Self-Assessment of Internal Controls for VA Affiliated Nonprofit Research and Education

Nonprofit Program Office (NPPO)

Office of Research and Development

Veterans Health Administration

Self-Assessment of Internal Controls

for

VA Affiliated Nonprofit Research and Education Corporations (NPCs)

February 15, 2011

Nonprofit Program Office (NPPO)

Office of Research and Development

Veterans Health Administration

U. S. Department of Veterans Affairs (VA)

Self-Assessment of Internal Controls

for VA-Affiliated Nonprofit Research and Education Corporations (NPCs) established pursuant to sections 7361-7366, title 38, United States Code

Table of Contents

Introduction...... iii

System of Internal Controls...... iii

Framework...... iv

Acknowledgement...... iv

Objectives and Risks...... iv

Instructions...... xiv

Internal Controls Questionnaire...... 1

A. Control Environment...... 1

B. Financial Reporting Cycle...... 7

C. Budget Reporting Cycle...... 9

D. Cash Receipts Cycle...... 10

E. Accounts Receivable Cycle...... 13

F. Purchasing/Accounts Payable Cycle...... 15

G. Human Resources Cycle...... 17

Introduction

The Self-Assessment of Internal Control, commonly referred to as the Internal

Control Questionnaire (ICQ) is a tool to be utilized by the NPPO and NPCs.

The ICQ can be used in two ways: 1) as a voluntary self-assessment; or 2) as a NPPO review or audit tool. If required by the NPPO, the purpose will be to confirm that internal controls are present and effective, or to identify areas requiring improvement. NPPO will make formal written recommendations for improvements to the NPC’s management, the related VA Medical Center Director, and the NPC’s board of directors where appropriate.

The NPPO estimates that it will take an average of two hours to answer this ICQ. However, because of the huge size disparities in the NPCs and other factors peculiar to some of the NPCs, more or less time may be required. If you would like to comment upon the estimated burden of answering this ICQ, or have any questions or suggestions, please contact Kimberly Collins, NPPO Administrator, at (816) 922-2043 or .

VA and the NPPO cannot ensure that the ICQ answers will be kept confidential or private. However, NPPO will make a reasonable effort to confine the answers to those within VA who have a need to know.

This ICQ does not contain any information that can reasonably be regarded as sensitive.

This ICQ will be made available to respondents electronically by email or for downloading from the NPPO Web site. If requested, answered ICQs can also be returned to NPPO electronically. There is no additional record-keeping requirement for this ICQ.

System of Internal Controls

A proper system of internal control provides reasonable assurance that the financial statements are fairly presented and that management’s goals are being properly pursued. Such a system includes fully documented policies and procedures that ensure, among other things, that:

A. Transactions are executed according to management's general or specific authorization.

B. Transactions are recorded, as necessary, to:

1. prepare the financial statements that conform with generally accepted

accounting principles, and

2. account for assets, liabilities, net worth, cash flow, revenues and

expenses.

C. Access to assets is permitted according to management's authorization.

D. Asset records are compared with the existing assets at reasonable intervals and action is taken to reconcile any differences.

The ultimate responsibility for a good system of internal control rests with management. Periodically, when submitting financial statement information, management must attest to the accuracy of that information along with the soundness of internal controls. This ICQ should be used as a key tool in making those assertions. Additionally, many aspects of internal control are currently documented in VHA Handbook 1200.17.

Framework

The ICQ consists of the following accounting cycles or sections:

A. Control Environment

B. Financial Reporting

C. Budget Reporting

D. Cash Receipts

E. Accounts Receivable

F. Purchasing/Accounts Payable

G. Human Resource

Acknowledgement

The framework for the ICQ is taken from sources both within and outside the NPPO and VA, particularly the State of North Carolina and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as published in Internal Control– Integrated Framework in 1992.

Objectives and Risks

Below are the objectives for each of the seven areas of the ICQ and the risks associated to the NPC when the objectives are not met. The ICQ will provide additional guidance to manage these areas of the NPC and set the basic framework for the ICQ that follows.

A - Control Environment

Objectives and Risks

Objectives / Risks
Management communicates through actions and in writing the importance of and commitment to the establishment and maintenance of a strong system of internal control.
Management adheres to a code of conduct and other policies regarding acceptable business practices, conflicts of interest, and expected standards of ethical and moral behavior. Management communicates these policies to all employees by means of intranet, posters, memorandum, or other modalities. /

Employees lack of knowledge of internal controls.

Code of conduct and/or ethics policy does not exist or has not been adequately communicated to employees.

Organizational structure is clearly defined and up to date to perform the necessary functions.
Appropriate reporting relationships have been established. /

Organizational chart is not current.
Employees are unaware of reporting relationship in the organizational structure.
Functions are duplicated by departments or employees.

Personnel are qualified and properly trained to ensure control procedures operate in the correct manner.
Job descriptions are current and detail the responsibilities and qualifications for each position. /

Personnel are not qualified to perform tasks assigned to them.
Personnel are not adequately trained.
There is a lack of continuing education for personnel.
Job descriptions are not coordinated with actual job performances.
Management goals are not communicated to employees.

Authority is delegated to ensure that responsibilities are effectively segregated. /

One employee controls all phases of a transaction and appropriate checks and balances are not in place.

Documented policies and procedures define the desired work flows and provide a basis for reviews, follow-up evaluations and audits. /

Functions are not performed uniformly among departments.
Statutory requirements are not met.
Functions and transactions are performed in an unsystematic manner.

Budgetary and reporting practices provide benchmarks by which management can measure accomplishments. /

Management does not have guidelines to measure performance.
Unusual transactions or events are not detected.
Management cannot determine whether goals are being achieved.

Organizational checks and balances minimize the potential for waste, fraud, abuse or mismanagement. /

The absence of checks and balances or the failure of organizational unitsto execute those responsibilities allows for waste, fraud, or abuse.

B - Financial Reporting Cycle

Objectives and Risks

Objectives Risks

All transactions are properly accumulated, classified and summarized in the accounts. /

General ledger is not in balance.
Subsidiary ledgers are not in balance with the general ledger.
Accounting policies and procedures are applied inconsistently.

All closing entries are initiated by authorized personnel and reviewed and approved in accordance with established policies and procedures. /

Inadequate closing procedures may result in confusion of responsibility and a delay in closure.
Inadequate cutoff procedures allow improper inclusion or exclusion of transactions.
Unauthorized, inadequately supported, or inappropriate journal entries may occur.

All necessary data is obtained and processed in accordance with established policies and procedures. /

Absence of adequate procedures may result in misclassification of balances, omission of an accounting unit, unacceptable delays and duplicative work.
Financial reports may be missing information and there is a lack of control over data the review process.

All internal and public financial reports are prepared on the basis of appropriate supporting data, provide required information, and are reviewed and approved before issuance. /

Financial reports are not supported by underlying accounting records.
Financial data is presented in an inconsistent manner.
Data reviews are incomplete, permitting possible errors or omissions.

C - Budget Reporting Cycle

Objectives and Risks

Objectives / Risks
An administrative budget that internally and externally communicates goals and objectives and serves as a "benchmark" against which actual performance is measured. /

There is notpractical means by which to measure performance.
Internal departments and staff are unsure of goals of the executive manager.
There is noteffective control over expenditures.

Expenditures are incurred in conformity with the budget and plan of operations. /

Contracts with funders may be violated.
Expenditures incurred in excess of budget authorization.
Transfers between budget categories are arbitrary or unauthorized.

Reports of budget versus actualis provided on a timely basis and explanations are provided for significant deviations. /

Corrective action cannot be instituted in a timely manner.
Managers are unaware of the status of their budget and potentially prohibited from executing plans.
Unbudgeted actual transactions may not be detected.

D - Cash Receipts Cycle

Note: Cash includes checks received, wires in, cash in banks, petty cash,

and currency

Objectives and Risks

Objectives / Risks
All collections are properly identified, control totals developed, and collections promptly deposited intact. /

Cash receipts may be withheld or recorded late.

All bank accounts and cash on hand are subject to effective custodial accountability procedures and physical safeguards. /

Funds may be misappropriated, diverted, or lost. Unauthorized cash disbursements may occur.

All transactions are promptly and accurately recorded in adequate detail. Records and appropriate reports are issued. /

Unauthorized transactions may be covered by substituting unsupported credits or fictitious expenditures. Cash or receivables may be over- or under-estimated.

All transactions are properly accumulated, correctly classified and summarized in the general ledger; balances are reconciled with bank statement balances in an accurate and timely manner. /

Cash balances may be misstated and unauthorized transactions may be covered up by falsifying bank reconciliation.

E - Accounts Receivable Cycle

Objectives and Risks

Objectives / Risks
Ensure that appropriate records are maintained for all funders and other sources of revenue. /

Revenue may be lost as a result of errors.
Employeesmaydivert revenue for personal use.

Billing of revenues is performed promptly and in proper amounts. /

Billings are inaccurate or incompletely prepared.
Revenue is lost due to inadequate procedures or improper accounts.

All collections are properly identified, control totals developed, and collections promptly deposited intact and applied to the proper accounts. /

Withholding or delaying the recording of cash receipts and application of funds to the proper accounts may be withheld or recorded in a delayed manner.
An employee may divert receipts for personal use.
Amounts may be improperly written-off and collections diverted for personal use.

Billings, adjustments and collections are properly recorded in individual receivable accounts. /

Account balances are reduced by unauthorized transactions.
Cash flow from payments is delayed by latebillings or deposits.

Revenues, collections and receivables are properly accumulated, classified and summarized in the accounts. /

Errors in transaction postings to detail or control accounts are not detected in a timely manner.
Problem accounts do not receive prompt attention, resulting in revenue or cash-flow loss.

F – Purchasing / Accounts Payable Cycle

Objectives and Risks

Objectives / Risks
All requests for goods and services are initiated and approved by authorized individuals, and are in accordance with budget guidelines. /

Purchases are from unauthorized vendors.
Purchases are in violation of a conflict of interest policy.
Purchases are not timely.
Purchases are not in accordance with budget provisions.

All purchase orders are based on valid, approved requests and are properly executed according to price, quantity and vendor. /

Payment in excess of price.
Quantities are not adequate or excessive.

All received materials and services agree with the original orders. /

Payment for materials or services not received.
Damaged or missing goods not reported.

All invoices processed for payment represent goods and services received and are accurate according to terms, quantities, prices and extensions. Account distributions are accurate and agree with established account classifications. /

Payment is based on improper price or terms.
Accounting distribution of cost is inaccurate.

All checks are prepared on the basis of adequate and approved documentation, compared with supporting data and properly approved, signed and mailed. /

Incorrect or duplicate payments.
Alteration of checks.
Disbursement for materials or services not properly documented orapproved.

All disbursement, accounts payable, encumbrance transactions are promptly and accurately recorded as to payee and amount. /

Improper cash, accounts payable, and encumbrance balances.

All entries to accounts payable, reserve for encumbrances, asset and expense accounts and cash disbursements are properly accumulated, classified and summarized in the accounts. /

Misstated financial statements.
Misstated internal financial data.

G - Human Resources Cycle

Objectives and Risks

Objectives / Risks
Additions, separations, wage rates, salaries and deductions are authorized and documented. Payroll and personnel policies are in compliance with grant agreements and federal and state laws. /

Unauthorized or fictitious names are added to the payroll.
Payments continue to employees who have been terminated.
Wage rates and salaries are at a higher rate than authorized.
Reimbursement of payroll from grant funds is denied.
Penalty for noncompliance with federal and state laws.

Employees' time and attendance data are properly reviewed and approved. /

Employees are paid for time that they did not work.
Employees are paid for time that was unnecessary or unauthorized.

Employees' time and attendance data are properly processed and documented and accurately coded for account distribution. /

Employees are paid for time that they were absent from work.
Erroneous coding of accounting distribution for payroll costs.

Computations for gross pay, deductions and net pay are accurate and based on authorized time and rates; the recording and summarization of payments to be made and cost to be distributed are accurate and agree with established account classifications. /

Employee compensation and payroll deductions are computed erroneously.
Payroll and related costs are not distributed in accordance with established account classification.
Reimbursable payroll costs are not recovered under grant or shared cost
programs.
Amounts paid at rates different than those authorized.

Payments for employee compensation and benefits are made to or on behalf of only bona fide employees for services performed as authorized. /

Payments are made to unauthorized individuals.
Employees are paid for unauthorized benefits.

Employee compensation and benefit costs are properly accumulated, classified and summarized in the accounts. /

The accounting distribution of payroll and related costs are classified improperly.
Accrued liabilities or disclosures for employee benefits are misstated.

Time sheets and procedures are in place to ensure that there is no dual compensation paid to joint VA/NPC employees for the same time worked. /

Violation of federal law and regulations prohibiting dual compensation to Federal employees.
Waste of NPC financial resources from overpaying employees.

Without compensation appointments (WOC’s) are made by VA to all VA and NPC employees engaged in NPC sponsored research and/or education. /

Possible loss of protection under the Federal Torts Claim Act.
Waste and loss of NPC financial resources in defending and paying claims.

Conflict of Interest statements are signed and maintained in the NPC’s files. Conflict of Interest statements are updated with respect to the NPC COI Policy. /

Losses to the NPC resulting from conflicts of interest.
Failure to meet VA Handbook requirements.

New board members are given an orientation manual and session to acquaint them with the board’s operations and the
responsibilities of board members. /

Misunderstandings, perhaps of a serious nature, of board member duties and responsibilities.

INSTRUCTIONS

The ICQ will be answered by the NPC’s Executive Director, Chief Executive Officer, Chief Financial Officer, Controller or other person with equivalent authority, ability and knowledge of the NPC’s operations and internal controls.

Fill out the required information at the top of page one and then circle the correct answer, i.e. yes, no, N/A. If you are uncertain about how to answer a question, leave it blank and go on to the next one. We will discuss the skipped questions as part of the NPPO Review.

OMB Number 2990-XXXX

Approval expiration 12/31/XX

Nonprofit Program Office (NPPO)

Office of Research and Development

Veterans Health Administration

U.S. Department of Veterans Affairs (VA)

Self-Assessment of Internal Controls

for VA Affiliated Nonprofit Research and Education Corporations (NPCs)

NPC:

City/State:

Telephone # and E-mail address:

Prepared by:

Title:

Date Prepared:

A - Control Environment

Control Policies and Procedures

I. Integrity and Ethical Values

Please circle correct answer.

Yes No N/A1. Does a written Conflict of Interest Policy(COI) exist and does it apply to all officers, employees and directors?

2. Does the Conflict of Interest Policy contain:

Yes No N/Aa. A definition of COI?

Yes No N/Ab. A training requirement for directors, officers and employees

about the policies within 90 days of hire or affiliation with

the NPC?

Yes No N/Ac. An annual refreshertraining requirement for directors,

officers and employees with decision-making authority

about the policy?

Yes No N/Ad. A requirement fordirectors, officers and employees with

decision-making authority to disclose potential conflicts of

interest?

Yes No N/Ae. A requirement that each director, officer and employee sign

a statement of acknowledgement of understanding and

agreement to comply with the policy upon hire or affiliation

with the NPC?

Yes No N/Af. A process for identifying and managing conflicts of