UPDATE: AUDITOR OF PUBLIC ACCOUNTS RECOMMENDATIONS FOR Agenda Item J-3 PUBLIC AND NONPROFIT BOARDS September 17, 2010

UPDATE: AUDITOR OF PUBLIC ACCOUNTS RECOMMENDATIONS FOR Agenda Item J-3 PUBLIC AND NONPROFIT BOARDS September 17, 2010 In May 2009, the Auditor of Public Accounts issued a report entitled Recommendations for Public and Nonprofit Boards. At the June 12, 2009, KCTCS Board of Regents meeting, the Board received a copy of the recommendations as well as a matrix developed by KCTCS staff that listed the Auditor of Public Accounts recommendations, KCTCS responses and actions to the recommendations, and the independent review and comment to KCTCS responses by then external auditor, Crowe Horwath, LLP. In March 2010, the Auditor of Public Accounts updated the report of Recommendations for Public and Nonprofit Boards. New recommendations of the updated report are numbered 1, 17, 19, and 28. Attachment A is a copy of the Auditor of Public Accounts March 2010 report. Attachment B is an updated matrix that includes the Auditor of Public Accounts recommendations, KCTCS responses and actions to the recommendations, and the independent review and comment to KCTCS responses by current external auditor, Dean Dorton Ford. 95

96

Attachment A Auditor of Public Accounts Recommendations for Public and Nonprofit Boards Revised 3/4/10 The Auditor of Public Accounts, as a result of recent investigations, makes the following recommendations to assist public and nonprofit Boards in designing and implementing internal controls. These recommendations should assist Board members in providing appropriate financial oversight. The following is a brief summary of various financial policy areas that Board members should consider. After each control area is considered, a policy should be developed to address the specific business model of the organization. 1. The Board should have a well defined, clear mission statement to serve as a platform for policies, operational plans, and resource allocations that further the interest of its organization s members. 2. The Board should facilitate the development of an annual orientation program and manual for new and returning Board members to ensure an understanding of the Board s structure, operations, and their legal and fiduciary responsibilities. An explanation of the budget and accounting structure, as well as revenue and investment information should also be included. If possible, the orientation should be facilitated by a knowledgeable, independent party, such as a Board attorney or consultant. 3. The Board should ensure that its organizational structure maintains a flexibility that allows for multiple sources of information. The Board should request reports from individuals having responsibility for various program areas rather than from just the chief executive. 4. The Board meeting minutes should document the exact nature of the financial reviews conducted by the Board. Any issues that result from these reviews and action taken to resolve the issues should also be documented. 5. For Boards who fall under the open meetings law, sessions closed to the public should be entered into in accordance with KRS 61.810. Any conclusions or decisions reached during a session closed to the public must be documented in the Board meeting minutes as stated in KRS 61.815, clarified in OAG 81-387. 97

6. The Board should establish an independent process to receive, analyze, investigate, and resolve concerns related to the organization including anonymous concerns. Employees, business associates, customers, or the general public may have significant, beneficial information that they are uncomfortable reporting directly to the Board. A toll-free complaint number or an advertised email and postal address for feedback would allow the transmission of this information. In addition, where applicable, the Board s policy should include a reference to Kentucky law (KRS 61.102) notifying employees, as defined in KRS 61.101, of their rights to protection against retaliation for reporting violations to certain authorities. A whistleblower policy should be adopted and distributed to employees. The policy should include reporting procedures and management s responsibility to address issues reported. 7. An internal audit function could be used to ensure that Board concerns are independently investigated. The individual designated to perform internal audits should be given the authority to investigate and examine any area designated by the Board and the responsibility to report the audits findings directly to the Board. 8. A Board audit committee should appoint and compensate the audit firm and ensure the rotation of the lead audit partner and the audit partner reviewing the audit, as required by the Sarbanes Oxley Act (SOX) for companies with publicly traded stock. The Board should also consider whether rotating audit firms would be beneficial given the facts and circumstance of the organization. Further, if possible, the Board audit committee should be comprised of at least one member who has an understanding of generally accepted accounting principles and financial statements, experience with internal controls and in preparing or auditing financial statements, and an understanding of audit committee functions, as suggested in Section 407 of SOX. In addition, reviews of internal controls should be conducted to ensure that controls are functioning as designed or needed. The review of internal controls could be conducted by an internal auditor, Board designee, or included in the engagement of an auditing firm. Any concerns noted by the Board should be disclosed to the auditor and included in the audit scope for review. 9. The Board should adopt a code of ethics that includes standards of conduct for its Board members, officers, and employees related to business conduct, integrity, and ethics. The policy should include the requirement to sign a form stating that the individuals have received and understand the code of ethics. The code should include statements regarding moral and ethical standards, confidentiality, conflicts of interest, nepotism, gifts, honoraria, and assistance with applicable audits and investigations. Violations of the code of ethics should be reported to the Board or designated committee of the Board. 10. The Board should adopt a financial disclosure policy for Board members and executive management. A policy should also be developed requiring Board members and executive management to disclose any conflicts of interests. The disclosure form should be completed by a specified date and returned to the appropriate committee of the Board. Page 2 98

11. The Board should establish and approve a detailed, equitable personnel and compensation policy. The policy should include that the Board or a designated Board committee annually review the salary increases and bonus payments made to all staff. This review should be documented in the Board meeting minutes. 12. The Board should define and document all employee benefits in a fair and equitable manner. Benefits received that result in taxable income should be properly accounted for and accrued to each applicable employee. Employee benefits should also be reviewed to ensure they provide a reasonable business purpose. Also, membership fees to organizations or associations should provide a reasonable business benefit. 13. The Board should approve the compensation package of the organization s primary executive and be aware of the compensation provided to other Executive Staff. In determining the compensation for the primary executive, the Board should consider the organizations financial resources, current economic conditions, employee performance, and salary data for similar positions at relevant organizations within the region. 14. The Board should ensure a well-defined employee evaluation system is implemented within the organization to consistently assess employee performance. The results of the employee s evaluation should be used for employee advancement or salary adjustments. 15. The Board should adopt policies to ensure all forms of employee leave are properly approved and accurately recorded. 16. The Board should have sick and vacation leave policies that address the accrual, use, and the payment to employees for any unused sick, vacation, or compensatory time. 17. The Board policy should include a transparent, competitive selection process for the procurement of goods and services. The policy should outline the circumstances under which quotes or competitive bids are required and the process to be followed. The Board should have policies that require a formal contract for purchases over a specified amount and that all contracts over a specified dollar amount require Board approval. 18. A review of budget to actual expenditures should be performed regularly by the Board or a designated Board Committee to monitor costs in each account. The name and number of budget categories or line items should provide transparency and sufficient detail to allow Board members to accurately identify the types of expenses being attributed to each category. If expenditures occur at an unexpected rate, additional detail should be requested to ensure that incurred expenditures are reasonable and necessary. 19. At least quarterly, the Board or a designated Board committee should receive and review a listing of payments that includes, at a minimum, the payee, dollar amount, and date of each expenditure. This review would assist in identifying inappropriate, unusual, or excessive expenditures. Page 3 99

20. Executive management traveling out of state should present their plans and estimated costs to the Board for prior approval. The approval of these activities and associated costs should be addressed at the Board meetings to ensure proper documentation in the minutes. Subsequent to attending approved conferences or activities, the amount expended should be reported to the Board. 21. To minimize and control the cost of travel, a travel expense policy should be developed that specifically defines the allowable costs related to lodging, meals, entertainment, personal mileage reimbursement, rental cars, and airfare. The travel expense policy should state the invoice requirements for the reimbursement of certain expenditures such as taxi fees, tips, parking, or tolls. The policy should provide examples of expenditures that are to be paid for by the employee, such as costs incurred by family members or the attendance at events not approved by the Board. This policy should explicitly state that expenses not in compliance with the travel expense policy would not be reimbursed or paid by the Board. 22. In lieu of credit cards, the Board should consider the following: The use of purchasing cards that would allow the Board to restrict the types of purchases that can be made on the card based on industry codes. Casinos, specialty retail outlets, and food and beverage establishments are examples of these restrictions. The amount spent on a single purchase can also be restricted through the use of a purchasing card. Reimburse employees personal credit card charges when the use is necessary. Procedures and supporting documentation requirements should be developed to facilitate this type of reimbursement. 23. If the use of credit cards is needed, the Board should implement the following oversight controls: A Board member or committee of the Board should be assigned to review, at a minimum, credit card statements of Executive Staff prior to payment. Credit card charges should be supported by detailed receipts, documented business purpose, and supervisory approval. The employee should be responsible for the timely payment of any unsupported credit card charges or disallowed expenses. Policies established by the Board should ensure that all review procedures are performed in a timely manner to avoid late fee and finance charges. 24. Expenses classified as gifts or entertainment should be documented to include the name and title of the person(s) involved and a description of why the expense was needed and how it relates to business operations. 25. A policy related to reimbursements made by employees to the organization should be developed to ensure that any expenses that should be paid by an employee are monitored. This policy should include the timeframe allowed for making the reimbursement and the alternative actions that will be taken if reimbursement is not made. Page 4 100

26. Business expense reimbursements requested by executive management should be reviewed by the Board or a designated Board committee to ensure supporting documentation is provided. This documentation should be retained to ensure that duplicate payments are not made to the employee. 27. Specific marketing goals should be developed to monitor the success of any business promotions approved by the Board. Marketing expenditures incurred should be coded to that goal so that Board members will know the expenses involved in a specific marketing promotion. Further, documentation should be maintained detailing the recipients of promotional prizes including tickets, trips, or merchandise. 28. A Board policy should be developed to address the authorization process to purchase vehicles and the method used to dispose of vehicles. The use and assignment of vehicles owned by the organization should be addressed within this policy. In addition, the practice of providing a vehicle should be reviewed and monthly vehicle allowances considered. The policy should include following the IRS guidelines for personal use of a vehicle. 29. The personal use of business equipment should be addressed within Board policy to determine when appropriate. The policy should require that equipment being used inappropriately or that is missing should be reported directly to the Board. 30. The Board should establish a policy detailing the process to report lost or missing financial information or records. To avoid lost or stolen financial information, electronic images of financial records should be created and retained, if possible. 31. A formal policy should be developed that identifies what equipment is a fixed asset and should be included as inventory. Once this designation has been made, the existing inventory listing should include the following identifying information related to each piece of equipment: The name of the individual in receipt of equipment; Description of equipment; Vendor name; Model number; Serial number; Acquisition date; and, Acquisition cost. Once the inventory listing has been validated, any acquisitions and dispositions of computer equipment that fall within the fixed asset policy should cause an appropriate update to the inventory listing. Page 5 101

32. An information system policy should be developed that explicitly defines a user s responsibilities as they relate to information system resources and applications. These policies should cover, at a minimum: Securing of user id and password; Protection against computer virus or mal-ware infection; Legal notice at logon indicating system is to be used for authorized purposes only; Securing unattended workstations; and, Securing portable devices, such as laptops, Blackberries, cell phones, etc. Page 6 102

Auditor of Public Accounts Recommendations for Public and Nonprofit Boards September 2010 Auditor of Public Accounts Recommendation KCTCS Response Dean Dorton Ford 1 The Board should have a well defined, clear mission statement to serve as a platform for policies, operational plans, and resource allocations that further the interest of its organization s members. The KCTCS Board of Regents has adopted a well defined, clear vision and mission statement for KCTCS as well as core values, all of which may be found at the following web address: http://www.kctcs.edu/about_kctcs/system_adm inistration/our_mission_vision_and_values.aspx. Further, the Board has and continues to insist on KCTCS having a strategic plan with core indicators of success and six-year targets. The KCTCS Strategic Plan 2010-16 can be found at: Dean Dorton Ford has reviewed the vision and mission statements. Dean Dorton Ford has also reviewed the strategic plan, which includes core indicators and KCTCS' five-year targets. http://www.kctcs.edu/about_kctcs/system_adm inistration/our_strategic_plan.aspx. 103 2 The Board should facilitate the development of an annual orientation program and manual for new and returning Board members to ensure an understanding of the Board s structure, operations, and their legal and fiduciary responsibilities. An explanation of the budget and accounting structure, as well as revenue and investment information should also be included. If possible, the orientation should be facilitated by a knowledgeable, independent party, such as a Board attorney or consultant. Both the KCTCS Board of Regents and the KCTCS President hold Board professional development, especially that of new regents, in high regard. The KCTCS Board of Regents Bylaws Section 1.3.2, Board of Regents Development, states that: The KCTCS Board of Regents believes that to be an effective board it should take responsibility for ensuring its own education in order to be well informed about KCTCS, postsecondary education in Kentucky, and the role of its Board members and their performance as a Board. The Bylaw goes on to set forth expectations for the development of its Board members related to: Orientations. Statewide Governance Conferences, like the Governor s Conference on Postsecondary Education Trusteeship coordinated by the Kentucky Council on Postsecondary Education (which all Board members are encouraged to attend on an annual basis). Board Workshops scheduled periodically to provide more in-depth information on relevant topics. National and Regional Conferences, assuming funds are available. Dean Dorton Ford is aware of and has reviewed Section 1.3.2, Board of Regents Development. This section sets forth the expectations and responsibilities of all Board members as it relates to orientation and continued development. Dean Dorton Ford has also reviewed the June 12, 2009, Board Minutes, which detailed the Board action as it relates to reviewing and approving the FY2010 annual budget. Throughout all of the Board meeting minutes, there is evidence of discussions related to the finances of KCTCS. However, Dean Dorton Ford cannot comment on the annual orientation program. Attachment B

As such, regents are apprised of their responsibilities on an ongoing basis: 104 1. On a quarterly basis (the KCTCS Board of Regents is statutorily mandated to meet at least quarterly), detailed updates are provided on: a. Legislation and Legal Responsibilities. The Board is apprised of proposed or enacted legislation that is of interest to or that might impact KCTCS. When applicable, Attorney General Opinions are distributed and discussed in light of the Board s responsibilities. The Board also is apprised of its responsibilities related to proposed or pending litigation and open records requests. b. Financial Updates. Provided in verbal and hard copy format, the quarterly report is comparative by accounting categories (including investment income). The quarterly financial reports allow regents to review and discuss financial performance based on the budget approved for the current fiscal year (Statement of Revenues and Expenditures) as well as the corresponding quarter during the previous fiscal year (Statement of Net Assets). c. Strategic Plan Implementation. Evidence of progress toward achieving strategic plan goals and performance measures is formally presented at each meeting. d. Major Gift Campaigns and Foundation Initiatives. Information on the KCTCS major gifts campaign is routinely presented to the Board. A report is distributed that lists cumulative donation and pledge amounts by college as well as the designated use of lead gifts (if specified by the donor). An update on Foundation initiatives is routinely provided by the KCTCS Board Chair. 2. On a semi-annual basis, detailed reports on technology, facilities, capital construction, and maintenance are provided. 3. On an annual basis, the KCTCS Board of Regents: a. Participates actively in the annual budget development process, giving guidance to staff regarding the budget proposal. Usually, the Board gives staff direction at the regular quarterly meeting preceding the meeting at which a proposed annual budget is considered. b. Receives detailed audit information presented by independent auditors regarding annual audit findings. The presentation includes explanations of significant accounting procedures, findings, footnotes, and potential impacts of anticipated changes to generally accepted accounting procedures for nonprofit agencies. c. Attends a workshop devoted to KCTCS strategic planning and accountability. d. Reviews matching funding for the KCTCS Endowment Match program. 4. On a biennial basis, the KCTCS Board of Regents participates in the development of the KCTCS Biennial Budget Recommendation. 5. On an ad hoc basis, workshops are scheduled to educate the Board on various topics, like advocacy, KCTCS programs, and special initiatives.

Regarding new regent orientations, the KCTCS New Regent Orientation is comprehensive. New regents are given resources from national and state sources, including the Association of Governing Boards of Universities and Colleges, the Association of Community College Trustees, and the Kentucky Legislative Research Commission. Resources are compiled into a notebook containing information about Kentucky postsecondary education in general along with information about KCTCS. The notebook is also provided to regents in CD format. Some of the information included in the notebook, includes: 105 KCTCS regent roles and responsibilities. Kentucky Revised Statutes (including but not limited to open meetings, open records, conflict of interest, general powers and duties authority of the Board of Regents, etc.). Parliamentary procedure. KCTCS history. KCTCS organizational charts. KCTCS strategic planning. KCTCS biennial and annual budgeting. KCTCS colleges accreditation. KCTCS human resources/personnel. Travel reimbursement. The most recent orientation notebook (August 2010) is available for review. 3 The Board should ensure that its organizational structure maintains a flexibility that allows for multiple sources of information. The Board should request reports from individuals having responsibility for various program areas rather than from just the chief executive. The KCTCS Board of Regents has established various committees that bring reports to the Board on various types of information, e.g., Academic Affairs and Curriculum Committee; the Efficiency, Effectiveness, and Accountability Committee; the Finance, Technology, and Human Resources Committee; and the Executive Committee. The committees gather information and report information to the entire Board and help ensure different perspectives are shared on a regular basis. Members of the KCTCS President's Cabinet, as well as college presidents, and other mid-management staff support these committees and participate as called on by the Board and its committees. Dean Dorton Ford has discussed Board activities with various management employees. Each employee has noted that that Board is actively involved in the overall management of KCTCS. They have provided us examples of reports, which are provided to the Board on an annual basis, which corroborates KCTCS' response. Dean Dorton Ford also examined minutes of the meetings of these various committees, which then result in a report to the Board.

4 The Board meeting minutes should document the exact nature of the financial reviews conducted by the Board. Any issues that result from these reviews and action taken to resolve the issues should also be documented. KCTCS' Board meeting minutes reflect the exact nature of the financial information and reviews conducted by the Board or its committees, primarily the Finance, Technology, and Human Resources Committee. On a quarterly basis the financials of KCTCS are presented to the Finance, Technology and Human Resources Committee and then to the full Board by the committee. A Statement of Current Funds Revenue and Expenditures (comparison of actuals to budget) and a Statement of Net Assets are presented. Any significant nonroutine events and transactions are noted, as are any unusual fluctuations. Questions by the Finance, Technology, and Human Resources Committee or the Board are answered. Any directive of the committee or the Board is researched, addressed, and brought back as appropriate. As a practice, KCTCS leadership openly shares and briefs the KCTCS Board Chair and the Board's committees leadership on matters of management and finance. Draft minutes of the Board's Finance, Technology, and Human Resources Committee can be viewed on the KCTCS Board of Regents meeting website at the following web address: http://legacy.kctcs.edu/organization/board/meetings/ Dean Dorton Ford has reviewed all available Board Minutes for FY 2010. In each of the Board Minutes, there is evidence of the exact nature of the financial reviews conducted by the Board. There is also discussion of any issues and actions, when applicable. 106 5 For Boards who fall under the open meetings law, sessions closed to the public should be entered into in accordance with KRS 61.810. Any conclusions or decisions reached during a session closed to the public must be documented in the Board meeting minutes as stated in KRS 61.815, clarified in OAG 81-387. The KCTCS Board of Regents strictly follows the open meetings law. The KCTCS Board of Regents rarely enters Executive or Closed Sessions. When it does enter into Executive Session, it enters pursuant to KRS 61.810 (1) (c) Proposed or Pending Litigation or KRS 61.810 (1) (f) Individual Personnel Matters. Also pursuant to statute, the Board does not take formal action during Executive Session. Anticipated Executive Sessions are included on the meeting agendas. If an Executive Session is not listed on the agenda and the need for such a session arises after the Board s agenda is published, then an Executive Session is requested to be added to the agenda at the beginning of the meeting and the request voted upon. In summary, any closed sessions are in accordance with KRS 61.810 and any decisions reached during a closed session are documented as required per KRS 61.815 and clarified in OAG 81-387. Record of KCTCS Board meetings, including any closed sessions for individual personnel matters or pending litigation, are documented as required. Records of KCTCS Board of Regents meetings and agenda and meeting minutes can be found at http://legacy.kctcs.edu/organization/board/meetings. Dean Dorton Ford has reviewed all available Board Minutes for FY 2010. In each of the Board Minutes, Dean Dorton Ford noted that the meetings were announced to the press prior to the meeting. Dean Dorton Ford further noted that any action items discussed by the Executive Committee were brought to the Board, when applicable.

6 The Board should establish an independent process to receive, analyze, investigate, and resolve concerns related to the organization including anonymous concerns. Employees, business associates, customers, or the general public may have significant, beneficial information that they are uncomfortable reporting directly to the Board. A toll-free complaint number or an advertised email and postal address for feedback would allow the transmission of this information. In addition, where applicable, the Board s policy should include a reference to Kentucky law (KRS 61.102) notifying employees, as defined in KRS 61.101, of their rights to protection against retaliation for reporting violations to certain authorities. A whistleblower policy should be adopted and distributed to employees. The policy should include reporting procedures and management s responsibility to address issues reported. KCTCS is in process in implementing a "whistleblower" policy and procedure. Ethics Point, a nationally recognized provider of whistleblower services, has been chosen to host the toll-free hotline. It is anticipated the hotline will be operational by late fall/early winter 2010. The policy and procedure will encompass the process for KCTCS to receive information, analyze, investigate, and resolve organizational concerns. The process will include reporting ability for management, the ability to receive the information anonymously, include a toll-free telephone number, and track the concern through resolution for the informant and KCTCS. When finalized, the whistleblower policy, procedure, and information about the toll-free hotline will be distributed to employees. Dean Dorton Ford has reviewed the proposed whistleblower policies and procedures. 107 7 An internal audit function could be used to ensure that Board concerns are independently investigated. The individual designated to perform internal audits should be given the authority to investigate and examine any area designated by the Board and the responsibility to report the audits findings directly to the Board. KCTCS uses its internal audit function (Office of Audit Services) to ensure concerns are independently investigated and when, deemed appropriate, the Board has engaged its external auditor as an independent investigator. An example of the use of the external auditor includes the Kentucky WINS Program audit in March 2010 by then KCTCS external auditor, Crowe Horwath, LLP. Dean Dorton Ford performs inquiries with the Director of Audit Services and is provided all reports for audits and projects conducted during the fiscal year.

108 8 A Board audit committee should appoint and compensate the audit firm and ensure the rotation of the lead audit partner and the audit partner reviewing the audit, as required by the Sarbanes Oxley Act (SOX) for companies with publicly traded stock. The Board should also consider whether rotating audit firms would be beneficial given the facts and circumstance of the organization. Further, if possible, the Board audit committee should be comprised of at least one member who has an understanding of generally accepted accounting principles and financial statements, experience with internal controls and in preparing or auditing financial statements, and an understanding of audit committee functions, as suggested in Section 407 of SOX. In addition, reviews of internal controls should be conducted to ensure that controls are functioning as designed or needed. The review of internal controls could be conducted by an internal auditor, Board designee, or included in the engagement of an auditing firm. Any concerns noted by the Board should be disclosed to the auditor and included in the audit scope for review. In accordance with KRS 164A.560 and 164A.570, KCTCS hires an independent certified public accounting firm to perform an annual audit of KCTCS' financial statements. This audit is conducted in accordance with generally accepted auditing standards for the purpose of submitting an independent opinion, preparing a report of findings and recommendations concerning internal accounting controls and procedures, and compliance with KRS 164A.555 to 164A.630. A report as to the finances is then filed with the secretary of the Finance and Administration Cabinet for compilation into the Commonwealth of Kentucky's Comprehensive Annual Financial Report (CAFR). KCTCS has in the past and intends to continue to rotate auditors in accordance with the Sarbanes Oxley Act of 2002 (SOX). The KCTCS Finance, Technology, and Human Resources Committee serves as the audit committee for the KCTCS Board of Regents. Dean Dorton Ford has seen several approaches to audit firm rotation and partner rotation. The purpose of the Sarbanes Oxley Act of 2002 requirement to rotate audit partners every five years is to have a fresh look at the independence requirements, ethics, and other aspects of the Sarbanes Oxley Act of 2002. Based on the nature and complexity of audits, Dean Dorton Ford has always recommended to clients a partner rotation instead of an audit firm rotation. This practice allows for KCTCS to continue to have the specific knowledge the audit firm has developed and the efficiencies gained during the relationship and still have a fresh look at the independence requirements of audits and the audit procedures performed during the audit. 9 The Board should adopt a code of ethics that includes standards of conduct for its Board members, officers, and employees related to business conduct, integrity, and ethics. The policy should include the requirement to sign a form stating that the individuals have received and understand the code of ethics. The code should include statements regarding moral and ethical standards, confidentiality, conflicts of interest, nepotism, gifts, honoraria, and assistance with applicable audits and investigations. Violations of the code of ethics should be reported to the Board or designated committee of the Board. KCTCS Board of Regents appointed members must sign conflict of interest statements prior to their appointment based on KRS 164.005(2)a. Further, the KCTCS Board of Regents Bylaws also include a provision of conflict of interest as well as the duties and responsibilities of the Finance, Technology, and Human Resources Committee. Appointed members of the KCTCS Board of Regents are covered under the Executive Branch Code of Ethics. Also as noted in Recommendation 6, KCTCS is in the process of finalizing a "whistleblower policy" that includes core values, inclusive of confidentiality, conflicts of interests and commitment, nepotism, gifts, auditing services and other ethical conduct provisions with expectation that in 2010-11 the policy and any associated procedures will be finalized and implemented. Dean Dorton Ford has reviewed the KCTCS Board of Regents Bylaws noting specific discussion related to conflicts of interest. Dean Dorton Ford has also reviewed a draft copy of the whistleblower policy.

10 The Board should adopt a financial disclosure policy for Board members and executive management. A policy should also be developed requiring Board members and executive management to disclose any conflicts of interests. The disclosure form should be completed by a specified date and returned to the appropriate committee of the Board. Please see response to Recommendation 9. Please see response to Recommendation 9. 109 11 The Board should establish and approve a detailed, equitable personnel and compensation policy. The policy should include that the Board or a designated Board committee annually review the salary increases and bonus payments made to all staff. This review should be documented in the Board meeting minutes. KCTCS uses a methodology to administer an equitable personnel and compensation structure. The structure has been reviewed by outside sources, including the Mercer Human Resource Consulting and Towers Watson, with adjustments made as appropriate based on market conditions and available funding. KCTCS Administrative Policy 2.5 Performance Review defines this process. The actual form used is the Performance and Planning Evaluation (PPE) Form may be found within the KCTCS Intranet (thepoint) at https://thepoint.kctcs.edu/departments/humanresources/ Pages/Performance,PlanningandEvaluation.aspx. The KCTCS Board of Regents uses PPE results in awarding compensation increases. KCTCS has not awarded recurring compensation increases in the last two and current fiscal years because of the reductions in state appropriation and the uncertainty of the economic times. However, evidence as to the Board's discussion and approval of compensation increases as part of the budget development process with specific scenarios can be corroborated by reviewing the Board's meeting minutes. Dean Dorton Ford has reviewed a completed Performance Planning Evaluation Form during our review of entity level controls as part of the annual audit. Dean Dorton Ford will review documented approval of pay rates during our payroll testing as part of the annual audit. 12 The Board should define and document all employee benefits in a fair and equitable manner. Benefits received that result in taxable income should be properly accounted for and accrued to each applicable employee. Employee benefits should also be reviewed to ensure they provide a reasonable business purpose. Also, membership fees to organizations or associations should provide a reasonable business benefit. KCTCS Human Resource related policies are defined in Section 2 of the KCTCS Board of Regents Policy Manual, beginning with KCTCS Board of Regents Policy 2.0 Kentucky Community and Technical College System Employment and concluding with KCTCS Board of Regents Policy 2.18.7.1 Kentucky Community and Technical College System Policy on Continued Employment Status. Specific information on the KCTCS benefits plans and policies are found within KCTCS Administrative Policy 3.6 Employee Benefits Policy (Technical College Employees Hired on/or after July 1, 1998; Community College and System Employees Hired on/or after January 14, 1998). Retirement plan policies are found in KCTCS Board of Regents Policy 3.7 KCTCS Retirement Plan Policies. In all instances, benefits are taxed according to IRS code and have a reasonable business purpose and benefit, including any membership fees to organizations or associations. Dean Dorton Ford will review the various employee benefit plan policies to support disclosure in the financial statements as part of the annual audit.

13 The Board should approve the compensation package of the organization s primary executive and be aware of the compensation provided to other Executive Staff. In determining the compensation for the primary executive, the Board should consider the organizations financial resources, current economic conditions, employee performance, and salary data for similar positions at relevant organizations within the region. The KCTCS Board of Regents approves the compensation package of the organization s primary Executive and is aware of the compensation provided to other Executive Staff. In determining the compensation for the primary Executive, the KCTCS Board of Regents considers the organization's financial resources, current economic conditions, employee performance, and salary data for similar positions at relevant organizations within the region. Dean Dorton Ford reviewed the employment agreement between the primary Executive and the Board of Regents. It was noted that the Board voted unanimously to renew the contract with the primary Executive through 2013 due to his outstanding performance. Dean Dorton Ford also noted in the June Board meeting minutes that salaries for all faculty and staff were approved by the Board. 110 14 The Board should ensure a well-defined employee evaluation system is implemented within the organization to consistently assess employee performance. The results of the employee s evaluation should be used for employee advancement or salary adjustments. Please see response to Recommendation 11. Please see response to Recommendation 11. 15 The Board should adopt policies to ensure all forms of employee leave are properly approved and accurately recorded. KCTCS Administrative Policy 2.14 Leaves of Absence describes the various types of leave KCTCS offers. KCTCS requires reporting by leave type. In concurrence with the PeopleSoft payroll process, leave is awarded via automated accrual/award functionality. Dean Dorton Ford will test compensated absences as a part of the annual audit. 16 The Board should have sick and vacation leave policies that address the accrual, use, and the payment to employees for any unused sick, vacation, or compensatory time. KCTCS internal controls require each employee's accrued vacation and sick time to be reviewed and reported for each pay period. Additionally, as a part of the annual audit, the amount of accrued vacation and sick time are reviewed and adjusted. As a means to control future benefits cost, KCTCS has recently examined its post-employment benefits based on the effects of implementing GASB 45 s requirement of booking the liability for the future expense of other post-employment benefits. The Board of Regents at its March 13, 2009, meeting took action to modify future retirement (health insurance) benefits for employees hired on or after July 1, 2009. Dean Dorton Ford will test compensated absences as a part of the annual audit.

17 The Board policy should include a transparent, competitive selection process for the procurement of goods and services. The policy should outline the circumstances under which quotes or competitive bids are required and the process to be followed. The Board should have policies that require a formal contract for purchases over a specified amount and that all contracts over a specified dollar amount require Board approval. KCTCS uses a transparent, competitive selection process for the procurement of its goods and services. The procurement of goods and services is described in-depth within KCTCS Business Procedures (BP) 4.0 through 4.20. The Business Procedures prescribe the requirement and thresholds for purchases, including quotes and competitive bids, and the use of a procurement card for certain commodities and services. Further, the following three Business Procedures clearly define transaction levels and required approvals for purchases over a specified level: Dean Dorton Ford is aware of the Business Policies and Procedures manual and will refer to the manual during audit testing. BP 1.9 Financial Delegation of Authority. BP 1.10 Financial Transaction Approval Authority. BP 1.11 Approval Authority for Contracts and Agreements. 111 18 A review of budget to actual expenditures should be performed regularly by the Board or a designated Board Committee to monitor costs in each account. The name and number of budget categories or line items should provide transparency and sufficient detail to allow Board members to accurately identify the types of expenses being attributed to each category. If expenditures occur at an unexpected rate, additional detail should be requested to ensure that incurred expenditures are reasonable and necessary. On a quarterly basis, the financials of KCTCS are presented to the KCTCS Board of Regents Finance, Technology, and Human Resources Committee and then to the full Board by the committee. A Statement of Current Funds Revenue and Expenditures (comparison of actuals to budget) and a Statement of Net Assets are presented. Any significant nonroutine events and transactions are noted, as are any unusual fluctuations. Questions by the Finance, Technology, and Human Resources Committee or the Board are answered, and directives of the committee or the Board are researched, addressed, and action reported back to the Board/committee as appropriate. Please also see response to Recommendation 4. Dean Dorton Ford reviews the annual budget and will perform an analysis of budget to actual as part of the annual audit. 19 At least quarterly, the Board or a designated Board committee should receive and review a listing of payments that includes, at a minimum, the payee, dollar amount, and date of each expenditure. This review would assist in identifying inappropriate, unusual, or excessive expenditures. It would be impractical for the Board or designated Board Committee to be assigned to review in detail a listing of every payment, payee, dollar amount, and date of expenditure. KCTCS processes tens of thousands of payments annually. The listing of every payment, the payee, dollar amount, and date of expense is so voluminous in nature that it would not be a practical use of the Board's or Board committees time to review in detail. Nevertheless, at the Board's or a Board committee's request, management will provide the detail of any sample or all payments desired for any period requested, dollar threshold, type, sample size, etc. Dean Dorton Ford will review a sample of various expenditures throughout the audit process.

20 Executive management traveling out of state should present their plans and estimated costs to the Board for prior approval. The approval of these activities and associated costs should be addressed at the Board meetings to ensure proper documentation in the minutes. Subsequent to attending approved conferences or activities, the amount expended should be reported to the Board. The KCTCS President has established an approval process for out-of-state travel as described below. KCTCS System Office Personnel: Travel is reviewed and approved in advance by the KCTCS Cabinet Member in charge of the functional area where the employee is assigned. College Personnel: Out-of-state travel is reviewed and approved in advance by the college president. KCTCS President: Travel is reviewed and signed off by the KCTCS Vice President for Finance and the KCTCS System Director of Business Services. The KCTCS President s expenses, travel, or other reimbursements are also audited annually by the external auditor (currently Dean Dorton Ford). College Presidents: Travel is reviewed locally by the College Business Office and is also reviewed and signed off by the KCTCS System Director of Business Services. Dean Dorton Ford will test a sample of travel and entertainment expenses during the audit process. 112 21 To minimize and control the cost of travel, a travel expense policy should be developed that specifically defines the allowable costs related to lodging, meals, entertainment, personal mileage reimbursement, rental cars, and airfare. The travel expense policy should state the invoice requirements for the reimbursement of certain expenditures such as taxi fees, tips, parking, or tolls. The policy should provide examples of expenditures that are to be paid for by the employee, such as costs incurred by family members or the attendance at events not approved by the Board. This policy should explicitly state that expenses not in compliance with the travel expense policy would not be reimbursed or paid by the Board. KCTCS has prescribed Business Procedures (BP 8.1 Travel and BP 1.14 Nonemployee Meals and Refreshments) that define allowable costs for travel, including lodging, meals, entertainment, personal mileage, etc. along with expenses related to meals and refreshments for nonemployees. Dean Dorton Ford is aware of the Business Policies and Procedures manual and will refer to the manual during audit testing. 22 In lieu of credit cards, the Board should consider the following: The use of purchasing cards that would allow the Board to restrict the types of purchases that can be made on the card based on industry codes. Casinos, specialty retail outlets, and food and beverage establishments are examples of these restrictions. The amount spent on a single purchase can also be restricted through the use of a purchasing card. Reimburse employees personal credit card charges when the use is necessary. Procedures and supporting documentation requirements should be developed to facilitate this type of reimbursement. KCTCS asked its external auditor to review the KCTCS procurement card (ProCard) program in 2007. Subsequently, changes were implemented to tighten internal controls. All purchases made by a ProCard are supported by detailed description of the bona fide business purpose of the expense using appropriate supporting documentation. These transactions are reviewed by the cardholder and the cardholder's supervisor before payment is made. Systemwide, KCTCS has approximately 670 ProCards in use. KCTCS does restrict cards by employee, makes use of custodial card agreements when the card is used by anyone other than the cardholder named on the card, merchant category codes to disallow purchases with certain types of vendors, limit threshold amounts by day and month, etc. Dean Dorton Ford will review a sample of ProCard expenditures as part of the annual audit.

23 If the use of credit cards is needed, the Board should implement the following oversight controls: A Board member or committee of the Board should be assigned to review, at a minimum, credit card statements of Executive Staff prior to payment. Credit card charges should be supported by detailed receipts, documented business purpose, and supervisory approval. The employee should be responsible for the timely payment of any unsupported credit card charges or disallowed expenses. Policies established by the Board should ensure that all review procedures are performed in a timely manner to avoid late fee and finance charges. The KCTCS President, as a matter of practice, asked the KCTCS President s Leadership Team (i.e., senior leadership that includes the KCTCS President, college presidents, and the KCTCS President's Cabinet Members) not to have a procurement card. Further, KCTCS requires all its credit card purchases to be supported by detailed receipts, documented business purpose, and have the signature of the supervisor as the approver. KCTCS issues violations as warranted. Requests for reimbursement or return of the merchandise for credit is also pursued as warranted. KCTCS practice is to ensure that payments are made in a timely manner to avoid late fee or finance charges. Dean Dorton Ford will review a sample of ProCard expenditures as part of the annual audit. 113 24 Expenses classified as gifts or entertainment should be documented to include the name and title of the person(s) involved and a description of why the expense was needed and how it relates to business operations. Any and all expenses related to any gift made with KCTCS funds falls within BP 4.10 Special Purchase Authority. Entertainment expenses are required to have a bona fide business purpose as to the propriety of the expense and benefit to KCTCS. All meal expenses require documentation of attendees, and the BA50 form is required with an explanation of the business conducted for audit purposes. Entertainment expense for nonemployees falls under business procedure BP 1.14 Nonemployee Meals and Refreshments. In all instances (gift or entertainment), documentation must include the bona fide business purpose, attendee(s) or recipient(s), and the appropriate signatory approvals. For both gifts and entertainment, dollar limits are specified by type of activity. Some gifts (e.g. gift card versus a recognition plaque) may have tax implications; in such instances, KCTCS taxes according to IRS code and regulations. Dean Dorton Ford will test a sample of travel and entertainment expenses during the audit process. 25 A policy related to reimbursements made by employees to the organization should be developed to ensure that any expenses that should be paid by an employee are monitored. This policy should include the timeframe allowed for making the reimbursement and the alternative actions that will be taken if reimbursement is not made. KCTCS employee travel and reimbursement policies are addressed within Business Procedure 8.1 Travel. The procedure includes the timeframe and conditions required in seeking reimbursement. KCTCS Board of Regents travel and reimbursement policies are the same as that of KCTCS employees. Dean Dorton Ford will test a sample of travel and entertainment expenses during the audit process.

26 Business expense reimbursements requested by executive management should be reviewed by the Board or a designated Board committee to ensure supporting documentation is provided. This documentation should be retained to ensure that duplicate payments are not made to the employee. Reimbursements to Executive Management follow the same procedures as all KCTCS employees. Documentation is provided, or reimbursement is not made. All expenses of the KCTCS President are reviewed and signed off by the KCTCS Vice President for Finance and the KCTCS System Director of Business Services. The KCTCS President s expenses (travel or other reimbursements) are audited annually by the external auditor. KCTCS believes that this three-tiered review of the KCTCS President's expenses is an adequate alternative to KCTCS Board review of these expenses. Please see response to Recommendation 25. Dean Dorton Ford will also test a sample of the President's expenses as part of the annual audit. 114 27 Specific marketing goals should be developed to monitor the success of any business promotions approved by the Board. Marketing expenditures incurred should be coded to that goal so that Board members will know the expenses involved in a specific marketing promotion. Further, documentation should be maintained detailing the recipients of promotional prizes including tickets, trips, or merchandise. KCTCS marketing promotions has worked with a marketing vendor (Creative Alliance) to review and implement specific outcome metrics in comparison to expenses or defined outcomes of success. The metrics being used by KCTCS are nationally recognized standards. Tracking and documentation of recipients of promotional prizes including merchandise, tickets, trips, etc. also are occurring. Dean Dorton Ford noted that KCTCS has contracted with Creative Alliance for marketing services. As part of this contract, Creative Alliance provides marketing services for the System on a statewide basis, in order to gain economies of scale and to provide a consistent message to the market. Creative Alliance and KCTCS work together to develop specific metrics and goals for marketing activities. Dean Dorton Ford reviewed the presentation to the President's Leadership Team, which communicated the various marketing outcomes from the previous year, as well as the marketing plan and goals for the upcoming year.