Effective Internal Control,Establishing an Internal Audit

Function,and Compliance Plans

2014 Governmental Accounting For Local Public HealthSeptember 11, 2014

2

Presented by:

Stephen W. Blann, CPA, CGFM, CGMADirector of Governmental Audit QualityRehmann

3

Session Outline

• Effective internal control– COSO Framework

• Internal audit function– GFOA Best Practices

• Compliance Plans– Internal control over compliance

4

Overview of Internal Control

• Internal Control—Integrated Framework – COSO Report (1992 & 2013)– Committee of Sponsoring Organizations (AICPA,

AAA, IIA, IMA, FEI)– Codified in Auditing Standards by AICPA, GAO, and

PCAOB (SOX)

5

Overview of Internal Control

• Management’s responsibilities– Effectiveness– Efficiency– Compliance– Financial Reporting

• Internal controls are the framework management establishes to ensure it meets these responsibilities

6

Overview of Internal Control

• Limitations of internal controls– Cost vs. benefit– No “perfect” system– Management override

7

Overview of Internal Control

• Responsibility for internal control– Management is primarily responsible• Independent auditors “gain an understanding” – not a

substitute for management • Internal auditors work for management

– The governing body is ultimately responsible

8

Overview of Internal Control

• Management is responsible for:– Design– Implementation– Monitoring– Reporting

9

The Internal Control Framework

• The Control Environment• Risk Assessment and Monitoring• Control-related Policies and Procedures• Information and Communication• Monitoring

10

The Internal Control Framework

Control Environment• Management’s attitude / example• Communication• The Internal Auditor• The Audit Committee

11

The Internal Control Framework

Risk Assessment and Monitoring• Changes in:– Operating environment– Personnel– Information systems / technology– Rapid growth– New programs / services– Structure

12

The Internal Control Framework

Risk Assessment and Monitoring• Inherent risk• Prioritization– Significance – Likelihood

13

The Internal Control Framework

Control-Related Policies• Essential tasks of an accounting system– Assemble data– Analyze, classify, and record data– Report on data– Maintain accountability over assets

14

The Internal Control Framework

Control-Related Policies• Management’s implicit assertions– Existence / occurrence– Completeness– Rights / obligations– Allocation / valuation– Presentation / disclosure

15

The Internal Control Framework

Control-Related Policies

– Authorization– Properly designed

records– Security of assets

and records– Segregation of

incompatible duties

– Periodic reconciliations

– Periodic verifications– Analytical review– Timely external

reporting (GAAP)

• Policies and procedures

16

The Internal Control Framework

Information and Communication• Information needs– Appropriate content– Timely / current– Accurate– Accessible

• Methods of communication• Accounting policies and procedures manual

17

The Internal Control Framework

Monitoring• Purpose (smoke alarm)• Ongoing• Evaluation of internal controls (internal audit)

18

Evaluating Internal Controls

• Identify control cycles• Document processes• Identify potential risks

http://www.coso.org/Guidanceonmonitoring.htm

19

Evaluating Internal Controls

– Authorization– Properly designed

records– Security of assets

and records– Segregation of

incompatible duties

– Periodic reconciliations

– Periodic verifications– Analytical review– Timely external

reporting (GAAP)

• Identify compensating controls

20

Establishing an

Internal Audit Function• GFOA Best Practices:– Establishment of an Internal Audit Function– Enhancing Management Involvement with Internal

Control– Audit Committees

http://www.gfoa.org/best-practices

21

GFOA Best Practices

• Government Finance Officers Association of the United States and Canada– Professional organization– Issues best practices and advisories on a variety of

topics relevant to government financial management

22

GFOA Best Practices

• A BP identifies specific policies and procedures as contributing to improved government management. It aims to promote and facilitate positive change rather than merely to codify current accepted practice. Partial implementation is encouraged as progress toward a recognized goal.

23

GFOA Best Practice

Establishment of an Internal Audit Function

• Definition of an “internal auditor”:– any audit professional who works directly for

management, at some level, and whose primary responsibility is helping management to fulfill its duties as effectively and efficiently as possible.

24

GFOA Best Practice

Establishment of an Internal Audit Function

• Role(s) of an internal auditor:– Monitoring the design and proper function of

internal control policies and procedures– Function as an additional level of control– Conduct performance audits– Special investigations and studies

25

GFOA Best Practice

Establishment of an Internal Audit Function

• Recommendations:– Every government should either• Establish a formal internal audit function;• Assign internal audit responsibilities to its regular

employees; or • Hire a CPA firm (other than the independent auditor)

for this purpose

26

GFOA Best Practice

Establishment of an Internal Audit Function

• Recommendations:– The internal audit function should be formally

established by charter, enabling resolution, or other appropriate legal means

– Internal auditors should follow the GAO’s Government Auditing Standards, including standards applicable to independence

27

GFOA Best Practice

Establishment of an Internal Audit Function

• Recommendations:– The head of the internal audit function should

possess at least a college degree and relevant experience; a professional certification is encouraged (CIA, CPA, CISA)

– The annual internal audit work plan and all reports of internal auditors should be made available to the audit committee

28

GFOA Best Practice

Enhancing Management Involvement w/ IC

• Purpose of internal control:– Adequately protect public funds by prudent

management– Provide a reasonable basis for finance officers to

assert the financial information they provide can be relied upon

29

GFOA Best Practice

Enhancing Management Involvement w/ IC

• Stakeholders in internal control:– Independent auditors provide assistance in

meeting internal control-related responsibilities, but are not a substitute for management’s direct and informed involvement with internal controls

– Elected officials must ensure that managers who report to them fulfill their responsibilities in implementing IC

30

GFOA Best Practice

Enhancing Management Involvement w/ IC

• Recommendations:– Financial managers should obtain information and

training needed to meaningfully take responsibility for internal control

– Obtain sound understanding of COSO’s comprehensive framework of internal control

31

GFOA Best Practice

Enhancing Management Involvement w/ IC

• Recommendations:– Internal control procedures should be

documented– Design a practical means for lower level

employees to report instances of management override of controls that could be indicative of fraud

– Internal controls should be monitored and reevaluated for adequacy

32

GFOA Best Practice

Enhancing Management Involvement w/ IC

• Recommendations:– Evaluations of controls should include

effectiveness and timeliness of corrective action for identified deficiencies

– Control effectiveness requires a baseline for future monitoring, which should be adjusted for changes in controls

– Corrective action plans should have timetables and be monitored

33

GFOA Best Practice

Audit Committees• There are 3 groups responsible for the quality

of financial reporting:– Governing body– Financial management– Independent auditors

• The governing body must be seen as “first among equals”

34

GFOA Best Practice

Audit Committees• Audit Committees are a practical means for a

governing body to provide much needed independent review and oversight of:– the government’s financial reporting processes,– internal controls, and – the independent auditors

35

GFOA Best Practice

Audit Committees• Selected recommendations:– The governing body of every state and local

government should establish an audit committee– The audit committee should be formally

established by charter, enabling resolution, or other appropriate legal means

36

GFOA Best Practice

Audit Committees• Selected recommendations:– The documentation establishing the audit

committee should prescribe the scope of the committee’s responsibilities, its structure, and membership requirements

– The audit committee should be directly responsible for the appointment, compensation, retention, and oversight of the independent auditor

37

GFOA Best Practice

Audit Committees• Selected recommendations:– All members should possess or obtain a basic

understanding of governmental financial reporting and auditing

– The committee should have access to the services of at least one financial expert (either a committee member or outside party engaged for this purpose)

38

GFOA Best Practice

Audit Committees• Selected recommendations:– The audit committee should provide independent

review and oversight of a government’s financial reporting processes, internal controls and independent auditors

– The audit committee should have access to the reports of internal auditors, as well as access to annual internal audit work plans

39

Compliance Plans

• Internal control over compliance– Differences and similarities with IC over financial

reporting– Existing and new requirements for grants– Auditor involvement

40

Compliance Plans

• Existing requirements:– OMB Circulars A-102 Common Rule and A-110

Administrative Requirements– Requires management to establish and maintain

internal controls designed to provide reasonable assurance of compliance with Federal laws, regulations and program compliance requirements

41

Compliance Plans

• New Uniform Grant Guidance (2 CFR 200):– Establish and maintain effective internal control

over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award

– Consistent with COSO

42

Compliance Plans

• Auditor involvement– Yellow Book engagements (material to financial

statements)– Single audit (material to major federal programs)– Other (Medicare, etc.)

43

Questions?

44

For more information...

Stephen W. Blann, CPA, CGFM, CGMADirector of Governmental Audit QualityRehmannstephen.blann@rehmann.com www.rehmann.com/government