Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internal Controls and Audit Findings FMC Conference September 2018

Published byDarlene Moore Modified over 6 years ago

Similar presentations

Presentation on theme: "Internal Controls and Audit Findings FMC Conference September 2018"— Presentation transcript:

1 Internal Controls and Audit Findings FMC Conference September 2018
Discuss that this training will focus more on not just how to fill out the spreadsheet, but how to start to look for gaps

2 Agenda Internal Control System Overview
Accurate Financial Reports and YOU……. Control Activities and Audit Findings Internal Control System Ongoing Considerations

3 Effective Internal Control System
The five components (of Green Book) must be properly designed, implemented, and then operate together, for an internal control system to be effective. The 17 principles support the associated components and represent additional requirements for an effective internal controls system. The various attributes provide further explanation and documentation requirements, or include examples of procedures that may be appropriate for an organization. Going to shift the focus of our training slightly. The templates are getting better, but there are still some instances where the answers may not be what is actually occurring at the Organization as well as some missing information……

4 Internal Control System Design
Management needs to implement and design an internal control system that effectively and efficiently addresses the identified risks, and allows the organization to achieve their objectives. No two organizations will have an identical internal control system because of differences in factors such as mission, regulatory environment, size, and management’s judgment. Responsibility of management Don’t just copy someone else

5 Internal Control System Design
Accuracy - Transactions are recorded at the correct amount in the right account (and on a timely basis) at each stage of processing. Does it matter which way you establish and analyze control activities???? For example, looking for capital asset balances recorded in the accounting records at the correct amounts, would it matter if you: Start at accounting records vs. Start at an outside source This is accuracy

6 Internal Control System Design
Completeness - Transactions that occur are recorded and not understated. So, does it matter which way you establish and monitor control activities???? For example, looking for capital assets not recorded in accounting records, would it matter if you: Start at accounting records vs. Start at an outside source This is completeness – need to start with an outside source when looking for missing items

7 Internal Control System Design
Validity - Recorded transactions represent economic events that actually occurred and were executed according to prescribed procedures. Does it matter which way you establish and analyze control activities????For example, looking for capital assets recorded in the accounting records that do not exist, would it matter if you: Start at accounting records vs. Start at an outside source This is validity – need to start with accounting records as you are trying to “prove” what is recorded in them

8 Internal Control System Design
Therefore, when designing control activities for these two specific risks, should they be the same? NO Capital assets are not all included in the accounting records. Capital assets that are not valid are recorded in the accounting records (such as including capital assets that do not physically exist). Remember one is completeness and one is validity – start at two different places so they can not have the same control activities

9 Internal Control System Design
Where would you start designing control activities looking this specific risk?..... Outside sources Specific Risk Potential Control Activities Capital assets are not all included in the accounting records. Perform physical verifications (comparing physical existence to actual assets recorded) and reconcile any differences Review purchases over the capitalization threshold and verify asset was added to records, if appropriate This is Completeness – looking for items not in your accounting records, so start somewhere outside of your records

10 Internal Control System Design
Where would you start designing control activities looking this specific risk?..... Accounting records Specific Risk Potential Control Activities Capital assets that are not valid are recorded in the accounting records (such as including capital assets that do not physically exist). Perform routine physical verifications (comparing assets recorded to physical existence) and reconcile any differences Performing routine reconciliations between the control account in the accounting records to the detail accounts/asset records. This is validity – trying to prove what is already recorded in your accounting records, so you would start there and compare to something outside of records

11 Internal Control System Operation
Once the internal control system has been properly designed, management then determines if the organization has placed the system into operation as designed. Management determines if the controls were applied at relevant times, in a consistent manner, and by whom they were applied. Even if you have the best design then you still need to make sure it is operating as designed Have right people, doing the right things

12 Putting it all Together
Your internal control system should be what is recorded on the submissions to SAO Document controls actually in place, don’t just document the “right answer” Also, this is not just an exercise to fill out something to be submitted to SAO, instead your internal control system should monitored on an ongoing basis. Don’t just give the answer you think is right, it will not help see the true picture of operations and controls

13 Accurate Financial Reports and YOU…….

14 So How Does This Impact Me??
The State has an objective for “accurate financial reports”, so there should be internal control systems designed and operating effectively to provide accurate data….. Where does the data creating the State’s Statewide financial reports (such as CAFR and Single Audit) come from? Our financial reports can only be as good as the data we get from you…. YOU

15 CAFR Information…. Organization’s accounting records you maintain in State’s Financial Software (Teamworks) Year end forms convert data from the accounting basis used in the accounting records (every day recording) to accounting basis necessary based on GASB/GAAP Data you submit to SAO on Year-end forms, trial balance shells, and miscellaneous requests

16 Single Audit Information….
Federal awards data you submit to SAO via the SEFA webportal Status of Prior Year Findings and Current Year Corrective Action Plans you submit to SAO Single Audit is compiled from Findings responses and SEFA data organizations submit

17 Control Activities and Audit Findings

18 Financial Reporting “Why” should we all care about your internal control system: Effective internal controls provides reasonable assurance that objectives of the organization will be achieved: Accurate accounting records and financial reports Maintain fiscal health of the State Your internal control system relating to accurate accounting records and financial reports should be documented on SAO’s templates. Always step back and think about what is the State trying to accomplish with the renewed focus on internal controls Correlation between errors on CAFR information/year end forms provided and how the controls for those areas were reported on the templates submitted by the Organizations

19 Internal Control System vs. Findings
So, if the control activities reported in SAO submissions seem pretty good, then why are there still audit findings (which identify internal control system weaknesses)? ? Remember you should be aware of this before the auditor tells you so Something is still not adding up, since we are seeing good controls listed but continue to get audit fidnings The control activities reported in the submission must not be actually occurring the same way as documented……. So either they are not designed properly OR not operating as designed.

20 Internal Control System Deficiencies
Therefore……. Organizations should already identifying these internal control system deficiencies in your submissions, mainly as: High residual risk ratings Remember, organizations then need to “fix “ that high residual risk which could include: Redesigning the internal control system Monitoring more closely to ensure the internal control system is operating as designed Remember residual risk is what is left over after considering control activities in place If something is not working, it needs to be fixed

21 Single Audit Finding Trends
Now, let us look at the “Top 4” topics in recent audit findings: Recently started doing trend analysis of types of findings, who is getting them, etc

22 Financial Reporting Findings
Audit Findings were received at both the organization level and Statewide level (relating to both CAFR and SEFA schedule) Statewide finding has been received last four years Financial reporting was topic with most number of findings over the last 5 years

23 Financial Reporting Findings
Some “highlights” from these audit findings: “Our examination of all the forms included in the year-end financial reporting package revealed some errors and omissions….” “…basic financial statements revealed several material errors” “Identified discrepancies in the reporting of federal award expenditure information related to transactions between State organizations” The Organizations were not able to reconcile the difference of $10,702,279. The Organizations were not able to reconcile the remaining $6,007,518 difference. The Organizations did not report the pass-through activity under the same CFDA number. Snipits from the actual audit findings

24 Findings vs. Internal Control System
Does that internal control system seem appropriately designed? If so, then how can there be a finding? And should the auditor or management be the first to be aware of the finding? Finding Control Activities Submitted by Organization Residual Risk “Our examination of all the forms included in the year-end financial reporting package revealed some errors and omissions….” The Accounting Manager verifies amounts are properly reported on the General Ledger. Queries and reports are examined to ensure all applicable information is properly reported. The Accounting Manager prepares the form and gives all documentation to the CFO to verify the amounts and information is reported correctly. If the CFO agrees, the Accounting Manager submits report to SAO. Low – All risks compensated for Controls listed seem pretty good, so WHY STILL FINDING

25 Findings vs. Internal Control System
Do those internal control systems seem appropriately designed? If so, then how can there be a finding? And should the auditor or management be the first to be aware of the finding? Finding Control Activities Submitted by Organization Residual Risk The Organizations were not able to reconcile the difference of Federal related amounts. Information is reconciled at the transaction level to totals from accounting systems and modules. A reconciliation is part of the SEFA process to ensure accuracy, completeness and appropriate accounting basis. Once the SEFA report is completed it is forwarded to the Finance Director for final review and approval. Low Controls listed seem pretty good, so WHY STILL FINDING

26 Findings vs. Internal Control System
Does this internal control system seem appropriately designed? If so, then how can there be a finding? And should the auditor or management be the first to be aware of the finding? Finding Control Activities Submitted by Organization Residual Risk The Organizations did not report the pass-through activity under the same CFDA number. Preparer uses guidance from Federal Uniform Grant Guidelines concerning federal awards and sub-recipients Report is reviewed and approved by competent person before submission to SAO; Preparer uses documentation identifying sub-recipients by CFDA number. Low - Residual risk is very minimal if all the control steps are completed. Controls listed seem pretty good, so WHY STILL FINDING

27 FY18 Deficiencies Already Seen………
SAO has already returned FY18 year-end forms, PCAs, and SEFA data for not being fully and accurately completed by organizations Remember your data is used to prepare the Statewide financial reports, therefore, it is important to record correct information, on the year-end forms, PCAs, and in the SEFA webportal. Inaccurate information should not be turned in just to meet a deadline. Already SAO is already seeing issues with forms/data being received

28 FY18 Deficiencies vs. Internal Control System
Those organizations should take a look at their internal control system now …… and update the design or find a way to make sure it is operating as designed, in order for system to be effective. Remember, there are still various year-end forms to be submitted, and effective internal control systems should be in place to ensure only accurate data is submitted. And if applicable, determine how to mitigate residual risk to low. Fix now

29 FY18 Deficiencies vs. Internal Control System
Does that internal control system seem appropriately designed? If so, then how can there be PCAs that need to be returned? FY18 Deficiency Control Activities Submitted by Organization Residual Risk "Post-Closing Adjustments Form: fund, amounts and account codes, etc. reported are not accurate and do not agree with accounting records and/or supporting documentation" Accountant completes a trial balance reconciliation and analysis to ensure PCA will have the desired impact. Management reviews the completed form, reconciliation and supporting documentation. Medium Controls listed seem pretty good, so WHY STILL BAD FORMS/PCAs/DATA

30 Capital Asset Findings
Some “highlights” from these audit findings: Assets could not be located Assets missing from inventory records Errors in inventory records (wrong location, wrong serial number, not complete, etc.) Amounts not properly recorded and reported 2nd most common finding

31 Findings vs. Internal Control System
Does that internal control system seem appropriately designed (is there enough detail to determine that)? In this case, would need to capture more specifics to determine if it is not designed properly or not operating as designed. Finding Control Activities Submitted by Organization Residual Risk Assets could not be located Errors in inventory records and assets not listed Inventory rows of RA/CA submission were marked N/A Ensure that all capital assets recorded in the accounting records are valid by utilizing layers of control activities Personnel perform reconciliations with management reviews, and management monitors and reviews account balances, variances, and reports. Low - Manual and system controls reduce the risk to a low level. Controls could be expanded on to include more on issues in finding, then can assess if design needs to be updated or if not operating as designed

32 Findings vs. Internal Control System
Does that internal control system seem appropriately designed? In this case, would need to capture more specific control activities relevant to capital assets to determine if it is not designed properly or not operating as designed. Finding Control Activities Submitted by Organization Residual Risk Amounts not properly recorded and reported Accountant follows guidance from SAO specifically the "Cash, Cash Equivalents and Investments" and business process policies in the Cash Management section. Accountant's manager reviews a sample of general ledger cash postings and traces back to source documents to ensure correct chartfields were used. Low - All Risks are compensated for in this analysis. This is capital assets risk, cash policy would not apply – be careful to list control activities relevant to the specific risk example you are answering

33 IT Findings Some “highlights” from these Information Technology (IT) audit findings: Lack of segregation of duties for user access Lack of adequate procedures to monitor internal controls at service organization User access not match current job role Lack of segregation of duties for system changes 3rd most common, and growing fast

34 Findings vs. Internal Control System
Control Activities Submitted by Organization Lack of segregation of duties for user access Separation of duties not allowing the same position to record and reconcile cash activity. There is a segregation of duties between the individuals recording cash transactions (AR & AP) and the individuals performing the cash reconciliations (GL). Finding Control Activities Submitted by Organization Lack of adequate procedures to monitor internal controls at service organization Reconciliations to external Systems are prepared at least monthly. Controls listed seem pretty good, so WHY STILL FINDING

35 Findings vs. Internal Control System
Control Activities Submitted by Organization User access not match current job role Restricted account setup to Sr. Accounting Mgr/Director of Accounting/Sr. Director of Finance Finding Control Activities Submitted by Organization Lack of segregation of duties for system changes None Controls could be expanded/included on to include more on issues in finding, then can assess if design needs to be updated or if not operating as designed Most organizations included little to no IT controls in their submissions. Should IT controls be documented???

36 IT Control Activities Yes………..
Even though there are not specific questions or risk examples solely devoted to IT, the statewide guidance for the control activities component has this requirement: “If the organization relies on information technology in its operations, then management designs control activities so that the information technology continues to operate properly” Most every organization relies to some extent on information technology, so therefore those control activities should be documented in your submission. Controls could be expanded on to include more on issues in finding, then can assess if design needs to be updated or if not operating as designed

37 Potential Control Activities
IT Control Activities Remember most of the IT Findings could be mitigated by fairly simple control activities……. Specific Risk Potential Control Activities Lack of segregation of duties for user access User access not match current job role Supervisor or Manager routinely reviews user access for segregation of duties (for example, someone with payroll access should not have HR access). CIO routinely compares financial user access to job roles. Supervisor completes form signed by Manager (and others) updating or removing user access for job changes.

38 Bank Reconciliation Findings
Some “highlights” from these audit findings: Not properly identifying and resolving reconciling items timely Unreconciled differences between accounting records vs. bank balances Last topic we will discuss today

39 Findings vs. Internal Control System
Does this internal control system seem appropriately designed? If so, then how can there be a finding? And should the auditor or management be the first to be aware of the finding? Finding Control Activities Submitted by Organization Residual Risk Not properly identifying and resolving reconciling items timely Bank reconciliation performed and signed by employee comparing G/L activity with the Bank Statement. Supervisor performs verification and attestation by authorizing signature on monthly Bank Reconciliation. Reconciling items are reviewed and corrected in a timely manner. Low - Multiple touch points of verification mitigated by supervisory review for accuracy. Controls listed seem pretty good, so WHY STILL FINDING Fairly significant difference in the 2 balances

40 Findings vs. Internal Control System
Does that internal control system seem appropriately designed (is there enough detail to determine that)? In this case, would need to capture more specifics to determine if it is not designed properly or not operating as designed? Finding Control Activities Submitted by Organization Residual Risk Unreconciled differences between accounting records vs. bank balances N/A - Minimal cash received by the Department N/A Controls could be included on to include more on issues in finding, then can assess if design needs to be updated or if not operating as designed

41 Bank Reconciliations Remember bank reconciliations are a very important control activity that will most likely be documented in other specific risk rows in the template, such as: Fund balance is not all included or not recorded at the correct amounts in the accounting records Revenues are not all included or not recorded at the correct amounts in the accounting records Expenditures are not all included or not recorded at the correct amounts in the accounting records So, even though this organization did not record control activities in the cash rows in the initial template, bank reconciliation controls should have been documented in other risk areas as well. Note: Bank reconciliation business process policy recently updated, with sample template for bank reconciliations Should be incorporated in to many aspects of the overall internal control system design

42 Internal Control System Ongoing Considerations

43 Overall Impact Remember your internal control system impacts all aspects of your organization and daily functions Don’t wait for an audit finding before reviewing the internal control system design and operation Also, don’t just think of it as completing the submission but more an overall culture change, training, discussion, etc. Remember not to view as a template needing to be submitted, but consider overall impact on your organizations and potential results of a bad system design and/or operation

44 Future SAO will request updated and/or new submissions
Control Environments will be re-submitted in November Some new and exciting ways to submit internal control templates SAO will offer additional trainings Upcoming deadline and expectation for control environment submission CPE video – looking for moderator, etc.

45 Where to Find Information
The Green Book is available on GAO’s website at: SAO’s website: My Contact Information: 45 45

Download ppt "Internal Controls and Audit Findings FMC Conference September 2018"

Similar presentations

INTERNAL CONTROLS.

INTERNAL CONTROLS.
MONITORING OF SUBGRANTEES

MONITORING OF SUBGRANTEES
Fiscal Monitoring: Ensuring Accountability of Your Sub-Grantees

Fiscal Monitoring: Ensuring Accountability of Your Sub-Grantees
Internal Controls Becoming Compliant. Design & Implementation of Internal Controls. Design: Need to show that a framework is in place to establish internal.

Internal Controls Becoming Compliant. Design & Implementation of Internal Controls. Design: Need to show that a framework is in place to establish internal.
The Islamic University of Gaza

The Islamic University of Gaza
MODULE 8 MONITORING INDIANA HPRP Training 1. Role of Independent Financial Monitors 2 IHCDA is retaining an independent accounting firm to monitor its.

MODULE 8 MONITORING INDIANA HPRP Training 1. Role of Independent Financial Monitors 2 IHCDA is retaining an independent accounting firm to monitor its.
OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.

OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.
Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.

Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.
1. Definition of a Reconciliation 2. Importance of a Reconciliation 3. When to Prepare a Reconciliation 4. Items Needed to Prepare a Reconciliation 5.

1. Definition of a Reconciliation 2. Importance of a Reconciliation 3. When to Prepare a Reconciliation 4. Items Needed to Prepare a Reconciliation 5.
AUDITING CHAPTER 14 Control & Substantive Tests in Personnel & Payroll

AUDITING CHAPTER 14 Control & Substantive Tests in Personnel & Payroll
SAS 112: The New Auditing Standard Jim Corkill Controller Accounting Services & Controls.

SAS 112: The New Auditing Standard Jim Corkill Controller Accounting Services & Controls.
Chapter 10 Cash and Financial Investments McGraw-Hill/Irwin

Chapter 10 Cash and Financial Investments McGraw-Hill/Irwin
An Educational Computer Based Training Program CBTCBT.

An Educational Computer Based Training Program CBTCBT.
Effective Management and Compliance 1 ANA GRANTEE MEETING  FEBRUARY 5, 2015.

Effective Management and Compliance 1 ANA GRANTEE MEETING  FEBRUARY 5, 2015.
ARMICS Randy Sherrod, Internal Audit Manager – Department of Behavioral Health and Developmental Services.

ARMICS Randy Sherrod, Internal Audit Manager – Department of Behavioral Health and Developmental Services.
INTERNAL CONTROL OVER FINANCIAL REPORTING

INTERNAL CONTROL OVER FINANCIAL REPORTING
Chapter 5 Internal Control over Financial Reporting

Chapter 5 Internal Control over Financial Reporting
Internal Control in a Financial Statement Audit

Internal Control in a Financial Statement Audit
Auditor Relationships – What you can do to make them as painless as possible Presented by Matthew Lenton, C.P.A. M AYER H OFFMAN M C C ANN P.C. 2301 Dupont.

Auditor Relationships – What you can do to make them as painless as possible Presented by Matthew Lenton, C.P.A. M AYER H OFFMAN M C C ANN P.C Dupont.
Internal Control in a Financial Statement Audit

Internal Control in a Financial Statement Audit

Similar presentations

Ads by Google