STATEMENT OF AUDITING STANDARDS 112 (SAS112) Communicating Internal Control Matters Identified in an Audit UC Riverside

1. STATEMENT OF AUDITING STANDARDS 112 (SAS112) Communicating Internal Control Matters Identified in an Audit UC Riverside June 2007

2. " Today's  audit environment   encourages  transparency and accountability. Therefore, an integrated campuswide effort is  needed  to  effectively steward the funds entrusted to UCR.” Chancellor Córdova

3. AGENDA 1- Why SAS112 2- What is SAS112 3- Impact of SAS112 4- Internal Control 5- Minimizing risk in dept. operations 6- What to do?

4. - United States Federal Law and SEC • For Public Companies • -Sarbanes–Oxley (SOX): • Requires conducting an assessment of the effectiveness of internal controls by management, • to be audited and approved by the company’s independent accountants WorldCom Enron Why SAS112? SAS112 is our SOX • - American Institute of Certified Public Accountants • For non-profit organizations (UCR) • - SAS 112

5. Non-Compliance Fine$ - Contract & Grants University of California (2002).Fine =$1.8 m Northwestern University (2003).Fine = $5.5m Harvard University (2004).Fine = $2.6m Mayo Foundation (Mayo Clinics). Fine = $6.5m Florida International University (2005).Fine= $11.5m University of Alabama Birmingham (2005).Fine =$3.4 m

6. What is SAS112? • Establishes standards for communicating internal control issues relating to: • integrity of financial reporting • compliance with applicable laws and regulation • Establishes standards that classifies communicated control issues as: • - control deficiencies • - significant deficiencies • - material weaknesses • SAS112 standards have been adopted by the federal agencies and the Government Audit Standards has been updated to incorporate SAS112

7. Impact of SAS 112 on UCR Due to significant changes in the evaluation of control exceptions and more stringent audit standards, UCR is more likely to encounter control issues being identified and reported - Increased scrutiny - Larger audit samples - More evidence and documentation required during audits - Lower audit materiality thresholds

8. Impact of SAS 112 on UCR • SAS 112 requires UCR to disclose deficiencies to 3rd parties: • Regents • Sponsors (Federal, State & Private) • 3rd party creditors • Accrediting agencies • Rating agencies • Insurers

9. Impacts of deficiencies and weaknesses disclosures: -negative impact on reputation for UC, UCR, VCA, and Department -increased internal and external audits -audit disallowances, fines and penalties -potential negative impact on resource allocation

10. Generally, internal controls at UCR are in order and adequate, but there are departments, functions and areas where we noted…. Control Issues with - Ledger reconciliation & review - Budget variance analysis - Revenue monitoring - Cash handling - Payroll processing - Timekeeping & billing - Cost Transfers - Fiscal Year End Processes - PAN Reviews The campus goals, related to SAS112, are to: - Enhance understanding of Internal Controls - Minimize Control Issues

11. INTERNAL CONTROL • Internal Control • Internal control is broadly defined as a process, effected by the UC Regents, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • Effectiveness and efficiency of operations. • Reliability of financial reporting. • Compliance with applicable laws and regulations.

12. Who is responsible for implementing internal controls?

13. PARTNERSHIP Central Offices (Accounting, Audit & Advisory Services, AP&B, OR, etc.) Executive Management Departments (Chair/ Director, MSO, Staff) Control Units (Deans/VC & CFAO)

14. Minimizing the Risks • Department Head: • Oversees and is integrated into the financial management process • Ensures proper controls and monitoring procedures are in place • Ensures financial reports are accurate and meaningful • Ensure SAAs, transactors and reviewers are appropriately trained and supported in their key business process roles

15. Minimizing the Risks • Timely reconciliation and review of monthly ledgers • Budget to Actual review • Analysis of causes for variances • Review of payroll transactions by financial staff and responsible manager • Regular review of financial reports by department manager and business officer • Evidence of ledger reconciliation and review • New Ledger Recon Tool-coming soon

16. Minimizing the Risk • Timely resolution of errors • Frequent and late cost transfers can be a symptom of a deficiency • Ensure sufficient segregation of duties • No one person should have complete control over the key processing functions for financial transactions • Provides for prevention and detection • Errors • Inappropriate activities • Post Audit Notification (PAN) Reviews • Payroll/Personnel System and UCRFS transactions • Timely • Adequate

17. What to do: • Control Assessment • Training When issues are identified: 1- Self-report 2-Assistance 3-Escalate/Remediate 4-Proactive Approach When control issues or policy non-compliance are recurring and systemic: Everyone is responsible It will be transparent and there will be consequences

18. Contacts • Gretchen Bolar, Vice Chancellor-Academic Planning & Budget gretchen.bolar@ucr.edu • Bobbi McCracken, Asst. Vice Chancellor-Financial Services bobbi.mccracken@ucr.edu • Mike Jenson, Director-Audit & Advisory Services michael.jenson@ucr.edu • Bruce Morgan, Asst. Vice Chancellor-Office of Research bruce.morgan@ucr.edu • Toffee Jeturian, Asst. Director-Audit & Advisory Services rodolfo.jeturian@ucr.edu • Marc Guerra, Director-Financial Control & Accountability marc.guerra@ucr.edu