Developments in High Risk Tiffany R. Winters, Esquire Brustein & Manasevit, PLLC Fall Forum 2011

Risk Management: What Does it Mean Primarily financial (protecting the integrity of federal funds) But can also be programmatic (what is ED’s return on investment) Risk = any barrier that prevents grantees and subgrantees from: (1) complying with federal law; and (2) meeting program objectives. 2

Risk Management: Why Does it Matter? Federal laws require ED to monitor risk levels at state/local level Internal problems at ED have led to increased awareness of the impact of state/local activities Significant audit/monitoring findings (including fraud, waste & abuse) These issues have led to a major ED restructuring to focus on risk issues 3

Risk Management Services RMS Group  Part of the Office of the Secretary 4 Primary Responsibilities: 1. Grant policy 2. Training/Customer service 3. Oversight of “high-risk” entities 4. Risk based monitoring 4

According to RMS… Successful Risk Mitigation  Application review identifies who can best implement the program  Risk analysis identifies issues that can impede program implementation  Early risk mitigation actions can improve grant administration 5

Improved Decisions by ED Grant Applications Risk Assessment Management strength Data sophistication Control environment Financial Soundness Assurances of compliance Capacity to deliver Subject matter expertise Viable program plan 6

Components of Internal Controls Risk Assessment Control Activities Information and Communications Monitoring Control Environment 7

Internal Controls – Control Environment Maintaining a level of competence that allows personnel to accomplish their assigned duties Clearly defined organizational structure Proper amounts of supervision Maintaining a good relationship with oversight agencies (like ED and OIG for example!) 8

Internal Controls – Risk Assessment What could go wrong? What assets do we need to protect? How could someone steal or disrupt operations? What information do we rely on? Risk High Low Judgment Required Low High Impact 9

Internal Controls – Control Activities Examples: Segregating Key Responsibilities Among Different People Restricting Access to Systems and Records  Authorizations / Passwords Implementing Clear Written Policies in Key Areas Performance Reviews Maintaining Physical Control Over Valuable Assets  Maintenance of Security Data System Checks Accurate and Timely Recording of Information 10

Risk / Internal Control Examples Scheme Fake Expense Reports Diversion to personal use Payroll / No work Rigged RFP – kickbacks Fictitious Vendors Fictitious Invoices District cards / personal use Control Lacking Preapproved vendor list Supervisory oversight / invoice review Supervisory payroll approval Tight RFP procedure / insulated Lack of RFP process Separation of duties Reconciliation of statements 11

Documentation Issues to Consider Record retention  State law  Federal law = 3 years  Statute of limitations = 5 years Records to facilitate an effective audit (comprehensive) Consistency of documentation Source documentation 12

RMS Want SEAs and LEAs to self-analyze and recognize risk  What are strategies for minimizing risk (i.e., succession planning, internal audit function, monitoring, self assessment, control environment)  Where are the entity’s greatest risks  How can ED help 13

Possible factors in risk matrix Amount of money received Single audit findings (especially repeat findings or findings in multiple districts) Federal program monitoring findings SEA monitoring of LEAs (Sub-recipient monitoring) Lapsed funds Program performance Compliance with laws/regulations Media reports! 14

Tips for Avoiding Risks Keep in mind federal cost principles and basic threshold compliance standards Have a well developed system of internal controls Document, document, document! 15

Top Single Audit Findings Unallowable Costs Reporting Property and Procurement Cash Management Subrecipient Monitoring 16

Single Audit Findings A-133 Audit NOT necessarily reliable regarding compliance  Not all programs are covered  Depth of Review  Problems with Quality Hold Firms Accountable Be Proactive  Internal Controls!! 17

RISKY Consequences

How to Trigger High Risk Status Puerto Rico: PRDE Secretary sentenced to 12.7 years – bribes and kickbacks New Orleans August 2005 OIG Audit $69.3 million not properly accounted for  OIG recommendation: Designate New Orleans High Risk and impose special conditions Detroit, August 2008 OIG Audit $53.6 million not adequately documented  OIG recommendation: Designate Detroit High Risk and impose special conditions Philadelphia, January 2010 OIG Audit $138.4 million unallowable or not adequately documented  OIG recommendation: Designate Philadelphia high risk and impose special conditions 19

You suspect an audit or some other trigger for high risk is here – or coming– What do you do? 20

High Risk Preemptive Strike a) Do nothing – the U.S. Department of Education will take over the high risk designation and process; b) May review overall State supervision of LEA’s in State administered programs 21

High Risk Preemptive Strike States/Districts prefer to manage the process at the state level – USDOE will generally not manage day to day – may require hiring outside third party fiduciary 22

High Risk Preemptive Strike States can take more active role  Cooperative SEA-LEA relationships generally in place  Closer to local conditions  Can move faster more flexibility 23

High Risk Preemptive Strike State high risk process a) Notify RMS that state is acting preemptively and will stay in close touch with RMS b) State designates LEA as high risk 24

State Designation to LEA as High Risk Formal letter Imposes conditions 25

State Designation to LEA as High Risk Conditions  Can be varied to fit circumstances  Include at minimum Risk assessment Corrective action plan Audit resolution process Review and revision if necessary of policies and procedures 26

 May include Restrictions on advance payment Contracting with third party to review internal controls Outsourcing some or all  LEA admin activities  Requirements to deliver manuals Personnel Procurement Payroll  Any other actions the SEA deems appropriate 27

Next Steps RMS, SEA, LEA Meeting Discussion includes steps taken  Timelines  Deliverables  Further Communication 28

Finally The LEA wants to know when this is over:  Rome wasn’t built in a day a.k.a. the conditions at issue did not develop in 6 months or a year  Be patient. 29

Firm Disclaimer (Yet Again) This presentation is intended solely to provide general information and does not constitute legal advice or a legal service. This presentation does not create a client-lawyer relationship with Brustein & Manasevit and, therefore, carries none of the protections under the D.C. Rules of Professional Conduct. Attendance at this presentation, a later review of any printed or electronic materials, or any follow-up questions or communications arising out of this presentation with any attorney at Brustein & Manasevit does not create an attorney-client relationship with Brustein & Manasevit. You should not take any action based upon any information in this presentation without first consulting legal counsel familiar with your particular circumstances. 30