Internal Control Transformation: IC's Role is Broader and More Strategic
CACUBO Winter Workshop - 2013
Introduction
Cindy Berg, Director
McGladrey LLP
201 N Harrison Street
Davenport, Iowa 52801
cindy.berg@mcgladrey.com
Phone: 563.888.4419
Agenda
Introduction
Areas sensitive to fraud
Internal control strategies
SOC reports
Questions
Objectives
Build awareness of areas at risk for potential fraud
Internal control strategies specific to higher education
Basic knowledge of SOC reports and their role in your internal control system
COSO Internal control components
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring Activities
Check out www.coso.org and the whitepaper at http://www.aicpa.org/interestareas/frc/auditattest/downloadabledocuments/coso/coso-2012_Whitepaper.pdf
Purpose of internal control
Helps you be more successful by:
- Preventing or detecting errors
- Preventing or identifying fraud
Impact of fraud can be felt through:
- Lost funds
- Harm to the Institution's reputation
- Lower employee morale
Stakeholders expect organizations to safeguard resources entrusted to them
Risk Assessment Principle 8
The organization considers the potential for fraud in assessing risk to the achievement of objectives.
- Various ways fraud can occur
- Risk factors
- Incentives and pressures
- Opportunities
- Attitudes and rationalizations
From Exposure Draft of Internal Control - Integrated Framework issued December 2011 by COSO
Fraud triangle (figure): the three sides are Incentive/Pressure, Opportunity and Attitude/Rationalization, with Fraud Risk at the center
Areas where there is greater risk for fraud
Cash disbursements, especially Procurement cards (P-Cards)
Payroll
Cash receipts (usually at remote or branch locations)
Student financial aid
Ticketing venues
Travel reimbursements
War stories
P-Cards
- Charging personal items to P-Cards, and the supervisor reviewing P.O.s or statements not reviewing closely (or delegating the review)
Expenses/reimbursements
- Rubber stamp for approval, or inappropriate person approving
Federal student loans
- Financial aid director certifying loans to herself, getting the disbursement and then dropping the class
Payroll
- Payroll clerk changing her tax withholding and replacing the page of the payroll register her information was on
War stories (continued)
Work study funds
- Borrowing funds from students in exchange for stipends through work study
Travel reimbursements
- Advancement personnel charging for trips to see a potential donor but not actually meeting with donors
Tickets at athletic events
- Pocketing cash at the gate if no ticket system
- Scalping tickets
Branch location accepting credit cards
- Applying credits to an employee's personal credit card
Internal control strategies
Getting the Governing Board/Audit Committee and senior management on board
- Tone set
- Whistleblower policy
Risk assessment
Putting controls in place
- Policies to establish what is expected, and procedures put in place
- Segregation of duties (or if not possible, then mitigating controls)
Revising controls for changes in the environment or people
Internal control strategies
Monitoring controls for effectiveness
- Accountability for those in review positions
Keeping that skepticism
- Periodic training for those in review positions
REMEMBER: None of your department heads graduated with a degree in how to be a good department head (OK, maybe your business school folks came close)
Client Community College
Financial Reporting History (June 2006)
- State Auditors for 40 years since inception
- 40 years of clean reports
- 40 years of no constructive comments
- Audit focused on Iowa Code compliance
- Exec Director of Finance 30+ years
Changes/Recommendations
- New VP CFO/COO June 2006: business vs education mindset; SEC and Sarbanes-Oxley trained
- Replaced Exec Director of Finance June 2007
- Changed external auditors June 2009; restated 2008 financial statements
Client Community College
Changes/Recommendations (continued)
- Changed silo finance structure to cross functional
- Evaluated each staff position: created new job descriptions, cross training
- Of 23 finance staff in 2006, only 3 remain; current staff size 21, more skilled, higher paid
- Created Board Audit Committee
- Centralized vs Decentralized functions
- Restructured chart of accounts
SOC reports - What are they?
Service Organization Controls (SOC) reports (formerly known as SAS 70 reports)
A service auditor may be engaged to examine and report on controls at a service organization related to various types of subject matter such as:
- controls that affect user entities' financial reporting
- controls that affect the privacy of information processed for user entities' customers
SOC 1: Statements on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, establishes the requirements and guidance for a CPA (service auditor) examining and reporting on a service organization's description of its system and its controls that are likely to be relevant to user entities' internal control over financial reporting.
SOC reports - What are they?
SOC 2: An examination engagement to report on controls at a service organization intended to mitigate risks related to security, availability, processing integrity, confidentiality, or privacy (trust services principles).
- AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, establishes guidance.
SOC 3: TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy, provides criteria for evaluating and reporting on controls related to security, availability, processing integrity, confidentiality, and privacy. In the examination report included in TSP Section 100, the auditor expresses an opinion on whether the service organization maintained effective controls over its system, based on the criteria in TSP Section 100 that are applicable to the principle(s).
SOC reports - What are they?
Although SOC 2 and SOC 3 reports address similar subject matter and use the same criteria in TSP Section 100, a SOC 2 report differs from a SOC 3 report in that a SOC 2 report provides report users with the following report components that are not included in a SOC 3 report:
- a description of the service organization's system prepared by management of the service organization,
- a description of the service auditor's tests of the operating effectiveness of the service organization's controls and the results of those tests, and
- in a type 2 report that addresses the privacy principle, a description of the service auditor's tests of the service organization's compliance with the commitments in its statement of privacy practices and the results of those tests.
What is the subject matter of the engagement?
SOC 1: Controls at a service organization relevant to user entities' internal control over financial reporting.
SOC 2: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. If the report addresses the privacy principle, the service organization's compliance with the commitments in its statement of privacy practices.
SOC 3: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. If the report addresses the privacy principle, the service organization's compliance with the commitments in its statement of privacy practices.

What is the purpose of the report?
SOC 1: To provide information to management and the auditor of a user entity about controls at a service organization that may be relevant to a user entity's internal control over financial reporting.
SOC 2: To provide management of a service organization, user entities and other specified parties with information and a CPA's opinion about controls at the service organization that may affect user entities' security, availability, processing integrity, confidentiality or privacy.
SOC 3: To provide interested parties with a CPA's opinion about controls at the service organization that may affect user entities' security, availability, processing integrity, confidentiality, or privacy.

Who are the intended users of the report?
SOC 1: Auditors of the user entity's financial statements, management of the user entities, and management of the service organization.
SOC 2: Parties that are knowledgeable about: the nature of the service provided by the service organization; how the service org's system interacts with user entities, subservice organizations, and others; internal control and its limitations; the criteria and how controls address those criteria.
SOC 3: Anyone.
Tables from http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/cpas.aspx
SOC reports - why you should care
Service organizations are part of your internal control system
Problems in their organization can lead to problems with their services to your organization
Compliance related findings in their organization can be compliance findings for your organization
SOC reports - how you should be using them
Obtain the reports and read them for exceptions, qualified opinions, etc.
Determine the impact of any exceptions or qualifications on your organization
Consider the impact on your internal control system
If considering a new service organization, make the SOC reports part of your due diligence
Conclusion
Tone at the top matters: it is more what you do than what you say
Internal control is an ever-changing subject; new processes mean the need for new controls
- The COSO framework is being updated to keep it relevant in the current business world.
In an electronic environment, reviews are extremely important
Do your department heads know what to be looking for?
Questions??
For additional information contact:
Cindy Berg, Director
McGladrey LLP
201 N Harrison St., Suite 300
Davenport, Iowa 52801
cindy.berg@mcgladrey.com
Direct 563.888.4419
For more information on McGladrey's Education practice visit http://mcgladrey.com/industries/education
McGladrey LLP is the U.S. member of the RSM International ("RSMI") network of independent accounting, tax and consulting firms. The member firms of RSMI collaborate to provide services to global clients, but are separate and distinct legal entities which cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. McGladrey, the McGladrey signature, The McGladrey Classic logo, The power of being understood, Power comes from being understood and Experience the power of being understood are trademarks of McGladrey LLP.
McGladrey LLP
201 North Harrison St, Suite 300
Davenport, Iowa 52801
563.888.4000
800.274.3978
www.mcgladrey.com