Developments in High Risk. Tiffany R. Winters, Esquire twinters@bruman.com Brustein & Manasevit, PLLC Fall Forum 2011. Risk Management: What Does it Mean. Risk = any barrier that prevents grantees and subgrantees from: (1) complying with federal law; and (2) meeting program objectives.
Developments in High Risk Tiffany R. Winters, Esquire twinters@bruman.com Brustein & Manasevit, PLLC Fall Forum 2011
Risk Management: What Does it Mean Risk = any barrier that prevents grantees and subgrantees from: (1) complying with federal law; and (2) meeting program objectives. • Primarily financial (protecting the integrity of federal funds) • But can also be programmatic (what is ED’s return on investment)
Risk Management: Why Does it Matter? • Federal laws require ED to monitor risk levels at state/local level • Internal problems at ED have led to increased awareness of the impact of state/local activities • Significant audit/monitoring findings (including fraud, waste & abuse) These issues have led to a major ED restructuring to focus on risk issues
Risk Management Services • RMS Group • Part of the Office of the Secretary • 4 Primary Responsibilities: • Grant policy • Training/Customer service • Oversight of “high-risk” entities • Risk based monitoring
According to RMS… • Successful Risk Mitigation • Application review identifies who can best implement the program • Risk analysis identifies issues that can impede program implementation • Early risk mitigation actions can improve grant administration
Internal Controls – Control Environment • Maintaining a level of competence that allows personnel to accomplish their assigned duties • Clearly defined organizational structure • Proper amounts of supervision • Maintaining a good relationship with oversight agencies (like ED and OIG for example!)
Internal Controls – Risk Assessment • What could go wrong? • What assets do we need to protect? • How could someone steal or disrupt operations? • What information do we rely on? [Figure: risk matrix with axes Risk (Low to High) and Impact (Low to High); regions labeled Most Control, Judgment Required, Least Control]
Internal Controls – Control Activities Examples: Segregating Key Responsibilities Among Different People Restricting Access to Systems and Records Authorizations / Passwords Implementing Clear Written Policies in Key Areas Performance Reviews Maintaining Physical Control Over Valuable Assets Maintenance of Security Data System Checks Accurate and Timely Recording of Information
Risk / Internal Control Examples Scheme: • Fake Expense Reports • Diversion to personal use • Payroll / No work • Rigged RFP – kickbacks • Fictitious Vendors • Fictitious Invoices • District cards / personal use Control Lacking: • Preapproved vendor list • Supervisory oversight / invoice review • Supervisory payroll approval • Tight RFP procedure / insulated • Lack of RFP process • Separation of duties • Reconciliation of statements
Documentation Issues to Consider • Record retention • State law • Federal law = 3 years • Statute of limitations = 5 years • Records to facilitate an effective audit (comprehensive) • Consistency of documentation • Source documentation
RMS • Want SEAs and LEAs to self-analyze and recognize risk • What are strategies for minimizing risk (i.e., succession planning, internal audit function, monitoring, self assessment, control environment) • Where are the entity’s greatest risks • How can ED help
Possible factors in risk matrix • Amount of money received • Single audit findings (especially repeat findings or findings in multiple districts) • Federal program monitoring findings • SEA monitoring of LEAs (Sub-recipient monitoring) • Lapsed funds • Program performance • Compliance with laws/regulations • Media reports!
Tips for Avoiding Risks • Keep in mind federal cost principles and basic threshold compliance standards • Have a well developed system of internal controls • Document, document, document!
Top Single Audit Findings • Unallowable Costs • Reporting • Property and Procurement • Cash Management • Subrecipient Monitoring
Single Audit Findings • A-133 Audit NOT necessarily reliable regarding compliance • Not all programs are covered • Depth of Review • Problems with Quality • Hold Firms Accountable • Be Proactive • Internal Controls!!
How to Trigger High Risk Status • Puerto Rico: PRDE Secretary sentenced to 12.7 years – bribes and kickbacks • New Orleans August 2005 OIG Audit $69.3 million not properly accounted for • OIG recommendation: Designate New Orleans High Risk and impose special conditions • Detroit, August 2008 OIG Audit $53.6 million not adequately documented • OIG recommendation: Designate Detroit High Risk and impose special conditions • Philadelphia, January 2010 OIG Audit $138.4 million unallowable or not adequately documented • OIG recommendation: Designate Philadelphia high risk and impose special conditions
You suspect an audit or some other trigger for high risk is here – or coming – • What do you do?
High Risk Preemptive Strike • Do nothing – the U.S. Department of Education will take over the high risk designation and process; • May review overall State supervision of LEAs in State administered programs
High Risk Preemptive Strike • States/Districts prefer to manage the process at the state level – USDOE will generally not manage day to day – may require hiring outside third party fiduciary
High Risk Preemptive Strike • States can take more active role • Cooperative SEA-LEA relationships generally in place • Closer to local conditions • Can move faster, more flexibility
High Risk Preemptive Strike • State high risk process • Notify RMS that state is acting preemptively and will stay in close touch with RMS • State designates LEA as high risk
State Designation to LEA as High Risk • Formal letter • Imposes conditions
State Designation to LEA as High Risk • Conditions • Can be varied to fit circumstances • Include at minimum • Risk assessment • Corrective action plan • Audit resolution process • Review and revision if necessary of policies and procedures
May include • Restrictions on advance payment • Contracting with third party to review internal controls • Outsourcing some or all LEA admin activities • Requirements to deliver manuals • Personnel • Procurement • Payroll • Any other actions the SEA deems appropriate
Next Steps • RMS, SEA, LEA Meeting • Discussion includes steps taken • Timelines • Deliverables • Further Communication
Finally • The LEA wants to know when this is over: • Rome wasn’t built in a day a.k.a. the conditions at issue did not develop in 6 months or a year • Be patient.
Firm Disclaimer (Yet Again) This presentation is intended solely to provide general information and does not constitute legal advice or a legal service. This presentation does not create a client-lawyer relationship with Brustein & Manasevit and, therefore, carries none of the protections under the D.C. Rules of Professional Conduct. Attendance at this presentation, a later review of any printed or electronic materials, or any follow-up questions or communications arising out of this presentation with any attorney at Brustein & Manasevit does not create an attorney-client relationship with Brustein & Manasevit. You should not take any action based upon any information in this presentation without first consulting legal counsel familiar with your particular circumstances.