Slide 1: (Title Slide) Module 5: Effective Internal Controls
Welcome to the Public Housing Authority Financial Management Training. This session provides the general requirements for and definition of an internal control system and the process of developing an internal control system for your PHA.
Slide 2: Module 5 Topics
Module 5 starts with the definition and requirements of an internal control system. The session then transitions to a discussion of how PHAs can develop and implement an internal control system. To aid in the development of the internal control system, examples of approaches to the development of individual financial policies and procedures are discussed.
Slide 3: (Section Break) Definition of Internal Controls
This section titled, “Definition of Internal Controls” provides a formal definition of and the requirements for maintaining an effective internal control structure and system.
Slide 4: Internal Control Requirements
Internal control requirements relate to all Federally funded entities. The U.S. Office of Management and Budget (OMB) has prescribed the requirements for all non-Federal entities that receive federal funding (including PHAs) to follow. The requirements as set forth by OMB must be followed by all Federally funded entities regardless of the size of the entity or the amount of funding received.
The first OMB requirement is straight-forward, requiring that entities, in this case a PHA, have effective controls to assure that the funds are used in compliance with Federal statutes, regulations and other terms and conditions of the funding award.
The second bullet pertains to the requirement that the internal control systems must be in compliance with guidance in “Standards for Internal Control in the Federal Government” as issued by the Comptroller General of the United States and the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Does your PHA’s internal control structure comply with these requirements? Most PHAs are unlikely to be able to answer this question, which could be the cause for the reporting of an internal control deficiency by an auditor. One of the objectives of this module is to provide PHAs with an understanding of internal controls to ensure compliance with the Federal requirement.
Slide 5: Internal Control Requirements (continued)
An internal control system requires that PHAs have established policies and procedures that address the following items:
• The effective and efficient administration of the program;
• The establishment and attainment of operational and financial performance goals;
• The safeguarding of assets against loss;
• The reliability (i.e., the information is correct), timeliness, and transparency in both internal and external reports; and
• The adherence to laws and regulations to which the entity is subject.
Looking at these areas, it is understood that the size, programs administered, and funding levels will impact the design of the policies and procedures.
Effective administration refers to the ability to manage the program according to the guidelines and regulations. Efficient administration means being able to manage the program in a quick, concise, and organized manner. For instance, effectiveness can relate to the proper calculations related to rent calculation, whereas efficiency relates to the organization and checklists used during the actual rent calculation in the tenant file.
The establishment of goals, both financial and non-financial, is important for the monitoring of program management. Goals could relate to leasing efforts, timeliness of completing the Capital Fund Program awards, etc.
When thinking about protecting assets, most of us think about cash. But for most PHAs, the actual buildings represent the largest asset. Therefore, issues such as dedicating sufficient resources to maintenance and modernization of projects also relate to safeguarding the asset.
Reliability and timeliness of information is critical for monitoring. Questions arise such as, “Is the VMS data estimated?” or, “Is the financial statement prepared in a timely manner for Board review?” These questions directly relate to the reliability of information.
Finally, PHAs need to develop procedures and protocols to ensure adherence to laws and regulations. Simply stated: Are the program requirements being followed?
Slide 6: Components of Internal Control
Here we show a cube that illustrates the required components of an effective internal control system. The required components include:
• Control environment;
• Risk assessment;
• Control activities;
• Information and communication; and
• Monitoring activities.
Larger agencies can divide the cube into additional segments related to the overall entity, specific departments, or functions. Smaller agencies, without segmented departments, will concentrate on the overall entity and perhaps specific functions such as HAP processing in the Housing Choice Voucher (HCV) Program. In addition, a PHA must create an efficient and effective control environment related to daily operations, reporting, and compliance.
We will discuss each component in more depth in the upcoming slides.
Slide 7: What is the Control Environment?
The control environment is the foundation of the entity. Many believe the control environment is expressed through the overall attitude of the agency. For example, a reviewer visits a PHA. The reviewer arrives early in the morning to find most of the senior management is not present. The agency was unaware of the reviewer’s visit even though multiple emails were sent to the Executive Director, offices are unorganized with papers loose on most desks, checklists are not used or followed, and there is a lack of monitoring reports prepared by department heads. Just from the initial review, how would you rate the control environment?
Principles used to demonstrate a sound control environment include the following:
1. The expectation of integrity and ethical values in the completion of the PHA’s business and mission, including how the PHA communicates, is viewed by the public, employees, their vendors, and the program participants;
2. The governing body oversees the internal control system through a collection of reports. These reports can be used to evaluate the effectiveness of management for key performance indicators such as leasing, financial position, etc.;
3. The organization structure is designed to meet the key needs of each program within the funding levels;
4. Competent individuals are recruited for the agency;
5. Employees are disciplined when they fail to adhere to established procedures and policies; and
6. Management follows policies and procedures as an example to all others in the agency.
Slide 8: What is Risk Assessment?
Risk assessment is the process of stepping back and reviewing the weaknesses (risks) at the PHA. A risk is an event that may occur and that would adversely affect the achievement of an objective.
Risks could relate to financial controls, compliance controls, or reporting.
• For example, timecards not signed by the supervisor would be a financial risk – improper payment of wages. The PHA could easily correct this problem via training, monitoring and follow through of disciplinary action when warranted.
• An example of a compliance risk could be the lack of understanding the type of procurement actions or requirements that are needed to purchase different goods and services.
• In the past, the operating budget has been prepared at the last minute which demonstrates a risk related to reporting.
During the risk assessment process, the identified risk items are noted along with a plan of action to lower the risk. For example, additional training can be acquired during the next fiscal year to lower the risk related to procurement actions. A schedule for the preparation of the operating budget can be established requiring documentation and discussion with individuals prior to the required approval of the operating budget.
No entity can alleviate all risks due to resource constraints. It is understood that all risks cannot be eliminated due to limited staff and financial resources. PHAs should focus on establishing needed controls around their highest risk areas.
Slide 9: What are Control Activities?
Control activities can be described as the actual policies and procedures used to achieve the objectives to reduce or eliminate the identified risk factors. These procedures represent the actions developed by management to address the risk item whether it be a manual control or a control within the PHA’s information system.
These procedures represent actions that management believes are necessary to operate efficiently and effectively. As an example related to the payroll risk noted on the previous slide, the payroll policy is changed to include the approval of all timesheets by the supervisor, as evidenced by their signature. The procedure now requires the supervisor to initial and date each timesheet or, if automated, the software system requires each supervisor to mark the electronic timesheet as approved. In addition, the payroll clerk is to verify that all timesheets are signed before processing payroll. The updated policy and procedure represents a control activity.
While the finance office or accountant may be consulted, it is important to understand that it is the responsibility of management to design and implement the controls used for the PHA.
The size of the PHA should be considered when implementing control activities. While a larger agency may have the staffing available to provide adequate control procedures to mitigate the identified risks, a smaller agency may not have the staffing or funds to be able to put in place proper management controls. The PHA should conduct a cost benefit analysis to determine which control activities are reasonable given the PHA size and resources available.
Slide 10: What is Information and Communication?
The information and communication component refers to the process of communicating key information to individuals to achieve the objectives. Information should not only flow upwards but also down or even across departments to achieve the objectives of the agency.
For example, it would be difficult for a property manager to collect past due accounts if information is only provided to them from the finance office at the end of the month. This would be an example of sharing information with the necessary individuals to achieve the noted objective (in this case, reducing tenant accounts receivable). Management may be required to also summarize the tenant accounts receivable balance for reporting to the Executive Director or Board of Commissioners each month. This is an example of communicating the information upwards for review. In both cases, the information related to the account balances must be accurate.
In another sample scenario, a property manager mails a 14-day eviction letter based on information noted in the system. The disgruntled tenant states a payment was made in full in the previous week. Upon more careful review, it is realized that the cash receipt clerk was out sick during the past week and receipts had not been posted. This represents a breakdown of communication between the finance office and the property manager.
Slide 11: What are Monitoring Activities?
Monitoring activities relate to the evaluation and inspection of the internal control system to determine whether the procedures are operating effectively.
Here is an example of monitoring: management noted missing documentation in the tenant files as a high-risk item. To lower the high risk of missing items, a detailed checklist was developed for case managers to use for each rent change. Management is happy with the spreadsheet and has determined that this risk has been eliminated. However, during a review of the tenant files, it was noted that the checklist was not used consistently by the case managers. The control activity to use a checklist was a good management solution. However, due to a lack of monitoring, the checklist was never implemented. It is important that the deficiency of not using the checklist be identified and once again stressed to the case managers. As part of the monitoring effort, a small sample can be taken each month to verify that the checklist is being used.
As another example, upon monitoring of the tenant files it is noted that the software system also prints out a checklist similar to the one adopted by management. The checklist created by management is now obsolete. Monitoring of control activities will discover this duplication and the control procedures should be revised to eliminate the manual checklist and implement the checklist that is currently available in the software system.
Slide 12: (Section Break) Development and Implementation of Internal Control System
While the previous section outlined the requirements of OMB for an internal control system, this section discusses the actual development and implementation of an internal control system that can be used by a PHA, with an emphasis on financial management.
Slide 13: Development of Internal Control System
The development of an internal control system can be divided into 4 steps. These steps are as follows:
1. Identify risks related to transaction types, accounts, and compliance items;
2. Identify possible resources or personnel to mitigate the risk;
3. Develop control policies and procedures that target noted risk items; and
4. Monitor the implemented policies and procedures.
The next slides discuss in more depth each of these steps.
Slide 14: Step 1 – Identify Risks
First, every PHA is unique and therefore PHAs will have different risk items. Differences between PHAs include the following possible risk factors:
• Types of programs managed by the PHA;
• The size of the programs;
• The type of accounting, whether the PHA has a dedicated finance office or if they use a fee accountant; and
• The experience level of employees.
These demonstrate just a few examples of differences between PHAs. What is important to understand is that procedures must be based on the individual risk factors related to a specific PHA. In most cases, merely copying a set of procedures and policies from another PHA will not reduce the risk associated with your PHA.
Slide 15: Step 1 – Identify Risks (Continued)
Understanding the control environment (that is, programs, experience of staff, size) is the first step towards identifying specific risk items related to financial controls. Many of these risk items can be categorized into types of risks as follows:
• PHA-wide compliance
• Program level compliance
• Organizational risk
• Financial/Budget
• Data
Here we provide a generic example for each risk category. By organizing risk factors into these buckets, a PHA can focus on items related to these categories during the initial risk assessment.
Slide 16: Examples of Risk Factors
This slide provides some examples of risk items related to PHA-wide compliance and specific items related to the Public Housing and the HCV Programs. The slide emphasizes that when identifying risk, a PHA needs to view its agency from different levels and viewpoints to help identify all the areas of risk. Again, not all items of risk shown pertain to every PHA.
Slide 17: Step 2 - Identify Resources/Personnel
Once the risk items have been recognized, the next step is to identify resources available to aid in the elimination or reduction of the risk item. Resources can be scarce for some PHAs. As such, PHAs need to be creative in bringing resources to the table to aid in the internal control procedures. Obviously, a PHA should start with the employees of the PHA. In many cases, program managers can be cross-trained to provide additional controls for other programs. For example, an HCV Program Manager may be requested to view a small sample of tenant files from the Public Housing Program for compliance, filing, and rent calculation purposes.
For many small PHAs, the number of employees is limited, and other resources must be identified. In these cases, other resources may need to be located and used. This process is sometimes referred to as “compensating controls”. Additional resources that can be used may include board members, neighboring PHAs, contractors, and perhaps fee accountants. For example, a PHA may have an accountant on the Board of Commissioners that can review quarterly and annual payroll tax returns before they are submitted to the state and IRS, or the PHA can have a board member review bank reconciliations or payment vouchers prior to signing checks.
One of the primary objectives of this session is for the PHA to manage efficiently and effectively. A cost benefit analysis should be conducted prior to the decision to hire an additional employee or contractor for the sole purpose of increasing internal control procedures. As an example, many PHAs would like to employ an internal auditor as part of their internal control structure. However, due to the cost of this position, it is typically not practical to hire for this position.
Slide 18: Step 3 – Develop Control Policies & Procedures
Once the available resources have been identified, management has the task of designing an internal control system that works in an effective and efficient manner. The actual procedures, policies, and techniques established by management form the core standard operating procedures (SOP) that achieve the control objectives.
Slide 19: Control Activities
Control activities can consist of many techniques. These techniques can basically be categorized into two separate control types, preventive controls and detective controls.
Preventive controls represent a control type to discourage the errors or irregularities from occurring in the first place. These controls are proactive because they are conducted prior to and during the process. A detective control represents a control type that focuses on finding errors after they have occurred. An example of a preventive control would be: upon every recertification, the Executive Director is required to review and sign off on the rent calculation before it can be processed to verify the accuracy of the amount.
An example of a detective control would be: the Executive Director selects a sample of 10 files processed during the month to verify that rent calculations have been processed accurately. A list is maintained as proof that the review was conducted.
While both controls strive to meet the same objective, the processes are different. There is no right or wrong answer. Obviously, there are items that must be considered before the control type is selected such as the amount of available time for review, the experience level of the tenant file case manager, the number of errors noted in previous reviews, etc.
Question: Would the controls need to be changed if the tenant file case manager is new to the PHA? Obviously, the risk of a miscalculation has risen; therefore, controls may need to be increased to achieve the objective of maintaining accurate rent calculations.
Slide 20: Control Examples
Here we provide examples of controls that relate to preventive and detective controls. The key is to establish a balance of control types that is considered reasonable for an efficient and effective internal control system. In some cases, agencies may exceed the level of controls needed to accomplish the objective. The PHA should aim to balance controls in order to meet the stated objective. The cost in establishing controls should be considered as funding is always an overarching factor. The overall goal of providing the service to the PHA clients must be considered before establishing time consuming procedures – otherwise thought of as red tape.
Slide 21: Documentation of Control Procedures
Once the procedures are established, they should be documented throughout the process to provide evidence that the internal control system is functioning. This can be accomplished by simply initialing a form as proof of approval.
Referring to the rent calculation procedures, if the preventive control has been established that every file will be reviewed by the program manager prior to implementation, one may expect to see the program manager’s initials and date on the rent calculation form as evidence of approval.
For the detective control of pulling a sample of files, one may expect to see the list of the files reviewed and the results. Dating and signing the form would provide evidence of the internal control system operations.
Slide 22: Step 4 – Monitor Policies & Procedures
Monitoring relates to the continued effort to determine whether the controls are having the desired effect in meeting the objective. Monitoring can occur through a review of automated tools, use of quality control reviews, and the use of auditors. Monitoring also can mean reviewing the purchase order log to verify the controls and the accuracy of the log to meet the reporting component of the control.
Slide 23: Internal Control System Limitations
No internal control system can eliminate all risk. There are limitations.
Management Override - Hopefully, this does not happen, but in certain situations managers may purposefully bypass the established control system. As an example, a manager may not provide receipts from credit card purchases, noting the purchases have been self-approved by the manager when given to the accounts payable clerk.
Breakdowns – While the control system has been formally established and documented, the controls are not followed. This happens occasionally when the required tasks are not completed prior to a deadline. For example, the recertifications have not been reviewed for accuracy as required, but due to the deadline of processing HAP payments, all changes were accepted without review.
Cost vs. Benefit – For smaller PHAs, financial resources are limited. A certain amount of risk must be accepted as the cost simply exceeds the benefit.
Inadequate Segregation of Duties – The control system must be evaluated to determine whether adequate segregation of duties has been established. In certain cases, duties may be concentrated to a specific individual. A risk analysis should be performed to determine whether there is a risk related to a specific individual because of their duties. Are there sufficient resources (employees) available to segregate some of these duties? It is important to understand that during this phase an employee is not accused of fraud, but procedures are being changed for future staffing.
Similar to the previous example, the internal control system may not be sufficient due to inadequate segregation of duties which is a direct result of available funding. Many agencies will incur an audit finding related to an inadequate internal control system. PHAs are encouraged to establish an effective and efficient internal control system that fits their size and financial resources. However, if an agency is very small, consisting of one administrative employee, this finding may be reported in the audit.
For example, as a very small PHA, does the PHA have controls in place to verify data backups? Review of payroll tax returns? Verification of HUD 50058 submissions, etc.? In most cases, a PHA will answer “No” to these questions. There is no additional staffing or resources to verify that these requirements are met. The independent auditor is only noting that many of the procedures simply rely on only one administrative employee in meeting these requirements due to the size of the agency.
Slide 24: (Section Break) Examples of Individual Financial Policies and Procedures
The next section provides a list of potential policies and procedures that a PHA may consider necessary based on an identification of risks. Also, this section will take three potential risk areas and demonstrate how the identified risk is translated into policy and procedures.
Slide 25: Financial Policies and Procedures
Financial policies and procedures direct how a housing authority will use and manage its money. To standardize the PHA’s financial management process, PHAs establish a set of policies and procedures from which to manage. The goal is to have a complete set of financial policies and procedures for each important risk item noted.
The policies and procedures provide documented financial controls within the housing authority that help ensure accuracy, timeliness, and completeness of financial data by:
• Helping to bring order and cohesiveness to the housing authority (everyone knows what is expected);
• Preventing or reducing fraud and theft within the housing authority;
• Providing a system of checks and balances;
• Keeping financial and management information organized; and
• Helping the housing authority reduce errors.
These same policies and procedures also have the following additional benefits:
• Demonstrating to HUD the policy and procedures used at the PHA, if needed;
• Serving as training materials for future staff; and
• Helping alleviate any internal controls findings that could be issued by the auditor.
Because every PHA is different, there is no single set of policies and procedures that will meet the needs of every PHA. Each PHA will need to tailor the individual policies to meet their needs and risks.
Most housing authorities should have between 20 to 30 financial policies, depending on how the policies are grouped.
Slide 26: Financial Management Policies & Procedures (Continued)
There are several areas that typically should have a set of policies and procedures depending upon the size and complexity of your PHA. Here we provide a general list of fundamental areas to be covered by policies and procedures. Some PHAs may have the need for additional policies, while some of these areas will not pertain to your PHA.
Slide 27: Policy Development
HUD understands that the development and drafting of an overall set of financial management policies is time-consuming and can be a daunting task. Therefore, HUD is providing a set of the sample policies as shown on the previous slide. The goal is to provide various examples of these financial procedures in a Microsoft Office Word file format to allow for individual tailoring. Several of these sample policies are developed with different scenarios to take into consideration common differences between PHAs. For example, three different policy and procedure scenarios for maintenance inventory are provided by HUD based on the size of PHA and the PHA’s software accounting system (common differences for this control item). The goal of securing the inventory and verifying the accuracy of financial reporting for maintenance materials is the same for all PHAs. How a PHA accomplishes the goal is different. Therefore, a PHA’s design of the internal control system for achieving this goal will be different.
In this case, HUD provides three different variations for a policy and procedure for maintenance inventory:
1. Small PHA with a Manual System – Provides a policy and procedure for a small PHA that does not track inventory using a software system;
2. Large PHA with a Manual System – Provides a policy and procedure for a large PHA that does not track inventory using a software system; and
3. Large PHA with a Software System – Provides a policy and procedure for a large PHA with a software system that tracks maintenance inventory in real-time.
Again, HUD provides different sample policies and procedures drafted with some variations. While not every variation between PHAs can be accounted for, the goal is to provide for some key fundamental differences. The PHA will have the ability to copy sections from each of the different examples to develop a specific policy for their individual PHA.
Slide 28: Key PHA Differences in Policy Development
Besides size of the PHA, when discussing or developing individual PHA’s policies and procedures, basic differences between functions also include the following:
• Use of different software systems;
• Implementation of the asset management model;
• Use of a fee accountant or in-house finance office; and
• Cost allocation models.
These basic differences will impact the design of the internal control system for specific areas of risk.
Slide 29: Example 1. Bank Reconciliation Policy
For example, the bank reconciliation policy will be different for PHAs that use a fee accountant and PHAs that maintain their own in-house accounting department. The risk factors may be the same, such as:
• Late financial reporting, or
• Missing bank transactions in the financial statement, etc.
However, the procedures will be slightly different. An example of a key control procedure that should be addressed in the policy includes:
• A timeline for preparation of bank reconciliations,
• Process for reviewing reconciliations; and
• The prescribed software system to be used.
Slide 30: Example 1. Bank Reconciliation Policy (Continued)
To comply with the required internal control procedures, risk factors are first noted. Once the risk factors are identified, the PHA will need to determine what type of procedures need to be implemented to curtail the noted risk and whether the policy and procedures require preventive type controls, detective type controls, or a combination of both.
In this example, preventive controls could require:
• Bank accounts to be reconciled by the 15th of the following month;
• The bank reconciliation to be signed and dated to certify that the reconciliation matches the general ledger and is free of discrepancies;
• The Executive Director to sign and date the bank reconciliation to identify that a review was completed; and
• The bank reconciliations to be made available to the board members or finance committee members.
Detective controls could require:
• Having an audit conducted on an annual basis; and
• Discussing with fee accountant any issues or concerns related to bank reconciliations.
There is no definitive answer; management must establish a list of controls that they believe will cover the identified risk areas. The development of these procedures is the responsibility of management.
Slide 31: Example 2. Budgeting Policy
As another example, a budget policy has been developed. Again, we first start with noting the risk factors associated with the operating budget. There are two basic types of PHAs noted in this topic, small and large PHAs. Both PHA types have a set of common issues related to the budget, an established timeline, a process of monitoring actual performance compared to the budget, and the responsibilities of the individuals in preparing the budget.
From this point, differences between the two types of PHAs become apparent. For a larger PHA, several program/project managers are required to submit budgets for their individual projects or programs. These budgets are then rolled up into a larger PHA-wide budget.
Slide 32: Example 2. Budgeting Policy (Continued)
A set of risk factors is noted for smaller PHAs here along with potential controls, both preventive and detective. Again, the controls selected by management will need to be incorporated into the budget policy.
Risk factors could include:
• Lack of management input (i.e., the finance officer or fee accountant drives the budget process);
• Budgets are not used as a forecasting tool to prevent funding shortages;
• Budgets are prepared late; and
• Budgets are not used throughout the fiscal year for monitoring.
Preventive controls to alleviate the risk could require:
• The Executive Director to have significant input into the preparation of the budget including an assessment of the financial condition and impact of the budget for all programs;
• The Board of Commissioners have established and documented agency goals; and
• A budget preparation timeline to be established.
Detective controls to alleviate the risk could require:
• The annual auditor to verify that controls are followed; and
• A requirement that the Executive Director provide an explanation of significant budget variances noted in the financial statements to the Board of Commissioners.
Slide 33: Example 2. Budgeting Policy (Continued)
The set of risk factors and controls here are developed for larger PHAs. These risk factors and controls will normally differ slightly from the previous scenario developed for smaller PHAs. This example illustrates the fact that risk and controls will be different for different PHAs and a PHA cannot simply copy another PHA’s policy and procedures.
• Lack of management input, meaning the finance officer or fee accountant drives the budget process;
• Budgets are not used as a forecasting tool to prevent funding shortages;
• Budgets are prepared late; and
• Budgets are not used throughout the fiscal year for monitoring.
Preventive controls to alleviate the risk could require:
• That project and program managers have significant input into the preparation of the budget including the assessment of the financial condition and impact of the budget on their program area (not the Executive Director);
• The Executive Director, program managers and Board of Commissioners have established and documented goals; and
• A budget preparation timeline to be established.
Detective controls to alleviate the risk could require:
• The use of the annual auditor or possible internal auditor to verify that controls are followed; and
• A requirement that the Executive Director and program managers provide an explanation of significant budget variances noted in the financial statements to the Board of Commissioners.
PHAs may use key risks and controls from both sample policies to tailor the policy to meet their individual PHA needs. The goal is to provide PHAs a starting point in the development of these policies.
Slide 34: Example 3. Board Reporting
This final example discusses the board reporting policy. The board reporting requirements are identical for both small and large PHAs. The board reporting policy will need to be revised to meet the individual State requirements.
Again, the first step is to identify risks. In this example, two risks have been identified:
• Board members are not provided key information to fulfill their oversight responsibilities; and
• Board package and minutes are not properly archived.
The key control procedures to help alleviate the risk are:
• The Board should meet at regular intervals consistent with state law, with the best practice being monthly;
• An established list and schedule of required reports and information to be included in the board packet; and
• Monthly financial statements, including budget to actuals, and monitoring reports should be part of the Board packet.
Slide 35: Example 3. Board Reporting (Continued)
Now that general risks and controls have been decided, more detailed key risks can be determined. In this example key risk items related to board reporting have been determined to be:
• The board is not fulfilling its oversight role (i.e., not meeting on a timely basis);
• The Board is not provided with timely reports and information needed to properly fulfill its oversight and monitoring duties;
• Board meeting agenda is not included in the Board Package resulting in the Board delaying action or approval (Note: not using an agenda is typically a violation of state law); and
• The PHA is not maintaining accurate minutes of Board meetings and not archiving the Board package and minutes.
Preventive controls to alleviate the risk could require:
• The establishment of a schedule of Board meetings that is compliant with state bylaws;
• The preparation of monthly financial statements, other monitoring reports and information five days in advance of the meeting, allowing for adequate review time of the reports by the agency. The Executive Director will review the package to make sure all required reports and information are contained in the Board package;
• The requirement that the reporting package is provided to the Board at least three days prior to the meeting;
• That the Executive Director will ensure that the Board package is provided to all Board members at the scheduled time; and
• That the Executive Director review the board meeting minutes and ensure that the Board package and minutes are archived.
Detective controls could include:
• The requirement that the annual auditor will review a sample of Board meeting materials and meeting minutes against the PHA policy and procedures for board reporting.
The previous three example policies and controls are designed as a general guide and do not represent all absolute risks, controls, etc. PHAs also need to keep in mind that there can always be additional requirements imposed by state and other local governing bodies.
Slide 36: Development of Financial Management Policies
The development and drafting of an overall set of financial management policies can be quite daunting and time consuming. However, the future long-term benefits outweigh the initial effort. Remember, OMB requires all non-federal entities (including PHAs) to maintain an internal control system that meets the requirements previously discussed.
So how should a PHA get started? First, prepare a reasonable schedule to develop the procedures. Perhaps start with one or two a month. Next, identify the high-risk items that may need to be addressed immediately.
During the development stage, meet with key employees and board members to discuss the procedures. Through open dialogue, they may be able to provide helpful suggestions for the procedures. Make sure employees understand the purpose and importance of establishing financial procedures. Stress the point that the process is not designed to simply add additional responsibilities to the employees. Use this as an opportunity to streamline the current procedures with their input.
After approval, discuss the policies with the employees. Verify that all employees understand the procedures through training. Consider having employees sign a form accepting and understanding the policies. Remember the previous example of the PHA implementing a checklist for rent calculations. Procedures, especially new ones, must be monitored by management to verify that they have been implemented and that they are operating efficiently and effectively.
If the procedures do not bring the expected result, change them. In many cases, the policy may need to be slightly adjusted. Follow through with perhaps a meeting with the employees to determine how the new procedures are working.
And finally, use the policy! In so many cases, a PHA may draft a beautiful set of bound policies and procedures only to find out that they were never implemented or used.
Slide 37: (Section Break) Internal Controls: Other Items to Consider
This section focuses on some additional items to consider in the development of a PHA’s internal control system.
Slide 38: Use of a Fee Accountant
Smaller PHAs will often use a fee accountant for much of their financial operations. Standard fee accounting services include the following:
• Maintaining accounting records;
• Processing and submitting the Financial Data Schedule (FDS);
• Reconciling bank accounts; and
• Preparing the operating budget.
Slide 39: Use of a Fee Accountant (Continued)
While the services of the fee accountant as noted in the previous slide are highly valued, PHAs and Board members must understand the limitations of the actual services provided. Fee accounting services typically concentrate on maintaining accounting records and preparing the financial statements based on information provided by the PHA. The fee accountant is not acting in a capacity of an auditor or fraud examiner.
Several board members are under the erroneous assumption that the contracting of a fee accountant provides assurance that fraud issues or budget issues will be detected and reported.
• Typically, fee accountants are not reviewing items for fraud;
• In many cases, fee accountants do not review the invoices and therefore are not looking for ineligible costs;
• With the ability to import transactions, many fee accountants do not receive copies of the checks much less the accompanying invoices;
• Fee accountants are not responsible for the timely obligating and expending of CFP grants; and
• In addition, fee accountants do not typically discuss the financial concerns of the PHA with the Board of Commissioners.
Slide 40: Establish an Annual Management Plan
To aid small PHAs, the establishment of an annual management plan is a tool that strengthens the internal control structure. The management plan not only aids the PHA in planning its work but can be used by the Board of Commissioners to verify that major items are accomplished within the required time period. The annual management plan is merely a calendar listing items required during the year that can be monitored. The plan can be used to determine that CFP contracting is conducted, tax returns are filed, and financial audits are conducted on time, just to name a few items.
The annual management plan can be adapted to add additional items for the PHA to implement during the fiscal year. For example, the Board of Commissioners may request an annual salary survey to be conducted during the next fiscal year before the start of the budget process. The plan provides a roadmap of issues and requirements for the PHA to follow.
Slide 41: Abbreviated Management Plan Example
This slide provides an example of an abbreviated plan that can be prepared and presented before the start of the fiscal year. The plan can be updated periodically as new items are required or were not thought about previously. Items can be deleted if no longer valid. Within a year, the PHA will have a usable tool that can also be monitored by the Board of Commissioners.
Slide 42: End of Module
Learning Activity 3 & 4: Effective Internal Controls
Slide 43: (Title Slide) Learning Activity 3 & 4: Effective Internal Controls
Welcome to the Public Housing Authority Financial Management Training. The purpose of this learning activity is to help you identify financial and management risk areas at a public housing project for the Anywhere Housing Authority and then develop appropriate policy and procedures that limit the risk. As you work through the learning activity, think about your PHA, its performance and risk areas and the policies and procedures that your PHA has in place to improve and monitor performance and mitigate risk.
Slide 44: Learning Activity 3 & 4: Effective Internal Controls - Background
In this learning activity, you continue your role of a new Board Commissioner for the Anywhere Housing Authority. Based on your first impressions and information provided as part of your first Board meeting, there seem to be some financial and/or management issues surrounding East Farm Road Apartments, one of the public housing projects.
You think that some of the issues are related to outdated or nonexistent internal control policies which are compromising the operations of the PHA, especially at East Farm Road Apartments. As part of your monitoring and governance duties, you are looking to improve the PHA by helping to perform a risk assessment of East Farm Road Apartments with other Board members, and reviewing and developing some key policies.
Slide 45: Learning Activity 3 & 4: Effective Internal Controls - Instructions
Question 1 of Learning Activity 3 assumes that you have completed Learning Activity 1 and 2, which introduce the Anywhere Housing Authority and East Farm Road Apartments and provide financial statements and basic performance metrics.
If you have not yet completed Learning Activity 1 and 2, it is suggested that you complete them prior to starting this learning activity. If it has been a while since you completed Learning Activity 1 and 2 or you do not have time to complete them, please review the two learning activities before proceeding with question 1 in Learning Activity 3. Note - Only question 1 of Learning Activity 3 is dependent on the prior completion / knowledge of Learning Activity 1 and 2.
• Learning Activity 1: Identification of Risk can be found at the training website associated with Module 2.
• Learning Activity 2: Identifying Financial and Management Concerns can be found at the training website associated with Module 3.
Slide 46: Learning Activity 3 & 4: Effective Internal Controls – Instructions (continued)
When you are ready to complete the learning activities, download and print – Learning Activity 3 & 4: Effective Internal Controls that can be found at the training website. These learning activities are designed to assist you in the process of establishing an internal control system for a PHA. There are two learning activities presented in this module:
• Learning Activity 3, starts on page 2 of the document, and has you identify risk and then develop policies to mitigate that risk.
• Learning Activity 4, starts on page 6 of the document, and has you review and update already existing PHA policies.
Slide 47: Learning Activity 3: Effective Internal Controls – Question 1 and 2
Question 1 of Learning Activity 3 has you perform a risk assessment of East Farm Road Apartments. Based on your knowledge of East Farm Road Apartments from the information provided in Learning Activity 1 and 2, you are asked to list any items or areas of risk or concern.
Question 2 then leads you to the next step in the development of internal controls. Now that you have determined “high risk” areas from question 1, you will be asked to list key control procedures related to three identified “high risk” areas. Determining control procedures is one of the first steps in creating a policy and associated procedures. For example, a key control procedure for a credit card policy would be to establish a spending limit.
Slide 48: Learning Activity 3: Effective Internal Controls – Question 3
Question 3 of Learning Activity 3 requires that you finalize a policy, in this case Anywhere Housing Authority’s credit card policy. For this question, a mostly completed credit card policy is provided. You are asked to read the credit card policy and complete / fill in the blank areas of the credit card policy which have not been finalized.
Slide 49: Learning Activity 4: Effective Internal Controls
Learning Activity #4 asks you to review two PHA policies which the Executive Director has submitted to the board for approval:
• Policy 1 – Purchase and Use of PHA Vehicles; and
• Policy 2 – Financial Control and Analysis Policy.
You are asked to review the two policies and list any questions, comments, or concerns that you have for each policy. When you are finished answering the questions, return to the video for the answers and explanations.
Slide 50: End of Learning Activity 3 & 4
Learning Activity 3 & 4: Solutions to Effective Internal Controls
Slide 51: (Title Slide) Learning Activity 3 & 4: Solutions to Effective Internal Controls
Let’s talk about the solutions to Learning Activities 3 & 4 – Effective Internal Controls.
Slide 52: Goal of Learning Activity 3 & 4
The goal of these learning activities is to demonstrate the process for developing an internal control system from assessing risk items, to making a list of key components associated with a policy, to the development of a policy. Learning activity #3 is taken from the general background information of the Anywhere Housing Authority, specifically the East Farm Road Apartments.
Learning Activity #3 illustrates a methodology for developing internal controls that would be in compliance with OMB requirements.
Learning activity #4 is intended to increase your skill in reviewing the existing policies of a PHA.
Slide 53: General Solution
The solutions provided in the next slides can also be found on pages 10 through 15 of the Learning Activity document.
The answers presented are not the only answers to these exercises and different responses by other participants are common. There may be differences in opinion on the items to include in the different policies.
Slide 54: Learning Activity 3 - Solution to Question 1
Learning Activity #3 - Question 1 states: As a Board member that has an understanding of the control environment, identify the risk items associated with East Farm Road Apartments and list them in the table below.
Based on the information provided, there are several risk items. The risk items we noted as part of the solution do not represent an absolute number of items. You may have answered the question with different concerns or possibly more items.
1. Unauthorized Maintenance Purchases and Possible Improper Use of Maintenance Inventory. As noted in the financial statements, significant budget overruns occurred in maintenance materials. It was also noted that controls were probably not as tight as they should be related to the purchasing and receiving of maintenance items at East Farm Road Apartments.
2. Improper Use of Credit Cards. It was noted that the credit card limit was extremely high for a property manager. It was also noted that there was no guidance as to the type of items that could be purchased with the credit card.
3. Lack of Safeguarding of Tools and Equipment. It was noted that equipment and maintenance materials were not organized or secured at East Farm Road Apartments.
4. Payment of Rent in Cash and Use of Manual Receipts. With the acceptance of cash, risk is heightened. Accompanied with the use of manual receipts, the risk of potential fraud is high.
5. High Purchase Authorization Limits. The purchasing level for the property manager is $20,000. This limit without review is very high. An amount more consistent with industry norms and a historic review of previous purchases should be established.
6. Vacant Units Are Not Turned in an Acceptable Timeframe. Vacant units are currently not turned within an acceptable time frame. In addition, there appears to be no plan to address the 6 long term vacancies. Vacant units impact not only the occupancy rates, but the financial condition of the project in the loss of dwelling rent and potential Operating Fund amounts. As part of a monitoring effort, the cause for the delays should be investigated.
7. Equipment and Other Materials May Be Disposed of Improperly. At East Farm Road Apartments, the procedures related to the disposition of materials and equipment may not be understood or followed. This along with the safeguarding of equipment noted in item #3 impacts the safeguarding of assets.
8. Financial Monitoring Not Properly Conducted. Numerous budget overruns in maintenance materials and other line items are reported in the financial statements. These overruns are a result of a failure to adhere to the approved operating budget.
9. Improper or Lack of a Budget Policy. Similar to Item #8, the monitoring of the budget is lacking. This could signify a lack of attention to detail in the preparation of a realistic operating budget.
10. Inadequate Oversight of East Farm Road Apartments. With limited contact with the property manager of East Farm Road Apartments, the monitoring efforts seem to be lacking. Several key performance indicators are decreasing without notice or attention provided from senior management.
Slide 55: Learning Activity 3 - Solution to Question 2a
Learning Activity 3 - Question 2a asks you to develop key control procedures that should be addressed and included in the credit card policy.
These items should all be addressed in a credit card policy:
1. The authorized users of the credit card;
2. Permitted use of credit cards, including disciplinary actions for mis-use;
3. Credit card limits;
4. Limitation on the type of credit cards (prohibition of cards accumulating points/incentives/etc.);
5. Documentation of the purchases/return of goods and purchases;
6. Reconciliation of purchased items to approved purchase orders; and
7. Notification of lost or stolen credit cards.
Slide 56: Learning Activity 3 - Solution to Question 2b
Learning Activity 3 - Question 2b asks you to develop key control procedures that should be addressed and included in the maintenance inventory policy.
These items represent fundamental areas that should be addressed in a maintenance inventory policy:
1. Specified level/quantity of inventory of materials on-hand;
2. Approval of purchases;
3. Security of inventory;
4. List of materials used in work orders;
5. Monitoring and inspection of inventory;
6. Annual inventory count; and
7. Accounting for materials and year-end closing.
Slide 57: Learning Activity 3 - Solution to Question 2c
Learning Activity 3 - Question 2c asks you to develop key control procedures that should be addressed and included in the disposition of equipment policy.
Once again, these items represent the basic items that need to be included in the policy for disposition of equipment:
1. Authorization/approval to dispose;
2. Listing/documentation of items to be disposed;
3. Disposal methods (formal advertising, auction style, etc.);
4. Disposal of hazardous materials;
5. Disposition/disposal if there is no buyer;
6. Use of disposal income;
7. Prohibition of sale/disposal to PHA staff (conflict of interest); and
8. Documentation of sale and update of accounting records.
Slide 58: Learning Activity 3 - Solution to Question 3
Learning Activity 3 - Question 3 asked you to create the policy / procedures for AHA for those items that were blank in the example credit card policy.
Question #3 was intended to provide insight into the development of the actual policy. As previously noted, all PHAs are different and therefore have different risk factors that must be addressed. Through the risk assessment process, the use of the credit card was determined to be a risk to the PHA. Upon discussing the risk, key items were noted that should be addressed in the drafting of a credit card policy.
With the development of the policy, key management decisions must be made. The first point is whether the credit card should be available for personal use. The answer key notes that personal use of the PHA credit card is strictly prohibited. This is not only an internal control issue but may represent a compliance issue related to ineligible costs.
The next point requiring a decision relates to the establishment of adequate but reasonable credit card limits. The answer key listed an overall PHA limit of $8,000 with individual limits of $5,000 for the Executive Director and $1,500 per property manager. There is no definitive answer for this point and your limits may be different.
Slide 59: Learning Activity 3 - Solution to Question 3 (continued)
The next point to be addressed is to determine the positions at the PHA that will be authorized credit card holders. The answer key noted the Executive Director and Property Managers. However, you may have added the HCV Program Manager.
The final point that must be addressed is to determine what items cannot be purchased with the credit card. The answer key lists office equipment, maintenance tools, and equipment over $250, and any personal item. Conversely, the policy could provide a list of items that are permitted to be purchased with a credit card.
Slide 60: Solution to Learning Activity 4 – Policy 1
In many cases, policies are vaguely and poorly written in such a manner that recognized procedures cannot be established. In certain cases, policies are worded in a way to favor a few employees. The following two policies (Policy 1 - Purchase and Use of PHA Vehicles, and Policy 2 - Financial Control and Analysis Policy) are actual examples of approved policies from PHAs.
In Learning Activity #4, the ED has provided two policies that have been taken to the Board of Commissioners for approval. As a board member, you are asked to approve, modify, or reject the policy. What questions or concerns would you require to be answered by the Executive Director?
Policy 1 – Purchase and Use of PHA Vehicles
Answer – First, the PHA’s need for and use of federal funding for a vehicle for the Executive Director is questionable. The proceeds from the sale of the vehicle and cost savings for the maintaining of the vehicle could be used for other pressing issues at the PHA (e.g., perhaps used to address vacant units).
Needed changes to the policy would include the following items:
1. The Internal Revenue Service determines the regulations regarding the taxable benefit of using company vehicles for commuting. Commuting is a taxable benefit to be included on the W-2 form. A policy, even if approved by the Board of Commissioners, does not override federal regulation.
2. There should be a requirement that a mileage log be maintained for each PHA vehicle. The mileage log should provide odometer readings along with the purpose of each trip. In addition, the mileage log should be signed by a supervisor or a board member in the case of the Executive Director on a monthly basis.
3. A section should be added to the policy noting that at no time should the PHA vehicle be used for personal purposes.
4. A section should be added requiring that the vehicle must be operated in a safe and reasonable manner.
5. A section should be added noting that only authorized staff, who hold a valid driver’s license, can operate the vehicle (no contractors or family members are permitted to operate the vehicle).
6. A section should be added requiring that any accident must be promptly reported within 24 hours to the Executive Director.
Another item to consider is the current policy statement which requires that a PHA vehicle be taken to the employee’s residence. The policy was approved years ago; it should be re-confirmed that security is still an issue at the properties.
Basically, this policy appears to be unreasonable for the operation of the PHA. One of the steps in creating a policy is to list the key items that must be included in the policy. It appears that a list of required items to be included in the policy was not provided or addressed.
The policy is to protect the PHA by safeguarding the assets and managing the programs in an efficient and effective manner. It is questionable as to whether this goal is met based on a review of the policy.
Slide 61: Solution to Learning Activity 4 – Policy 2
Policy 2 – Financial Control and Analysis Policy
Answer – First, this policy is too vague and general. It appears that little thought or attention has been put into the development of the policy. Details as to the processes used by the PHA are not included. There are several concerns, and the probable outcome is to require a substantial revision to the policy.
The policy is drafted as a single document. Most financial policies will be detailed separately, outlining these functions as separate policies. The policy lacks detail, and policies for items such as disbursements, bank reconciliations, accounts payable processing, and revenue and expenditure cycles are not included. Needed changes to the policy would include the following items:
1. Financial statements from the fee accountant should also be reviewed by the Board of Commissioners.
2. The norm is that financial statements are prepared on a monthly basis, not quarterly.
3. The financial reports provided to the Board of Commissioners should include a balance sheet, statement of revenue and expenses with budget comparison, and a bank reconciliation.
4. The terms audit and review appear to be used interchangeably but are two different items. A review is less in scope than an actual audit. An annual audit should be included as it serves as a control for the board. Additionally, the shared cost of the audit to the Low Rent Housing Program is paid for by HUD as an add-on to the next year’s Operating Fund calculation.
Additional items to consider would include the following items:
1. Establish a procedure for the fee accountant to attend a board meeting to answer questions or concerns. If cost prohibitive, require a member of the board of commissioners to call the fee accountant. This procedure will provide valuable insight to the financial condition of the PHA.
2. Establish a procedure that the chairman of the board will attend the exit conference with the auditor on an annual basis.
Both the fee accountant and auditor are valuable outside resources other than the Executive Director that can provide the Board with important information on the PHA operations, financial condition, and compliance with federal and state regulations.
Slide 62: End of Learning Activities 3 & 4 Solutions