(1)

Internal Control Transformation – IC’s Role is Broader and More Strategic

(2)

Introduction

Cindy Berg, Director

McGladrey LLP

201 N Harrison Street, Davenport, Iowa 52801

cindy.berg@mcgladrey.com

(3)

Agenda

 Introduction

 Areas sensitive to fraud

 Internal control strategies

 SOC reports

(4)

Objectives

 Build awareness of areas at risk for potential fraud

 Internal control strategies specific to higher education

 Basic knowledge of SOC reports and their role in your internal control system

(5)

COSO Internal control components

 Control Environment

 Risk Assessment

 Control Activities

 Information and Communication

 Monitoring Activities

Check out www.coso.org and the whitepaper at http://www.aicpa.org/InterestAreas/FRC/AuditAttest/D

(6)

Purpose of internal control

 Helps you be more successful by:

- Preventing or detecting errors

- Preventing or identifying fraud. The impact of fraud can be felt through:

  Lost funds

  Harm to the Institution’s reputation

  Lower employee morale

 Stakeholders expect organizations to safeguard resources entrusted to them

(7)

Risk Assessment

 Principle 8 – The organization considers the potential for fraud in assessing risks to the achievement of objectives.

- Various ways fraud can occur

- Risk factors:

  Incentives and pressures

  Opportunities

  Attitudes and rationalizations

(8)

Fraud triangle

[Figure: the fraud triangle – Incentive/Pressure, Opportunity and Attitude/Rationalization as the three sides, with Fraud Risk at the centre]

(9)

Areas where greater risk for fraud

 Cash disbursements, especially Procurement cards (P-Cards)

 Payroll

 Cash receipts (usually at remote or branch locations)

 Student financial aid

 Ticketing venues

(10)

“War” stories

 P-Cards – Charging personal items to P-Cards while the supervisor reviewing P.O.s or statements is not reviewing closely (or is delegating the review)

 Expenses/reimbursements – Rubber-stamp approval, or an inappropriate person approving

 Federal student loans – Financial aid director certifying loans to herself, getting the disbursement and then dropping the class

 Payroll – Payroll clerk changing her tax withholding and replacing the page of the payroll register her information was on

(11)

“War” stories (continued)

 Work study funds – “Borrowing” funds from students in exchange for stipends through work study

 Travel reimbursements – Advancement personnel charging for trips to see potential donors but not actually meeting with donors

 Tickets at athletic events

- Pocketing cash at the gate if there is no ticket system

- Scalping tickets

 Branch location accepting credit cards applying credits to an employee’s personal credit card

(12)

Internal control strategies

 Getting the Governing Board/Audit Committee and senior management on board

- Tone set

- Whistleblower policy

 Risk assessment

 Putting controls in place

- Policies to establish what is expected, with procedures put in place

- Segregation of duties (or, if not possible, then mitigating controls)

 Revising controls for changes in the environment or people

 Revising controls for changes in the environment or people

(13)

Internal control strategies

 Monitoring controls for effectiveness

- Accountability for those in review positions

 Keeping that skepticism

- Periodic training for those in review positions

REMEMBER: None of your department heads graduated with a degree in how to be a good department head (OK, maybe your business school folks)

(14)

Client Community College

 Financial Reporting History (June 2006)

- State Auditors for 40 years since inception

- 40 years of “clean” reports

- 40 years of no constructive comments

- Audit focused on Iowa Code compliance

- Exec Director of Finance 30+ years

 Changes/Recommendations

- New VP CFO/COO June 2006

• Business vs Education mindset

• SEC and Sarbanes Oxley trained

- Replaced Exec Director of Finance June 2007

- Changed external auditors June 2009

(15)

Client Community College

 Changes/Recommendations (continued)

- Changed silo finance structure to cross functional

- Evaluated each staff position

  Created new job descriptions

  Cross training

  Of 23 finance staff in 2006, only 3 remain

  Current staff size 21

- More skilled

- Higher paid

- Created Board Audit Committee

- Centralized vs Decentralized functions

(16)

SOC reports – What are they?

 Service Organization Controls (SOC) reports (formerly known as SAS 70 reports). (Since this deck was written, SSAE 16 has been superseded by SSAE 18 and the AICPA now expands SOC as System and Organization Controls; the three report types below still exist.)

 A service auditor may be engaged to examine and report on controls at a service organization related to various types of subject matter, such as:

- controls that affect user entities’ financial reporting

- controls that affect the privacy of information processed for user entities’ customers

 SOC 1: Statements on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, establishes the requirements and guidance for a CPA (service auditor) examining and reporting on a service organization’s description of its system and its controls that are likely to be relevant to user entities’ internal control over financial reporting.

(17)

SOC reports – What are they?

 SOC 2: An examination engagement to report on controls at a service organization intended to mitigate risks related to security, availability, processing integrity, confidentiality, or privacy (trust services principles).

- AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, establishes guidance.

 SOC 3: TSP Section 100, “Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy”, provides criteria for evaluating and reporting on controls related to security, availability, processing integrity, confidentiality, and privacy. In the examination report included in TSP Section 100, the auditor expresses an opinion on whether the service organization maintained effective controls over its system, based on the criteria in TSP Section 100 that are applicable to the

(18)

SOC reports – What are they?

 Although SOC 2 and SOC 3 reports address similar subject matter and use the same criteria in TSP Section 100, a SOC 2 report differs from a SOC 3 report in that a SOC 2 report provides report users with the following report components that are not included in a SOC 3 report:

- a description of the service organization’s system prepared by management of the service organization,

- a description of the service auditor’s tests of the operating effectiveness of the service organization’s controls and the results of those tests, and

- in a type 2 report that addresses the privacy principle, a description of the service auditor’s tests of the service organization’s compliance with the commitments in its statement of privacy practices.

(19)

What is the subject matter of the engagement?

SOC 1: Controls at a service organization relevant to user entities’ internal control over financial reporting.

SOC 2: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. If the report addresses the privacy principle, the service organization’s compliance with the commitments in its statement of privacy practices.

SOC 3: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. If the report addresses the privacy principle, the service organization’s compliance with the commitments in its statement of privacy practices.

(20)

What is the purpose of the report?

SOC 1: To provide information to management and the auditor of a user entity about controls at a service organization that may be relevant to a user entity’s internal control over financial reporting.

SOC 2: To provide management of a service organization, user entities and other specified parties with information and a CPA’s opinion about controls at the service organization that may affect user entities’ security, availability, processing integrity, confidentiality, or privacy.

SOC 3: To provide interested parties with a CPA’s opinion about controls at the service organization that may affect user entities’ security, availability, processing integrity, confidentiality, or privacy.

(21)

Who are the intended users of the report?

SOC 1: Auditors of the user entity’s financial statements, management of the user entities, and management of the service organization.

SOC 2: Parties that are knowledgeable about:

• the nature of the service provided by the service organization

• how the service org’s system interacts with user entities, subservice organizations, and others

• internal control and its limitations

• the criteria and how controls address those criteria

SOC 3: Anyone

(22)

SOC reports – why you should care

 Service organizations are part of your internal control system

 Problems in their organization can lead to problems with their services to your organization

 Compliance related findings in their organization can be compliance findings for your organization

(23)

SOC reports – how you should be using them

 Obtain the reports and read them for exceptions, qualified opinions, etc.

 Check that the report period covers the period you are relying on, and whether it is a type 1 report (controls as designed at a point in time) or a type 2 report (operating effectiveness tested over a period); only a type 2 report gives you the tests and results described on the previous slides

 Look for the complementary user entity controls the report assumes you operate; those are controls your own organization must actually have in place for the service organization’s controls to be effective

 Determine the impact of any exceptions or qualifications on your organization

 Consider the impact to your internal control system

 If considering a new service organization, make the SOC reports part of your due diligence

(24)

Conclusion

 Tone at the top matters – more what you do than what you say

 Internal control is an ever-changing subject – new processes mean the need for new controls

- The COSO framework is being updated to keep it relevant in the current business world (the updated Internal Control – Integrated Framework was issued in 2013).

 In an electronic environment, reviews are extremely important

 Do your department heads know what to be looking for?

(25)

Questions?

(26)

For additional information contact:

Cindy Berg, Director, McGladrey LLP

201 N Harrison St., Suite 300, Davenport, Iowa 52801

cindy.berg@mcgladrey.com

Direct 563.888.4419

For more information on McGladrey’s Education practice visit

(27)

McGladrey LLP is the U.S. member of the RSM International (“RSMI”) network of independent accounting, tax and consulting firms. The member firms of RSMI collaborate to provide services to global clients, but are separate and distinct legal entities which cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party.

McGladrey, the McGladrey signature, The McGladrey Classic logo, The power of being understood, Power comes from being understood and Experience the power of being understood are trademarks of McGladrey LLP.

© 2012 McGladrey LLP. All Rights Reserved.

McGladrey LLP, 201 North Harrison St, Suite 300, Davenport, Iowa 52801

563.888.4000 800.274.3978 www.mcgladrey.com
