board of Accounts reviews the City's expenditures utilizing the Single Audit requirements found in 2 CFR part 200.500 - 200.521 of Uniform Grant Guidance including the Compliance Supplements for all Federal Funding sources to assure compliance with all grant agreements, rules, regulations, bulletins, directives, letters, letter rulings, court decisions, and filing requirements concerning reports and other procedural matters of Federal and State agencies.
   H.   A Single Audit or program-specific audit is required if the city receives $750,000 or more in Federal awards during its fiscal year. Subsequently, if the city has a non-federal governmental or nonprofit entity administering (holding) a contract with Federal funds that pass through the City, or a sub-recipient, the city must:
   1.   Ensure sub-recipients comply with all Federal laws including receipt and review of their single audits;
   a.   Send form requesting listing of Federal funds received in fiscal year;
   b.   If receiving $750,000+, a single audit is due within 9 months of year end or within 30 days of completion, whichever occurs first;
   2.   Monitor performance scheduled for achievement; and
   3.   Ensure the establishment and maintenance of effective internal controls for compliance.
(Ord. 33-2023, 2023; Ord. 22-2018, 2018; Ord. 8-2017, 2017)