Common Deficiencies in Internal Control that I’ve seen in Government and Not-for-Profit Auditing

About your presenter…
Keith Hundley, CPA
• Audit partner with CRI
• Based in CRI’s Enterprise, AL office
• 20+ years serving governments and not-for-profits
• Assurance and consulting services
• Government focus at the state and local level
• Nonprofit focus on CAAs and Head Start
• Fiscal Consultant with Head Start’s National Center for Program Management and Fiscal Operations (PMFO)
• CRI SME in the areas of Uniform Guidance and Single Audits
• Member of CRI’s Internal Inspection Team – Governmental Audits, as well as a regular presenter of CPE topics for CRI
• Speaker and training services at the national, regional, state and local level

Common Deficiencies in Internal Control
• Information Technology (ITGC)
• Financial
• Grants Compliance
VERY IMPORTANT – EFFECTIVE CONTROLS MUST BE VERIFIABLE AND AUDITABLE

Common Deficiencies in Internal Control: Information Technology General Controls (ITGC)

ITGC Control Objectives (There are 5)
1. The entity has an IT strategic planning and risk assessment process in place to support the financial reporting process
2. The entity maintains reliable systems that include appropriate data backup and recovery
3. Physical security and access to programs and data are appropriately controlled to prevent unauthorized use, disclosure, modification, damage or loss of data
4. Program changes (including report development) and systems acquisition and development are appropriately managed to ensure that the application software and reports adequately support internal control and financial reporting objectives
5. Service Organization user complementary controls are implemented

ITGC Control Objective 1: The entity has an IT strategic planning and risk assessment process in place to support the financial reporting process
• IT steering committee responsible for reviewing and approving IT plans and priorities
• IT is regularly evaluated for risks, and any identified risks are appropriately addressed

ITGC Control Objective 2: The entity maintains reliable systems that include appropriate data backup and recovery
• Data backup/retention policy and schedule (how often backups are performed, how long they are retained, where backup media is stored)
• Application data and file server recovery procedures are tested at least annually to ensure data integrity and recovery
• Interfaces between systems include appropriate controls to ensure complete and accurate transfer of data
• Appropriate environmental controls (fire/smoke detection, temperature controls, alternate power supply)
• A process exists to ensure that systems incidents, problems, and errors are reported, analyzed, and resolved in a timely manner

ITGC Control Objective 3: Physical security and access to programs and data are appropriately controlled to prevent unauthorized use, disclosure, modification, damage or loss of data
• An information security policy exists and is supported by documented standards and procedures
• Procedures exist and are followed to ensure timely action relating to requesting, establishing, issuing, suspending, modifying, and closing user accounts, including appropriate authorization
• User access rights (network, application and database) are granted on a need-to-know, need-to-do basis that considers appropriate segregation of duties
• Procedures exist to maintain the effectiveness of authentication and access mechanisms (e.g., password length, password history, password expiration and lockout for failed attempts)

ITGC Control Objective 3 (continued)
• Controls are in place to ensure that all users are identified uniquely
  – No shared IDs are used except for limited read-only access
  – Access rights for any guest IDs are appropriately limited
• Physical access to servers, off-line data storage and other sensitive areas is appropriately restricted to authorized personnel, and access is reviewed for appropriateness on a periodic basis
• Controls over perimeter and network security are in place. Such controls may include firewalls, routers, terminal service devices, wireless security, intrusion detection, and vulnerability assessments

ITGC Control Objective 3 (continued)
• Software users are prohibited from having access to source code, the compiler, and programming documentation, including protection of critical spreadsheet formulas
• There is adequate segregation of duties among those who:
  – Administer IT security
  – Make changes to programs or systems
  – Perform transactions and accounting functions
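Because the deck stresses that a control must be verifiable and auditable, here is an added example (not from the presentation) of how the three Objective 3 tests above can be run over an exported user roster: shared IDs outside read-only access, over-privileged guest IDs, and segregation-of-duties conflicts among IT security administration, program changes and transaction processing. The roster format, the privilege-class names and the sample accounts are assumptions constructed for the example.

```python
"""Access-rights review for ITGC Control Objective 3 (added example, not from the deck).
Tests a user roster for shared IDs beyond read-only access, over-privileged guest IDs,
and segregation-of-duties conflicts between IT security administration, program
changes and transaction processing. Roster format and class names are assumptions."""
from dataclasses import dataclass

# Duty classes the deck says must be segregated, plus the read-only class.
IT_SECURITY = "administer_it_security"
PROGRAM_CHANGE = "change_programs"
TRANSACTIONS = "perform_transactions"
READ_ONLY = "read_only"
SEGREGATED = {IT_SECURITY, PROGRAM_CHANGE, TRANSACTIONS}

@dataclass(frozen=True)
class Account:
    user_id: str
    holders: tuple     # named individuals who know this credential
    rights: frozenset  # privilege classes granted (network, application, database)
    guest: bool = False

def review_access(roster):
    """Return (user_id, finding) tuples; an empty list means no exceptions noted."""
    findings = []
    for acct in roster:
        rights = set(acct.rights)
        # Shared IDs are tolerated only when the access is limited to read-only.
        if len(acct.holders) > 1 and rights != {READ_ONLY}:
            findings.append((acct.user_id, "shared id with more than read-only access"))
        # Guest IDs must not carry anything beyond read-only rights.
        if acct.guest and rights - {READ_ONLY}:
            findings.append((acct.user_id, "guest id holds non-read-only rights"))
        # Segregation of duties: one person should hold at most one duty class.
        duties = sorted(rights & SEGREGATED)
        if len(duties) > 1:
            findings.append((acct.user_id, "segregation-of-duties conflict: " + ", ".join(duties)))
    return findings

# Constructed sample roster (not real data).
SAMPLE_ROSTER = [
    Account("jdoe", ("J. Doe",), frozenset({TRANSACTIONS})),
    Account("sysadmin", ("A. Smith", "B. Jones"), frozenset({IT_SECURITY})),  # shared privileged id
    Account("reports", ("C. Lee", "D. Kim"), frozenset({READ_ONLY})),         # permitted shared read-only
    Account("guest", ("visitor",), frozenset({READ_ONLY, TRANSACTIONS}), guest=True),
    Account("mwhite", ("M. White",), frozenset({PROGRAM_CHANGE, TRANSACTIONS})),  # SoD conflict
]

if __name__ == "__main__":
    for user_id, finding in review_access(SAMPLE_ROSTER):
        print(f"{user_id}: {finding}")
```

The exception list is the evidence a periodic access review retains; rerunning the same script each period is what makes the control verifiable rather than asserted.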

ITGC Control Objective 4: Program changes (including report development) and systems acquisition and development are appropriately managed to ensure that the application software and reports adequately support internal control and financial reporting objectives
• Formalized change management policies and procedures exist, and changes are appropriately approved and tracked in a centralized change tracking database or system
• Application controls are formally considered and documented during the implementation of new information systems
• Users are involved in deriving application system requirements
• A test plan is developed and followed for all major implementation projects
• User acceptance testing is performed on all user-requested projects. Tests are completed and documented prior to the move into production.

ITGC Control Objective 5: Service Organization user complementary controls are implemented

Common Deficiencies in Internal Control: Financial

Deficiencies in Internal Control – Material Weaknesses
• Absent or inadequate SEGREGATION OF DUTIES within a significant account or process:
  – Custody
  – Authorization
  – Recording
  – Reconciling
• Can exist in both manual and automated environments

Cash Receipts
• Segregation of duties in cash receipting, depositing and reconciliation (fraud risk)
• Bank reconciliations
  – lack of supervisory review
  – not completed timely
• Lack of controls over cash collection points (review and understand – fraud risk is elevated)
• Point of sale systems (Square)

Investments
• Segregation of duties
• No investment policy
  – Investment objectives, performance and reporting, authorized investments, maturity and liquidity requirements, diversification and risk, authorized investment institutions and dealers, third party custodial agreements, bid requirement, internal controls
• Lack of controls over authorization of investment transactions (buy, sell, transfers)
• Use of investment committees, lack of oversight
• Consider statutory requirements (governments)

Capital Assets
• Segregation of duties
• Lack of, or poorly constructed, capital asset management policy
• Inventory counts not performed and reconciled as required
• Controls not documented (procurement, inventory counts, additions, deletions, impairments, donations, etc.)
• Transactions not supported by documentation
• Procurement policies not followed
• Inadequate property records

Accounts Payable / Disbursements
• Segregation of duties (manual and automated)
• Documenting of policies and procedures
• Maintenance of vendor master file (fictitious vendors) (SOD issue)
• Controls over the processing of AP (reviewing of edit reports, secondary reviews, etc.)
• Proper recording of accruals
• Check signing (electronic, stamp, live)
• Reconciling bank account
• Controls over approval of credit cards and travel
• ACH payments
• Adequate documentation supporting disbursement
• Proper approvals over disbursements

Payroll and payroll related expenditures
• Segregation of duties (manual and automated)
• Documenting of policies and procedures
• Maintenance of employee master file (fictitious employees) (SOD issue)
• Controls over the processing of payroll (reviewing of edit reports, secondary reviews, etc.)
• Check signing (electronic, stamp, live, etc.)
• Proper recording of accruals
• Reconciling bank account
• ACH payments
• Controls over the filing of payroll tax returns
• When using a service organization, implementation of user entity controls

Debt
• Lack of controls over the recording of debt (governments)
• Lack of controls over ensuring compliance with debt covenants
• Lack of controls to ensure compliance with the debt’s Continuing Disclosure Agreement (CDA); this is the Electronic Municipal Market Access (EMMA) filing requirement

Equity
• Lack of documentation and approvals for classification of fund balance (restricted, committed, assigned and unassigned)
• Lack of controls over proper classification and allocation

Revenue and accounts receivable
• Controls over recording of revenue, proper classification and allocation
• Controls over account reconciliations
• Controls over monitoring revenue streams (analytics, budget to actual, current year vs. prior year, etc.)
• Controls over the collection of accounts receivable, write-offs, bad debts, allowance accounts

Financial – Financial Reporting
• Segregation of duties (preparation and review)
• No documentation of process and controls in the closing process
• Journal entries – lack of review and lack of supporting documentation
• Lack of controls over the accrual process
• A material adjustment by your auditor is a material weakness
• Timeliness and relevance (internal and external)
• Lack of skills, knowledge and expertise (SKE)
• Lack of controls over roll-forwards (capital assets, debt, equity) – account reconciliations

Internal Control Deficiencies: Grants

Internal Controls Over Grants Compliance
• Focusing on what your f/s auditors are concerned about, not on what federal or state monitors are concerned about
• Everyone involved in the grants process needs to be very knowledgeable of the grant agreements and all requirements
• Consider federal and state regulations as well as audit standards
• Understand what your auditors do in relation to your federal programs: https://www.aicpa.org/interestareas/governmentalauditquality/resources/singleaudit/2019-omb-compliance-supplement.html
• Understand what your federal and state monitoring teams are focused on and build your processes and controls to ensure compliance
• If it’s not documented, it doesn’t exist!!!

Written Policies Required Under the UG
• § 200.302 Financial Management – 200.302(b)(6) and 200.302(b)(7)
• § 200.305 Payment – 200.305(b)(1)
• § 200.318 General Procurement Standards – 200.318(c)(1) and (c)(2)
• § 200.319 Competition – 200.319(c)(1) and (c)(2)
• § 200.320 Methods of procurement to be followed – 200.320(d)(3)
• § 200.430 Compensation – personal services – 200.430(a), 200.430(c), 200.430(h)(1), 200.430(h)(4), 200.430(h)(5), 200.430(h)(7), 200.430(h)(8) (items shown in red on the original slide apply to IHEs)
• § 200.431 Compensation – fringe benefits – 200.431(b)(1), 200.431(c), 200.431(g)(6), 200.431(h)
• § 200.464 Relocation Costs of Employees – 200.464(a)(2)
• § 200.474 Travel costs – 200.474(a) and 200.474(b)

Grants Compliance
• Allowable Costs
• Activities Allowed
• Cash Management
• Eligibility
• Equipment and Real Property Management
• Matching, Level of Effort and Earmarking
• Period of Performance
• Procurement, Suspension and Debarment
• Program Income
• Reporting
• Subrecipient Monitoring
• Special Tests and Provisions

Questions?


Keith Hundley, CPA
Partner - CRI
P.O. Box 311070, Enterprise, AL 36331
334.347.0088 (Office)
334.348.1365 (Direct)
334.389.1365 (Cell)
khundley@cricpa.com