accounting and auditing topics for school districts€¦ · cipp/us, ceh, chfi, ccfe principal –...

Accounting and Auditing Topics for

School DistrictsPresented to

NJASBOJanuary 15 and 17, 2019

Scott Clelland, CPA, PSA, RMA

Partner –Wiss & Company, LLP 34 Years Experience working solely in Public Sector Reviewer for International ASBO Certificate of

Excellence in Financial Reporting Member of the NJCPA Government A&A Committee Member of the Trustees of the RMA Association

David Gannon, CPA, PSA, RMA

Partner – PKF O’Connor Davies 21 Years Experience working solely in Public Sector Member of the NJCPA Government A&A Committee Reviewer for International ASBO Certificate of

Excellence in Financial Reporting Member of the Trustees of the RMA Association

Thomas DeMayo, CISSP, CISA, CRISC, CIPP/US, CEH, CHFI, CCFE Principal – PKF O’Connor Davies 15 Years Experience in Information Technology and

Cyber Security Experience with a number of different industries,

including: governmental, not-for-private, private schools, higher education, healthcare and commercial entities

Agenda

Fraud and Internal ControlsCybersecurity for School DistrictsGASB UpdateCommon Audit DeficienciesOpen Forum for Questions

FRAUD AND INTERNALCONTROLS

Overview of Fraud Presentation

Understanding internal controls

Fraud risk areas

Real life examples of fraud in school districts

Internal controls to prevent and detect fraud

Understanding Internal Controls

Internal Controls are an integral part of any organization’spolicies and procedures, that can be effected by its Board,management, and other personnel, that is designed toprovide reasonable (not absolute!) assurance regarding theachievement of the following objectives:

• Protecting its resources against waste, abuse, fraud or inefficiency

• Reliability and accuracy of financial reporting

• Effectiveness and efficiency of operations

• Compliance with laws and regulations


Helps protect us from bad things happening!

As accountants we are very risk adverseindividuals• Internal Controls help mitigate risk

• Won’t eliminate risk


Types of Risk a District May Face: Strategic – the risk that would prevent a District from

fulfilling its mission Financial – the risk that could result in a negative

financial impact to the District Regulatory – the risk that could expose the District to

penalties from a regulatory agency due to non-compliance with laws or grant requirements


Types of Risk a District May Face (continued): Reputational – the risk that could expose the District

to negative publicity• Affects ability to pass annual budgets• Affects ability to pass referendums


Types of Risk a District May Face (continued): Operational – the risk that could prevent the District

from operating in the most effective and efficient manner• Especially important given the limited resources

currently available


What Could Go Wrong???: Program decisions being made with incorrect financial

information Deficits in operations Amounts due back to the federal government Lose support of the residents of the District Basic functions of the District are not working Modified opinion to financial statements Appointment of State Monitor

Understanding Internal ControlsInternal Controls Are SimpleWhat do you worry about going wrong?

• What keeps you up at night?

What steps have been taken to assure it doesn’tgo wrong?• Where are those internal controls?

How do you know everything is under control?• Have you looked to see if anything is working properly?

Understanding Internal Controls COSO’s Internal Control Framework:

• Internal control consists of five integrated components:

− Control Environment

− Risk Assessment

− Control Activities

− Information & Communication

− Monitoring– 17 principles are associated with the components


Control Environment− The foundation for any system of internal controls

− Pervasive influence on all the decisions and activities of anorganization

− Either sets a positive or negative “tone at the top”− Components of the control environment include: integrity,

ethical values, commitment to competence, management’soperating style, human resource policies and practices andorganizational structure

Understanding Internal Controls Risk Assessment

− Risks are internal and external events that threaten the accomplishment ofthe District’s objectives

– Economic conditions – changes in state aid– New systems– Breakdown in internal control– Regulatory changes/tax levy caps/FB taken by State

− Risk assessment is the process of identifying, evaluating and deciding howto manage these events

– What is the likelihood of the event happening?– What would be the impact of the event occurring?– What can the District do to prevent or reduce the risk of the event occurring?


Control Activities− Provides the tools for success – Includes policies, procedures

and processes designed to ensure that directives from theBoard and Administration are implemented

− Assists in the prevention or reduction of risks that canundermine accomplishment of the District’s goals

− Occurs throughout the District within every level and function

− Includes the following: approvals, authorizations, verifications,reconciliations, segregation of duties, safe guarding of physicalassets and evaluation of overall performance


Information and Communication• Information must be captured, identified and communicated

– Has to be timely!

– Has to be accurate!

– Has to be communicated to those that need it!

» Board members

» Employees

» Those outside of the organization – Tax payers,parents, and vendors


Monitoring− After internal controls are put in place, their effectiveness

needs to be monitored from time to time to ensure that thecontrols in place continue to be adequate and continue tofunction properly

– Are they operating as intended?

– Have the controls become outdated, redundant or obsolete?

− Management and the Board of Education should alsomonitor previously identified deficiencies to ensure they arecorrected


Segregation of Duties− Responsibilities should be assigned to employees to ensure

one employee does not have total control over all aspects ofan entire transaction

− The District should reduce the opportunity for an employee tocommit or conceal an error, whether it be intentional orunintentional, or to commit fraud


Segregation of Duties− Board responsibilities – effective oversight over management

− Purchasing and Accounts Payable

− Human Resources and Payroll

− Cash receipts and cash disbursements

− Rights to modules with financial accounting system

− Bank reconciliation segregated from cash activities– May be difficult if the Treasurer of School Monies position was

eliminated based on size of district

Fraud Risk Areas

Instances of fraud or suspected fraud related to third party vendors Need to assess the risk of fraud in each of your

Districts Need to put in place better monitoring procedures

over third party vendors that are charged with managing a function The “Trust Factor”

How fraud is Committed

Schemes – typically three categories:• Asset Misappropriation

• Corruption

• Financial Statement Fraud

Characteristics of Fraud-The Fraud Triangle3 Conditions generally present when fraud occurs:

• Management or other employees have an Incentive or are under pressure, which provides a reason to commit fraud

• The absence of controls, ineffective controls, or the ability of management to override controls provides an opportunity for a fraud to be perpetrated

• Those involved are able to rationalize committing a fraudulent act. Some individuals possess an attitude, character, or set of ethical values that allow them to knowingly commit a dishonest act.

Cases and Headlines

Examples of cases that have been in newspapers Do not think any of us want to be mentioned in the

press for fraud

Cases and Headlines

Woman accused of stealing from North Jersey school district charged with tax fraud Ex-Poplar School District worker pleads guilty to wire

fraud Insurance agent in New Jersey admits to defrauding

school district | Insurance Worker who stole from school district will go to prison,

lose pension

Cases and Headlines New Jersey Teacher Charged With Health Care Fraud

Conspiracy Targeting New Jersey School Employees Health Benefits Program District alleges fraud in charter school application Treasurer headed to prison after hosing fire department out

of $40K Engineer, Contractors, School Business Administrator

Charged in Kickback Scheme School board employee arrested in connection with stolen

laptops

Cases and Headlines

Ex-official admits stealing $90K for pocketing lunch money Educator arrested in Billing Fraud Case

Areas Most Susceptible to Fraud in School Districts Purchasing/Contract Mgt. and Quotes Third Party Vendors Cash Receipts/Revenue Payroll/Taxes IT issues/access/hacking

Areas Most Susceptible to Fraud in School DistrictsPurchasing/Contract management

• Vendor Existence/Setup

• Kickbacks from Vendors− Cash Payments

− Gifts from vendors in exchange for business

− In-kind

− Work done on private residences

― Contract Splitting/manipulation of quotes or bids― Fictitious vendors

Case Study #1-Purchasing

Background• Audit initially identified unusual fluctuations in

expenses in certain accounts• Follow up with Bus Adm and directed to pursue

further• Director of department out on medical leave• Fraud interview conducted and clerk opened up and

shared all sorts of information


What was identified• 2 new vendors established without supervisor

approval• Access to add vendors to system without supervisor

approval• Purchases of supplies well in excess of needs all

associated with the 2 new vendors• Possible collusion with vendor and kickbacks


How to Prevent• Make sure vendor set up is properly controlled• Question purchase requisitions/orders that seem

extreme or unusual• Question unusual fluctuations in expenses

Case Study #2-Contracts with Third Parties Background

• Outside vendor hired to provide certain services to districts

• Significant vendor contract• Vendor submits monthly invoices in summary form• Vendor is paid based on hours incurred per contract• Detailed timesheets and other supporting

documentation not provided

Case Study #2-Contracts with Third Parties Background

• Invoices reviewed internally and approved for payment

• Request for detail to prove hours incurred not requested

Case Study #2-Contracts with Third Parties What was identified

• District questioned invoice and decided to request additional support including timesheets for each individual charged

• Services never performed• Dates of service were on weekends, holidays and in

certain cases were doubled up• Services provided exceeded any reasonable day of

services

Case Study #2-Contracts with Third Parties How to Prevent

• Impact was hundreds of thousands of dollars of potential overcharges

• Request additional information to support invoice• Careful review of invoice to verify reasonableness of

dates charged for services• Look for unusual amount of services that would not

be possible to provide in a given day

Case Study #3-Collusion with Vendor

Background• Approved contract in place

• Individual from vendor assigned on site at district

• Relationships

• Projects approved

• Proper internal approvals and bill list

• Kick backs

• Impact-over $3.5 million


What was identified• Business Administrator received invoice from vendor for

a service that had been completed a year ago while the individual was a principal

• Questioned invoice with vendor• After numerous attempts to get answers, withheld

payments of the contract• After meeting with management of vendor, individual

assigned admitted to receiving kickbacks from vendor


What was identified• Investigation of entire contract• Outside vendor had ability to approve contracts for

services with vendor• Vendor inflated invoices above actual cost• Excess used to provide kickbacks in exchange for

services rendered.


How to Prevent• Should not allow third party vendor to hire

contractors on behalf of district-violates statute as well

• Don’t be afraid to question project costs that seem unreasonable

• Controls in place over the third party vendor that everyone understands

Case Study #4-Cash Receipts/Revenue

Background• Certain cash receipts not recorded• Replacement of cash with checks• Miscellaneous unanticipated revenue• Control over entire process by supervisor• Involved cafeteria cash and checks related to rent

and other miscellaneous unanticipated revenue


What was identified• Procedures to divert cash• Lack of approval and tracking of rental of facilities• Collections of rental checks that no one tracked• Replaced cafeteria cash with rental checks to

support cafeteria deposit and pocketed cash• Impact - $90,000


How to Prevent• Too much control for one person-lack of segregation

of duties• No controls or approvals of facility use charges• Stronger controls in place over the collection of cash

Case Study #5-Payroll and Tax

Background• Payroll person paid $4,000 stipend to reconcile

account• Went out on medical leave• Reconciliation turned over to other payroll clerk-

viewed as superstar within district• Control over payroll process, reconciliations and

system now by one person


What was identified• Other internal accountant was reconciling

information and could not find discrepancy• Bus Adm jumped in to assist and in looking at the

information noticed that the payroll clerk was getting three checks each pay period.

• Accountant performed review and identified it had been going on for some time (since 2012)


What was identified• Approved salary of PR clerk was $62K and W-2 was for

$147K• Also evaded taxes by deleting information in the system

so that it would not be reported on W-2 to IRS• $315K was identified as being paid in excess of

approved salary• Once identified, stop payment placed on her next check


What was identified• Check cashing company cashed check, as has

always done, and it bounced after being voided by district

• District still responsible to make good on check• Person had a gambling issue


How to Prevent• Better segregation of duties-lack of strong controls

to prevent theft• Not a great idea to have someone working in the

payroll process also reconciling the account-leads to ability to commit fraud

• No review or checks and balances over the individual

Case Study #6-Technology Access Outside hacking of financial accounting system and banking

activities Replicated the process and was able to watch what was happening Attempts to transfer significant funds to foreign bank accounts Had passwords and access Missing was the electronic secure ID number How the fraud was discovered-emails notifying the district of

attempted transfers at off times/ Impact – close but no cigar-did not get away with it

Internal Controls to Prevent or Detect Fraud Proper Segregation of Duties

Effective IT General Controls-passwords, change controls, system rights, timely removal upon termination from district

Effective Monitoring and Oversight

Fraud Hotline / Anonymous Tip Center

Know your District – identify unusual fluctuations or spending

Need to assess risk in District

Internal Controls to Prevent or Detect Fraud Annually should assess risk in District Control assessment should be considered Need to consider cost vs. benefit of implementing an

internal control

Internal Controls to Prevent or Detect FraudSegregation of Duties (Examples) New employee setup (HR) segregated from Payroll

processing (Payroll), when possible Entering of cash receipts (clerk) segregated from

performance of bank reconciliation (Treasurer) New vendor setup (BA) segregated from processing

payments to vendors (Purchasing)

Internal Controls to Prevent or Detect FraudIT General Controls New User Setup Timely removal of access rights for terminated employees Program change controls Limitation of “super user” access Controlling of access to modules based on job description Limitation of rights to post journal entries Passwords

Internal Controls to Prevent or Detect FraudEffective Monitoring and Oversight

Business Administrator

Board members

Superintendent

Principals

HR Manager

3rd Party Management Companies

Internal Controls to Prevent or Detect FraudReporting Fraud

Create internal confidential reporting process

Protection from retaliation for whistleblowers

Timely investigation of fraud allegations

Report to external parties deemed appropriate in the

circumstances

Internal Controls to Prevent or Detect FraudKnow your District–Fraudulent activity can be prevented or detected

Investigate significant transfer requests on monthly Board Secretary Reports – mis-postings may be done intentionally to conceal fraud

Look for unusual fluctuations

Keep your eyes open and listen

Annually make sure the District communicates its policy on fraud, illegal acts and conflicts of interest policies

Randomly question department heads on their monthly spending – let them know you are watching

Randomly contact vendors to confirm purchase orders/activity

Challenge the quote process and unusual requests

Internal Controls to Prevent or Detect Fraud

Ways to Prevent Fraud Surprise audits on specific district functions or operations

Payroll distribution audits-now required by AccountabilityRegulations

Require job rotation, when possible

Require mandatory vacations

Communicate the District’s views and policies regarding fraud

Annual Independent Financial Statement Audit

Conditions to Suggest the Possibility of Fraud Important contracts are “missing”

Subsidiary ledger is not satisfactorily reconciled to its control account

The results of an analytical procedure performed during the audit may not be consistent with expectations

These conditions, however, may be the result of circumstances other than fraud. Even reports of alleged fraud may not always be reliable because an employee or outsider may be mistaken or may be motivated for unknown reasons to make a false allegation.

Keys to Preventing or Detecting Fraud

Maintain a sense of skepticism

Work together with your auditors to identify areas that you consider to be high risk

Eliminate excessive authority residing with one individual

Effectively monitor the activities of your District and question any deviations

Maintain an effective line of communication throughout all levels of employees and encourage open dialogue

Conclusion and Wrap Up

Fraud is prevalent in all types of entities

Important for the Board and administration to set the tone

Ensure controls are in place and evaluated periodically to

prevent errors and fraud

Internal controls are implemented for the protection of the

administration and the District as a whole

Make sure the District is appropriately insured

Conclusion and Wrap-Up

Limitations on Internal Control Only as good as the people using it Management override of any control can cause a

deficiency to occur Collusion by two or more people can render a control

ineffective

Questions

CYBER SECURITY

Cybersecurity For School Districts

School Districts in the News

Cyber Fraud is Big Business

Cyber Fraud is Big Business Malware is specifically written to target bank accounts, credit card information, personal information,

etc.

Hackers for hire – A terminated employee recently paid hackers to launch a year-long denial of service campaign against the former employer.

Turn Key Solutions• Fraud As A Service (FAAS)• Attacks As A Service (AAAS)• Malware As A Service (MAAS)• Ransomware As A Service (RAAS)

Products and Services come with warranties, feature requests, training programs and customer support.

Web Layers

Dark Web Markets

Cyber Threat Landscape

Social Engineering Social Engineering – The act of tricking you to perform an action

or disclose information to a cyber criminal through social interaction.• Also, the primary method students use to obtain teacher

credentials Actions are things such as:

• Clicking on Links• Downloading and Executing a File• Opening a Microsoft Office type document or pdf • Submitting information into a form• Providing information over the phone

Social Engineering Key Types of Social Engineering

• Phishing – An malicious e-mail sent to a broad base.

• Spear Phishing – A malicious e-mail sent to a very specific set of individuals. May include elements of impersonation.

• Whaling – A malicious e-mail specifically targeting senior executives.

• Vishing – Fraudulent Phone calls• Smishing – All the elements of phishing but

in the form of a text message.

Social Engineering

Ransomware

Ransomware = Cyber extortion• It is evolving and becoming more targeted.• Ransoms are becoming more tailored. Ransomware may be designed to:

• Encrypt all data or systems on the network it can reach.• Take down systems by way of denial of service attacks.• Threaten to expose sensitive information

e.g, Social Security Numbers, Credit Card Numbers, etc.

Cyber Extortion Statistics

• 68% of companies reported that their networks went from functional to encrypted and useless in minutes.

• 85% of companies targeted by ransomware were down for a week or more.

• 15% percent of companies found their data completely unrecoverable.

• Cybercriminals pocketed over $1 Billion in 2016. − Source: The Grim Reality of Ransomware

Cloud and Mobility Many school districts are moving to cloud-based solutions

for their key applications. • Manage and store student records. • Support classroom education and assignments. − “Smart Classrooms”

• Allows for interaction and communication with parents. • Students are provided tablets, laptops, and/or chrome

books. • Faculty and Administrators connect their personal mobile

devices.

Cloud and Mobility

Cloud and Mobility

Data is being stored in places (e.g., employee personal devices) it can not be effectively controlled and protected. Shadow IT has increased dramatically.

• Faculty and administrators find their own solutions to interact with students, parents and store student data.

• Security and Privacy of theses systems are not assessed.

Known Weaknesses and Misconfigurations

The following are used by internal and external threat actors. • Known Vulnerabilities (Unpatched Systems)• Insufficient Endpoint Monitoring • Default Credentials• Vulnerable Web Applications• Weak Network Configurations and Design • Third Party Connections

Third Party Due Diligence

Third Party Risk Management

School districts have specific obligations to protect student data:• FERPA – Family Educational Rights and Privacy Act.• COPPA - Children's Online Privacy Protection Act.• State Breach Notification Laws. These obligations do not end when using Third

Parties.

Third Party Risk Management Any connection to your environment is an exposure point. Allowing a third party to create, maintain, use, transfer or

destroy information on your behalf creates risk. Vendor management and monitoring is critical. Vendors are a means to delegate a task. Responsibility will

always remain with the organization and cannot be delegated.• Issue security based questionnaires. • Obtain and review a vendor’s Service Organization

Control Report (SOC) 1 or 2.

Cybersecurity Playbook Senior Management/Board oversight and support is key

• The Board and Management must understand their role− National School Boards Association (NSBA) 2018

Cyber Risk Report (CRR) sited that most Board members don’t understand their role in overseeing cybersecurity risk management.

• Make cybersecurity an agenda item.• Educate the Board. Ensure you have a resource that can effectively

communicate cyber risks in understandable terms.

Cybersecurity Playbook Establish a role or department with the appropriate skill set and

sufficient authority to oversee, manage and communicate cyber risk. • NSBA 2018 CRR sited that it is often non-cybersecurity

professionals leading the efforts and communications. • This oversight should ensure that any procurement of an

application or third party that may impact the security and/or privacy of student and employee data is reviewed and approved by the designated individual/department. This will ensure a holistic and unified approach.

Do not underestimate your cyber risk and fraud exposure – SIZE DOES NOT MATTER!

Cybersecurity Playbook Do not assume that information security is only an IT issue.

• Cybersecurity is a District issue that requires the assistance of a technical solution.

Establish or verify you have a well-defined IT security governance and risk assessment/management program.• Cyber risks must factor in People, Process and Technology. • Cybersecurity is not just a business expense, but a key

component in providing a safe and effective educational environment.− It is no longer an expense to the business, it is your

business.

Cybersecurity Playbook Ensure the District has identified and documented all the

processes that result in the creation, transfer or storage of sensitive information (credit card numbers, social security numbers, etc.) Ensure Faculty and Administrators only use approved

District applications and store data in approved repositories. Ensure you have strong procedures around the electronic

transfer or movement of money. Ensure your e-mail security appliances are effectively

configured to detect malicious e-mails.

Cybersecurity Playbook Provide routine security awareness training.

• Your employees are your biggest security investment and vulnerability.

• Phishing training is essential. Perform due diligence on all third parties. Use two-factor authentication when possible.

• If not possible, strong passwords are key.• Train employees to use passphrases.

e.g., “PKFOD is the Best @ Cybersecurity!” Isolate key assets and data.

Cybersecurity Playbook

Ensure that a sound and well-tested backup and recovery methodology exists. Publish a business continuity, disaster recovery and

incident response strategy that is aligned to the District’s needs. Publish a mobile device strategy.

Cybersecurity Playbook

Obtain cyber liability insurance and know the role it will play in incident response situations. Have routine independent IT cyber/security

assessments.

Cybersecurity

GASB UPDATE

GASB 75 - OPEBs

Reporting for Postemployment Benefits Other Than Pensions Issued in June 2015 WHAT THE HECK IS TAKING SO LONG????

GASB 87 - Leases

Effective for School District financial statements June 30, 2021 No longer classifies leases as operating or capital All leases will be considered capital and liabilities in

the financial statements unless it is considered a short term lease Short term leases are leases that expire in less than

one year

GASB 88 – Disclosures Related to Debt

Effective for School District financial statements June 30, 2019 Requires additional information to be disclosed,

including, unused lines of credit; assets pledged as collateral, terms specified in debt agreements related to significant events of default, significant termination events and significant acceleration clauses Information to be provided for direct borrowings and

direct placements of debt separately from other debt

Financial Reporting Model Improvements Preliminary views dated September 12, 2018 with

comments due by February 15, 2019 Timing to finalize - 2022 Looking to improve the effectiveness of the current

financial reporting model (GASB 34 model) Concerns that GASB has:

• Governments use differing time frames for recognition in governmental statements, thereby reducing comparability

Financial Reporting Model Improvements (continued) Concerns that GASB has (continued):

• Current presentation lacks a conceptual foundation making it difficult for the GASB to establish standards for government funds for certain complex transactions, such as derivatives and service concession arrangements

Recognition of Elements of Financial Statements Preliminary views dated September 12, 2018 with

comments due by February 15, 2019 Timing to finalize - 2022 Objective – enhance consistency Purpose of PV document:

• The measurement focus of a specific financial statement determines what items should be reported as elements of that financial statement

• The related basis of accounting determines when those items should be reported

Revenues and Expenses

Prepared an invitation to comment in 2018 Looking at Revenue and Expense Recognition Timing - 2023 Objective?

• You guessed it – to improve comparability……

COMMON AUDIT DEFICIENCIES

Purchasing/Accounts Payable Confirming orders Mis-classification at year end between accounts payable and

reserve for encumbrances Obtaining verbal quotes instead of written quotes Quotes received from 2 vendors with different business names but

the same owner per signature on the W-9. One of the entities always wins the quote

Lack of Business Office oversight over quotation process Purchases for subsequent fiscal year charged to the current year

budget

Purchasing/Accounts Payable

Use of multi-vendor purchase orders

Use of cooperative purchasing agreements without ensuring rates charged agree to approved agreements

Expired contracts not renewed or not re-bid

Contracts in excess of $2 million (but less than $10 million) and contracts in excess of $10 million not sent to the State Comptroller’s Office

Human Resources/Payroll

Human Resource/Payroll documents not maintained in employee files – I-9’s, W-4, Pension forms, etc.

Inadequate analysis of payroll deduction payable balances

Accruing vs. Encumbering retro accruals related to unsettled CBA agreements

Time and effort reporting for grant funded employees

• Example - www.state.nj.us/education/title1/tech/

schoolwide/TimeandActivity.doc

Financial Statement Close Process

Material adjustments to the board secretary reports Prior year audit adjustments not posted Subsidiary ledgers and bank reconciliations do not

agree to the general ledger Interfund balances do not net to zero Posting revenue or expense transactions directly to

fund balance account

Financial Statement Close Process

Adjusting journal entries not properly supported with no evidence of review and approval Significant number of “expense adjustments” Some accounting funds not recorded in the general

ledger – trust & agency and certain enterprise funds FSCP not well documented

Other

Surety bond coverage not sufficient

Standard Operating Procedure manuals too generic and not detailed and specific enough to enable transition to a new employee

Budget transfers in excess of 10% that require County approval not submitted to the County

Capital Reserve

Funds transferred to capital projects fund for a project that was not part of a referendum, ESIP lease or SDA grant

Unexpended capital reserve funds used in capital outlay fund should be returned to capital reserve at end of year or end of project if in capital projects fund

Withdrawing funds without voter approval (statement of purpose) for a capital project that was not deemed an “Other Capital Project” which would otherwise be eligible for state support and not approved by the Office of School Facilities as eligible for State support

Monitoring Third Party Service ProvidersInadequate monitoring of the FSMC Operating Statement

Inaccurate reporting of Inventory

Incomplete recording of cash transactions

Inaccurate reporting of free and reduced meals

Inaccurate calculation of exemptions from the break-even/guaranteed profit contract provision

SOC 1 report not completed and provided on time

Monitoring Third Party Service ProvidersInadequate monitoring of self insurance TPA’s

Periodic review of claims being paid

Review of specific contractual provisions• Fees for “re-pricing” savings

SOC 1 report not reviewed for deficiencies

Proper establishment and recording of a self-insurance IBNR

Health BenefitsTerminated employees not being removed from health benefit coverage on a timely basis

• District requested the employee be removed but not removed by the insurance company

• District not monitoring additions and deletions to the health benefit billing effectively

Health benefit contributions not being collected to employees on un-paid leaves of absenceEmployees receiving waiver payments and receiving health benefits

Student Activity Funds

Items identified as control deficiencies or in violation of State guidelines-SAF

• No formal policy in place directing the schools as to how the funds can be utilized

• Items purchased from SAF that should be processed through the normal district purchasing process

• No oversight at all by business office. Although not required, it is a good idea to request information and review

Student Activity FundsItems identified as control deficiencies or in violation of State guidelines-SAF

• Sunshine funds maintained for special school parties and commingled with SAF

• Funds not used for the originally intended purpose or disbursed for non-student related purposes

• No policy in place to address what happens when there are funds remaining after the event or purchase

– Class funds that remain after that class has graduated

– Refunds


• No supporting documentation for receipts or disbursements

• One signature on checks

• Cash collected and held for significant period of time and not deposited

• Purchasing Home Depot/Lowes gift cards and using them as purchasing cards for supplies when needed

• Gift cards provided to students with insufficient documentation of who received the cards


• Employees paid from the SAF to chaperone, etc. and not included as income on employees W-2

• 1099s not issued for vendors that exceed the IRS threshold

• Circumvention of the procurement process/bids/quotes

• Bank accounts established without Board approval

• Outside organizations and sunshine accounts using the District’s bank accounts and ID numbers

Contact Information

www.pkfod.comDavid J. Gannon, CPA, PSA, RMA

Partner908-967-6855

[email protected]

www.wiss.com www.pkfod.com

Thomas J. DeMayo, CISSP, CISAPrincipal

[email protected]

Scott A. Clelland, CPA, PSA, RMAPartner

[email protected]

accounting and auditing topics for school districts€¦ · cipp/us, ceh, chfi, ccfe principal –...

Documents