Internal Audit Report. Post Implementation Review PeopleSoft Accounts Payable TxDOT Internal Audit Division
Objective

To determine if the Oracle PeopleSoft Accounts Payable system is providing effective and efficient business operations.

Opinion

Based on the audit scope areas reviewed, control mechanisms require improvement and only partially address risk factors and exposures considered significant relative to impacting reporting reliability, operational execution, and compliance. The organization's system of internal controls requires improvement in order to provide reasonable assurance that key goals and objectives will be achieved. Improvements are required to minimize existing process variation and control gap corrections that may result in potentially significant negative impacts to the organization including the achievement of the organization's business/control objectives.

Overall Engagement Assessment: Needs Improvement

Findings:
- Finding 1, History Xtract (HX) File Security. Control Design: x. Operating Effectiveness: x. Rating: Unsatisfactory
- Finding 2, Protecting PII in PeopleSoft. Control Design: x. Operating Effectiveness: x. Rating: Needs Improvement
- Finding 3, Fraud Report Utilization. Control Design: x. Operating Effectiveness: x. Rating: Needs Improvement

Management concurs with the above findings and prepared management action plans to address deficiencies.

Control Environment

Testing of operating controls provided assurance that Oracle PeopleSoft ("PeopleSoft") has helped the Texas Department of Transportation (TxDOT) 1) process payments in accordance to the three-way match controls, 2) make more timely payments, and 3) execute proper access controls for creating vendors and approving/releasing payments. While these operating controls have worked, other monitoring controls were not fully developed to ensure secure, accurate, and complete transmission of payment data to/from the Comptroller's Uniform Statewide Accounting System (USAS) and that the Accounts Payable process is paying for valid TxDOT purchases.
Further, current processes and procedures for these operating and monitoring controls were not documented to help provide better assurance that staff understood their roles and responsibilities in working with these controls. In addition, safeguarding Personally Identifiable Information (PII) within PeopleSoft could have been further improved. April
Summary Results

Finding 1
Scope Area: USAS Interface
Evidence: Security reviews for user access and data contained in USAS interface files showed the following:
- Observed and reviewed USAS History Xtract (HX) Files in non-encrypted plain text, which includes payment information (e.g. bank routing, account number, and the Texas Identification Number (TINS) information) that can be viewed or modified by multiple users.
- 4 of 13 (31%) TxDOT users no longer needed access to the interface files on TxDOT servers, but still had the ability to read and write these files. No determination could be made if any changes were made to the files by these users.
- Two additional interface file user accounts were identified to have a shared username and password allowing for the ability to read and write these files on TxDOT servers. No determination could be made as to how many users may have gained access.

Finding 2
Scope Area: Accounts Payable Segregation of Duties
Evidence: Finance employees have access to Personally Identifiable Information (PII) in PeopleSoft where social security numbers, banking account numbers, and banking routing numbers were visible. These employees do not have a business need to access this information.

Finding 3
Scope Area: Accounts Payable Segregation of Duties
Evidence: A detection tool/report is not being utilized to monitor and assess segregation of duty issues for employee access within the Comptroller's Uniform Statewide Accounting System (USAS) used to make payments on behalf of TxDOT:
- The report identifies individuals who can enter, modify, and process payments and other transactions
- Review of the report identified one TxDOT transaction that was entered and released by the same user for a budget item done by a Texas Comptroller user.

Audit Scope

The scope of the audit included PeopleSoft and USAS user system access, the USAS interface, and the PeopleSoft three-way match process.
Audit testing in these three areas included reviewing system access for creating vendors, approving the created vendors, initiating a payment transaction, and releasing a payment transaction. System access was reviewed in the USAS and PeopleSoft systems. The interface between these two systems was also reviewed to provide assurance that the information transmitted was accurate and the information was protected. Finally, testing was performed on the PeopleSoft three-way match process. Data selected for all the above testing was from October 7, 2014 (PeopleSoft implementation) to September 30, The audit was performed by Rita Ruiz, Tracey Garza, Jessica Esqueda, and Anne Heitke (Engagement Lead). The audit was conducted during the period from October 27, 2015 to December 7,

Methodology

The methodology used to complete the objectives of this audit includes:
- Reviewed TxDOT internal documents, including policy and procedure manuals, organizational charts, process maps, and technical reports
- Reviewed state regulations, such as the Texas Government Code
- Reviewed previously issued reports from TxDOT's Internal Audit Division, such as the Accounts Payable and Post-Implementation Review PeopleSoft: Recruiting and Payroll
- Interviewed key personnel, such as the current Chief Financial Officer (formerly the Finance Division Director), East Accounts Payable Manager, Section Director of Payments, Central Manager of Accounts Payable, Support Services, and Contract Services personnel within Information Management (formerly the Information Technology Division (ITD))
- Tested TxDOT users' ability to create and approve new vendors in PeopleSoft and their access rights within USAS
- Reviewed daily and monthly reconciliation documentation between USAS and PeopleSoft to determine if they were being conducted and issues were being resolved
- Tested 35 direct entries into USAS for corresponding PeopleSoft entry to determine if payments were accurately recorded
- Tested 40 purchases and 40 payments to determine if the three-way match was done properly
- Reviewed purchases and payments that had the three-way match overridden to determine if override was appropriate
- Determined if PII information contained in interface files was encrypted
- Determined if PII information contained in interface files had appropriate limited access

These procedures were applied as necessary to perform the audit fieldwork.

Background

This report is prepared for the Texas Transportation Commission and for the Administration and Management of TxDOT. The report presents the results of the Post Implementation Review PeopleSoft Accounts Payable audit, which was conducted as part of the Fiscal Year 2016 Audit Plan.

TxDOT implemented a new PeopleSoft system in October PeopleSoft is an integrated suite of software, which provides a common technology platform across core business areas like human resources, finance, supply chain, and payroll. PeopleSoft replaced over 20 mainframe and legacy systems in Finance, Human Resources, and General Services. The new PeopleSoft consists of three main applications: Enterprise Learning Management (ELM), Human Capital Management (HCM), and Financial Supply Chain Management (FSCM). The FSCM application includes purchasing and payment functions that were reviewed for this audit.

The FSCM application is used as TxDOT's financial system of record. The payments are entered and processed in the FSCM module and then sent to Texas Comptroller (Comptroller) of Public Accounts Uniform Statewide Accounting System (USAS) for official payment. Payments and vendor creation can initiate in PeopleSoft and pass through to USAS in an interface file. The information in the interface file is stored in a History Xtract (HX) File. Payments and vendor creation can also be entered directly into USAS, bypassing PeopleSoft, if needed. Transactions originating in PeopleSoft that have associated Purchase Orders (POs), in general, must match entries in the PO, receipt of goods, and invoice.

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and in conformance with the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. Recommendations to mitigate risks identified were provided to management during the engagement to assist in the formulation of the management action plans included in this report. The Internal Audit Division uses the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework version A defined set of control objectives was utilized to focus on reporting, operational, and compliance goals for the identified scope areas.
Our audit opinion is an assessment of the health of the overall control environment based on (1) the effectiveness of the enterprise risk management activities throughout the audit period and (2) the degree to which the defined control objectives were being met. Our audit opinion is not a guarantee against reporting misstatement and reliability, operational sub-optimization, or non-compliance particularly in areas not included in the scope of this audit.
Detailed Findings and Management Action Plans (MAP)

Finding No. 1: History Xtract (HX) File Security

Condition

The Uniform Statewide Accounting System (USAS) History Xtract (HX) files, which contain the transmitted information between PeopleSoft and USAS, were stored in plain text, or not encrypted, and could be modified or read by several users. Auditors were not able to determine if any changes had been made to the files as no logs exist to review. In addition, two user accounts on TxDOT servers that house the HX files were identified to have shared usernames and passwords that could be accessed by multiple users.

Effect/Potential Impact

Information on the HX files could be altered. Information stored unencrypted in servers could also lead to disclosure of confidential and/or sensitive information of employees and vendors.

Criteria

The TxDOT Information Security manual states that TxDOT is required to protect against unauthorized access, disclosure, modification or destruction - whether accidental or deliberate; as well as, to assure the availability, integrity, authenticity, and confidentiality of information.

Cause

Appropriate assignment and subsequent monitoring of user access rights to HX files and protection of information within those files is not being performed.

Evidence

The evidence obtained in the review included:
- Auditors observed and reviewed the payment files in Notepad, which showed all the payment information (e.g., bank routing, account number, and the Texas Identification Number (TINS) information) in plain text and not encrypted.
- Auditors reviewed directory access and file permissions where 13 unique users had access to the interface file, the following was noted:
  - 4 of 13 (31%) TxDOT users no longer needed access to the HX files. These users still had the ability to read and write the files. Auditors were not able to determine if any changes were made to the files by these users as no logs exist to review.
  - Two additional user accounts were identified that had shared usernames and passwords. The accounts had the ability to read and write the interface files. Auditors were not able to identify how many users had knowledge or access to these accounts. Auditors were also not able to determine if any changes were made to the files using these accounts as no logs exist to review.
Management Action Plan (MAP):

MAP Owner: Ben Hayes, IT Business Analyst, Information Management Division (IMD)

MAP 1.1: IMD will determine which users require read and write access to the HX files and restricted access to all other users. IMD will remove all users that do not require access. IMD will create a script to perform monthly tracking and monitoring to determine which HX files were modified.
Completion Date: Action Completed

MAP 1.2: IMD will research and test changes that will prevent the two shared accounts being accessed by multiple users. The goal is to require system administrators to log in using their individual accounts and switch to the system accounts when needed. The research, actions taken, and testing will be documented.
Completion Date: May 15, 2016

MAP 1.3: Based on actions taken in MAP 1.2, IMD will modify the two system accounts to prevent system administrators from logging in directly with these accounts. Support personnel will log in with their individual account and switch to the system accounts when needed.
Completion Date: August 15, 2016
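The monthly modification tracking described in MAP 1.1 could look like the sketch below, added here as an example; it is not TxDOT's script and not part of the original report. The directory layout, file names and manifest location are assumptions, and the sample files are constructed placeholders, not real HX data.

```python
"""Monthly HX-file change review: hash manifest comparison plus a permission check."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def snapshot(directory):
    """Hash every file under `directory` and record its permission bits."""
    root = Path(directory)
    snap = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        mode = path.stat().st_mode
        snap[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.filemode(mode),
            # True when an account other than the owner can write the file.
            "group_or_world_writable": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
        }
    return snap


def compare(baseline, current):
    """Diff two snapshots by content hash, so a reset timestamp does not hide an edit."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            n for n in common if baseline[n]["sha256"] != current[n]["sha256"]
        ),
        "group_or_world_writable": sorted(
            n for n, meta in current.items() if meta["group_or_world_writable"]
        ),
    }


def run_review(directory, manifest_path):
    """Run one review cycle and store the new manifest.

    Returns None on the first run, when only the baseline is taken.
    The manifest has to live somewhere the accounts that can write the
    HX files cannot write, otherwise an edit can be hidden by editing it too.
    """
    manifest = Path(manifest_path)
    current = snapshot(directory)
    report = None
    if manifest.exists():
        report = compare(json.loads(manifest.read_text()), current)
    manifest.write_text(json.dumps(current, indent=2, sort_keys=True))
    return report


def demo():
    """Two review cycles over constructed placeholder files (hypothetical names)."""
    with tempfile.TemporaryDirectory() as tmp:
        hx_dir = Path(tmp, "hx")
        hx_dir.mkdir()
        manifest = Path(tmp, "manifest.json")  # kept outside the reviewed directory
        for name in ("hx_day1.txt", "hx_day2.txt"):
            sample = hx_dir / name
            sample.write_text("CONSTRUCTED PLACEHOLDER RECORD for " + name + "\n")
            sample.chmod(0o600)
        first = run_review(hx_dir, manifest)  # baseline only
        # Changes made between two monthly runs:
        (hx_dir / "hx_day1.txt").write_text("CONSTRUCTED PLACEHOLDER RECORD, altered\n")
        new_file = hx_dir / "hx_day3.txt"
        new_file.write_text("CONSTRUCTED PLACEHOLDER RECORD for a new file\n")
        new_file.chmod(0o660)  # group-writable, so the permission check flags it
        second = run_review(hx_dir, manifest)
        return first, second


if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=2))
```

The comparison shows that a file changed, not who changed it; attributing a change to an account still needs operating-system audit logging on the directory.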
Finding No. 2: Protecting PII in PeopleSoft

Condition

Personally Identifiable Information (PII) in PeopleSoft (i.e., Social Security numbers, banking account numbers, and banking routing numbers) was visible to Financial Management Division employees and Information Management staff that support the application. Retention of this information within the system was not necessary since payments are not directly made out of PeopleSoft.

Effect/Potential Impact

Unsecured information within the PeopleSoft system could lead to disclosure of confidential or sensitive information, identity theft, and/or a negative impact on TxDOT's reputation.

Criteria

National Institute of Standards and Technology (NIST) Special Publication and Title 1, Texas Administrative Code, Section recommends and requires the confidentiality of certain types of information including PII. In addition, the TxDOT Information Security manual states that TxDOT is required to protect against unauthorized access, disclosure, modification or destruction - whether accidental or deliberate; as well as, to assure the availability, integrity, authenticity, and confidentiality of information.

Cause

The necessity and risk of showing confidential information after it has been entered into the system was not considered during implementation.

Evidence

The evidence obtained in the review included:
- Auditors observed multiple PeopleSoft screens that are available to Financial Management Division employees where the social security numbers, banking account numbers, and banking routing numbers were visible.

Management Action Plan (MAP):

MAP Owners:
Lanny Wadle, Director, Financial Management Division
Heather Burgess, Accounts Manager, Financial Management Division Accounts Payable East Section

MAP 2.1: The Financial Management Division has entered an AR, application request, RITM to have the bank account and routing information removed from PeopleSoft.
Completion Date: Action Completed
Finding No. 3: Fraud Report Utilization

Condition

TxDOT was not using all available fraud detection tools, including the Risky Document Report (DAFR9840), to monitor TxDOT payments or other accounting transactions (e.g., changes to accounting files or release of batches) that have been entered or modified and then released for processing by the same user within Uniform Statewide Accounting System (USAS).

Effect/Potential Impact

Without proper and continuous monitoring of expenditure processing, where one user has the ability to enter, modify, and then process payments, TxDOT funds can be susceptible to fraudulent or other unauthorized activity.

Criteria

As a best practice to ensure system security, the IT Governance Institute's framework for Control Objectives for Information and Related Technology (COBIT) states that a monitoring function will enable the early detection of unusual activities that may need to be addressed.

Cause

TxDOT was not aware of the reporting tool (DAFR 9840 Report) provided by the Texas Comptroller of Public Accounts. The Financial Management Division did not identify the risk associated with same user access and did not implement detective controls to monitor activity of those users.

Evidence

The evidence obtained in the review included:
- The DAFR 9840 report had not been requested from the Comptroller's office since implementation of PeopleSoft in October
- Review of the report identified one TxDOT transaction that was entered and released by the same user. Auditors determined that this was an appropriate action.

Management Action Plan (MAP):

MAP Owners:
Paul Campbell, Section Director, Financial Management Division - Payments Management Section
Bryce Bayles, Accounting Manager, Financial Management Division - Accounts Payable Central Section

MAP 3.1: As part of the bi-annual security review process, the TxDOT Financial Management Division Support Services Section will request and review the Risky Document Report (DAFR9840) and communicate exceptions to management for remediation.
Completion Date: April 15, 2016
Observations and Recommendations

Audit Observation (a): Three-Way Match Override

Condition

Purchasing and Accounts Payable users are able to override the match process in PeopleSoft to allow for a discrepancy of the quantity and dollar amount between the Purchase Order, Invoice, and Receipt of goods documents. Most of the exceptions identified in the audit occurred when PeopleSoft was initially implemented. After more training was provided, the number of overrides reduced. As of September 30, 2015, only 69 of 120,545 (.06%) vouchers had purchasing overrides. No inappropriate transactions were identified.

Effect/Potential Impact

Without proper monitoring and training, overrides could result in incorrect payments to vendors and fraud.

Audit Recommendation

The Financial Management Division should monitor No Match overrides, educate users on appropriate use of the PeopleSoft feature, and establish criteria for acceptable overrides.
Summary Results Based on Enterprise Risk Management Framework

Closing Comments

The results of this audit were discussed with the Financial Management (formerly Finance) Division Director, the Financial Management Division Deputy Director, the Financial Management Division Payments Management Director, the Financial Management Division Accounts Payable East Manager, the Financial Management Division Accounts Payable Central Manager, the Information Management Division (IMD, formerly Information Technology) Enterprise Resource Planning Director, and the IMD Operation Excellence Specialist in December (Note: employee staff positions mentioned above represent those as of the December 2015 meeting.)

We appreciate the assistance and cooperation received from IMD, the Financial Management Division, and third party providers contacted during this audit.
More informationREPORT 2013/123. Audit of Managing for Systems, Resources and People System interfaces FINAL OVERALL RATING: PARTIALLY SATISFACTORY
INTERNAL AUDIT DIVISION REPORT 2013/123 Audit of Managing for Systems, Resources and People System interfaces Overall results relating to the effective management of manual and electronic controls, built
More informationGATU Webinar Part 1 March 2017 Presented by Carol Kraus, CPA
GATU Webinar Part 1 March 2017 Presented by Carol Kraus, CPA Definition of Internal Controls COSO Internal Control Framework Internal Controls (2 CFR 200.303) Grantee responsibilities Awarding state agency
More information15 Benefits of a Revenue Assurance Solution
Achieving Sarbanes-Oxley Compliance: 15 Benefits of a Revenue Assurance Solution A WeDo Technologies white paper Contents Contents... 2 1 References... 4 2 Introduction... 5 3 Sarbanes-Oxley... 5 4 Key
More informationIn Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015
In Control: Getting Familiar with the New COSO Guidelines CSMFO Monterey, California February 18, 2015 1 Background on COSO Part 1 2 Development of a comprehensive framework of internal control Internal
More informationCollege of Engineering and Computer Science Dean's Office
THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES College of Engineering and Computer Science Dean's Office Report No. 13-16 OFFICE OF INTERNAL AUDITS THE UNIVERSITY OF TEXAS
More informationFINANCE - CORPORATE FINANCIAL MANAGEMENT SYSTEM (CFMS)
),1$1( 25325$7( ),1$1,$/ 0$1$*(0(17 6
More informationHFTP Hospitality Financial and Technology Professionals
About our Sample Accounting Jobs Descriptions for Clubs: The HFTP Americas Research Center, with guidance from members of the HFTP Club Advisory Council, has developed example job descriptions for accounting
More informationMelinda J. DeCorte, CPA, CFE, CGFM, PMP
Melinda J. DeCorte, CPA, CFE, CGFM, PMP Melinda DeCorte has over 19 years of accounting, auditing and government financial management experience. She directs, manages and serves in a quality assurance
More informationAssurance Hand Note Professional Stage-Knowledge Level By: Shafique Ahmed-Sr. Officer (Internal Audit-BSRM) Assurance
Assurance 1 CONTENTS OF ASSURANCE 01. Preliminary of Assurance: 1.01 Assurance Engagement: 1.02 Key elements of an assurance engagement: 1.03 Levels of assurance 1.04 Objective of an Audit: 1.05 True &
More informationTHE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Department of Communication Report No
THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES Report No. 15-02 OFFICE OF INTERNAL AUDITS THE UNIVERSITY OF TEXAS - PAN AMERICAN 1201 West University Drive Edinburg, Texas
More informationAUDIT OF EARNINGS LOSS
May 2013 AUDIT OF EARNINGS LOSS Page i Acknowledgements The audit team would like to gratefully acknowledge the staff at the Centralized Processing Centre, Finance Division, and the Service Delivery Branch.
More informationAn Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements
AUDITING STANDARD No. 2 An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements March 9, 2004 AUDITING AND RELATED PROFESSIONAL PRACTICE STANDARDS
More informationUnderstanding Internal Controls Office of Internal Audit
Understanding Internal Controls Office of Internal Audit July 2015 Objectives for this manual Provide guidance to help management understand their responsibility to ensure that internal controls are established,
More informationCOSO Updates and Expectations. IIA San Diego Chapter January 8, 2014
COSO Updates and Expectations IIA San Diego Chapter January 8, 2014 Agenda Overview of 2013 Internal Control-Integrated Framework and Companion Guidance 2013 Framework General Enhancements by Component
More informationPART 6 - INTERNAL CONTROL
PART 6 - INTERNAL CONTROL INTRODUCTION The A-102 Common Rule and OMB Circular A-110 (2 CFR part 215) require that non-federal entities receiving Federal awards (i.e., auditee management) establish and
More informationInternal Control and the Computerised Information System (CIS) Environment. CA A. Rafeq, FCA
Internal Control and the Computerised Information System (CIS) Environment CA A. Rafeq, FCA 1 Agenda 1. Internal Controls and CIS Environment 2. Planning audit of CIS environment 3. Design and procedural
More informationKeep Procure-to-Pay (P2P) Fraud at Bay with Fraud Detection Tools & Techniques
Keep Procure-to-Pay (P2P) Fraud at Bay with Fraud Detection Tools & Techniques Chris Doxey, CAPP, CCSA, CICA, CPC President, Doxey, Inc. chris@chrisdoxey.com 571-267-9107 2 May 7-9, 2017 Chris Doxey, CAPP,
More informationSarbanes-Oxley Compliance Kit
Kit February 2018 This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this template has acquired the rights to use it for a SINGLE Disaster Recovery
More informationIT Audit Process. Michael Romeu-Lugo MBA, CISA March 27, IT Audit Process. Prof. Mike Romeu
Michael Romeu-Lugo MBA, CISA March 27, 2017 1 Agenda Audit Planning PS 1203 / PG 2203 Evidence PS 1205 / PG 2205 References: ITAF 3 rd Edition Information Systems Auditing: Tools and Techniques Creating
More informationEvaluating Internal Controls
A SSURANCE AND A DVISORY BUSINESS S ERVICES Fourth in the Series!@# Evaluating Internal Controls Evaluating Overall Effectiveness, Identifying Matters for Improvement, and Ongoing Assessment of Controls
More informationCompany LOGO C B T. An Educational Computer Based Training Program
C B T An Educational Computer Based Training Program The University of Texas at Dallas Compliance Training Effectively Controlling Risks Company Effectively Controlling Risks What is the purpose of this
More informationContract Management Handbook. Texas Government Code, Title 10, Subtitle F, Chapter Statewide Contract Management
Texas Medical Board Contract Management Handbook Purpose: Policy: Authority: To provide the agency with a consistent policy that delineates staff roles and responsibilities for contract management. Pursuant
More informationNEW YORK CITY HOUSING DEVELOPMENT CORPORATION PURCHASING PROCEDURES. Updated as of November 19, 2015 (Reaffirmed on March 10, 2017)
NEW YORK CITY HOUSING DEVELOPMENT CORRATION I. ORDERING ITEMS PURCHASING PROCEDURES Updated as of November 19, 2015 (Reaffirmed on March 10, 2017) All requests for purchases are to be coordinated through
More informationSample Audit Committee. of Auditors and Management
Sample Audit Committee Questions to Ask of Auditors and Management 2 Sample Audit Committee Questions to Ask of Auditors and Management u Sample Audit Committee Questions to Ask of Auditors and Management
More informationFiscal Oversight Fundamentals
Fiscal Oversight Fundamentals Module 1: School District Finances: Roles and Responsibilities 2012 New York State School Boards Association, Latham NY The Five-Point Plan 1. Requires training for school
More informationLA16-19 STATE OF NEVADA. Performance Audit. Department of Motor Vehicles Legislative Auditor Carson City, Nevada
LA16-19 STATE OF NEVADA Performance Audit Department of Motor Vehicles 2016 Legislative Auditor Carson City, Nevada Audit Highlights Highlights of performance audit report on the Department of Motor Vehicles
More informationUniversity Internal Audit
University Internal Audit Compliance Audit Overview Bill Abplanalp Audit Manager Agenda Introductions What is Internal Audit Compliance Review Questions Internal Audit Mission Provide independent, objective
More informationREPORT NO MARCH 2012 UNIVERSITY OF SOUTH FLORIDA. Operational Audit
REPORT NO. 2012-132 MARCH 2012 UNIVERSITY OF SOUTH FLORIDA Operational Audit BOARD OF TRUSTEES AND PRESIDENT Members of the Board of Trustees and President who served during the 2010-11 fiscal year are
More informationACL ESSENTIALS. Get insight into your ERP process health, compliance & financial exposure SEGEREGATION OF DUTIES
ACL ESSENTIALS Get insight into your ERP process health, compliance & financial exposure SEGEREGATION OF DUTIES Page Analytic Name User creates a vendor and an invoice for this vendor SD Analytic 01 User
More informationAn Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements
ASB Meeting July 30 August 1, 2013 Agenda Item 3B AT Section 501 An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements Source:
More informationQuality Assessments what you need to know
Quality Assessments what you need to know Patty Miller, Partner Deloitte & Touche LLP Cavell Alexander, VP-Internal Audit Intermountain Healthcare Overview of requirements Scope of assessment Approaches
More informationInternal Control Evaluation
INTERNAL CONTROL EVALUATION Adapted from a checklist created by Jackie F. Breland, CPA (www.jackiebreland.com) Organization: Date Prepared or Updated: Prepared by: Introduction The purpose of this checklist
More informationDesk Audit of. Based on Federal Transit Administration (FTA) Quality Assurance and Quality Control Guidelines FTA-IT
Desk Audit of Based on Federal Transit Administration (FTA) Quality Assurance and Quality Control Guidelines FTA-IT-90-5001-02.1 Reviewed by: Element Requirements Applicable 1. Is a quality policy defined
More informationPay Grade: Effective Payroll Management
8:30 10:10 May 9, 2018 Room 240 112 th Annual Conference May 6-9, 2018 St. Louis, Missouri Moderator/Speakers: Joni Butler Payroll Analyst, Allegheny County, PA Tracy Arner, MEd, CPA, CPFO Program Manager,
More informationLeverage T echnology: Turn Risk into Opportunity
Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes Copyright. Fulcrum Information Technology, Inc. Learn to improve Period-End Close Process with effective
More informationPOSITION DESCRIPTION
State of Michigan Civil Service Commission Capitol Commons Center, P.O. Box 30002 Lansing, MI 48909 Position Code 1. ACCOUTEB02 POSITIO DESCRIPTIO This position description serves as the official classification
More informationREPORT 2016/033 INTERNAL AUDIT DIVISION
INTERNAL AUDIT DIVISION REPORT 2016/033 Advisory engagement on the Statement on Internal Control project at the United Nations Joint Staff Pension Fund 25 April 2016 Assignment No. VS2015/800/01 CONTENTS
More informationUsing Transactional Analysis for
Using Transactional Analysis for Effective Fraud Detection Date: 15 th January 2009 Nishith Seth Seth Services.P. Ltd. www.sspl.net.in Cost Indirect costs: image, morale Fraud Issues & Impact Direct costs:
More informationWelcome to the course on the working process across branch companies.
Welcome to the course on the working process across branch companies. In this course we will review the major work processes across branch companies. We will start with the intercompany trade process.
More information9/13/2017 CHA-CHING! PAYROLL CONTROLS THAT PAY OFF PERSONAL INTRODUCTION. Personal Introduction. Melinda Stinnett, CPA, CIA Managing Director
CHA-CHING! PAYROLL CONTROLS THAT PAY OFF Melinda Stinnett, CPA, CIA Managing Director September 15, 2017 1 PERSONAL INTRODUCTION Professional Bachelor s Degree (Accounting) Oklahoma State University Public
More informationSOX106. Accounts Payable and Sarbanes-Oxley; Strengthening your Internal Controls- 10 hours. Objectives
SOX106 Accounts Payable and Sarbanes-Oxley; Strengthening your Internal Controls- 10 hours Objectives This course describes how Sarbanes Oxley requirements should be implemented as they pertain to accounts
More informationInternal Audit Follow-Up Report
Internal Audit Follow-Up Report Travel Information Center Safety TxDOT Internal Audit Division Objective Assess the status of corrective actions for high risk Management Action Plans (MAPs) previously
More informationP13-1 ANS. a. Table of Entities and Activities for Internet Payment Platform (Accounts Payable and Cash Disbursements Processes)
Accounting Information Systems, 7e 1 P13-1 ANS. a. Table of Entities and Activities for Internet Payment Platform (Accounts Payable and Cash Disbursements Processes) Entities Para Activities 2 1. Log on
More informationInternal Audit. Orange County Auditor-Controller. Internal Control Audit: Auditor-Controller Procurement & Contract Administration
Orange County Auditor-Controller Internal Audit Auditor-Controller Procurement & Contract Administration For the Year Ended June 30, 2016 Audit Number 1522 Report Date: September 11, 2017 O R A N G E C
More informationFRAUD SCHEMES. South Carolina HFMA Finance & Reimbursement Forum. November 13, 2012 WITH RELATED INTERNAL CONTROLS
FRAUD SCHEMES WITH RELATED INTERNAL CONTROLS South Carolina HFMA Finance & Reimbursement Forum November 13, 2012 2 Fraud Facts: Estimated loss of 5% of annual revenues to occupational fraud Financial statement
More informationAUDIT OF KEY FINANCIAL PROCESSES AT MAINLAND NOVA SCOTIA FIELD UNIT FINAL REPORT PREPARED BY PROGESTIC INTERNATIONAL INC.
AUDIT OF KEY FINANCIAL PROCESSES AT MAINLAND NOVA SCOTIA FIELD UNIT FINAL REPORT PREPARED BY PROGESTIC INTERNATIONAL INC March 2005 Report tabled and approved by A&E Committee TABLE OF CONTENTS 1. BACKGROUND...
More informationThe University of Texas MD Anderson Cancer Center Internal Audit Annual Report for FY 2017
Purpose of the Annual Report The purpose of the internal audit annual report is to provide information on the assurance services, consulting services, and other activities of the internal audit function.
More informationAUDIT RISK ASSESSMENT AND RESPONSES TO ASSESSED RISK BY Geoffrey Byamugisha Partner, Ernst & Young. Lessons on Audit Risk. Responding to fraud risk
AUDIT RISK ASSESSMENT AND RESPONSES TO ASSESSED RISK BY Geoffrey Byamugisha Partner, Ernst & Young ICPAU Page 1 COURSE CONTENT Lessons on Audit Risk Identification of audit risk and audit risk assessment
More informationMinimizing fraud exposure with effective ERP segregation of duties controls
Minimizing fraud exposure with effective ERP segregation of duties controls Prepared by: Luke Leaon, Manager, RSM US LLP luke.leaon@rsmus.com, +1 612 629 9072 Adam Harpool, Manager, RSM US LLP adam.harpool@rsmus.com,
More information