RELATES TO: KRS 42.0201, 45.121, 45.240
NECESSITY, FUNCTION, AND CONFORMITY: KRS 45.237 requires the Finance and Administration Cabinet to develop, for the executive branch, a system of internal controls and pre-audit policies and procedures applicable to disbursement transactions for the purpose of prevention and detection of errors or fraud and abuse prior to the issuance of a check or warrant. This administrative regulation requires agencies to draft and submit internal control plans to the Finance and Administration Cabinet. Agencies will also be required to provide information related to internal controls and pre-audit procedures as requested by the Office of the Controller, per the delegation agreement with each agency. Based on agency internal control plans and activities reported, the Finance and Administration Cabinet shall assist agencies, when appropriate, in the implementation of policies and procedures to reduce improper and unnecessary payments.
Section 1. Definitions.(1) "Agency" is defined by KRS 12.010.(2) "Agency head" means the cabinet secretary or executive and administrative head of an agency that does not have a secretary at the top of its organizational structure.(3) "Control environment" means the atmosphere or organizational culture in which state employees conduct activities and carry out their jobs. It encompasses the organizational structure, management philosophy and operating styles, integrity and ethical values, commitment to competence, and human resource policies and practices.(4) "FAP" means Finance and Administrative Polices incorporated by reference in 200 KAR 5:021.(5) "Fiscal officer" means the employee appointed by the agency head, in accordance with FAP 120-07-00, with responsibilities including establishing and maintaining a proper internal control structure, establishing and maintaining the chart of accounts for the state's accounting system, providing assurances that agency financial reports accurately reflect underlying activity, conducting fiscal operations under Generally Accepted Accounting Principles (GAAP), and acting as a single point of contact with the Office of the Controller.(6) "Internal control" means a procedure or activity implemented to provide reasonable assurance that the agency achieves effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws, administrative regulations, policies, and procedures.(7) "Monitor" means quantifiable and qualitative assessment of the effectiveness and efficiency of the system of internal controls and pre-audit policies and procedures.(8) "Risk assessment" means the identification and analysis of risks to the achievement of operations, financial reporting, and compliance objectives, forming the basis for determining how those risks should be managed.Section 2. Fiscal Officer to Develop Internal Control Plan.(1) The agency head shall perform the responsibilities of fiscal officer or delegate the responsibilities to an employee with adequate skills to perform the job duties. The fiscal officer shall be specified in the delegation agreement between the agency and the Office of the Controller.(2) Each fiscal officer shall develop and document internal controls to both prevent and detect abuse, unintentional errors, and the fraudulent disbursement of funds or use of state assets. In addition, the fiscal officer shall work with agency personnel to implement the internal controls and monitor their effectiveness.(3) An internal control plan shall include the following:(a) Organizational structure and alignment of job duties that provide the appropriate segregation of duties for the proper safeguarding of agency assets to prevent one (1) individual from controlling or processing a transaction from beginning to end.(b) Limited number of agency personnel authorized to access agency assets and records in the performance of their assigned duties.(c) Procedure that provides for the internal review of all transactions processed by the agency, as required by the agency's Pre-audit Delegation Agreement with the Office of the Controller and FAP 120-13-00. The internal review shall include, but is not limited to, the following:1. Authenticity of transactions or documents including vendor invoices, claims for refund amounts previously paid or withheld, and other documents;2. Legality and propriety of transactions;3. Authorized approvals of transactions;4. Review of transactions for appropriate accounting codes and accuracy; and5. Review for compliance with GAAP.(d) Authorization and recordkeeping procedures, including document retention in accordance with agency established retention schedules and the General Schedule for state agencies, FAP 111-28-00, and FAP 120-21-00.(e) Reconciliation of agency accounts on a timely basis.(f) Detailed procedures to be followed in the performance of job duties and functions, to emphasize duties that comprise the overall framework of accountability and internal controls, and to help assure the continuation of agency operations in the event of staffing changes.(g) Procedures for safeguarding agency assets;(h) Assessment of the control environment, risks, impact of abuse, unintentional errors, and potential fraud for the following:3. Procurement practices;6. Pre-audit of agency transactions;7. Routing of MARS documents;9. Grant and program administration;10. Compliance and noncompliance with statutes, administrative regulations, policies, and procedures;11. Accounts Receivables;13. Adjustment transactions;14. Physical security; and15. Other relevant agency activities.(i) Cost-effective control activities to address identified risks that may result in improper or unnecessary payments.(j) Written communication regarding agency internal controls to employees.(k) System of monitoring compliance with internal control and pre-audit procedures.(l) Procedures for employees to report violations of internal control and pre-audit procedures requested by the Office of the Controller in the delegation agreement with the agency.Section 3. Agency Reports to the Finance and Administration Cabinet. (1) Each fiscal officer shall submit information about internal controls and pre-audit procedures requested by the Office of the Controller in the delegation agreement with the agency.(2) Upon request, each fiscal officer shall complete and submit to the Office of the Controller information related to the system of internal control and pre-audit policies and procedures in place to prevent and detect errors, waste, abuse, and fraud.(3) Each fiscal officer shall report amounts paid to a vendor, provider, or recipient due to errors, fraud, or abuse in the annual financial closing package to the Office of the Controller.(4) In compliance with 200 KAR 5:302, Section 2(2)(h), each agency that requests or obtains a small purchase delegation above the limits established in KRS 45A.100 shall submit to the secretary of the Finance and Administration Cabinet every record of control weakness or noncompliance, related to procurement practices, issued to the agency by the Auditor of Public Accounts, internal auditors, or the Finance and Administration Cabinet's Office of Policy and Audit, for each of the past two (2) fiscal years, the agency's response to the finding, and any corrective measure taken.(5) Financial or administrative abuse or fraud discovered by the agency shall be reported to the Office of the Controller as soon as practicable. After the appropriate agency authorities and state or federal officials have investigated the fraud or abuse, the agency shall submit an analysis of the internal control weakness that allowed the fraud or abuse to occur to the Office of the Controller. The agency shall also submit the internal controls that have been implemented by the agency to correct the weakness.Section 4. Additional Internal Controls or Pre-Audit Procedures.(1) The Finance and Administration Cabinet may require an agency to implement additional internal controls or pre-audit procedures necessary to correct a control weakness or to meet the unique needs of the agency.(2) When applicable, the Office of the Controller shall perform additional review to ensure that the internal controls or pre-audit procedures have been implemented, as required by KRS 45.237 and this administrative regulation.32 Ky.R. 171; 477; eff. 9-22-2005; Crt eff. 2-10-2020.STATUTORY AUTHORITY: KRS 45.237