Effective Internal Control, Establishing an Internal Audit Function, and Compliance Plans 2014 Governmental Accounting For Local Public Health September 11, 2014
Jan 06, 2016
Effective Internal Control,Establishing an Internal Audit
Function,and Compliance Plans
2014 Governmental Accounting For Local Public HealthSeptember 11, 2014
2
Presented by:
Stephen W. Blann, CPA, CGFM, CGMADirector of Governmental Audit QualityRehmann
3
Session Outline
• Effective internal control– COSO Framework
• Internal audit function– GFOA Best Practices
• Compliance Plans– Internal control over compliance
4
Overview of Internal Control
• Internal Control—Integrated Framework – COSO Report (1992 & 2013)– Committee of Sponsoring Organizations (AICPA,
AAA, IIA, IMA, FEI)– Codified in Auditing Standards by AICPA, GAO, and
PCAOB (SOX)
5
Overview of Internal Control
• Management’s responsibilities– Effectiveness– Efficiency– Compliance– Financial Reporting
• Internal controls are the framework management establishes to ensure it meets these responsibilities
6
Overview of Internal Control
• Limitations of internal controls– Cost vs. benefit– No “perfect” system– Management override
7
Overview of Internal Control
• Responsibility for internal control– Management is primarily responsible• Independent auditors “gain an understanding” – not a
substitute for management • Internal auditors work for management
– The governing body is ultimately responsible
8
Overview of Internal Control
• Management is responsible for:– Design– Implementation– Monitoring– Reporting
9
The Internal Control Framework
• The Control Environment• Risk Assessment and Monitoring• Control-related Policies and Procedures• Information and Communication• Monitoring
10
The Internal Control Framework
Control Environment• Management’s attitude / example• Communication• The Internal Auditor• The Audit Committee
11
The Internal Control Framework
Risk Assessment and Monitoring• Changes in:– Operating environment– Personnel– Information systems / technology– Rapid growth– New programs / services– Structure
12
The Internal Control Framework
Risk Assessment and Monitoring• Inherent risk• Prioritization– Significance – Likelihood
13
The Internal Control Framework
Control-Related Policies• Essential tasks of an accounting system– Assemble data– Analyze, classify, and record data– Report on data– Maintain accountability over assets
14
The Internal Control Framework
Control-Related Policies• Management’s implicit assertions– Existence / occurrence– Completeness– Rights / obligations– Allocation / valuation– Presentation / disclosure
15
The Internal Control Framework
Control-Related Policies
– Authorization– Properly designed
records– Security of assets
and records– Segregation of
incompatible duties
– Periodic reconciliations
– Periodic verifications– Analytical review– Timely external
reporting (GAAP)
• Policies and procedures
16
The Internal Control Framework
Information and Communication• Information needs– Appropriate content– Timely / current– Accurate– Accessible
• Methods of communication• Accounting policies and procedures manual
17
The Internal Control Framework
Monitoring• Purpose (smoke alarm)• Ongoing• Evaluation of internal controls (internal audit)
18
Evaluating Internal Controls
• Identify control cycles• Document processes• Identify potential risks
http://www.coso.org/Guidanceonmonitoring.htm
19
Evaluating Internal Controls
– Authorization– Properly designed
records– Security of assets
and records– Segregation of
incompatible duties
– Periodic reconciliations
– Periodic verifications– Analytical review– Timely external
reporting (GAAP)
• Identify compensating controls
20
Establishing an
Internal Audit Function• GFOA Best Practices:– Establishment of an Internal Audit Function– Enhancing Management Involvement with Internal
Control– Audit Committees
http://www.gfoa.org/best-practices
21
GFOA Best Practices
• Government Finance Officers Association of the United States and Canada– Professional organization– Issues best practices and advisories on a variety of
topics relevant to government financial management
22
GFOA Best Practices
• A BP identifies specific policies and procedures as contributing to improved government management. It aims to promote and facilitate positive change rather than merely to codify current accepted practice. Partial implementation is encouraged as progress toward a recognized goal.
23
GFOA Best Practice
Establishment of an Internal Audit Function
• Definition of an “internal auditor”:– any audit professional who works directly for
management, at some level, and whose primary responsibility is helping management to fulfill its duties as effectively and efficiently as possible.
24
GFOA Best Practice
Establishment of an Internal Audit Function
• Role(s) of an internal auditor:– Monitoring the design and proper function of
internal control policies and procedures– Function as an additional level of control– Conduct performance audits– Special investigations and studies
25
GFOA Best Practice
Establishment of an Internal Audit Function
• Recommendations:– Every government should either• Establish a formal internal audit function;• Assign internal audit responsibilities to its regular
employees; or • Hire a CPA firm (other than the independent auditor)
for this purpose
26
GFOA Best Practice
Establishment of an Internal Audit Function
• Recommendations:– The internal audit function should be formally
established by charter, enabling resolution, or other appropriate legal means
– Internal auditors should follow the GAO’s Government Auditing Standards, including standards applicable to independence
27
GFOA Best Practice
Establishment of an Internal Audit Function
• Recommendations:– The head of the internal audit function should
possess at least a college degree and relevant experience; a professional certification is encouraged (CIA, CPA, CISA)
– The annual internal audit work plan and all reports of internal auditors should be made available to the audit committee
28
GFOA Best Practice
Enhancing Management Involvement w/ IC
• Purpose of internal control:– Adequately protect public funds by prudent
management– Provide a reasonable basis for finance officers to
assert the financial information they provide can be relied upon
29
GFOA Best Practice
Enhancing Management Involvement w/ IC
• Stakeholders in internal control:– Independent auditors provide assistance in
meeting internal control-related responsibilities, but are not a substitute for management’s direct and informed involvement with internal controls
– Elected officials must ensure that managers who report to them fulfill their responsibilities in implementing IC
30
GFOA Best Practice
Enhancing Management Involvement w/ IC
• Recommendations:– Financial managers should obtain information and
training needed to meaningfully take responsibility for internal control
– Obtain sound understanding of COSO’s comprehensive framework of internal control
31
GFOA Best Practice
Enhancing Management Involvement w/ IC
• Recommendations:– Internal control procedures should be
documented– Design a practical means for lower level
employees to report instances of management override of controls that could be indicative of fraud
– Internal controls should be monitored and reevaluated for adequacy
32
GFOA Best Practice
Enhancing Management Involvement w/ IC
• Recommendations:– Evaluations of controls should include
effectiveness and timeliness of corrective action for identified deficiencies
– Control effectiveness requires a baseline for future monitoring, which should be adjusted for changes in controls
– Corrective action plans should have timetables and be monitored
33
GFOA Best Practice
Audit Committees• There are 3 groups responsible for the quality
of financial reporting:– Governing body– Financial management– Independent auditors
• The governing body must be seen as “first among equals”
34
GFOA Best Practice
Audit Committees• Audit Committees are a practical means for a
governing body to provide much needed independent review and oversight of:– the government’s financial reporting processes,– internal controls, and – the independent auditors
35
GFOA Best Practice
Audit Committees• Selected recommendations:– The governing body of every state and local
government should establish an audit committee– The audit committee should be formally
established by charter, enabling resolution, or other appropriate legal means
36
GFOA Best Practice
Audit Committees• Selected recommendations:– The documentation establishing the audit
committee should prescribe the scope of the committee’s responsibilities, its structure, and membership requirements
– The audit committee should be directly responsible for the appointment, compensation, retention, and oversight of the independent auditor
37
GFOA Best Practice
Audit Committees• Selected recommendations:– All members should possess or obtain a basic
understanding of governmental financial reporting and auditing
– The committee should have access to the services of at least one financial expert (either a committee member or outside party engaged for this purpose)
38
GFOA Best Practice
Audit Committees• Selected recommendations:– The audit committee should provide independent
review and oversight of a government’s financial reporting processes, internal controls and independent auditors
– The audit committee should have access to the reports of internal auditors, as well as access to annual internal audit work plans
39
Compliance Plans
• Internal control over compliance– Differences and similarities with IC over financial
reporting– Existing and new requirements for grants– Auditor involvement
40
Compliance Plans
• Existing requirements:– OMB Circulars A-102 Common Rule and A-110
Administrative Requirements– Requires management to establish and maintain
internal controls designed to provide reasonable assurance of compliance with Federal laws, regulations and program compliance requirements
41
Compliance Plans
• New Uniform Grant Guidance (2 CFR 200):– Establish and maintain effective internal control
over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award
– Consistent with COSO
42
Compliance Plans
• Auditor involvement– Yellow Book engagements (material to financial
statements)– Single audit (material to major federal programs)– Other (Medicare, etc.)
43
Questions?
44
For more information...
Stephen W. Blann, CPA, CGFM, CGMADirector of Governmental Audit [email protected] www.rehmann.com/government