440 likes | 453 Views
Effective Internal Control, Establishing an Internal Audit Function, and Compliance Plans. 2014 Governmental Accounting For Local Public Health September 11, 2014. Presented by:. Stephen W. Blann , CPA, CGFM, CGMA Director of Governmental Audit Quality Rehmann. Session Outline.
E N D
Effective Internal Control,Establishing an Internal Audit Function,and Compliance Plans 2014 Governmental Accounting For Local Public Health September 11, 2014
Presented by: Stephen W. Blann, CPA, CGFM, CGMA Director of Governmental Audit Quality Rehmann
Session Outline • Effective internal control • COSO Framework • Internal audit function • GFOA Best Practices • Compliance Plans • Internal control over compliance
Overview of Internal Control • Internal Control—Integrated Framework • COSO Report (1992 & 2013) • Committee of Sponsoring Organizations (AICPA, AAA, IIA, IMA, FEI) • Codified in Auditing Standards by AICPA, GAO, and PCAOB (SOX)
Overview of Internal Control • Management’s responsibilities • Effectiveness • Efficiency • Compliance • Financial Reporting • Internal controls are the framework management establishes to ensure it meets these responsibilities
Overview of Internal Control • Limitations of internal controls • Cost vs. benefit • No “perfect” system • Management override
Overview of Internal Control • Responsibility for internal control • Management is primarily responsible • Independent auditors “gain an understanding” – not a substitute for management • Internal auditors work for management • The governing body is ultimately responsible
Overview of Internal Control • Management is responsible for: • Design • Implementation • Monitoring • Reporting
The Internal Control Framework • The Control Environment • Risk Assessment and Monitoring • Control-related Policies and Procedures • Information and Communication • Monitoring
The Internal Control FrameworkControl Environment • Management’s attitude / example • Communication • The Internal Auditor • The Audit Committee
The Internal Control FrameworkRisk Assessment and Monitoring • Changes in: • Operating environment • Personnel • Information systems / technology • Rapid growth • New programs / services • Structure
The Internal Control FrameworkRisk Assessment and Monitoring • Inherent risk • Prioritization • Significance • Likelihood
The Internal Control FrameworkControl-Related Policies • Essential tasks of an accounting system • Assemble data • Analyze, classify, and record data • Report on data • Maintain accountability over assets
The Internal Control FrameworkControl-Related Policies • Management’s implicit assertions • Existence / occurrence • Completeness • Rights / obligations • Allocation / valuation • Presentation / disclosure
Authorization Properly designed records Security of assets and records Segregation of incompatible duties Periodic reconciliations Periodic verifications Analytical review Timely external reporting (GAAP) The Internal Control FrameworkControl-Related Policies • Policies and procedures
The Internal Control FrameworkInformation and Communication • Information needs • Appropriate content • Timely / current • Accurate • Accessible • Methods of communication • Accounting policies and procedures manual
The Internal Control FrameworkMonitoring • Purpose (smoke alarm) • Ongoing • Evaluation of internal controls (internal audit)
Evaluating Internal Controls • Identify control cycles • Document processes • Identify potential risks http://www.coso.org/Guidanceonmonitoring.htm
Authorization Properly designed records Security of assets and records Segregation of incompatible duties Periodic reconciliations Periodic verifications Analytical review Timely external reporting (GAAP) Evaluating Internal Controls • Identify compensating controls
Establishing anInternal Audit Function • GFOA Best Practices: • Establishment of an Internal Audit Function • Enhancing Management Involvement with Internal Control • Audit Committees http://www.gfoa.org/best-practices
GFOA Best Practices • Government Finance Officers Association of the United States and Canada • Professional organization • Issues best practices and advisories on a variety of topics relevant to government financial management
GFOA Best Practices • A BP identifies specific policies and procedures as contributing to improved government management. It aims to promote and facilitate positive change rather than merely to codify current accepted practice. Partial implementation is encouraged as progress toward a recognized goal.
GFOA Best PracticeEstablishment of an Internal Audit Function • Definition of an “internal auditor”: • any audit professional who works directly for management, at some level, and whose primary responsibility is helping management to fulfill its duties as effectively and efficiently as possible.
GFOA Best PracticeEstablishment of an Internal Audit Function • Role(s) of an internal auditor: • Monitoring the design and proper function of internal control policies and procedures • Function as an additional level of control • Conduct performance audits • Special investigations and studies
GFOA Best PracticeEstablishment of an Internal Audit Function • Recommendations: • Every government should either • Establish a formal internal audit function; • Assign internal audit responsibilities to its regular employees; or • Hire a CPA firm (other than the independent auditor) for this purpose
GFOA Best PracticeEstablishment of an Internal Audit Function • Recommendations: • The internal audit function should be formally established by charter, enabling resolution, or other appropriate legal means • Internal auditors should follow the GAO’s Government Auditing Standards, including standards applicable to independence
GFOA Best PracticeEstablishment of an Internal Audit Function • Recommendations: • The head of the internal audit function should possess at least a college degree and relevant experience; a professional certification is encouraged (CIA, CPA, CISA) • The annual internal audit work plan and all reports of internal auditors should be made available to the audit committee
GFOA Best PracticeEnhancing Management Involvement w/ IC • Purpose of internal control: • Adequately protect public funds by prudent management • Provide a reasonable basis for finance officers to assert the financial information they provide can be relied upon
GFOA Best PracticeEnhancing Management Involvement w/ IC • Stakeholders in internal control: • Independent auditors provide assistance in meeting internal control-related responsibilities, but are not a substitute for management’s direct and informed involvement with internal controls • Elected officials must ensure that managers who report to them fulfill their responsibilities in implementing IC
GFOA Best PracticeEnhancing Management Involvement w/ IC • Recommendations: • Financial managers should obtain information and training needed to meaningfully take responsibility for internal control • Obtain sound understanding of COSO’s comprehensive framework of internal control
GFOA Best PracticeEnhancing Management Involvement w/ IC • Recommendations: • Internal control procedures should be documented • Design a practical means for lower level employees to report instances of management override of controls that could be indicative of fraud • Internal controls should be monitored and reevaluated for adequacy
GFOA Best PracticeEnhancing Management Involvement w/ IC • Recommendations: • Evaluations of controls should include effectiveness and timeliness of corrective action for identified deficiencies • Control effectiveness requires a baseline for future monitoring, which should be adjusted for changes in controls • Corrective action plans should have timetables and be monitored
GFOA Best PracticeAudit Committees • There are 3 groups responsible for the quality of financial reporting: • Governing body • Financial management • Independent auditors • The governing body must be seen as “first among equals”
GFOA Best PracticeAudit Committees • Audit Committees are a practical means for a governing body to provide much needed independent review and oversight of: • the government’s financial reporting processes, • internal controls, and • the independent auditors
GFOA Best PracticeAudit Committees • Selected recommendations: • The governing body of every state and local government should establish an audit committee • The audit committee should be formally established by charter, enabling resolution, or other appropriate legal means
GFOA Best PracticeAudit Committees • Selected recommendations: • The documentation establishing the audit committee should prescribe the scope of the committee’s responsibilities, its structure, and membership requirements • The audit committee should be directly responsible for the appointment, compensation, retention, and oversight of the independent auditor
GFOA Best PracticeAudit Committees • Selected recommendations: • All members should possess or obtain a basic understanding of governmental financial reporting and auditing • The committee should have access to the services of at least one financial expert (either a committee member or outside party engaged for this purpose)
GFOA Best PracticeAudit Committees • Selected recommendations: • The audit committee should provide independent review and oversight of a government’s financial reporting processes, internal controls and independent auditors • The audit committee should have access to the reports of internal auditors, as well as access to annual internal audit work plans
Compliance Plans • Internal control over compliance • Differences and similarities with IC over financial reporting • Existing and new requirements for grants • Auditor involvement
Compliance Plans • Existing requirements: • OMB Circulars A-102 Common Rule and A-110 Administrative Requirements • Requires management to establish and maintain internal controls designed to provide reasonable assurance of compliance with Federal laws, regulations and program compliance requirements
Compliance Plans • New Uniform Grant Guidance (2 CFR 200): • Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award • Consistent with COSO
Compliance Plans • Auditor involvement • Yellow Book engagements (material to financial statements) • Single audit (material to major federal programs) • Other (Medicare, etc.)
For more information... Stephen W. Blann, CPA, CGFM, CGMA Director of Governmental Audit Quality Rehmann stephen.blann@rehmann.com www.rehmann.com/government