Financial Management Workshop for CILs…Regulations and Beyond
IL-NET presentation on May 25-27, 2016
Module 15: Developing & Evaluating Your Organization’s Internal Control Policies

JOHN HEVERON: So this is how we're going to these are the things we're going to consider.

You may not do all of these things.

You may find that there are many of these you don't do.

I'll repeat this probably later, but every control that we talk about comes with some demand, some time commitment, and of course, it adds a level of security.

So you could control your organizations like crazy but you'd go broke doing it.

Your indirect rate would be excessive, so what you need to do is to find the right balance.

You want to do the things that are most effective, and we talked about one of them being your whistle blower protection policy, but you can't do everything.

We're not going to list everything.

We're going to have a pretty significant list of things that you may consider doing.

And I welcome anybody to ask why we would recommend these things if it's not clear.

But some of the benefits of internal controls, they help employees work as team players because they are a set of policies and procedures that facilitate that.

They protect from false accusations.

When you have good internal controls, I mean sometimes things just happen, and sometimes they look suspicious.

When I was a young auditor, one of my first jobs, I was checking paychecks, and I was looking at the old W4 forms where people sign for their withholding authorizations, and I was comparing the paychecks from the past week or so to those signatures, and none of them looked the same.

In fact, they looked like scribbles.

And I figured, here I am, I discovered this big problem here, so you know, I went to my supervisor, and my supervisor went to the manager of the company, and the manager of the company brought four of these people in whose checks appeared to be improperly signed, and we handed them their checks.

They looked at them and they started looking at each other and laughing.

Well, this was the evening crew, you know, afternoon to evening crew and when they got off duty on Friday they went right to the bar across the street.

And by the time they time they ran out of their own cash and signed over their paychecks, they weren't writing as neatly, penmanship wasn't quite up there with what it had been.

That was a good lesson for me, I take everything with a grain of salt these days.

But internal controls eliminate even the concerns.

Because if you have a good solid system it eliminates suspicions that might happen.

They're an effective method of catching unintentional errors, and that's why they're a federal mandate now.

Systems with strong internal controls produce more reliable data.

Good internal controls make accounting systems more efficient because even on a day-to-day basis, the process happens more smoothly.

But much more so if you have a change in personnel, having good internal controls and good accounting systems things get up to speed much more quickly.

They protect the property and assets of the organization, and help assure that the assets are used according to your mission.

This next session is a little repetitive because we talked about the five elements of internal control but I really want to expand on them.

You know, before we get into specific procedures, I wanted to expand on the big picture here, the five things that you need to do.

And the first one we talked about is the tone at the top.

So management needs to demonstrate an attitude of integrity and commitment to competence.

Proper hiring and training practices is one good way of doing that.

Attention to compliance requirements such as maintaining complete up-to-date personnel files and background checks.

Management makes a statement by doing these things properly.

Other examples of that, Paula.

PAULA MCELWEE: As you look at all different things you do related to your hiring decisions, you really do want to check the person's prior employment, and sometimes the person will say to you well, you know, I don't want you to check with this person, that's fine, then you can't.

You need to ask why.

If it's a current job and they're afraid, that's one thing.

But, if they're saying to you, I don't want you to check in with this former employer, they have a story about how they had had some problem with that employer.

I don't know about you, but I've been taken in by that a time or two, and that can be very problematic.

Maybe they were in fact, the same organization that had the HUD problem, she had been fired from her prior job for embezzlement but they didn't press charges and she'd asked them not to contact that immediate employer, so if people want to hide them from you, they're going to tell you will their story, and they're going to find ways to make excuses and you need to let your barometer in your gut say, this doesn't seem quite right but you need to have policies that start you down that path, so you need to know you're asking the right questions and if they start giving you excuses, then your radar says, huh, maybe this is a problem.

JOHN HEVERON: So in addition, in setting the tone at the top, management and board members should review and sign a conflict-of-interest policy annually.

There should also be a written code of conduct that describes proper business practices and everyone should be familiar with that code of conduct.

PAULA MCELWEE: Everyone meaning both board and staff.

JOHN HEVERON: Right.

Again, setting the tone at the top, show no tolerance for improper practices, even minor improprieties should be addressed.

We had a client who approached us.

There were fee for services as part of their program.

Sometimes these got paid in cash, usually by check.

But it got to the point where no cash was ever getting deposited.

Now, we're talking small amounts of money.

We're talking hundreds of dollars, and not hundreds and hundreds, but maybe two or $300 in total over a period of time.

It wasn't a lot of money.

But the organization contacted us, contacted their attorney, met with the employee.

They made a big deal out of an amount of money that really wasn't huge.

They sent a message to everybody, you know, that they're very, very serious about their internal controls.

About no tolerance for any form of fraud.

Question unusual activities, but do it without attempting to imply that you think something is wrong.

Ask questions, ask people to explain, tell them why you need this background.

PAULA MCELWEE: I always say, show me.

Show me.

Because a lot of this should have been documented, whatever it is you're concerned about.

So they out to be able to show you the paper related to it.

That's part of what you would expect.

JOHN HEVERON: In your control procedures, the next section, develop a good budget and look at variances.

Update the budget throughout the year, if things change.

If you add a program or a program doesn't occur as planned or if a program changes in size dramatically, update the budget.

When you do that, variances from budget are really a message to you that you need to look further.

PAULA MCELWEE: Not that you never have variances but you need to know what they are and why.

JOHN HEVERON: Of course.

Of course, that will happen.

Communicate your whistle blower protection policy regularly.

We have one organization that has, right as you walk in the front door, they have it right on the wall there.

It's very clear to employees what they do if they become aware of an issue.

You know, issue of dishonesty or abuse or serious misuse of funds.

Put it in the personnel manual.

Like we said, employees uncover most wrongdoing.

Some of the specific procedures that might be appropriate for your organization, separation of duties, verifications, reconciliations.

And we've said this a couple of times, but record keeping for assets and custody of assets should be separate and so when money comes in, the person who records or initially receives it isn't the person who is doing the accounting for it.

Similarly, the person who is approving the or preparing the checks isn't the person who is mailing the checks out.

Vouchering and billing, vouchers should be prepared from your accounting system.

We talked about how to facilitate that today.

An independent person should review vouchers and other billings before they're submitted and uploaded.

And that, for you Executive Directors, are you the reviewers of that typically, at least in smaller organizations?

A lot of head nods on that one.

For receipts, someone not involved with billing or accounting initially receives payments and lists them on a deposit ticket or a separate place and then checks should be stamped for deposit only as soon as they're received.

All bank accounts should be reconciled on a timely basis, typically at least monthly.

When the bank statement is received, checks, electronic payments and transfers should be reviewed by someone who isn't involved in preparing checks or authorizing transfers or electronic payments.

As Maria points out, maybe not just when the monthly bank statement comes in, but maybe you should check it more frequently than that.

She's glad she does.

Be sure that you have online or other access to actual check images to confirm that amounts or payees haven't been altered.

Going to jump to retirement plans here.

We've seen some problems with retirement plans with nonprofits.

IRS audited a lot of large commercial organization retirement plans and found a lot of noncompliance, and then they started going after some nonprofits.

And one that really shocked us was an organization that had a 403B that they didn't contribute to.

It was an employee only contribution plan, we figured how can that go wrong?

What's the compliance with that?

But there are compliance requirements for that.

The auditors do have the ability to impose some really large penalties for noncompliance.

You know, the compliance with that type of a plan is regular, at least annual notifications to employees about about the availability of this plan and then if you have a plan that you contribute to, your compliance requirements are much greater.

You need to do updates periodically, when they're required.

You need to have some way to provide guidance to employees about how those moneys should be invested.

You need to have a thing called summary plan description, which really describes how the plan works, and that needs to be done every year.

So somebody in your organization should have that responsibility.

PAULA MCELWEE: Got a question back here.

Right behind you.

AUDIENCE MEMBER: With the 403B plans, should we have like a third-party administrator?

Wouldn't that be the place they would check for that?

JOHN HEVERON: The third-party administrator would normally help you prepare the summary plan description, but it's your responsibility.

And really, it depends on what kind of an organization you're working with.

If people are just buying annuities, the responsibility level goes down quite a bit.

But annuities aren't really a good economic deal.

In most cases anyway.

If you're investing in mutual funds or something like that, then you need to have a way for employees to be able to get advice on how they should invest this.

And it might be very smart to limit the kinds of things they can get into, because it is a retirement plan.

It is a long term thing.

It's not a gaming or gambling thing.

So you don't want to allow them to do, oh, short sales or hedge funds or things of that nature that are very aggressive type investments, so you might want to limit them to a handful of mutual funds.

You want to give them choices, but give them choices of things that are more secure and more stable.

AUDIENCE MEMBER: You audit them for that?

When you guys come in, are you checking for that?

JOHN HEVERON: Well, again we consider part of our responsibility to make you aware of problems, just like I'm doing right now.

Now, we do we do audit some retirement plans.

That's a whole different game.

That's only if you have more than 100 employees in your plan and yes, we do do employee benefit plan audits, so there, we really are looking for problems.

With our audits, we're looking for best practices, just to make sure that people are aware of their responsibilities and you know, we always try to be aware of things like these IRS audits that we've seen pop up in a couple of cases and tell people about it in advance.

Securing your electronic data.

I think we probably covered this fairly well but constant threats to your confidential, electronic information, bank and investment accounts that can be assessed electronically.

Consider contracting with an outside IT organization that will assist you with backup software, upgrades, review of error logs and security.

Do you also have an outside organization, Michael, but you're full time with your organization.

Not everybody can afford that.

That's a great luxury if you can, but another way that is maybe a little more affordable is to have an outside organization that is monitoring your systems, reviewing your logs, doing software updates, the kinds of things that you would do.

The advantage for you is you're right there when problems occur.

PAULA MCELWEE: You know, giving your staff some idea about password security is also good.

I've had the advantage of going in several times to be an interim person at a center where the Executive Director is suddenly gone for whatever reason, and we have to go in and we have to access information, and I can tell you right now that I could go in and sit down at that desk and I could look under the keyboard and in the top right drawer and in the top left drawer and I could almost always find the password.

Now, if that sounded like you, that's scary.

Don't do it that way.

Make sure you have a secure place, and coach your staff, because some are more sophisticated about it than others and some are very trusting and just say, this is password protected for a reason, put the password on your password protected phone in a memo, if you have to, but don't leave it sitting around someplace.

JOHN HEVERON: I recently attended a seminar by a CPA that does nothing but IT security in the case of big failures, like Staples, some of these were his clients.

What was it?

Home Depot that had that big theft.

And he said, you know, the process for cracking passwords is just trying all sorts of different things.

So you don't need these odd ball passwords that are impossible for you to remember.

But something with some length can really make it much harder to crack, and there's an online site where you can go test the security of your password.

I don't know what it is.

Maybe you do.

At any rate, you could say, I loved Baltimore.

That's a really good password because it's a long password but it's not overwhelming or you know, something like that.

I like to bicycle.

That's a password with a lot of letters in it.

It's a tough to crack password.

Try that, in that online system that checks passwords.

You'll see it's very secure because of the length but it's very easy, so you can personalize it and make it yours.

PAULA MCELWEE: If there's a requirement for certain, you know, figures or numbers, you all know how to do that, right?

You can replace your Ls with ones and your O's with zero's or whatever.

For that same long password.

JOHN HEVERON: I know you're very thoughtful about this, Paula.

What is your password?

PAULA MCELWEE: I'll tell you how it's constructed without telling you the password.

I use the middle initials of my siblings there are five of us.

The middle initials of my siblings and the year that my next brother was born.

I'll never forget it but nobody else will ever figure it out.

JOHN HEVERON: That's right.

Regular backups should be made and stored off site.

Verify that backups are working.

And having good backups is what saved your organization, right?

Shut down or log off computers at night.

Antivirus software should be continuously updated and you would do that, but for somebody to use an outside service bureau, they'll do that for you as well.

You should have an ISCA certified firewall and antispam software.

Passwords should be used wherever appropriate and changed every 90 days.

Mobile devices that have access to your server, e-mail or calendars, should be password protected and set so that confidential information can be deleted remotely.

That's becoming a bigger and bigger deal by the day.

There's just so much use of handheld devices to do your banking, to get your e-mail, your calendar, and if it's tied into the computer, and somebody gets ahold of that device, then it makes it very easy to access your computer.

The Home Depot theft, I believe, I understand, was pulled off by an HVAC company, in other words, a heating company, that was installing heating in a Home Depot home office, I guess.

And so basically with the technology these days, they were tying into the organization's main computer.

That's how all of those credit cards got compromised.

That's hearsay.

So don't hold that to me, but from a very reliable source.

Hard drives on computers and copiers should be destroyed when you turn them in.

Copiers, did you all know an image of the things you copy is retained on a hard drive?

That would include your employees applications, their social security numbers, client information, HIPAA protected information, so you want to destroy those when you get rid of the copiers.

And then have written policies for computer, internet and e-mail use.

It should cover what happens with access when someone leaves or is terminated.

Should also cover downloading software, even software upgrades.

There should be a process, I'm sure Michael can share more on that.

Make sure your personnel manual is up to date and everyone knows how to access it.

How many people have an Intranet?

So half a dozen, maybe?

Do you love your Intranet?

It's a great resource, isn't it?

You know, it's really sort of a one time investment thing.

These types of things are easier and easier to get all the time.

It's a great place to have all of the key things that you depend on all the time.

We have one in our office, and I truly love being able to get to our state attorney general's website to look up charities, registration numbers, or key IRS sites, or to a variety of tax research resources that we use.

For you, it can be oh, and we have all of our forms on there.

Time off requests, and reimbursement requests.

Medical and expense, travel expense reimbursement requests.

All of these things are available.

If a client wants a copy of their return, we need to get them to authorize us to release that, and so we've got all of those forms right at our fingertips.

Something to think about.

Not so much a security thing, but an efficiency thing.

Consider developing an accounting procedures manual to confirm accounting procedures and internal controls.

Consider Fidelity bond coverage for employee dishonesty.

Use a carrier other than your general liability carrier to reduce the likelihood of countersuits.

So somebody was sharing that Fidelity bonding repaid at least part of a loss, and that's important to know.

Also important to know that they follow those circumstances, so if somebody is convicted of taking some money, those insurance companies have sort of a long memory for that.

PAULA MCELWEE: They also often have resources to guide you around whatever is emerging as a possible risk, so like these internet risks we've talked about, sometimes there are other risks that are specific to nonprofit organizations, and often their newsletter or underwriter, somebody will give you some of that good information as part of you insurance package.

You just have to ask.

JOHN HEVERON: And talk to your banker about controls they have available over your bank account.

You know, things continue to develop as the as the frauds spread, and become more pervasive.

The banks come up with new technologies to to guard against that.

The next section is on monitoring.

And before I get into the procedures, I want to remind you that this is the fifth element of internal controls.

It's the one that I think is most misunderstood.

It's the one that creates the greatest amount of concern, but it is an absolute requirement, and it's important for your systems to really work.

I have listed here several different things that can be done.

But the first thing you need to do is to say, how is monitoring going to happen?

And is this a board responsibility?

Is this is this going to fall on one of the staff?

If it's a board or a committee responsibility, then they could start with this list of different things and maybe say, we're going to do these three this year.

And then rotate that year after year.

So that's what this monitoring process is about.

You might do it internally, you might do it with the board.

You're not going to do all of this.

But these are a lot of different possibilities for you.

So we said, your written policies set standards for performance.

Monitoring should include review of your policies to make sure they're appropriate.

Your policies match what you're doing today.

It should also determine whether staff is familiar with and fully implementing your policies.

So whoever is doing this monitoring should just ask some questions of staff.

Do you have a whistle blower protection policy?

Do you get sufficient training for your responsibilities?

Simple questions, easy to ask, but they really provide some insight about whether it's working.

As Executive Director or finance director you might think it's working great, the training is fine, but if the employees don't know that you have a whistle blower protection policy, if they don't know what they need to know to do their job, then your system isn't working, regardless of whether you believe it is.

It's like I talked about the curse of intelligence.

You know things so well, you can't imagine how little some people know about it.

Make sure you get it to their level.

Is training of new and current staff appropriate?

Be sure to review personnel, conflict of interest, and whistle blower protection policies.

Make those part of your regular training.

Determine what security measures are in place over confidential information, employee information, which includes their social security numbers, donor information, credit card information, so for example, is it kept in a locked cabinet with limited information and credit card information being destroyed after 30 days?

How many people here scan checks rather than take them to the bank?

Scan them directly into your account.

Just one.

Wow.

It's a real time saver, isn't it?

Doesn't cost a lot of money.

Probably actually saves a lot of money.

Something to consider, check scanning, but you should destroy the actual check, the bankers tell us after about 30 days.

You destroy them PAULA MCELWEE: You're going to have to repeat that.

Wait for mic.

JOHN HEVERON: Let's get a mic here.

AUDIENCE MEMBER: I was just saying that I destroy them sooner than 30 days, because our administrative assistant actually receives the checks so that's outside our Accounting Department.

She scans them to the bank.

As soon as she gets the confirmation, she gives the check and confirmation to me which I enter into the system for the payments and I destroy the check immediately.

We don't save it.

JOHN HEVERON: Because you will get immediate feedback if there's a problem with the check, so really, as quickly as a check you took to the bank will clear, these should clear, the process is pretty fast.

It does reduce the possibility of checks being misused.

It assures that your deposits are going to be made as frequently as necessary, so it really is a good internal control.

Your risk assessment, the monitoring should also consider physical safety to staff and clients, and so really, this can be an interesting process for an ad hoc committee that might include your insurance person and some internal people, and then maybe someone who is has a specialty in personnel.

AUDIENCE MEMBER: Back to the destroying of the checks.

Our auditor tells us any checks that print upside down, are voided, cut the signature line off, and keep those our checks, wouldn't you do that for the checks that you scan and deposit?

Wouldn't you just cut the signature line off and keep them for however long you have to keep them?

It's okay to just go ahead and shred them?

JOHN HEVERON: Keep in mind, if you take them to the bank, they're gone.

You will have an electronic image and you still have that.

So really why would you need to keep those?

This is just a different way to take it to the bank, to be honest with you.

So it's a technology change, which makes things simple.

The concern is, if you stack them up and keep them for three years, you really don't need them for anything, and they do represent some risk, because they contain bank account numbers and you know, signature samples, so just best to get rid of them.

Review your hiring procedures.

Determine whether references are checked and criminal background checks are used.

Now, again, I'm not talking about an internal control here but I'm certainly implying this is something you should do.

What I'm talking about now is monitoring.

You know, the periodic checking process.

Whoever does that is going to look at your hiring practices, because you may have set up a set of practices, you may have a policy for it.

But the person doing the monitoring is going to check and see, are you really doing what the policy says?

PAULA MCELWEE: This is so important, because when things go wrong, it often goes wrong because you had the best intentions when you developed the policy, and you know what you expected to have happen, but if the person assigned that task is just too busy and doesn't get around to it and hasn't checked it for six months, eight months, two years, whatever it ends up being.

That time goes by really fast to that person and they don't have the same sense of urgency that you do about your policies and procedures.

Checking to make sure your policies are actually followed is key.

What Steven said this morning about how we're held accountable to our policies when someone comes in and reviews us, even adds more weight to that, doesn't it?

It's really urgent that you make sure that it's really followed through.

JOHN HEVERON: Okay.

Look at whether images of checks are provided.

Again, we're still talking about monitoring.

Look whether images of checks are provided with your checking account bank statements and verify whether an independent person reviews checks, electronic payments, and transfers for propriety.

Check how up to date bank reconciliations are.

Look at some invoices for purchases to determine whether they're properly marked to document approval, nonpayment of sales tax, if that applies, and to note payment.

Check whether unused checks, undeposited checks, and cash received are kept in a locked secure area with limited access.

Review charge card statements to see if there's an independent review and documentation for each purchase.

Require vendor receipts from the user for full documentation of detailed expenses.

Review expense reimbursements, especially for senior personnel to determine if there's proper documentation and an independent review there.

PAULA MCELWEE: I was going to say, with the credit card things, we can't say that enough.

If someone comes to you and says, oh I lost the receipt for that.

That's a red flag.

We have to keep the actual receipt from the place that they purchased from, and if you don't see that actual receipt, you don't really know what was purchased.

And so they can tell you, oh, yeah, that was all office supplies but they don't tell you how much of it they took home with them.

I knew of an Executive Director in a state that's represented here but I hope none of you know him.

It's been a few years.

But they were doing a remodel at the office, and he would make the lumberyard order and he would have half of it delivered to his house, so he got a new deck and new roof out of the deal.

Nobody was double checking the content, the inventory, nobody was looking back at what happened and he got by with it for a long time.

And finally they caught up with him, but it was ugly.

JOHN HEVERON: Expensive deck, huh?

PAULA MCELWEE: Expensive deck.

That's right.

JOHN HEVERON: At the end of the day.

So we've already said this, but the great majority of frauds are uncovered by employees.

The monitoring process should include an interview to be sure that employees know that they're encouraged to communicate any wrongdoing.

And that they're familiar with how to do that.

And then look at how time worked is documented and whether there was an independent review of time worked.

So as we said at the start of this, each one of these control procedures and the monitoring add burden and reduce risk.

You have to weigh these and other possible procedures to determine the right balance for your organization.

Pretty lengthy list but all things to be seriously considered.

And before we leave internal controls, I think we have some internal control questions that we may not have covered.

PAULA MCELWEE: We do.

We have a few questions from before and we'll just kind of hit a couple of those.

I think the first one we've covered.

One of them said that our board chairs disability is such that he doesn't sign his name, and I use his stamp to co-sign checks and approval.

I e-mail him the bank statements and credit card statement.

Is that okay or should I have the treasurer co-sign?

Well, there are a couple of things about this that you'll just want to make sure is in place.

You should not be using anyone's signature stamp unless they know specifically what they've signed.

You need to make sure that they are there and see it and agree to the use.

One way to do that is to have him keep his signature check himself.

But you shouldn't be just signing for him and at the end of the month saying, I signed everything for you.

You see what I mean?

You can't just stamp for him.

Even if you're sending him copies, you are legally using his legal signature which he can no longer easily do and you're using that legal signature on his behalf, he needs to be a participant in that process.

He needs to be there.

Or you could change who signs the checks or you could ask what other accommodations work for the board chair.

But you certainly cannot just you know, you have his stamp so you sign everything for him and tell him at the end of the month what you signed.

It needs to happen as this signature is used.

So if you want to get permission one item at a time or e-mail, and inform them and scan in the bill that you're paying and get his yes to go ahead, that would probably be workable, but that seems cumbersome.

It seems to make more sense to have him come in and affirm each of those as you're scanning them.

Did that work for you?

JOHN HEVERON: Absolutely.

So how would you word a policy about a financial statement audit if you are not above 750,000 in federal funds, requiring a compliance audit but the board or funder both want a financial statement audit to be part of your policy there?

The way to do this is to look at the Uniform Guidance cost categories, go to the audit section.

The audit section says that if you're under the $750,000, then you can't pay for any part of a compliance audit with federal funds.

But you can pay for a financial statement audit.

They are different things.

I will tell you there's a lot of confusion out there, at every level, including some of your funders there.

So get that documentation.

There's also a question and answer section, if you go to that COFAR website, one of the training tools there is a question and answer.

And that also addresses the difference between compliance audits, which can't be funded if you're under the level of $750,000 but financial statement audits that can be part of your indirect costs.

PAULA MCELWEE: If it will help any of you on this, remember that blog I mentioned yesterday, the IL-NET-TA.org, the article posting tomorrow no, is today Thursday?

Tomorrow, the article posting tomorrow is on this topic, if it helps you to show it to somebody or use that language, we've actually quoted the language in there.

Did you have a question?

AUDIENCE MEMBER: We've had some mixed direction as far as interpretation on this audits for agreed upon procedures that we've elected to do.

So when the CPAs are very firm about saying, they're not audits, so one time we were advised by RSA that that would be an allowable expense, agreed upon procedures, because it's not an audit because we fall under the 750.

But then more recently, this past year, there was some kind of confusing guidance, and they interchangeably referenced audit and agreed upon procedures as being the same, which they're not.

So do you have any input on that?

JOHN HEVERON: Well, sure.

Agreed upon procedures are done according to generally accepted auditing standards.

What that means is there needs to be proper planning, and supervision, and a review.

So as auditors we're held to the same standards, we are for financial statement audits.

But the objective of them is very different.

They an agreed upon procedures audit can be virtually anything.

As an example, we do agreed-upon procedures audits a lot when the New York State Parks Department gives a grant to some organizations, they want to make sure that money is used right.

We audit the Monroe County public administrator, the law firm that administers wills, or administers estates for people who die without wills and don't have any next of kin.

So we do an agreed-upon procedures audit, based on procedures from the controller of the currency.

So yours really could be sort of like an internal audit.

But they are very different from a financial statement audit.

They're focused on specific things and really they can be part of your internal control system.

So so I don't think they are specifically addressed.

I haven't seen them, either in Uniform Guidance or in any of the Q and A.

But I mean, if they're part of your system of controls, then it would seem to me they'd have to be allowable as an indirect.

PAULA MCELWEE: The guidance we have right now, if it's in your budget, and if it meets the Uniform Guidance, either the single audit if it's above the 750,000 federal funds or the financial statement audit, if it's below that amount, then it is allowable.

And that's the current information that we have.

Now, the financial statement audit is determining whether or not your financial statements fairly represent what's going on at your organization.

That's its purpose, and so that is something that your board wants reassurance on, typically your other funders would like to see an audit and it's certainly an appropriate level of auditing for those organizations that are under that $750,000 threshold.

JOHN HEVERON: I think we answered this one, and really goes back to the cost allocation.

If the rate is 25%, 25% of federal funding should go to indirect costs.

Did we clear that up, I hope, with the example of how you voucher?

If not, please catch Paula or me after the program.

PAULA MCELWEE: If you have some other questions related to this monitoring or other internal controls you'd like to ask at this time?

Let's get those questions out there.

Or you can write them on your sticky notes and we'll catch them in the morning.

If something is bugging you, you know.

I had somebody come up to me, John, this and say, I attended this training in Pennsylvania three years ago and I haven't slept since.

And I think should come with wording with it could be hazardous to your sleeping.

We have a question over here.

AUDIENCE MEMBER: I just want to get your opinion, please.

I know when we were all under EDGAR, one of the guidelines said we shouldn't use the same auditor or auditing company repetitively.

JOHN HEVERON: The bottom line is there have been actually multiple times when we got close to a recommendation from mandatory rotation of auditors, but we I shouldn't say we, but you know, the Federal government even talking about compliance auditing backed off because of trying to find the balance between skill, in sort of unique area, and experience with the client, the value of those versus the down side of becoming too familiar with somebody.

But I'll get you the exact reference here.

I've got it right in my pile of stuff.