Presented by:Nonprofit Program Office

VHA Office of Research and Development

Over the last seven years, from 2005 through 2012:

Governmental revenues (NIH, DoD, etc.) are up by………………………………………………………………. + 54%

Non-governmental revenues (CRADAs, private grants, & other) are down by……………………… - 28%

Total revenues are $263,000,000 for 2012 and are up by a net of…………………………………………… +16%

2

NPPO Reports To:Nonprofit Program Oversight Board (NPOB)

VHA CFO and CFO’s audit staff

Office of Research and Development

Occasionally as required, to the Secretary

3

What NPPO does

Performs audits and reviewsPrepares Annual Report to CongressFollow-ups on NPC audit action itemsConsults with and gives advice to NPCsProvides training and educationDrafts VHA Handbook 1200.17

4

Why audits and reviews?OIG Report No. 07-00564-121 dated May 5, 2008Recommendation No. 4

“We recommended that the Under Secretary for Health develop and implement oversight procedures to perform substantive reviews of NPC financial and management controls to ensure NPCs fully comply with Federal laws, VHA policies, and control standards.”

5

NPPO Audits and ReviewsRoutine reviews of the NPCs are done in triennial cyclesFirst triennial cycle was F2011 through F2013A Review Report is written for each reviewRecommendations and suggestions are madeThe first triennial cycle resulted in 585 recommendations and 219 suggestionsObjectives of the triennial reviews are to improve operations and improve internal controls

6

Definition of Internal Control

“Internal control is a process effected by an entity’s Board of Directors, management and other personnel designed to provide reasonable assurance regarding the achievement of the entity’s objectives.”

7

1. Effectiveness and efficiency of operations (including risk assessment and the need to monitor risk)

2. Reliability of financial reporting

3. Compliance with applicable laws and regulations

Objectives of Internal Control

8

Safeguarding of Assets

Is a subset of each of the 3 objectivesInternal control should provide assurance that assets are safeguarded from:

• Ineffective or inefficient use

•Unauthorized acquisition, use, disposal, or theft (fraud)

• Illegal use

9

Who sets the IC standards?Committee of Sponsoring Organizations of the

Treadway Commission (COSO)

Developed Internal Control – Integrated Framework in 1992 (COSO Framework)

Since then the COSO Framework has been universally adopted, both in Government and the Private Sector

10

The Federal Government & COSOFederal Managers Financial Integrity Act of 1982

Empowered Office of Management and Budget (OMB) to set IC standards for the Executive Branch

OMB published Circular A-123, Management’s Responsibility for Internal Control

Circular A-123 requires the COSO Framework for the U.S. Government’s Executive Branch

11

Components of Internal Control1. Control environment

2. Risk assessment

3. Control activities

4. Information and communication

5. Monitoring

12

1. Control Environment

• Integrity and ethical values of management, i.e., the

“Tone at the Top”• Commitment to competence and training• Board oversight and interaction with auditors• Management philosophy regarding risk• Supportive attitude toward internal controls• Organizational structure• Assignment of authority and responsibility• Human resource policies• Documentation of policies and procedures

13

2. Risk Assessment• Organization’s identification and analysis of relevant risks in relation to the achievement of objectives,

such as:

• Vulnerability of assets, risk of loss• Changes in regulatory environment• New personnel• New systems or technology• Rapid growth or downsizing• New programs, grants, and services• New types of transactions• Changes in the economy, interest rates, etc.

14

4. Information and communication Methods and records used to record, process,

summarize, and report transactions and to maintain accountability over assets, liabilities, and net assets:

• Communication of employee duties and responsibilities

• Accounting records• Accounting processes• Financial and budget reporting process• Disaster recovery

15

5. Monitoring• Ensure that internal control continues to

operate effectively over time

• Identify deficiencies before they materially affect the achievement of the organization’s objectives

• Assess the quality of internal control performance over time, including taking corrective action using:

• Internal audit (NPPO and your own) • External audit• Special assessments of internal controls• Input from employees• Input from third parties, such as, donors,

grantors, vendors, etc.

16

CONTROL ENVIRONMENT

RISK ASSESSMENT

CONTROL ACTIVITIES

MONITORING

THE FIVE INTERRELATED COMPONENTS OF INTERNAL CONTROL

INFORMATION AND COMMUNICATION

17

Application of Internal Controls• Each of the five inter-related components have

application to each of the three objectives of internal control:

• Operations• Financial reporting• Compliance with laws and regulations

• Each of the five components may apply on an organization-wide basis or may differ by:

• Location• Function• Department, division, unit, or program

18

Deficiencies in Internal Control

• Deficiency in the design of internal control

• Deficiency in the application of internal control (A subset of this may be deficiencies in the documentation of internal controls)

• Intentional over-ride of internal control

19

Four Types of Internal Controls• Preventive controls

• Designed to prevent errors, inefficiencies, noncompliance, or illegal acts from being committed before the fact, such as, by requiring two signatures on checks.

20

Four Types of Internal Controls

•Detective controls•Designed to detect errors, frauds, inefficiencies, noncompliance, or illegal acts after the fact while allowing for corrective action in a timely manner, such as, monthly bank reconciliations or quarterly financial statement reviews.

21

Four Types of Internal Controls

• Directive controls• Proactive controls that cause or encourage a

desirable event to occur, such as, incentive programs, training, and providing written policies and procedures.

22

Four Types of Internal Controls

• Mitigating or compensating controls• Controls that compensate for the lack of an expected

control and lessen the severity of a weakness in controls, such as, independent review of cancelled checks instead of having two check signers.

23

Segregation of Duties• Try to separate incompatible duties as much as

possible

• For example, if one person makes a mistake, another person is in a position to identify and correct the mistake.

• One important goal is to make it impossible for a single person to both commit and conceal a fraud

• For example, functions involved in the handling of funds should be separated from those involved in the recording of the funds transactions in the accounting records.

24

Segregation of Duties in Small NPCs• Segregate the most essential detective duties

• For example, have the Board or Audit Committee review the quarterly financial statements in detail.

• May need to involve an individual Board member

• For example, have the monthly bank statements mailed directly to a board member for his or her review prior to returning them to the bookkeeper.

25

Polices and ProceduresInternal controls should be documented in the form

of written policies and procedures. They should be made conveniently available

throughout the organization.

Model NPC policies are available from NPPO.

26

Policy

• A statement of an organization’s approach to a particular issue

• It is a guide or governing principle

• Rules that govern either:• the organization taken as a whole, or• individual departments or functions

27

Procedure• Each procedure should be linked to a policy

• Describes the detailed implementation of a policy: Who, What, When

• Describes the exact steps that are expected to be taken in order to properly implement and comply with the policy

• Procedures may also indentify the forms, if any, used in connection with a procedure and policy

28

Why do we need policies and procedures?

29

Purposes of Policies & Procedures• Facilitates training of staff

• New staff• Fill-ins while staff is away on vacation• Job rotation• Temporary workers

• Demonstrates commitment to sound internal controls

• Reduces organizational risk in the event of harm to third parties or noncompliance with laws, regulations, or grant provisions

30

Purposes of Policies & Procedures• Help us to get organized and to stay organized• Provide a clearer audit trail for purposes of audits,

investigations, etc.• Increase consistency• Decrease error rates• Simplify access to information• Facilitate replication and growth• Demonstrate conformity with IRS expectations and

VHA and other compliance requirements

31

12 Key Financial P&P for Every NPC 1. Control Environment (Code of ethics, conflict of

interest policy, importance of maintaining internal controls)

2. Financial Reporting (periodic financial statements compared to prior periods for the board at least quarterly, project reports to P.I.s at least quarterly)

3. Budgeting (budget approved in detail by the board and periodically compared to actual with explanations of major variances)

4. Cash Receipts (segregation of duties)5. Accounts Receivable (follow-up to collect)6. Purchasing/ Accounts Payable/ Cash Disbursements

32

12 Key Financial P&P for Every NPC Continued…..7. Human Resources and Payroll (including Employee

Handbook)8. Capital Assets (tangible assets useful for at least one

year)9. Computer Security (Controlled access and disaster

plan)10.Investments (U. S. securities or U.S. insured)11.Tax Compliance (Annual Form 990 and year-end

1099’s)12.Records Retention

Please note: In our on-site reviews, NPPO will look for all of these policies and procedures

33

Other Important NPC P&P

• Whistleblower Protection• Use of IPA assignments• Project residual funds disposition• Transfers-out of project funds• Hiring and supervision of related parties

Please note: In our on-site reviews, NPPO will look for all of these policies and procedures

34

P&P and the Control Environment• A strong control environment is established through

both policies and procedures and through behavior, that is, by maintaining the right “Tone at the Top” and ethical behavior throughout the organization

35

Test your Policies and Procedures and Your Internal Controls

•Use NPPO’s self-assessment questionnaire, available on NPPO Web-site at: http://www.research.va.gov/programs/nppo

•Consider having employees check and verify each others’ work periodically.

•Compare your policies with NPPO’s model policies

36

NPC AccountingMust be accurate and transparent, keeping all of the

following adequately informed:Board of directorsManagementPrincipal investigatorsExternal auditorsNPPOIRS

37

ManagementAccounting system should provide up-to-date

information regarding cash balances, other assets, and liabilities and be readily available for management purposes.

Must permit management to have current information regarding project account balances.

Should make it easy for management to determine that it is operating within budgeted amounts.

38

Principal InvestigatorsEach project must have an individual account.

Statements of each project account must be given to the PI’s at least quarterly, or better monthly.

Project accounts should never be allowed to become overdrawn.

Details of the amounts in project accounts should be made readily available to the PI’s if requested.

PI’s should understand that the funds belong to the NPC for the benefit of the PI’s conduct of the research.

39

External AuditorsWill usually require complete financial statements at

year-end, including footnotes, from the NPC.

Need reconciliations of detail amounts of assets and liabilities to the general ledger balances.

May need to confirm receivables and bank balances.

Will note and report upon internal control weaknesses and deficiencies.

Audit expense can be minimized by your doing as much of the audit work for the auditors as possible.

40

NPPOWe will need a completed NPC Annual Report in Excel

format emailed to us by June 1 for the prior year.

Also send us your audited financial statements, auditors’ management letter(s), Form 990 tax return, and signed certifications page by June 1.

Be prepared to explain what has been done to correct any internal control weaknesses, deficiencies, or auditor recommendations.

In on-site reviews, be able to provide all records and documents requested.

41

IRSBe aware that IRS has, in fact, audited one of our

NPCs and may want to audit others in the future.

File your Form 990 Annual Information Return with IRS on a timely basis.

Be sure you can show evidence that each member of the Board of Directors had an opportunity to review the Form 990 prior to filing.

Most of the NPCs have their external auditors or an outside accountant prepare the annual Form 990.

42

NPC Accounting SystemsMost of our NPCs use the QuickBooks accounting

system which has many advantages.

The accounting system should be kept on the VA IT system so that security and daily backups are assured.

Limit access to the accounting system to those who have a real need to use it.

43

Questions, Comments, Feedback?

44