
Not-for-Profit Organizations’ Attest Engagements and Information Technology

Not-for-Profit Organizations’ Attest Engagements and Information Technology. Yigal Rechtman, CPA, CITP, CISM February 3, 2004 Technology Assurance Committee. Objectives. Highlight Information Technologies at NFPs and Attest issues IT presents Discuss Internal attest procedures

sandra_john

Presentation Transcript


  1. Not-for-Profit Organizations’ Attest Engagements and Information Technology Yigal Rechtman, CPA, CITP, CISM February 3, 2004 Technology Assurance Committee

  2. Objectives
     • Highlight Information Technologies at NFPs and Attest issues IT presents
     • Discuss Internal attest procedures
     • Discuss External attest issues
     • Review New York State required attestation
     • Donated IT services and supplies: Do’s and Don’ts

  3. 1.0 Overview of IT and NFPs
     • Software and Applications
     • IT Budget
     • Maintenance levels
     • HIPAA and other constraints

  4. 1.1 Software
     • NFPs have special needs, often niche software or an in-house application
     • Custom software is suspect
     • Often, programmers dial in/access the database for “updates” which include revisions to raw data
     • No built-in integrity checks
     • Overall: SUSPECT

  5. Software Example
     • An NFP uses an SAP module which is subject to QC and a support agreement
     • An NFP uses a COBOL-based application for its clients, supported by several electronic spreadsheets for reconciliation and adjustments.

  6. 1.2 IT Budget
     • NFPs are often required to have a budget, esp. governmental NFPs
     • Sometimes a budget does not include an IT budget.
     • The budget is at times unrealistic, especially in charitable NFPs.
     • When a budget is present, it's an excellent internal/external attest tool.

  7. 1.3 Maintenance Levels
     • IT maintenance is directly affected by long-term planning and goals
     • Observation: Governmental (high) versus non-governmental (low).

  8. Examples: Maintenance Levels
     • Audit steps to review maintenance levels at NFP:
       • Get SLA agreements
       • Review sample bids and process
       • Review completeness of coverage for support staff and support agreement (also in contingency planning).

  9. 1.4 Legal and other constraints
     • HIPAA
     • Fair Credit Reporting Act
     • Governmental Auditing requirements (Yellow Book).
     • Contractual requirements (e.g. other governmental agency)

  10. 1.5 Evaluation of Internal Controls
      • In general go from the specific technical knowledge to the impact on the financial statement.
      • Three column method – most effective:
        • Technical Background
        • Technical Issue/Problem
        • Effect on Financial Statement

  11. 1.6 How to drive value from IT Findings
      • Technical Background
      • Technical Issue/Problem
      • Effect on Financial Statement
      • Consulting Work
      • Management Letter
      • Audit Risk/Procedures

  12. 2.0 Internal Attestation
      • Who
      • Why
      • What

  13. 2.1 Internal Attestation - Who
      • Internal attest is done by CFO, CIO, Manager level
      • Often not formal
      • Results can be informal and may require inquiry and observation

  14. 2.2 Internal Attestation - Why
      • “Internal attestations” are the results of internal control processes.
      • They indicate the existence of internal controls
      • They facilitate audit steps in reviewing
      • Depending on size and complexity
      • Internal procedure enforcement is regulated
      • e.g. HIPAA, Credit Reporting Act, Yellow Book

  15. Example: “Internal Attestation”
      • Results of review of approval of ACH transaction for fund transfers / disbursements.
      • Results of moving a user within the organization (large organizations, typically)
      • Results of reviewing error logs

  16. 2.3 Internal Attestation - What
      • Effectiveness of IT controls has to comply with:
        • Yellow Book
        • HIPAA or other Acts
        • NFP’s own policy
        • Law
      • Auditor/Attest must inspect compliance and report deviation

  17. 3.0 External Attest Issues - IT
      • HIPAA
      • Credit Reporting Act
      • Yellow Book

  18. 3.1 HIPAA (examples)
      • Auto logout and segregation of duties
      • Business continuity planning
      • Formal software change procedure

  19. 3.1 Other Acts
      • Credit Reporting Act
        • Reasonable measures to protect privacy
        • Process to protect accuracy
      • Yellow Book
        • Internal Controls Risk assessed below maximum
        • Attestation on Internal Controls

  20. 4.0 New York State required attestation
      • $3M in assets or $1M in revenue, up from $250K in assets or revenues
      • Will require attestation of Internal Controls for YE after 6/30/03
      • Internal Control often overlaps with the IT environment
      • Conclusion: get an IT proficient auditor to review!

  21. 5.0 Donated IT services and supplies: Do’s and Don’ts
      • DO: Get and accept donated goods and services
      • DO: document source of materials and services
      • DON’T: accept old equipment. Use budget as guideline for donated equipment: “The poor pay twice…”

  22. Do’s and Don’ts (cont.)
      • DO: acknowledge all donated services with FMV letter.
      • DO: enact policy of use of software and equipment in the NFP, including e-mail archiving and fair-use of equipment.
      • DON’T: accept service donation over one year… if you need it for more than a year either the donor will not come through or the donee won’t get all that they need. One year should be limit.

  23. Review
      • Highlight Information Technologies at NFPs
      • Discuss Internal attest procedures
      • Discuss External attest issues
      • Review New York State required attestation
      • Donated IT services and supplies: Do’s and Don’ts

  24. Not-for-Profit Organizations’ Attest Engagements and Information Technology Yigal Rechtman, CPA, CITP, CISM Person & Company, LLP February 3, 2004 © Q & A

  25. About the Presenter Yigal Rechtman, CPA, CITP, CISM, has been a programmer since 1984 and specializes in computer aided auditing techniques and information systems' integration and reviews. He is a member of the American Institute of Certified Public Accountants (AICPA), the New York State Society of Certified Public Accountants (Technology Assurance committee) and the Association for Certified Fraud Examiners. Rechtman is an AICPA registered peer-reviewer and a Certified Information Technology Professional (CITP). Rechtman specializes in Internal Controls reviews and has presented and written about issues related to Internal Controls, Attestation engagements and Information Technologies. He can be reached at yrechtman@personcpa.com or (212) 684-0011
