Downsizing and Maintaining Strong Internal Controls by wgv13363





RSM McGladrey Inc. and McGladrey & Pullen LLP are member firms of RSM International – an affiliation of separate and independent legal entities.
Transparency and Accountability




Heightened Transparency and Oversight:
   “My Administration is committed to creating an
   unprecedented level of openness in Government. We
   will work together to ensure the public trust and
   establish a system of transparency, public
   participation, and collaboration. Openness will
   strengthen our democracy and promote efficiency and
   effectiveness in Government.”
   - President Barack Obama, in a Memorandum for the Head of
   Executive Departments and Agencies, issued his first day in
   office


Unprecedented Oversight and Monitoring from….

      • Office of Management & Budget
      • Government Accountability Office
      • State of Florida Auditor General
      • Recovery Act Accountability and
        Transparency Board
      • OMB Circular A-133
      • Other Federal and State agencies



What is the ARRA?
• The ARRA, commonly referred to as the “federal stimulus bill”, is a $787 billion
  stimulus plan enacted in response to a growing recession. It was signed into law
  on February 17, 2009.
• Key Message – Funds are to be expended responsibly and in a transparent
  manner to further job creation, economic recovery, and other purposes of
  the Act. To that end, the Act requires:
    – Merit Based Decision Making
    – Long-term Public Benefits
    – Optimizing Economic and Programmatic Results
    – Targeting Assistance Consistent with Other Goals

Florida Impact of Stimulus Funds

• Florida expects to receive up to approximately
  $13B over the program’s three years.
• $5.3B Fiscal Year 2009/2010
• Florida’s local governments are expected to
  receive $4.7B from the State over three years.
• $1.2B directly from the Federal government over
  three years.



Requirements that may be beyond normal practices:

• Specific timelines for obligating funds and awarding
  grants, or risk losing funds.
• Comprehensive quarterly reporting to the public and
  federal awarding agency on how funds are being
  used.
• Requirement to assess the risk of not achieving stated
  accountability objectives.


Requirements that may be beyond normal practices:
• Requirement to track and report progress against
  accountability measures, including measures relating to timely
  awards, improper payments, and proper oversight.
• US Treasury has developed a unique set of Treasury
  Appropriation Fund Symbols to track funding. Funds may not
  be commingled within financial systems; agencies must
  separately track apportionments, allotments, obligations, and
  outlays related to Recovery Act funding.
• Reporting of status of projects or activities for which recovery
  funds were obligated and expended, including jobs created
  and/or retained by the project/activity.

Are you prepared?
• There are 100+ programs, each with its own set of eligibility
  criteria……
• Have you identified resources to ensure compliance, accountability,
  transparency and risk management requirements?
• Are accounting processes established to segregate Recovery funds
  from other sources?
• Are management reporting processes for financial and program results
  established?
• Have you reviewed your Single Audit readiness?
• Have you established appropriate internal control and monitoring
  systems?


Stay Up-To-Date
•   www.whitehouse.gov/omb/
•   Recovery.gov
•   Flarecovery.com
•   Agency web-sites

    The Florida Recovery website is updated regularly.




Why is Internal Control Important?

Financial Reporting
• Promotes integrity of data used in making business decisions
• Assists in fraud prevention and detection through the creation of an
  auditable trail of evidence

Operations
• Promotes efficiency and effectiveness of operations through standardized
  processes
• Ensures the safeguarding of assets through control activities

Laws and Regs
• Helps maintain compliance with laws and regulations through periodic
  monitoring

What is COSO?

Provides the Internal Control Integrated Framework:
    –   Control Environment
    –   Risk Assessment
    –   Control Activities
    –   Information and Communication
    –   Monitoring




Internal Control Design, Assessment and Monitoring


[Diagram labels: Entity Risk Assessment; Process Assessments; On-going Monitoring; Process Analysis; Process Assurance; Process Improvement; Process Overview; Risk Identification; Document and Evaluation of Existing Controls; Final Control Evaluation]

Entity Risk Assessment

A “true” top-down approach should put significant emphasis on entity-level
controls and “tone at the top”.

• Evaluate Entity-Level Controls
• Identifying Key Processes with Significant Risk
    – Change
    – Complexity
    – Public-perception
    – Volume
    – Financial
    – Legal and Regulatory

[Graphic label: Managing Risks]

What is a Facilitated Session? [Process Overview]

• Includes Key Process Owners
• Includes Subject Matter Experts
• Encourage discussion
• Evaluation of process
• Process Enhancement

Creates buy-in…….

Process Mapping [Process Overview]

• Understand the process
• Common Language
• Show complexity, bottlenecks, redundancy and re-work loops
• Identifies transactional hand-offs
• Highlights “risk zones”
• Highlights “control points”
• Used to promote consistency/turnover

[Flowchart: Purchase to Pay process map with lanes for Departments, Purchasing Agent, and SAP “Logistics” Purchasing Module, with off-page connectors “From Pg 3” and “To pg 2”.
 Departments: Start; Electronically submit purchase requisition [PR] approved per authority matrix, informal quote process (220).
 Purchasing Agent: Login into Purchasing Module to identify released PRs; Review PR for appropriateness, pricing and approval by originating department; decision “PR approved appropriately?” (Yes/No); Create and approve PO with values for goods and/or services (225); Notify departments PO processed.
 SAP “Logistics” Purchasing Module: Automatically creates actual PR and assigns unique commodity number; Access over POs including purchase adjustments is segregated (200); Creates, configure actual PO and assigns unique commodity number; Configures actual PO and assigns unique commodity number (230).
 Legend: Process Step, Automated Control, Manual Control, Gap.]

Identifying Key Risk Within a Process [Risk Identification]

Inherent Risk is the susceptibility of an account balance
  or class of transactions to misstatement that could be
  material, individually or when aggregated with
  misstatements in other balances or classes, assuming
  that there were no related internal controls.

Risks can be:
• Financial
• Operational
• Regulatory
• Public Perception

[Chart: Risk Impact versus Likelihood of Occurrence, in four quadrants:
 High Exposure: Risk Coverage High Priority;
 Moderate Exposure: Risk Coverage Periodic;
 Moderate Exposure: Risk Coverage Self-assessment/rotational;
 Low Exposure: Risk Coverage Monitoring only.]

Identification of Risks [Risk Identification]
Procure-to-Pay (Example)

What Ensures…..
•   All purchase orders are input and processed
•   Arm's-length transactions with related parties and proper disclosure
•   Purchases are for proper business purposes
•   Purchasers are not receiving kickbacks from vendors
•   Purchases are not from fictitious vendors
•   Vendor master file is pertinent, accurate and changes are timely and valid
•   Purchase orders have been properly approved
•   Purchases are not in violation of Florida Statutes & local ordinances
•   Amounts posted to accounts payable represent authorized and valid goods received and/or services
    rendered
•   Amounts for goods received and services rendered are input and processed in the correct period
•   Duplicate purchases are not made
•   Disbursements are only made for goods received and/or services rendered
•   All disbursements are accurately calculated and recorded in the period in which they are issued

Control Activity [Document and Evaluation of Existing Controls]

Internal controls are the policies, procedures, practices, and
organizational structures implemented to achieve business
objectives and more importantly to protect the organization.

A control activity is a policy or procedure designed to
help ensure that control objectives are met.

Types of Controls [Document and Evaluation of Existing Controls]

• Automated Controls - Consider the apparent
  effectiveness of information technology controls
• Preventative – Stop problems from occurring in the first
  place.
• Detective – Uncover problems after the fact.
• Manual Controls - Consider the competence,
  experience and diligence of the persons performing control

Commonly Performed Control Activities [Document and Evaluation of Existing Controls]

 • Top level review:
    – Actual to budget performance
    – Action taken following review
 • Activity Management:
    – Review of A/R aging
    – Reconciliation of ledgers
    – Identification of trends and actions (e.g. slow payers)
 • Information Processing:
    – Edit checks prior to entry
    – Exception reporting

Mitigating Controls Procure-to-Pay (Example) [Document and Evaluation of Existing Controls]

•   Appropriate segregation of duties exists.
•   Access is reviewed on at least an annual basis.
•   Purchase requisitions are approved per the established authority matrix.
•   When POs are not utilized for purchases, approval per the established authority
    matrix is required on the invoice.
•   Purchase orders are sequentially numbered. The sequence of purchase orders
    processed is accounted for.
•   A three-way match is performed.
•   The purchasing manual includes the request for quote procedures, including how to
    document basis of award or why quotes were not obtained.
•   Bids are required for all applicable purchase requisitions, including documentation
    as to why or why not bids were obtained.
•   A formal vendor approval process exists.
•   Due diligence is performed on potential vendors to prevent unidentified purchases
    with related parties.
•   Commissioners disclose related party relationships.

Mitigating Controls Procure-to-Pay (Example) [Document and Evaluation of Existing Controls]

•   The AP sub-ledger is reconciled to the G/L on a monthly basis.
•   Independent bank reconciliation.
•   Aged accounts payable is reviewed periodically for vendors with credit balances
    and resolved.
•   The Organization performs a periodic review of duplicate invoice numbers and/or
    overpayments to vendors.
•   Blank check stock is stored in a secured place under lock and key.
•   AP matches the unposted check register to actual check register and reconciles
    each pay run.
•   A conflict of interest policy is established under the Organization’s name.
•   Monthly, Management performs a budget to actual analysis on financial results,
    with variance percentages by line item.
•   Vendor additions/changes/deletions are reviewed on a periodic basis.
•   Vendor lists are reviewed on at least an annual basis for ongoing pertinence.

Segregation of Duties [Document and Evaluation of Existing Controls]
Procure-to-Pay

The basic intent of segregation of duties (SOD) controls is
that no one person should have excessive control over
one or more critical processes.

•   The person who approves invoices for payment
    should not be responsible for writing and signing
    checks.
•   The person who writes a check should not be the one
    to sign it.
•   The person who requisitions the purchase of goods
    or services should not be the person who approves
    the purchase.
•   The person who approves the purchase of goods or
    services should not be the person who reconciles the
    monthly financial reports.
•   The person who approves the purchase of goods or
    services should not be able to obtain custody of
    checks.
•   The person who maintains and reconciles the
    accounting records should not be able to obtain
    custody of checks.

•   Authorization
•   Custody of Assets
•   Recording
•   Control Procedures

Final Control Evaluation

For identified control gaps, consider:
   – Likelihood and magnitude
   – Consider compensating controls
   – Evaluate entity-level controls
   – Evaluate residual risk
       • Financial
       • Legal and Regulatory
       • Operational
       • Public perception
   – Consider cost/benefit
   – Take corrective action if material or significant

COSO Monitoring: [On-going Monitoring]

The COSO Framework states that “Monitoring ensures that internal control
continues to operate effectively.”

The COSO Framework recognizes that risks change over time and that
management needs to “determine whether the internal control system
continues to be relevant and able to address new risks.”

Progress Through Sharing…

