32 Board Oversight Recommendations

Auditor of Public Accounts Recommendations for Public and Nonprofit Boards

The Auditor of Public Accounts, as a result of recent investigations, makes the following recommendations to assist public and nonprofit boards in designing and implementing internal controls. These recommendations should assist board members in providing appropriate financial oversight. The following is a brief summary of various financial policy areas that board members should consider. After each control area is considered, a policy should be developed to address the specific business model of the organization.

1. The board should have a well-defined, clear mission statement to serve as a platform for policies, operational plans, and resource allocations that further the interest of its organization’s members.

2. The board should facilitate the development of an annual orientation program and manual for new and returning board members to ensure an understanding of the board’s structure, operations, and their legal and fiduciary responsibilities. An explanation of the budget and accounting structure, as well as revenue and investment information should also be included. If possible, the orientation should be facilitated by a knowledgeable, independent party, such as a board attorney or consultant.

3. The board should ensure that its organizational structure maintains a flexibility that allows for multiple sources of information. The board should request reports from individuals having responsibility for various program areas rather than from just the chief executive.

4. The board meeting minutes should document the exact nature of the financial reviews conducted by the board. Any issues that result from these reviews and action taken to resolve the issues should also be documented.

5. For boards that fall under the open meetings law, sessions closed to the public should be entered into in accordance with KRS 61.810. Any conclusions or decisions reached during a session closed to the public must be documented in the board meeting minutes as stated in KRS 61.815, clarified in OAG 81-387.

6. The board should establish an independent process to receive, analyze, investigate, and resolve concerns related to the organization including anonymous concerns. Employees, business associates, customers, or the general public may have significant, beneficial information that they are uncomfortable reporting directly to the board. A toll-free complaint number or an advertised email and postal address for feedback would allow the transmission of this information. In addition, where applicable, the board’s policy should include a reference to Kentucky law (KRS 61.102) notifying employees, as defined in KRS 61.101, of their rights to protection against retaliation for reporting violations to certain authorities. A whistleblower policy should be adopted and distributed to employees. The policy should include reporting procedures and management’s responsibility to address issues reported.

7. An internal audit function could be used to ensure that board concerns are independently investigated. The individual designated to perform internal audits should be given the authority to investigate and examine any area designated by the board and the responsibility to report the audit’s findings directly to the board.

8. A board audit committee should appoint and compensate the audit firm and ensure the rotation of the lead audit partner and the audit partner reviewing the audit, as required by the Sarbanes-Oxley Act (SOX) for companies with publicly traded stock. The board should also consider whether rotating audit firms would be beneficial given the facts and circumstances of the organization. Further, if possible, the board audit committee should be comprised of at least one member who has an understanding of generally accepted accounting principles and financial statements, experience with internal controls and in preparing or auditing financial statements, and an understanding of audit committee functions, as suggested in Section 407 of SOX. In addition, reviews of internal controls should be conducted to ensure that controls are functioning as designed or needed. The review of internal controls could be conducted by an internal auditor, board designee, or included in the engagement of an auditing firm. Any concerns noted by the board should be disclosed to the auditor and included in the audit scope for review.

9. The board should adopt a code of ethics that includes standards of conduct for its board members, officers, and employees related to business conduct, integrity, and ethics. The policy should include the requirement to sign a form stating that the individuals have received and understand the code of ethics. The code should include statements regarding moral and ethical standards, confidentiality, conflicts of interest, nepotism, gifts, honoraria, and assistance with applicable audits and investigations. Violations of the code of ethics should be reported to the board or designated committee of the board.

10. The board should adopt a financial disclosure policy for board members and executive management. A policy should also be developed requiring board members and executive management to disclose any conflicts of interest. The disclosure form should be completed by a specified date and returned to the appropriate committee of the board.

11. The board should establish and approve a detailed, equitable personnel and compensation policy. The policy should include that the board or a designated board committee annually review the salary increases and bonus payments made to all staff. This review should be documented in the board meeting minutes.

12. The board should define and document all employee benefits in a fair and equitable manner. Benefits received that result in taxable income should be properly accounted for and accrued to each applicable employee. Employee benefits should also be reviewed to ensure they provide a reasonable business purpose. Also, membership fees to organizations or associations should provide a reasonable business benefit.

13. The board should approve the compensation package of the organization’s primary executive and be aware of the compensation provided to other Executive Staff. In determining the compensation for the primary executive, the board should consider the organization’s financial resources, current economic conditions, employee performance, and salary data for similar positions at relevant organizations within the region.

14. The board should ensure a well-defined employee evaluation system is implemented within the organization to consistently assess employee performance. The results of the employee’s evaluation should be used for employee advancement or salary adjustments.

15. The board should adopt policies to ensure all forms of employee leave are properly approved and accurately recorded.

16. The board should have sick and vacation leave policies that address the accrual, use, and the payment to employees for any unused sick, vacation, or compensatory time.

17. The board policy should include a transparent, competitive selection process for the procurement of goods and services. The policy should outline the circumstances under which quotes or competitive bids are required and the process to be followed. The board should have policies that require a formal contract for purchases over a specified amount and that all contracts over a specified dollar amount require board approval.

18. A review of budget to actual expenditures should be performed regularly by the board or a designated board committee to monitor costs in each account. The name and number of budget categories or line items should provide transparency and sufficient detail to allow board members to accurately identify the types of expenses being attributed to each category. If expenditures occur at an unexpected rate, additional detail should be requested to ensure that incurred expenditures are reasonable and necessary.

19. At least quarterly, the board or a designated board committee should receive and review a listing of payments that includes, at a minimum, the payee, dollar amount, and date of each expenditure. This review would assist in identifying inappropriate, unusual, or excessive expenditures.

20. Executive management traveling out of state should present their plans and estimated costs to the board for prior approval. The approval of these activities and associated costs should be addressed at the board meetings to ensure proper documentation in the minutes. Subsequent to attending approved conferences or activities, the amount expended should be reported to the board.

21. To minimize and control the cost of travel, a travel expense policy should be developed that specifically defines the allowable costs related to lodging, meals, entertainment, personal mileage reimbursement, rental cars, and airfare. The travel expense policy should state the invoice requirements for the reimbursement of certain expenditures such as taxi fees, tips, parking, or tolls. The policy should provide examples of expenditures that are to be paid for by the employee, such as costs incurred by family members or the attendance at events not approved by the board. This policy should explicitly state that expenses not in compliance with the travel expense policy would not be reimbursed or paid by the board.

22. In lieu of credit cards, the board should consider the following: The use of purchasing cards that would allow the board to restrict the types of purchases that can be made on the card based on industry codes. Casinos, specialty retail outlets, and food and beverage establishments are examples of these restrictions. The amount spent on a single purchase can also be restricted through the use of a purchasing card. Reimburse employees’ personal credit card charges when the use is necessary. Procedures and supporting documentation requirements should be developed to facilitate this type of reimbursement.

23. If the use of credit cards is needed, the board should implement the following oversight controls: A board member or committee of the board should be assigned to review, at a minimum, credit card statements of Executive Staff prior to payment. Credit card charges should be supported by detailed receipts, documented business purpose, and supervisory approval. The employee should be responsible for the timely payment of any unsupported credit card charges or disallowed expenses. Policies established by the board should ensure that all review procedures are performed in a timely manner to avoid late fees and finance charges.

24. Expenses classified as gifts or entertainment should be documented to include the name and title of the person(s) involved and a description of why the expense was needed and how it relates to business operations.

25. A policy related to reimbursements made by employees to the organization should be developed to ensure that any expenses that should be paid by an employee are monitored. This policy should include the timeframe allowed for making the reimbursement and the alternative actions that will be taken if reimbursement is not made.

26. Business expense reimbursements requested by executive management should be reviewed by the board or a designated board committee to ensure supporting documentation is provided. This documentation should be retained to ensure that duplicate payments are not made to the employee.

27. Specific marketing goals should be developed to monitor the success of any business promotions approved by the board. Marketing expenditures incurred should be coded to that goal so that board members will know the expenses involved in a specific marketing promotion. Further, documentation should be maintained detailing the recipients of promotional prizes including tickets, trips, or merchandise.

28. A board policy should be developed to address the authorization process to purchase vehicles and the method used to dispose of vehicles. The use and assignment of vehicles owned by the organization should be addressed within this policy. In addition, the practice of providing a vehicle should be reviewed and monthly vehicle allowances considered. The policy should include following the IRS guidelines for personal use of a vehicle.

29. The personal use of business equipment should be addressed within board policy to determine when such use is appropriate. The policy should require that equipment that is being used inappropriately or is missing be reported directly to the board.

30. The board should establish a policy detailing the process to report lost or missing financial information or records. To avoid lost or stolen financial information, electronic images of financial records should be created and retained, if possible.

31. A formal policy should be developed that identifies what equipment is a fixed asset and should be included as inventory. Once this designation has been made, the existing inventory listing should include the following identifying information related to each piece of equipment: The name of the individual in receipt of equipment; Description of equipment; Vendor name; Model number; Serial number; Acquisition date; and, Acquisition cost. Once the inventory listing has been validated, any acquisitions and dispositions of computer equipment that fall within the fixed asset policy should cause an appropriate update to the inventory listing.

32. An information system policy should be developed that explicitly defines a user’s responsibilities as they relate to information system resources and applications. These policies should cover, at a minimum: Securing of user ID and password; Protection against computer virus or malware infection; Legal notice at logon indicating system is to be used for authorized purposes only; Securing unattended workstations; and, Securing portable devices, such as laptops, Blackberries, cell phones, etc.