State Agencies Bulletins

Capital Assets - General Information

Capital Assets - Software

Compliance Supplement

Cybersecurity Incidents

CAPITAL ASSETS - GENERAL INFORMATION

Each agency must account for and report capital assets in accordance with the State of Indiana Policies and the State Board of Accounts (SBOA) uniform compliance guidelines.

The State of Indiana Capital Asset Policy is located on the Auditor of State website: https://www.in.gov/auditor/files/Capital-Asset-Policy-July-2009-Final.pdf

Accounting for capital assets is covered in Chapter 8 of the SBOA State Agency Accounting and Uniform Compliance Guidelines Manual: https://www.in.gov/sboa/files/CH08-Capital-Asset-Accounting.pdf

Internal Control considerations related to the purchase, safeguarding, and disposal of capital assets are covered in Chapter 2 of the SBOA State Agency Accounting and Uniform Compliance Guidelines Manual: https://www.in.gov/sboa/files/CH02-Internal-Control.pdf

CAPITAL ASSETS - SOFTWARE

State Agencies often design and develop software programs for use in their day-to-day operations to meet the needs of employees, customers, or other end-users. Once the development of the software program is completed and ready for use, the costs associated with the development should be aggregated and recorded as a single capital asset in the PeopleSoft Asset Management (AM) module. For financial statement reporting purposes, each of these completed assets is depreciable and should be reported at cost less the accumulated depreciation as of fiscal year end.

If a software program is still being developed and is not yet in use at fiscal year-end, the accumulated costs are to be reported as Software Work-in-Progress (SWIP), a component of the non-depreciable capital assets on the State’s balance sheet.

Statewide SWIP is manually compiled by the Auditor of State (AOS) compilation team based on data provided by the State Agencies developing the software programs. The AM module is not designed or utilized to track the accumulating costs for each software program being developed. Rather, personnel at each agency are responsible for tracking the SWIP costs outside of AM until project completion, when the completed asset is recorded in AM.

The AOS relies on each State Agency to provide accurate and complete data for each project under development. Each state agency should implement internal controls to ensure that amounts submitted to the AOS are accurate and complete.

COMPLIANCE SUPPLEMENT

The Code of Federal Regulations, 2 CFR Part 200 Subpart F, sets forth standards for obtaining consistency and uniformity among federal agencies for the audit of non-federal entities expending federal awards. Appendix XI is the Compliance Supplement for audits of fiscal years beginning after June 30, 2021. Auditors must consider the Supplement and the referenced laws, regulations, and OMB Circulars/Uniform Guidance in determining the compliance requirements subject to the audit that could have both a direct and material effect on the programs included. For the programs included, the Supplement provides a source of information for auditors to understand the federal program’s objectives, procedures, and compliance requirements subject to the audit as well as audit objectives and suggested audit procedures for determining compliance with these requirements. The Compliance Supplement is updated annually.

If you would like to review specific audit requirements related to your grants, you can view the Compliance Supplement at https://www.whitehouse.gov/wp-content/uploads/2022/05/2022-ComplianceSupplement_PDF_Rev_05.11.22.pdf

CYBERSECURITY INCIDENTS

IC 4-13.1-2-9 states:

“A state agency (as defined in IC 4-1-10-2), other than state educational institutions, and a political subdivision (as defined in IC 36-1-2-13) shall:

(1) report any cybersecurity incident using their best professional judgment to the office without unreasonable delay and not later than two (2) business days after discovery of the cybersecurity incident in a format prescribed by the chief information officer; and

(2) provide the office with the name and contact information of any individual who will act as the primary reporter of a cybersecurity incident described in subdivision (1) before September 1, 2021, and before September 1 of every year thereafter.

Nothing in this section shall be construed to require reporting that conflicts with federal privacy laws or is prohibited due to an ongoing law enforcement investigation.”

State agencies are required to report any cybersecurity incident, using their best professional judgement, to the Indiana Office of Technology (IOT) without unreasonable delay and not later than two business days after discovery of the cybersecurity incident.

A cybersecurity incident may consist of one or more of the following categories of attack vectors: (1) Ransomware, (2) Business email compromise, (3) Vulnerability Exploitation, (4) Zero-day exploitation, (5) Distributed denial of service, (6) Web site defacement, (7) Other sophisticated attacks as defined by the chief of information officer and that are posted on the officer’s Internet web site. (IC 4-13.1-1-1.5)

Cybersecurity incidents can be reported on IOT’s web site at the following webpage. https://www.in.gov/cybersecurity/report-a-cyber-crime/

Daily Deposit Law

Disaster Recovery

DAILY DEPOSIT LAW

Indiana Code (IC) 5-13-6-1(b) states in part: “all public funds collected by state officers . . . shall be deposited with the treasurer of state, or an approved depository selected by the treasurer of state, not later than the business day following the receipt of the funds . . . Deposits do not relieve any state officer from the duty of maintaining a cashbook under IC 5-13-5-1.”

IC 5-13-4-20 defines public funds as "all fees and funds of whatever kind or character coming into the possession of any public officer by virtue of that office."

IC 35-44.2-2 notes that failure to deposit public funds as required is a Class A misdemeanor. “However, the offense is a Level 6 felony if the amount involved is at least seven hundred fifty dollars ($750), and a Level 5 felony if the amount involved is at least fifty thousand dollars ($50,000).”

IC 5-13-6-1(f) states: “An office of: (1) the department of natural resources; or (2) the department of state revenue; that is detached from the main office of the department is not required to deposit funds on the business day following receipt if the funds on hand do not exceed five hundred dollars ($500). However, the office must deposit the funds on hand not later than the business day following the day that the funds exceed five hundred dollars ($500).”

IC 5-13-6-1(g) states: “The following are not required to deposit funds on the business day following receipt if the funds on hand do not exceed five hundred dollars ($500): (1) An office of the legislative branch of state government . . . However, the funds on hand must be deposited not later than the business day following the day that the funds exceed five hundred dollars ($500).”

DISASTER RECOVERY

A disaster recovery plan is a written plan that contains detailed instructions on how an entity will respond to incidents such as a natural disaster, cyber-attack, or other disrupting events. The plan will allow for continuity of service despite these events. This includes access to data as well as access to critical documents and resources. One of the key components for protecting data is adequate backup of the data.

A disaster recovery plan should include procedures for backing up financial data frequently, if not daily, and for storing those backups in a separate and secure location. Backups that are saved on the same server as the financial software will most likely be affected by the same malware as the main data, leaving the backup useless. Storing the backup in a secure location not connected to the main server is the safest option. A disaster recovery plan should also include procedures to test this data regularly to ensure that the backup system is working. Storage of back-ups may be on an isolated server, in the cloud or on a server maintained by software vendors. Being able to quickly restore access to the financial and other data of an entity will greatly aid the entity’s ability to continue to provide services. Additionally, all transactions that occur in an agency’s accounting system must be recorded and accessible upon request for audit purposes or a public records request.

The Indiana Office of Technology has many resources related to disaster recovery. For more information about requirements related to disaster recovery and the services IOT provides please see IOT’s disaster recovery webpage at https://www.in.gov/iot/security/disaster-recovery/.

Additionally, governmental entities should keep their anti-virus software up-to-date and apply security patches in a timely manner. Additional training for staff in recognizing and avoiding malware is beneficial in avoiding a disruption to services from a cyber-attack. The Indiana State Office of Technology provides training and has a website with a wealth of information about cybersecurity. Their cybersecurity webpage can be found at www.in.gov/cybersecurity/

Federal Grants - Sub-State Agency V. Subrecipients

FFATA Reporting

Filing of State Audit Reports

Fraud Awareness Training

Fraud Risk Management

Fraud Series - Part 1

Fraud Series - Part 2

FEDERAL GRANTS - SUB-STATE AGENCY V. SUBRECIPIENTS

The responsibilities of all parties are very similar when a primary agency provides federal funding to either a sub-state agency or subrecipient. The primary agency must have sufficient monitoring processes in both cases. However, especially from the federal perspective, there are significant differences that must be considered.

Federal money transferred from an agency to a sub-state agency is still wholly the responsibility of the State of Indiana. The Federal Government does not distinguish based on different agencies and does not provide specific requirements recognizing such a transfer. It is the expectation that the State has sufficient controls to ensure that all federal requirements are met regardless of which agency is performing the function. It is critical that all MOUs clearly detail responsibilities in such a way that there is no miscommunication as to what each agency’s duties are. The primary agency should not make any assumptions and clearly state expectations, such as which agency will be performing federal reporting and what these reports will be. The primary agency must develop and implement processes to monitor sub-state agency compliance. These processes will vary depending on the nature of the program and the primary agency’s risk assessment.

If the sub-state agency is responsible for the expenditure process of the federal funds transferred to them, the sub-state agency must ensure that the expenditures are identified properly so that the expenditures will be accurately included on the State’s grants schedule. This extends to ensuring that information is sufficient for any processing that may be done by centralized accounting.

Processes and related internal controls may have agency specific variances; consideration must always be given to the flow from one agency to another. There must be processes and controls developed to ensure the proper execution of all elements of the program between the agencies. These controls are no longer agency specific but interagency in nature. An important, relevant component of internal control is communication, and it is necessary to maintain documentation of communications.

Federal dollars are the responsibility of the State, it is incumbent on the State to exert appropriate controls and processes no matter which agency is responsible for certain segments of the federal program.

In contrast, for Federal money expended to a subrecipient, there are specific requirements by the Federal Government placed on both the grantor and grantee that are found in 2CFR200.

The State must make sure that the grantees are properly performing their agreed upon responsibilities.

Before entering into an agreement, the grantor agency must perform their due diligence to determine that the potential grantee is a viable entity. The agreement must be detailed and clear.

A monitoring process must be in place including a process that details the steps to determine when a subrecipient is noncompliant, when funds will be required to be returned, and how recoupment will take place.

FFATA REPORTING

The Federal Funding Accountability and Transparency Act (FFATA) requires the Office of Management and Budget (OMB) to maintain a single, searchable website that contains information on all Federal spending awards. That site is www.USAspending.gov.

The Code of Federal Regulations, 2 CFR Part 170, provides guidance to federal awarding agencies on the information to be reported. A federal awarding agency must include reporting requirements in each federal award to a recipient under which the total funding is anticipated to equal or exceed $30,000 in federal funding; the reporting requirements are in 2 CFR Part 170 Appendix A – Award Term.

FFATA prescribes specific pieces of information to be reported:

1. The following data about sub-awards

• a. Name of entity receiving award
• b. Amount of award
• c. Funding agency
• d. NAICS code for contracts / CFDA program number for grants
• e. Program source
• f. Award title descriptive of the purpose of the funding action
• g. Location of the entity (including congressional district)
• h. Place of performance (including congressional district)
• i. Unique identifier of the entity and its parent; and
• j. Total compensation and names of top five executives (same thresholds as for primes)

2. The Total Compensation and Names of the top five executives if:

• a. More than 80% of annual gross revenues from the Federal government, and those revenues are greater than $25M annually and
• b. Compensation information is not already available through reporting to the SEC.

Please be sure to check your award for the FFATA reporting requirement and file those reports through fsrs.gov.

FFATA REPORTING UPDATES

Per 2 CFR 170, recipients of federal awards are required to report awards equal to or exceeding $30,000. This information must be reported no later than the end of the month following the month in which the subaward was made.

FFATA report(s) must now be filed through SAM.gov. The subaward information can be filed manually or in bulk. In order to file, you need a SAM.gov account. IOT can then assist your agency with bulk filing through SAM.gov using GoAnywhere Services. If your agency has a GoAnywhere account, log in to your account and submit a request. If your agency does not have a GoAnywhere account, follow the instructions on IOT’s most recent Products and Services Catalog to request this service. You can also contact the IOT service owner listed in the catalog.

SBOA has developed a training video for state employees to better understand the FFATA Reporting Requirement and how to report in SAM.gov. You can find the video on our YouTube channel or by clicking here.

The General Services Administration has released a training video that explains how to enter data or use the bulk upload option.

IOT has created a guide that explains the two reporting options in more detail.

FILING OF STATE AUDIT REPORTS

The Federal Single Audit Report for the period July 1, 2020 through June 30, 2021 was filed on September 14, 2022 (Report Number B59787) and is available on our website at this link: https://www.in.gov/sboa/WebReports/B59787.pdf

The ACFR for the period July 1, 2020 through June 30, 2021 was filed on March 30, 2022 (Report Number 58951) and is available at this link: https://www.in.gov/sboa/WebReports/B58951.pdf

If your agency has findings to resolve, please feel free to contact our State Agency Advisory Services team for suggestions at stateagencyadvisory@sboa.in.gov

FRAUD AWARENESS TRAINING

Fraud awareness training is crucial for organizations of all sizes to assist in identifying, preventing, detecting, and reporting of potential fraud. Studies have shown that organizations that provide their employees with fraud awareness training experience fewer financial losses and have lower risks to their reputation than organizations without fraud training.

By educating employees about different types of fraud, and the red flags to look for, training programs can help mitigate risks and protect the State from financial exploitation and reputational damage. Additionally, during an audit, auditors are required to assess fraud risk. Any fraud awareness training provided to employees and any implemented fraud preventative programs would be considered in the evaluation of fraud risk by an auditor.

If your agency does not provide fraud awareness training, please consider sharing the short video we created below with your employees.

Fraud Awareness Training – Video Link

In the video references were made to the Association of Certified Fraud Examiner’s (ACFE) report on fraud. You can read more about their interesting study at the link below.

Occupation Fraud 2024: A Report to the Nations – ACFE Report Link

FRAUD RISK MANAGEMENT

The Committee on Sponsoring Organizations of the Treadway Commission (COSO) partnered with the Association of Certified Fraud Examiners (ACFE) to create the Fraud Risk Management Guide. The report is designed to aid organizations in effectively establishing a comprehensive fraud risk management program. It specifically identifies how they can:

• Establish fraud risk governance policies
• Perform fraud risk assessments
• Design and deploy fraud prevention and detection control activities
• Conduct fraud investigations
• Monitor and evaluate the effectiveness of the fraud risk management program

You can view an executive summary of the guide on the ACFE’s website.

SBOA will be providing fraud training to Internal Control Officers in December. If you are interested in the presentation slides, these will be posted on our website in the “Presentations and Training Materials” section.

FRAUD SERIES - PART 1

In the last bulletin we introduced concepts of fraud risk management.

But what exactly is fraud risk management and how can this be implemented? This is the first in a series of articles on establishing and maintaining a system of internal controls related to managing fraud risk.

In this segment, we are focusing on the first phase of a 5-phased approach to create a robust anti-fraud program.

Fraud Risk Governance (Phase 1) - Understand where you are and where you want to be.

Fraud risk management should be tailored to the unique needs of the agency. Business units with limited fraud exposure may not need rigorous or time consuming procedures in place to combat fraud. The level of maturity in an agency’s fraud risk framework should be considered when deciding how to address fraud. It is important to ensure resources are effectively utilized in areas of high impact and high priority.

If there are no fraud mitigation procedures in place, the first step is to understand where your agency’s fraud risks lie and what controls are currently implemented. Once you understand the current environment you can identify long-term goals and a vision to work towards a mature fraud risk management program.

We recommended creating a roadmap that leads towards the future goal of having a strong fraud risk management program. Any previously identified gaps should be immediately remedied if feasible. An effective way to develop a roadmap is by conducting a maturity assessment. Below are some key questions to assist in identifying how mature your current fraud risk management program is.

• Is the organization aware of the need of a formal fraud risk management program?
• Are fraud risk management processes organized, reviewed periodically, and updated to reflect updates in processes?
• Are internal controls developed and documented specifically to address both external and internal fraud?
  • Are fraud controls monitored for effectiveness?
• Is information about prior known fraud instances aggregated and analyzed to improve procedures?
• Is ongoing anti-fraud training provided to all employees?
  • Do employees understand what fraud is?
  • Have the consequences of fraud been made clear?
  • Do employees know where to seek advice on potential unethical situations?
  • Has a zero-tolerance policy been communicated through words/actions?
• Is an effective fraud reporting mechanism in place?
  • Do employees know how to use it?
  • Is there more than one reporting channel?
  • Do employees trust reports are confidential?
  • Has it been made clear that reports will be acted upon promptly?
  • Do reporting policies extend to external parties?
• To increase employees’ perception of detection, are these measures being taken?
  • Is fraud sought out rather than dealt with passively?
  • Are internal surprise audits performed?
  • Are data analytics used to identify variances?
  • Are controls reviewed and monitored?
• Is management’s tone at the top one of honesty and integrity?
  • Are employees surveyed to determine if management acts with integrity?
  • Are performance goals realistic?
  • Have fraud prevention goals been identified?
  • Have internal control policies been implemented and tested?
• Are fraud risk assessments performed to proactively identify and mitigate the agency’s vulnerabilities to fraud?
• Are strong anti-fraud controls in place and operating effectively? This could include:
  • Proper Segregation of Duties
  • Use of Authorizations
  • Physical Safeguards
  • Job Rotations
  • Mandatory Vacations
• Does the internal audit department, if one exists, have adequate resources and authority?
  • Does the internal audit department operate without undue influence from management?
• Is an open-door policy in place that allows employees to speak freely about pressures?
• Are regular, anonymous surveys conducted to assess employee morale?

In the next bulletin, we will be discussing fraud risk assessment in part 2 of this fraud series.

FRAUD SERIES - PART 2

In the last bulletin we discussed fraud risk management and how a fraud risk management framework could be implemented.

This is the second in a series of articles on establishing and maintaining a system of internal controls related to managing fraud risk.

In this segment, we are focusing on the second phase of a 5-phased approach to create a robust antifraud program.

Fraud Risk Governance (Phase 1 Part 2) – Create a Culture.

Promoting fraud awareness throughout your agency from the top down is vital to creating a strong antifraud culture, enhancing fraud awareness, and encouraging employees to discuss fraud risks openly and thoughtfully. Fortunately, there are many ways to promote and enhance fraud awareness at your agency, including developing a comprehensive fraud risk governance policy, developing an anti-fraud training program, hosting fraud awareness events or activities periodically, and communicating roles and responsibilities related to Fraud Risk Management (FRM). There is not a one-size-fits-all model when it comes to promoting fraud awareness. It is important for every agency to tailor these efforts to be relevant to its specific fraud risks and the strategic goals of the agency.

The key to the success of these efforts is a strong, strategic, and consistent message that can translate fraud awareness into action. Enter the Integrity Triangle. Serving as the counterbalance to the Fraud Triangle, the Integrity Triangle emphasizes the values that encourage people to do what is right for the State.

The three elements of the Integrity Triangle are responsibility, accountability, and authority. When a person understands and appreciates that they have a responsibility, that they are accountable the agency’s mission, and that they have the authority to affect positive change, a culture intolerant of improper or inappropriate conduct, such as fraud, is more likely to persist.

The foundation of this concept is awareness. Promoting awareness among your employees about both the threat of fraud and their capacity to combat it is essential for creating an anti-fraud culture and can be a vital tool in fighting fraud in your organization.

Below are some key questions to assist in achieving a strong anti-fraud culture by establishing a robust anti-fraud governance structure and implementing targeted fraud awareness efforts.

• Do you have a comprehensive FRM policy in place?
• Have you established, documented, and communicated roles and responsibilities related to FRM across all levels of your agency, including reporting mechanisms?
• Is messaging about fraud risk management communicated throughout your organization, from leadership down to employees at all levels? How do you assess the effectiveness of these efforts?
• Do you have fraud awareness initiatives in place? How often are fraud topics discussed throughout all levels of your organization and across key stakeholders? * Do you periodically assess the effectiveness of your organization’s fraud awareness efforts and track progress or gaps over time?

In the next bulletin, we will be discussing fraud risk assessment in part 3 of this fraud series.

Glossary of Accounting and Audit Terms

Grants Receivable - Quarterly Reconciliations

GLOSSARY OF ACCOUNTING AND AUDIT TERMS

We have created a glossary of accounting and auditing terms that are relevant to the audit work conducted within the State of Indiana and our agency, which can be found on our website. The glossary contains definitions of accounting, reporting, and auditing terms that are commonly used while conducting our engagements and often appear in the reports issued by our agency. We have provided sources for these definitions for further reference. The most authoritative source is provided, but additional sources may be available. There are terms listed within this glossary that are not explicitly defined in authoritative guidance. In these instances, the State Board of Accounts has compiled definitions based on research and our staff's knowledge and experience. To find the glossary, you can visit our website (www.in.gov/sboa) and navigate to the ‘About Us’ section on the left navigation pane and select ‘SBOA Glossary of Accounting and Audit Terms’ or click on the following link. SBOA Glossary of Accounting and Audit Terms

GRANTS RECEIVABLE – QUARTERLY RECONCILIATIONS

A grants receivable is automatically created when federal expenses are posted in the projects module of the State's PeopleSoft accounting system. Periodic reconciliations are required to detect errors in grants receivable balances. After the final fourth quarter reconciliation of grants receivable, each agency is required to certify to the State Comptroller’s Office that their grants receivable balances at June 30 are correct. The State Comptroller's Office provides details to each agency as of June 30, requesting the agency to confirm that each line item should remain as a receivable.

In addition to reconciling the grants receivable balances quarterly, agencies should correct reconciling items in a timely manner.

Internal Controls

Internal Control Series - Part 1

Internal Control Series - Part 2

Internal Control Series - Part 3

Internal Control Series - Part 4

Internal Control Series - Part 5

Internal vs External Audits

INTERNAL CONTROLS

All state agencies have a mission to accomplish certain goals and objectives. The overall purpose of internal control is to help each department achieve its mission. An effective internal control system helps an agency (or department) to:

• Promote orderly, economical, efficient, and effective operations.
• Produce quality products and services consistent with the department's mission.
• Safeguard resources against loss due to waste, abuse, mismanagement, errors, and fraud.
• Promote adherence to statutes, regulations, bulletins, and procedures.
• Develop and maintain reliable financial and management data, and accurately report that data in a timely manner.

During the audit, our field examiners will ask for your written internal controls, and they will test those controls, which will determine the nature, timing, and extent of testing. Your written internal controls must incorporate a process to maintain tangible evidence that the controls are functioning as intended. For example, if an internal control states that eligibility will be verified in accordance with an agency checklist by Person B, then the SBOA will be asking for the checklist and evidence that Person B performed the verification process.

Each chapter in the Accounting and Uniform Compliance Guidelines Manual for State and Quasi Agencies has information on internal controls for the processes discussed in that chapter; an overview of the five components and seventeen principles of internal controls is in Chapter 2.

If you need any assistance as you work through the process of establishing internal controls, please feel free to contact our State Agency Advisory Services team at stateagencyadvisory@sboa.in.gov.

INTERNAL CONTROLS SERIES - PART 1

What are internal controls, and why are they important? This is the first in a series of articles on establishing and maintaining a system of internal control to promote government accountability and transparency. Our goal is to provide you with information needed to achieve a system of internal controls that will foster service with responsibility, integrity, and efficiency.

Internal control is a process executed by officials and employees that is designed to provide reasonable assurance that the mission and objectives of the organization will be achieved in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

The internal control process includes any policy, system, or action that corresponds directly to the objectives of the organization and adjusts to change when necessary. In government, missions and objectives change and evolve as a result of various factors such as new management, change in staff, rapid growth, technological advances, and new programs or services. As missions and objectives change, internal controls must be monitored and evaluated for applicability in the new context and adjusted accordingly. Ultimately it is the people at every level of the organization that are instrumental in ensuring the success of the internal control process.

There are many benefits of a well-defined, relevant internal control process.

• Internal control procedures produce accountability and transparency that is evident both internally and externally.
• Internal control procedures encourage efficient uses of government time and resources through the establishment of baselines and other measurable goals.
• Internal control procedures reduce costs by enabling timely completion of responsibilities as well as prevention of waste, abuse, or fraud.
• Internal control procedures reduce audit costs as documented processes exist to reasonably ensure that operational, reporting, and compliance objectives are achieved.
• Internal control procedures generate inherent savings and goodwill through proper stewardship of assets.

The internal control process is based on well-established and widely recognized fundamental principles that operate as an integrated whole but are best understood when analyzed individually. Each of the five components of internal control is necessary to form a complete internal control process:

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a framework that includes principal characteristics of these five components and three categories of generalized objectives. The U.S. Government Accountability Office has adapted these components and principles for the Federal government through its Standards for Internal Control in the Federal Government, otherwise known as the "Green Book."

Chapter 2 of the Accounting and Uniform Compliance Guidelines Manual for State Agencies (State Accounting Manual) also discusses the importance of internal controls in the day-to-day operations of state agencies. In addition, each chapter of the State Accounting Manual contains basic internal control procedures for the handling of transactions described in that chapter. For example, the basic internal control procedures for the handling of receipts are in section 4.3.2 of the State Accounting Manual.

In future State Agency Bulletin articles, we will look forward to sharing more in-depth information on each component of internal control.

INTERNAL CONTROLS SERIES - PART 2

In the January 2023 State Agency Bulletin (Internal Control Series - Part 1), we briefly discussed the five components of internal controls:

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

Each agency must aim to make the most effective and efficient use of its resources in rendering services. A sound internal control system provides reasonable assurance that the agency will accomplish its mission and objectives with accountability and transparency.

For each component of internal control COSO developed principles that must be present for an effective internal control system. Each principle is supported by 4-6 points of focus to help with the design, implementation, and monitoring of internal controls. Points of focus are not required, but they do provide valuable insight.

In this segment, we are focusing on the Control Environment. The control environment is defined in FMC 6.1 as “the foundation for an internal control system that provides the discipline and structure to help a state agency achieve its objectives.” The standards, processes, and structures which form the control environment pervasively impact the overall system of internal control for all objectives.

This component is static in that its underpinnings do not generally change with a given objective. The control environment sets the tone of the organization and influences the effectiveness of internal controls within the government. Five principles pertain to the control environment:

Principle 1. The organization demonstrates a commitment to integrity and ethical values.

Management demonstrates these values through directives, attitudes, and behavior. Established standards of conduct are expected to be observed by all throughout the agency and are used when evaluating adherence to agency values. The State Ethics Policy is an example of the State’s commitment to integrity and ethical values.

Principle 2. Leadership exercises oversight of the development and performance of internal control.

An example for Principle 2 would be leadership’s commitment to the establishment of written internal controls and standard operating procedures for the handling of cash by the agency.

Principle 3. Management establishes an organizational structure, assigns responsibility, and delegates authority to achieve the agency's objectives.

Organizational structure is designed, responsibilities are assigned, and authority is delegated to enable the achievement of objectives. An organizational chart is a good example for Principle 3.

Principle 4. Management demonstrates a commitment to recruit, develop, and retain competent individuals.

Management determines the skills necessary for each level of the organizational chart and assesses each employee for skills necessary to accomplish the assigned responsibilities. Examples include creating job descriptions and determining skills necessary to perform jobs, developing a training plan, assessing the best recruitment pools, etc.

Principle 5. Management evaluates performance and holds individuals accountable for their internal control responsibilities.

Individuals are held accountable for their internal control responsibilities through a recognized, understood structure which includes corrective action procedures.

An example for Principle 5 would be the establishment of a formal employee evaluation to assess the performance of each employee’s internal control responsibilities.

In the next bulletin article, we will discuss the principles related to the component of Risk Assessment.

INTERNAL CONTROLS SERIES - PART 3

In the April 2023 State Agency Bulletin (Internal Control Series - Part 2), we briefly discussed the Control Environment component of internal controls and the first five principles developed by COSO.

In this segment, we are focusing on Risk Assessment, which includes Principles 6 through 9 from the COSO Framework.

Risk assessment is the process used to identify, analyze, and manage potential risks to the governmental entity's objective. When performing a risk assessment, management considers the effects of change and inherent risk.

During times of change, events can occur that expose the government to increased risk, such as change in management or responsibilities of management; rapid growth; new technology or information systems; or new programs or services. Certain activities have a greater potential for loss from fraud, waste, unauthorized use, or misappropriation. For example, the handling of cash has a much higher inherent risk for theft than data entry activities. When evaluating inherent risk, some items to consider include:

• The complexity of the activity itself or the calculations for the activity.
• The susceptibility of the activity to fraud or misappropriations.
• The extent of judgment involved for the activity.
• The size and volume of individual items comprising the activity.

Once identified, risks should be analyzed for likelihood and impact. Many risks are accepted or avoided by implementing effective controls.

Principle 6. Management defines objectives clearly to enable the identification of risks and risk tolerances.

Objectives falls within three major categories:

• Operations - Effectiveness and efficiency of operations.
• Reporting - Reliability of reporting for internal and external use.
• Compliance - Compliance with applicable laws and regulations.

As part of this process, the oversight body may consider the following:

• Defining objectives in specific, measurable terms in order to enable the design of internal control for related risks, to increase understanding at all levels, and to assess performance.
• Identifying what is to be achieved, who is to achieve it, how it will be achieved, and when it will be achieved.
• Incorporating external requirements, such as state statutes and Uniform Compliance Guidelines.
• Including a subset for the three categories which addresses the safeguarding of assets.

Principle 7. Management identifies, analyzes, and responds to risks related to achieving the defined objectives.

In the identification process, management recognizes the various types of risks at the entity and transaction levels for each objective. For example, risk factors may include the organizational structure, new technology, complexity of a program or transaction, new or amended laws, or economic instability.

Management analyzes identified risk to estimate the effect of the risk on achieving the defined objectives at the entity level and transaction level. For example,

• How likely is the risk to occur?
• How will it impact the objective?
• Is the risk based on complex or unusual transactions?
• Is the risk based on fraud?

Risks may be analyzed individually or collectively. Once the risks have been identified and analyzed, management determines how to respond to each risk and design specific actions accordingly. For example, management may accept the risk and take no action in response; choose to eliminate certain processes to avoid the risk; reduce the risk by instituting controls; or transfer the risk.

Principle 8. Management considers the potential for fraud when identifying, analyzing, and responding to risks.

Management considers the types of fraud which can occur, such as fraudulent financial reporting, misappropriation of assets, and illegal acts. In addition to fraud, management assesses the likelihood of other types of misconduct such as waste or abuse. Various risk factors may need to be evaluated as well as allegations from internal or external parties.

Principle 9. Management identifies, analyzes, and responds to significant changes that could impact the internal control system.

Internal control procedures require evaluation and adjustment on a regular basis to accommodate the impact of future changes; for example, personnel changes, new programs, new technology, new laws, and financial fluctuations. For example,

• New employees receive training on internal controls and employee policies.
• New software requires a reevaluation of policies and procedures to determine if existing controls will continue to be effective and if new controls need to be designed and implemented. (Procedures that worked well under a manual or a previous software system may no longer be applicable under the new system).
• A change in reporting requires a review of internal controls over the compilation of the report.

INTERNAL CONTROLS SERIES - PART 4

In the July 2023 State Agency Bulletin (Internal Control Series - Part 3), we briefly discussed the Risk Assessment component of internal controls and principles 6 through 9 from the COSO framework.

In this segment, we are focusing on Control Activities, which includes Principles 10 through 15 from the COSO Framework.

Principle 10. Management designs control activities to achieve objectives and respond to risks.

Control activities are designed to fulfill defined responsibilities and address identified risks. An evaluation of the purpose of the control activity is performed as well as an evaluation of the effect a deficiency would have on objectives. Control activities may be either automated or manual. The Green Book identifies a list of control activity categories that are meant only to illustrate the range and variety of control activities; the list is by no means all inclusive, but is reproduced here for reference purposes:

• Top-level reviews of actual performance.
• Reviews by management at the functional or activity level.
• Management of human capital.
• Controls over information processing.
• Physical control over vulnerable assets.
• Establishment and review of performance measures and indicators.
• Segregation of duties.
• Proper execution of transactions.
• Accurate and timely recording of transactions.
• Access restrictions to and accountability for resources and records.
• Appropriate documentation of transactions and internal control.

Principle 11. Management designs the political subdivision's information system and related control activities to achieve objectives and respond to risks.

Control activities are designed to support the completeness, accuracy, and validity of information processing by technology including the design of security management. Management evaluates changes to systems and updates control activities in response. For example,

• Disaster Recovery ensures that critical accounting information will be processed in the event of interruption of computer processing capacity.
• Back-Up Processing provides for accounting information to be backed up on a periodic basis sufficient to allow restoration of the information in a timely manner.
• Physical Security protects the computer system and the associated telecommunications equipment from environmental damage and unauthorized access.
• Logical Security requires access to accounting information and processes be controlled by operating system software and by the computerized accounting application through user identification codes and passwords.
• Change Controls are internal controls over changes made to the accounting system's computer programs.
• Audit Trails allow for sufficient documentation to trace all transactions from the original source of entry into the system, through all system process, and to the results produced by the system.
• Input Controls provide input edits and controls to assure that information entered into the system is accurate, that all appropriate information is entered into the system.
• Segregation of Duties can be achieved within information technology systems by appropriate assignment of security profiles that define the data the users can access and the functions they can perform.
• Output Controls are features that assure all accounting information is reported accurately and completely.
• Interface Controls allow for information generated in one computer application system to be transferred to another computer application system accurately and completely.
• Internal Processing provides written verification procedures and actual verification results that document accurate calculating, summarizing, categorizing, and updating of accounting information on a periodic basis.

Principle 12. Management implements control activities through policies.

Management works with each office or department in determining the policies necessary to address the objectives and related risks for the operational process. Further defined policies through day-to-day procedures may be warranted. These policies are periodically reviewed for continued relevance and effectiveness.

INTERNAL CONTROLS SERIES - PART 5

In the October 2023 State Agency Bulletin (Internal Control Series - Part 4), we briefly discussed the Control Activities component of internal controls and principles 10 through 15 from the COSO framework.

In this segment, we are focusing on Monitoring Activities, which includes Principles 16 through 17 from the COSO Framework.

Principle 16. Management establishes and operates monitoring activities to monitor the internal control system and evaluate the results.

A baseline of the current state of the internal control system is compared against the original design of the internal control system. The baseline consists of issues and deficiencies identified in the internal control system. The results of the monitoring process are evaluated and documented.

Potential changes to the internal control system are identified. Control and monitoring activities may be the same, but it is the intent of the activity that distinguishes which component the activity is supporting. For example, a review of reconciliation with the intent to detect errors would be a control activity while a review of the same reconciliation with the intent to determine if internal control procedures are in place and functioning properly would be a monitoring activity.

Principle 17. Management remediates identified internal control deficiencies on a timely basis.

Management establishes a mechanism for personnel to report internal control issues identified while performing their responsibilities. These issues are documented and evaluated on a timely basis.

Management remediates identified issues. Corrective actions include resolution of audit findings.

INTERNAL VS EXTERNAL AUDITS

Have you ever wondered what the difference is between an internal audit and an external audit? If so, you can view a short video we created that explains key similarities and differences between these important, but different, audit functions.

Internal vs. External Audits - Video Link

Major Programs

MAJOR PROGRAMS

Do you wonder what the major programs will be for the audit period of July 1, 2023 to June 30, 2024? Those listed in this article will be Type A programs – there may be others depending on the SEFA information, so stay tuned for more information in the future. If you have any questions, please contact David Parker, State Audits Coordinator at dparker1@sboa.in.gov.

Remember, you can be prepared by reviewing specific audit requirements related to your grants in the Federal OMB Compliance Supplement. The Compliance Supplements can be found on the State Agencies’ page of our website under “Compliance Supplements."

7/1/24

The major programs scheduled to be audited for the State’s Single Audit are listed below. – there may be others, depending on the Schedule of Expenditures of Federal Awards (SEFA) information, so stay tuned for more information in the future. If you have any questions, please contact David Parker, State Audits Coordinator at dparker1@sboa.in.gov.

Remember, you can be prepared by reviewing specific audit requirements related to your grants in the Federal OMB Compliance Supplement. The Compliance Supplements can be found on the State Agencies’ page of our website under “Compliance Supplements.”

New Legislation

NEW LEGISLATION

The following is a Digest of some of the laws passed by the 2024 Regular and Special Sessions of the General Assembly affecting the State of Indiana from a compliance and/or audit perspective. This Digest is not intended as an expression of legal interpretation. The Digest is also not intended to be all inclusive. The final version of each Public Law can be found on the Indiana General Assembly website (http://iga.in.gov/).

Senate Enrolled Act 180 P.L. 21-2024

Bill Digest: Prohibits a governmental body (defined in IC 5-27-2 as the state or a state agency) from: (1) accepting payment made with a central bank digital currency; or (2) requiring payment to be made with a central bank digital currency; for any service, tax, license, permit, fee, information, or other amount due the governmental body.

Prohibits an administrative branch governmental body (defined in IC 5-27-2-1.1) from advocating for or supporting the testing, adoption, or implementation of a central bank digital currency by the United States government.

The term "central bank digital currency" is defined in IC 5-27-2-1.7.

Senate Enrolled Act 221 P.L. 78-2024

Bill Digest: Provides that an internal audit or risk assessment conducted by or on behalf of the state shall remain confidential, and that the state and other individuals may not divulge information related to an internal audit or risk assessment unless required to do so in accordance with a judicial order. Provides an exception allowing the state and other individuals to divulge information related to an internal audit or risk assessment to: (1) the state examiner; (2) the director of the office of management and budget; (3) an external auditor, in accordance with professional auditing standards; or (4) any other individual for any reason that constitutes good cause as determined by the state examiner and approved by the director of the office of management and budget.

IC 5-11-1-28 was amended, as follows:

(c) An internal audit or risk assessment conducted by or on behalf of the state shall remain confidential, except as provided in subsection (e).

(d) Except as provided in subsection (e), or in accordance with a judicial order:

(1) the state;

(2) an employee of the state;

(3) a former employee of the state;

(4) counsel to the state;

(5) an agent of the state; or

(6) any other person; may not divulge information related to any internal audit or risk assessment conducted by or on behalf of the state.

(e) Notwithstanding subsection (d), an entity or individual listed in subsection (d) may divulge information related to an internal audit or risk assessment conducted by or on behalf of the state to:

(1) the state examiner or the state examiner's designee;

(2) the director of the office of management and budget or the director of the office of management and budget's designee;

(3) an external auditor, in accordance with professional auditing standards; or

(4) any other individual for any reason that constitutes good cause as determined by the state examiner and approved by the director of the office of management and budget.

Record Retention

Resource Library

RECORD RETENTION

Public officials or agencies may not dispose of government records except under an approved Records Retention Schedule or with the written consent of IARA.

Generally, basic accounting records cannot be transferred to the Records Center until issuance of the applicable state audit report and satisfaction of any unsettled charges.

The issuance of the State of Indiana’s Single Audit Report fulfills the requirement to receive a State Board of Accounts (SBOA) audit report as required by the record retention schedules.

State Single Audit reports can be found on the SBOA website, on the State Agencies page, under the Audit Reports area.

If you have any questions, email Stateagencyadvisory@sboa.IN.gov.

To assist agencies in the proper disposal of government records, IARA offers the services of the State Records Center for temporary storage; the Imaging Lab for scanning and microfilming; State Archives for permanent/historical storage; and the Conservation Lab for restoration and preservation of records.

For more information see IARA’s website.

Retention schedules can be found at www.in.gov/iara/2766.htm. Before records are transferred to the State Archives, retention schedules should be reviewed carefully to ensure all retention requirements have been met.

RESOURCE LIBRARY

The State Board of Accounts (SBOA) is pleased to present an online resource library for our clients and the citizens of Indiana. We have received many requests in the past to provide the information available on our website in a searchable format. The following information can now be searched in the resource library.

• SBOA Uniform Compliance Guidelines
• State Examiner Directives
• Best Practice Documents
• Indiana Code Section Summaries
• Frequently Asked Questions
• Other Miscellaneous Materials

SBOA Resource Library Home Page

We recommend you review the short tutorial video linked below. This video addresses how to navigate the resource library and what information is included in the library. This video was originally made for local government units, but it is still a good reference tool that shows how to navigate and search the library.

SBOA Resource Library Tutorial

If you have any questions about how to use this library or would like additional information on a topic you were unable to find, you can contact Stateagencyadvisory@sboa.IN.gov.

Standard Operating Procedures

State Accounting Manual

State Agency Internal Control Manual

Subrecipient Monitoring

STANDARD OPERATING PROCEDURES

Developing Standard Operating Procedures (SOPs) is a good way to document your agency’s processes for audit purposes. SOPs are also important to ensure that processes are consistent, errors are reduced, and they allow for the identification of potential improvements or efficiencies that can be made to processes. SOPs help new employees learn effectively and they assist with the knowledge transfer and retention processes as new employees leave State employment or are reassigned.

We have created a short training video that explains what SOPs are, the benefits, and how you can develop SOPs for your agency.

SOP Training - Video Link

If you need assistance with developing SOPs, or have any other questions for SBOA, please contact StateAgencyAdvisory@sboa.IN.gov.

We have developed an SOP template that agencies can utilize, and this can be found on our website.

SOP Template - Link

STATE AGENCY INTERNAL CONTROL MANUAL

We are pleased to present guidance on internal controls through a new publication that is linked below:

Uniform Compliance Guidelines on Internal Controls for State and Quasi Agencies.

The Uniform Compliance Guidelines on Internal Controls for State and Quasi Agencies forms a basis of common understanding for agencies in establishing an internal control system. These uniform compliance guidelines define the necessary components of an internal control system for state agencies and provide a measure for which controls will be evaluated.

Here is a short introductory video: Internal Control (short)

The Uniform Compliance Guidelines on Internal Controls for State and Quasi Agencies has three parts. Part One explains the five components of internal control based on conceptual frameworks of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework and the U.S. Government Accountability Office Standards for Internal Control in the Federal Government, otherwise known as the "Green Book."

See this video for a brief Overview of Part One.

Part Two addresses each component of internal control individually, addressing why it is important, where to start, and how to develop controls to provide reasonable assurance that agency objectives will be achieved.

Part Three provides optional tools and examples to generate ideas for management on the best method to evaluate existing controls and develop controls when necessary.

Video overviews of Parts Two and Three are coming soon!

7/1/24

In the last quarterly bulletin, we announced the release of the Uniform Compliance Guidelines on Internal Controls for State and Quasi Agencies, and we provided a video that reviewed Part One of the manual.

Part One explains the five components of internal control based on conceptual frameworks of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework and the U.S. Government Accountability Office Standards for Internal Control in the Federal Government, otherwise known as the "Green Book."

See this video for a brief Overview of Parts Two and Three.

Part Two addresses each component of internal control individually, addressing why it is important, where to start, and how to develop controls to provide reasonable assurance that agency objectives will be achieved.

Part Three provides optional tools and examples to generate ideas for management on the best method to evaluate existing controls and develop controls when necessary.

STATE ACCOUNTING MANUAL

The Accounting and Uniform Compliance Guidelines Manual for State and Quasi Agencies is published by the State Board of Accounts in consultation with the Auditor of State, Treasurer of State, and State Budget Agency.

In addition to general guidelines and policy, the manual covers important topics, such as:

Chapter 1 – Accounting System and Processes…An explanation of various accounting terms, basic accounting theory, and examples of acceptable accounting entries in Peoplesoft (Encompass).

Chapter 2 – Internal Controls…The 5 components of internal control and applications of each in the governmental environment.

Chapter 3 – Accounting for Budgets…The State of Indiana budget structure; how it works and how it is implemented in Peoplesoft (Encompass).

Chapter 4 – Accounting for Revenues…A description of the various types of revenue and how transactions for each should be recorded.

Chapter 5 – Procurement…A summary of State of Indiana purchasing rules and regulations.

Chapter 6 – Accounting for Expenses, Expenditures…Defines and details regulations and business processes for the various types of payments from the State of Indiana to vendors.

Chapter 7 – Accounting for Federal Funds…General requirements relating to federal financial assistance programs.

Chapter 8 – Accounting for Capital Assets… Addresses the accountability for capital assets purchased by the State of Indiana – how capital asset records are maintained, how such assets are reported for financial reporting purposes, and the responsibility of agency personnel regarding such assets.

Chapter 9 – Payroll…A summary of personnel rules and regulations and descriptions of processes used in the processing of payroll transactions (note this chapter is currently being rewritten due to the new Peoplesoft HCM system).

Chapter 10 – Travel…General compliance for travel by state officials and employees; includes current official travel rules.

Chapter 11 – Public Records… A description of regulations regarding public records and record retention.

Chapter 12 – State Institutions… A description of certain business processes at the various state institutions.

Chapter 13 – Internal Service Funds… A description of services provided to state government through the various internal service funds.

Chapter 14 – Information Technology Controls… A description of computer system requirements.

SUBRECIPIENT MONITORING

According to 2 CFR 200.332, all pass-through entities must monitor the activities of the subrecipient to ensure the subaward is used for authorized purposes, in compliance with Federal statutes, regulations and the terms and conditions of the subaward; and that subaward performance goals are achieved.

A subrecipient means an entity that receives a subaward from the pass-through entity to carry out part of a Federal award.

Before you begin your subrecipient monitoring activities, it is a good idea to make sure your list of subrecipients is accurate. Sometimes the entity that signed the grant agreement and received the funding from your agency (subrecipient) is different than the entity you work with for program implementation.

The State Budget Agency (SBA) has recommended tasks and tools for subrecipient monitoring on the Federal Grants Resources Page: https://www.in.gov/sba/grants/Federal-Grants-Resources/

Also, for your reference, SuccessFactors has four SBA training sessions on grants management which can be accessed on the Learning page by typing ‘FMC 4.1’ in the search bar. Topics covered include:

Training 1: Pre-Award Requirements and Financial Management

Training 2: Post Award Requirements; Procurement and Inventory Management

Training 3: Documentation and Record Keeping Requirements

Training 4: Timely Spending, Close Out, and Audit Requirements

Third Party Vendors - Payment Processors

Training Videos

THIRD PARTY VENDORS - PAYMENT PROCESSORS

IC 5-27-3-2 states:

(a) A governmental body may enter into a contract with a provider company to enable the governmental body to accept an electronic payment.

(b) A governmental body must use the provider company provided or specified by the office of technology established by IC 4-13.1-2-1 to accept an electronic payment submitted to the governmental body as payment for a fee based service, license, or permit or for fee based information obtained through electronic access.

IC 5-27-2-4 defines a “Governmental body” as the state or a state agency.

State agencies accepting electronic payments must use a vendor approved by the Indiana Office of Technology (IOT). Certain agencies may have specific statutory authority to enter into agreements with payment processors. There may also be situations where a specific service provider is required to be used by the federal government. IOT must still be notified of these situations and agencies should work with IOT to ensure compliance with statute and the state’s policies.

IOT maintains a list of provider companies approved for payment processing. All IOT-supported entities, their employees, their contractors, and their vendors must use an approved payment processing company unless granted an exception by IOT.

If you are using a third-party vendor to collect payments and are unsure if your agency is compliant, please reach out to IOT.

Payment processing online through the agency’s website, or on the state network, must adhere to the requirements of IC 5-27-3-2 and IOT’s policies. If an agency has a business need to utilize peer-to-peer payment platforms, such as PayPal, Venmo, Zelle etc… they should contact IOT. These payment platforms are supported by the vendors approved for payment processing. Agencies must not utilize these payment platforms without obtaining approval from IOT.

Agencies should have internal controls in place to ensure that third party payment processors are providing the agreed upon services in a cost-effective, secure, and appropriate manner. When using third party vendors to collect funds, agencies are still be required to meet requirements related to the timely receipting, recording, and depositing of funds as required by statute and the SBOA State and Quasi Agencies Uniform Compliance Guidelines Manual.

Reconciliation and reporting tools are normally accessible through third party payment processing systems. Reports in these systems could be run and saved to assist with established control procedures. For audit purposes, we recommend that all collections be able to be traced from third party payment processing systems to the Receipt of Collections (ROCs) and the bank deposit.

TRAINING VIDEOS

We are expanding our library of training videos on a variety of topics including, but not limited to: Audit Issues, Compliance, Accounting Procedures, Best Practices, Internal Controls, Uniform Compliance Guidelines, and more. If there is a training topic you believe would be of assistance to you, please send your suggestions to stateagencyadvisory@sboa.in.gov.

Understanding the Audit Report Series - Part 1

Understanding the Audit Report Series - Part 2

UNDERSTANDING THE AUDIT REPORT SERIES - PART 1

Every profession has its own lingo, and auditors are no different. As you read the state’s single audit report, you may see some unfamiliar terms. For example, what exactly are compliance requirements? What is the difference between an unmodified opinion versus a qualified opinion? How do you distinguish between a material weakness and a significant deficiency? What is material? Over the next few bulletins, we will be focusing on these and other aspects and terms in the audit report to provide an understanding of its meaning. In this article, we are discussing portions of the Independent Auditor’s Report on Compliance for Each Major Federal Program; Report on Internal Control over Compliance; and Report on Schedule of Expenditures of Federal Awards Required by the Uniform Guidance, which is found on pages 4-10 of the State’s Federal Compliance Audit Report for July 1, 2020 to June 30, 2021 (B59787): https://www.in.gov/sboa/WebReports/B59787.pdf

In this report, it says the following:

“We have audited the State of Indiana's (State) compliance with the types of compliance requirements described in the OMB Compliance Supplement that could have a direct and material effect on each of its major federal programs for the year ended June 30, 2021.”

The compliance requirements are as follows:

• Activities Allowed or Unallowed
• Allowable Costs/Cost Principles
• Cash Management
• Eligibility
• Equipment, Real Property Management
• Matching, Level of Effort, Earmarking
• Period of Performance
• Procurement, Suspension, and Debarment
• Program Income
• Reporting
• Subrecipient Monitoring
• Special Tests and Provisions

The grant agreement will define which compliance requirements are applicable to your federal programs. However, the Federal OMB Compliance Supplement will define which compliance requirements have a direct and material effect on each major program and, therefore, will be audited. You can look up these compliance requirements in the Federal OMB Compliance Supplement at this link: https://www.whitehouse.gov/wp-content/uploads/2022/05/2022-ComplianceSupplement_PDF_Rev_05.11.22.pdf

Please see this training video on how to use the Federal OMB Compliance Supplement:

Video Link: https://www.youtube.com/watch?v=tyi_qXoztCs

Slides PDF: https://www.in.gov/sboa/files/Compliance-Supplement-Presentation-StateAgencies.pdf

In the next bulletin article, we will discuss the significance of the audit opinion and the types of opinions issued.

UNDERSTANDING THE AUDIT REPORT SERIES - PART 2

Financial Statement Audit Report

When SBOA issues an Independent Auditor’s Report, the SBOA expresses an opinion as to whether the financial statements are presented fairly, in all material respects, with the applicable financial reporting framework. This enhances the degree of confidence that intended users can place on the financial statements. An unmodified opinion indicates that the financial statements are presented fairly, in all material respects, with the applicable financial reporting framework. (AU-C 700.11, 13)

The State Annual Comprehensive Financial Report (ACFR) for fiscal year 2022 has an unmodified opinion from the SBOA.

Single Audit Report

When SBOA performs a single audit, SBOA expresses an opinion as to whether the state complied with Federal statutes, regulations, and the terms and conditions of Federal awards which could have a direct and material effect on each major program. An unmodified opinion indicates that the state complied, in all material respects, with Federal statutes, regulations, and the terms and conditions of Federal awards which could have a direct and material effect on each major program.

If an SBOA expresses a modified opinion, it will be expressed as one of the following:

• Qualified – Expressed either when the auditor has collected sufficient appropriate audit evidence to determine instances of noncompliance identified are material to the major program(s) but not pervasive; or the auditor was unable to obtain sufficient appropriate audit evidence due to a restriction(s) on the audit scope.
• Disclaimer – Expressed when the auditor is unable to obtain sufficient appropriate audit evidence on which to base the opinion but concludes that the possible noncompliance, if any, could be both material and pervasive.
• Adverse – Expressed after the auditor has collected sufficient, appropriate evidence, and determines that the noncompliance is both material and pervasive.

In the Single Audit Report filed March 31, 2023, each major program was given either an unmodified or a qualified opinion based on the results of audit procedures for the program.

YouTube Channel

SBOA YOUTUBE CHANNEL

The State Board of Accounts has a YouTube Channel! The State Advisory Services team plans to periodically release short training videos on internal controls, fraud prevention, best accounting practices and other topics. If there is a topic you think would make a good training video, please let us know (Stateagencyadvisory@sboa.IN.gov). You can subscribe to our channel to receive updates via YouTube notifications. To access the SBOA State agency playlist on YouTube you can use this link.