NASC Presentation – March 2014
An Overview of Pennsylvania’s Internal Controls
By: Anna Maria Kiehl, CPA
State Comptroller/Chief Accounting Officer
Governor’s Office of Budget / Office of Comptroller Operations
Agenda
• Pennsylvania’s Internal Control Structure
• Statewide Audit Committee
  - Functions of the Audit Committee
  - Goals and Objectives of the Committee
  - Frequency of Committee Meetings
  - Questions?
• Single Audit Finding Prompts Need to Improve Access Controls with SAP’s Governance Risk Compliance
  - Background
  - Overview
  - Challenges
  - Actions
  - Useful Tools
  - Sample internal flowcharts & reporting
  - Questions?
Examples of Internal Controls in Pennsylvania (Components / Process)

Control Environment
• Methods for maintaining integrity, ethics and competency:
  - Governor’s Code of Conduct/Ethics Disclosure Forms
  - Statewide Audit Committee/Bureau of Internal Audits
  - Auditor General Audits & Inspector General Investigations
  - Bureau of Quality Assurance
  - Independent annual audits
  - Continuous IC Training & Employee Development/Standards
  - Increased accounting and auditing entry-level requirements

Risk Assessment
• Methods for identifying and assessing risk:
  - Recommendations of Audit Committee/Audit findings/MLCs
  - System Development Life Cycle Reviews/Post-implementation reviews
  - Examining new programs and areas most vulnerable (e.g., systems, financial reporting, operational)

Control Activities
• Implement controls through effective policies & procedures:
  - General System Controls/data security
  - System access controls
  - Month-end closing processes and reconciliations
PA’s Process to Ensure Effective Internal Controls (Process / Components)

Information & Communication
• Information must be disseminated timely:
  - Monthly/Quarterly/Comprehensive Annual Financial Reporting
  - Required Communications with Management on Audit findings & Required Resolutions
  - Quarterly Audit Committee Meetings/Annual Audit Plan/Findings
  - Policy communications, e.g., new OMB Grant Reform standards
  - Entity-wide business process communications
  - On-line and classroom training for fraud detection and prevention, ethics, accountability and transparency requirements
PA’s Process to Ensure Effective Internal Controls (Process / Components)

Monitoring Activities
• Methods to continuously monitor internal controls include:
  - Monitoring of role assignments & segregation of duties
  - Continuous control payment monitoring
  - Performance metrics and analysis/management dashboards
  - Quality assurance processes to ensure compliance with laws, regulations, and policies
  - Weekly system access controls risk reporting
  - Inventory and Fixed Asset monitoring
  - Management reviews/System Development Life Cycle Reviews
Questions or Comments?
Functions of an Audit Committee
• The audit committee reviews and discusses the following with the external auditors:
  - Annual financial statements (CAFR)
  - Single Audit report and findings
  - Significant written communications between the independent auditors and management (i.e., management letter, unadjusted audit differences)
  - Significant disputes or difficulties with management encountered during the audit
  - Matters required to be discussed in accordance with SAS 114, “The Auditor’s Communication with Those Charged with Governance”
Functions of an Audit Committee: Internal Controls
• Review the following with the internal auditors:
  - Significant risks or exposures facing the Commonwealth, as well as steps taken by management to mitigate these risks
  - The audit scope and plan for the internal auditors
  - Any significant findings and recommendations from internal audits, along with management’s response
  - Any difficulties the internal audit team encountered in the course of their audits
Goals and Objectives of the Committee
• Oversee the internal and external auditing and reporting process
• Provide direction for the Commonwealth’s limited internal audit resources
• Review and approve the Commonwealth’s annual audit plan to promote accountability and ensure management maintains appropriate internal controls
• Review audit findings and recommendations and direct the necessary follow-up to ensure appropriate corrective action is initiated across state agencies
Enterprise Risk Management (ERM)
PA has been moving forward with five strategic goals. These strategic goals are as follows:
• Established a Commonwealth-wide audit committee
• Facilitate Control Self Assessment sessions with agency heads and management
• Complete a Commonwealth-wide audit risk assessment
• Develop an annual audit plan based on risk
• Established a Bureau of Quality Assurance to provide continuous monitoring for improper payments, compliance, and continuous process improvements
Audit Committee Communications
Notifications will be provided to the committee when the following occur:
• Department of the Auditor General opens a Special Performance Audit
• US Office of the Inspector General opens an Audit
• Department of the Auditor General releases a Special Performance Audit
• US Office of the Inspector General releases an Audit
• BOA releases a High Profile Audit
Frequency of Audit Committee Meetings
• The Audit Committee meets 3-4 times annually
• Usually meets at least twice with the independent auditors to discuss the CAFR and Single Audit, auditor adjustments, audit findings, and management letter comments
• Usually meets to approve the annual internal audit plan and requests management reviews and audits of risk areas
• The agenda is typically set by the Director of the Bureau of Audits
• The Comptroller and Director of Reporting attend the meetings and provide content
Questions or Comments?
SAP’s Governance, Risk & Compliance Module (GRC)
Background:
• Segregation of Duties risks within the Commonwealth’s SAP system resulted in a recurring single audit finding for 8 consecutive years.
• Previous attempts were made to address SAP access controls: Approva failed since it was not directly integrated with SAP.
• Number of users: a large organization with thousands of core users needed a tool that could analyze large numbers of users with extensive access to multiple modules of SAP.
SAP’s Governance, Risk & Compliance Module (GRC)
• “Governance” is how we manage strategic initiatives.
• “Risk” is the effect of uncertainty on business objectives. Risk management is the process that helps minimize financial losses.
• “Compliance” goes beyond our conformity with laws and regulations to include all facets that affect integrity, reputation, and our “brand”.
SAP’s GRC module provides the Commonwealth with an enterprise view across these activities throughout our organization.
SAP’s Governance, Risk & Compliance Module (GRC)
GRC is the system access control tool that helps:
• Protect key information
• Prevent unauthorized access
• Prevent unauthorized transactions
• Prevent errors and fraudulent activity
• Ensure proper Segregation of Duties (SoD)
• Ensure the security & integrity of our financial systems & reporting
SAP’s Governance, Risk & Compliance Module (GRC)
Challenges:
• The complexity of the GRC module and its significant learning curve.
• The complexity and extent of access issues that developed over the ten years that SAP was in place.
• Little understanding of GRC from a rule set/business perspective.
• Few resources to dedicate to such a large project.
• Budget constraints prevented hiring SAP consultants.
• Minimal guidance on how to best implement the system within our current business environment.
• PA’s role assignment process is managed by another state agency and sits outside of SAP.
• Multiple agency involvement: role development (OA-IT), role assignment (OA/HR) and risk monitoring (Comptroller).
SAP’s Governance, Risk & Compliance Module (GRC)
Year 2010: Year of planning and gaining an understanding of the system tools
• Small project team developed to coordinate the clean-up of SoD risks.
• The group led workshops of technical and business representatives to determine how to identify and resolve risks.
• Process is on-going.
SAP’s Governance, Risk & Compliance Module (GRC)
Tremendous progress within the last 6 months:
• Resolving risks identified within our Office of Budget
• Systematizing & automating processes
• Documenting processes & procedures
• Improving communication between agencies
• Reporting
• Training personnel
SAP’s Governance, Risk & Compliance Module (GRC)
The Future:
• Continue the GRC rollout to the agencies with the greatest number of risks.
• Expect the cleanup to benefit the remaining agencies who share the same roles/risks.
• Expect roles to stay clean going forward using the GRC simulation tool.
• Most current pain: establishing a process to help agency HR reps interpret SoD risk results before requesting a role for their users.
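Added example, not code from the Commonwealth or from SAP GRC: a small model of the two things the slides describe GRC doing, running a Segregation of Duties rule set over users' combined roles and simulating a role request before it is assigned so an HR rep can see which new risks it would introduce. The rule set, role catalogue and user assignments are all constructed; a real GRC rule set maps business functions to SAP transaction codes.

```python
from collections import defaultdict

# Constructed rule set (invented names, not SAP's): each risk id pairs two business
# functions that one person must not be able to perform together.
RULESET = {
    "P001": ("Maintain Vendor Master", "Process Vendor Payments"),
    "P002": ("Create Purchase Order", "Approve Purchase Order"),
    "F001": ("Post Journal Entries", "Perform Bank Reconciliation"),
}

# Constructed role catalogue: role name -> business functions the role grants.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"Maintain Vendor Master"},
    "Z_AP_PAYMENT_RUN": {"Process Vendor Payments"},
    "Z_PUR_BUYER": {"Create Purchase Order"},
    "Z_PUR_MANAGER": {"Approve Purchase Order"},
    "Z_GL_ACCOUNTANT": {"Post Journal Entries", "Perform Bank Reconciliation"},
}

def functions_for(roles):
    """Union of business functions granted by a set of roles (unknown roles raise KeyError)."""
    funcs = set()
    for role in roles:
        funcs |= ROLES[role]
    return funcs

def analyze_user(roles):
    """Risk ids violated by a user's combined roles: both sides of a risk are granted."""
    funcs = functions_for(roles)
    return sorted(rid for rid, (a, b) in RULESET.items() if a in funcs and b in funcs)

def simulate_role_request(current_roles, requested_role):
    """Preview, before assignment, which new risks adding requested_role would introduce."""
    before = set(analyze_user(current_roles))
    after = set(analyze_user(set(current_roles) | {requested_role}))
    return sorted(after - before)

def analyze_population(assignments):
    """Run the rule set over every user and group violators by risk id for reporting."""
    by_risk = defaultdict(list)
    for user, roles in assignments.items():
        for rid in analyze_user(roles):
            by_risk[rid].append(user)
    return {rid: sorted(users) for rid, users in sorted(by_risk.items())}

# Constructed user assignments: user_a conflicts across two roles; user_c's conflict
# lives inside a single role, which is why the roles themselves must be kept clean.
ASSIGNMENTS = {
    "user_a": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"},
    "user_b": {"Z_PUR_BUYER"},
    "user_c": {"Z_GL_ACCOUNTANT"},
}
```

Calling `simulate_role_request(ASSIGNMENTS["user_b"], "Z_PUR_MANAGER")` reports P002 before the role is granted, while `analyze_population(ASSIGNMENTS)` gives the per-risk violator list a monitoring team would report on.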
Questions?