GATU Webinar Part 1 March 2017 Presented by Carol Kraus, CPA

Similar documents
Internal Control Questionnaire and Assessment

Internal Control Questionnaire and Assessment

Single Audit Update: Internal Control over Compliance and the GAO s Green Book. MSBO s 80 th Annual Conference April 19, 2018

PART 6 - INTERNAL CONTROL

Internal Controls: Providing an Effective Control Environment. Why This Session Is Needed. Lesson Overview & Module Objectives

Guide to Internal Controls

Internal Controls: Need Them, Have Them, Love Them

Subrecipient Management Under 2 CFR 200

Subrecipient Management Under 2 CFR 200. Kris Rhodes, MS Director, Higher Education Practice

COSO What s New, What s Changed, Why Does it Matter and Other Frequently Asked Questions

Central Florida Expressway Authority

Internal Control in Higher Education

Internal Controls: COSO, the Uniform Guidance, and More!

In Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015

The Ins and Outs: Audits Under FDICIA. Jennifer Gureckis and Kaylyn Landry BerryDunn February 27, 2018

Transparency in the Workforce System Establishing Firewalls & Internal Controls

FEDERAL AWARD PROGRAMS INTERNAL CONTROL EVALUATION. Cross-cutting characteristics (generally applicable to all fourteen requirements)

HUD-US DEPT OF HOUSING & URBAN DEVELOPMENT: Understanding Internal Controls. Ladies and gentlemen, thank you for standing by and welcome to the

Audit Training-of-Trainers Workshop, November 2014, Vienna Components of internal control within organization

Committee for Senior Business Administrators. Segregation of Duties

Internal Control Program

Internal Controls Integrating COSO

Chapter 7 Internal Controls

APPENDIX 2 COMMUNITY DEVELOPMENT COMMISSION FINANCIAL CHECKLIST REQUIRED FOR ALL APPLICANTS (A SITE VISIT MAY BE CONDUCTED LATER)

DECISION. mb a5 EFSA Internal Control Framework. Internal Control Framework of the European Food Safety Authority. Decision No.

FRAUD SCHEMES. South Carolina HFMA Finance & Reimbursement Forum. November 13, 2012 WITH RELATED INTERNAL CONTROLS

Company LOGO C B T. An Educational Computer Based Training Program

AUDIT UNDP SOUTH SUDAN GRANTS FROM THE GLOBAL FUND TO FIGHT AIDS, TUBERCULOSIS AND MALARIA. Report No.1400 Issue Date: 6 February 2015

INTERNAL CONTROLS. Revision A

What s New in Government Internal Control Standards? Going Green

Alyssa G. Martin, CPA Brandon Tanous, CIA, Using the COSO CFE, CGAP, CRMA Framework to Develop a Strong and Preventive Control Environment

Maryland School for the Deaf

Federal Fiscal Monitoring: Fostering Continuous Improvement

Assessment of the Design Effectiveness of Entity Level Controls. Office of the Chief Audit Executive

Community Bankers Conference

Ten Payment Fraud Protections

9. Internal control Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in

This Questionnaire/Guide is intended to assist you in decision making, as well as in day-to-day operations. Best Regards,

Understanding Internal Controls Office of Internal Audit

Office of the City Manager

METROPOLITAN TRANSPORTATION AUTHORITY

Diving into the 2013 COSO Framework. Presented by: Ronald A. Conrad

Corrective Action Plans Frequently Asked Questions. Intro. Agenda

Master Document Audit Program. Version 9.6, dated November 2017 B-1 Planning Considerations. Purpose and Scope

Focused Assessment Program Overview and Updates

Why do we need Internal Controls?

County of Sutter. Management Letter. June 30, 2012

Third Party Fiduciary Agent. Guam Department of Education. In partial fulfillment of Contract: Monthly Project Status Report.

Financial Resources: Control of finances The institution exercises appropriate control over all its financial resources.

RREGULATION ON INTERNAL CONTROLS AND INTERNAL AUDIT FUNCTION IN MICROFINANCE INSTITUTIONS. Article 1 Scope and Purpose

IDEA Part B, IDEA Preschool, and ECEA Fiscal Responsibilities

University of South Florida. Evaluation of Financial Management Systems and Financial Capability Questionnaire

Internal Control Vulnerability Assessment (January 2011) Unit Name. Prepared by. Title. Reviewed by. Title. Reviewer s Comments

Washington Metropolitan Area Transit Authority Board Action/Information Summary

Chapter 6 Field Work Standards for Performance Audits

Implementation Tool for Auditors

Council on Financial Assistance Reform s Uniform Guidance Training

Internal Audit. Orange County Auditor-Controller. Cash Compliance Audit: OC Community Resources/OC Parks

Protecting Fixed Assets: Internal Controls for Non Profits

What Happens When Internal Controls Fail

NYS Olympic Regional Development Authority INTERNAL CONTROL SUMMARY & CERTIFICATION FORM

1/12/2016. Standards for Internal Control in the Federal Government. Standards for Internal Control in the Government

Standards for Internal Control in New York State Government 2016 Update

An Overview of the 2013 COSO Framework. August 2013

The most commonly applied model for designing and auditing internal

Contents Introduction II. Ethics, Independence, and Confidentiality III. Professional Standards IV. Ensuring Internal Control

Department of Health and Mental Hygiene Clifton T. Perkins Hospital Center

Single Audit and Yellow Book / Govt. Audit Standards Update Presented by: William Blend, CPA, CFE

A Discussion About Internal Controls February 2016

UNIVERSITY OF CALIFORNIA, DAVIS INTERNAL AUDIT SERVICES. Subrecipient Monitoring Project # April 2013

2014 Integrated Internal Control Plan. FRCC Compliance Workshop May 13-15, 2014

Olympic Regional Development Authority 03/10/2009 Kathleen R Bushy

POLICY. Number: Title: Internal Control Responsible Office: USF System Audit I. PURPOSE AND INTENT

Focused Assessment Program Overview and Updates. Office of International Trade Regulatory Audit October 2, 2014

Fraud Risk Management

VGFOA Fall Conference October 23, 2014 John Montoro, Presenter

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

Financial Internal Controls Initiative. Martha Kerner Assistant Vice Chancellor for Business Services

Appendix A. Simplified Sample Entity-Level Control Matrices

Defining Payroll Process

STATE OF NORTH CAROLINA

2/27/2017. Segregation of Duties/ Internal Controls. Objectives. Agenda

DEPARTMENTAL CONTROL SELF-ASSESSMENT. Dept.: Date:

COSO Internal Control Integrated Framework Proposed Update

John F. Buyce, CPA, CIA, CFE, CGFM Audit Director NYS OSC - State Government Accountability

University System of Maryland University of Maryland, College Park

MSD Internal Control Policy 01/16/08. Metropolitan Sewerage District of Buncombe County Internal Control Policy

INTERNAL CONTROLS 101

OPERATIONAL RISK EXAMINATION TECHNIQUES

Internal Control Integrated Framework. An IAASB Overview September 2016

Internal Control Integrated Framework. An IAASB Overview September 2016

3.6.2 Internal Audit Charter Adopted by the Board: November 12, 2013

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

2014 Integrated Internal Control Plan. FRCC Spring Compliance Workshop April 8-10, 2014

9/17/2017. An Overview of COSO s New Framework and Implementation Guidance SPEAKER. Laura Harden, CPA History

Master Document Audit Program

University System of Maryland University of Baltimore

GAIT FOR BUSINESS AND IT RISK

Present and functioning: Fine-tuning your ICFR using the COSO update

Transcription:

GATU Webinar Part 1 March 2017 Presented by Carol Kraus, CPA

Definition of Internal Controls COSO Internal Control Framework Internal Controls (2 CFR 200.303) Grantee responsibilities Awarding state agency responsibilities (2 CFR 200.205) Specific Conditions (2 CFR 200.207) 2

A process, effected by an entity s board of directors, management, personnel and others charged with governance, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiencies of operations Reliable, timely and accurate reporting Compliance with applicable laws and regulations 3

Each non-federal Entity must: Establish and maintain effective internal controls over the grant award Internal controls must provide reasonable assurance that the grantee is managing the award in compliance with state and federal statute, regulations and the terms and conditions of the grant agreement 4

Internal controls should comply with guidance: Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States, or Internal Control Integrated Framework, issued by the Committee of Sponsoring Organization of the Treadway Commission (COSO) 5

Internal controls must: Comply with State and Federal statutes, regulations, and grant agreement terms and conditions Evaluate and monitor compliance with statutes, regulations and the terms and conditions of the grant agreement Ensure prompt action when instances of noncompliance are identified - audit findings, onsite reviews and other regulatory reviews 6

Focused on critical points of operations Integratedinto established processes; not burdensome but a part of processing Accurate, in that they provide factual information that is useful, reliable, valid, and consistent Simple and easy to understand Accepted by employees Cost effective-controls should not cost more than the risks they mitigate 7

Common Basic Internal Control Principles Establish Responsibility Assign each task to only one person Segregate Duties Don t make one employee responsible for all parts of a process Restrict Access Limit access to system, information, assets, etc. to those that need it to complete assigned responsibilities Document Procedures and Transactions Prepare documents to show that activities have occurred Independently verify 8 Check others work

COSO Provides an Integrated Framework for Internal Controls 9

5 interrelated components of Internal Control 1. Control Environment 2. Risk Assessment 3. Control Activities 4. Information and Communication 5. Monitoring Along 3 main objectives A. Operations B. Reporting C. Compliance Across the organization, down to the process functions 10

Organizationdemonstrates a commitment to integrity and ethical values Board of directors (oversight team) demonstrates independence from management and exercises oversight of the development and performance of internal controls Under oversight, managementestablishes and structures reporting lines, appropriate authorities, and responsibilities to accomplish objectives 11

Organization demonstrates a commitment to attract develop, and retain competent individuals in alignment with objectives Organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives 12

Control Environment Demonstrates commitment to integrity and ethical values Establish tone at the top Exercises oversight responsibility Establishes structure, authority and responsibility Demonstrates commitment to competence Enforces accountability 13

Controls should include: Hiring practices Training programs Whistleblower programs Code of Conduct Clear lines of responsibility and authority Control Environment must be documented and may include: Procedure manual that include process narratives, flow charts, job aid such as checklists Organizational charts Memorandums Questionnaires 14

Organization specifies objectives so it can identify and assess related risks Organization identifies risks posed and analyzes risks to determine how risks should be managed Organization considers potential for various types of fraud Organization identifies and assesses changes that could affect internal controls 15

Risk Assessment Specifies suitable objectives Identifies and analyzes risk Identifies and analyzes significant change 16

Risk management is a process strategically applied and designed to identify and manage risk within a tolerance level Risk assessment is an internal control element within risk management that allows management to identify and assess key risks The risk assessment is the basis for determining control activities 17

Organization selects and develops control activities, including use of technology, to mitigate risk and achieve objectives Organization deploys controls activities through policies to establish what is expected and procedures that put policies into action Actions established through policies and procedures help ensure management s directives to mitigate risks are carried out Control activities are performed at all levels within the entity 18

Types of control activities: Preventive and Detective Compensating Manual and automated Control activity examples: Approvals and authorizations Verifications Reconciliations Independent reviews Asset security Segregation of duties 19

Prevents the occurrence of a negative event in a proactive manner. Examples: Approvals for purchases over $3,000 Verification that equipment purchases are pre-approved or included in grant budget Passwords for access to IT systems Pre-numbered checks Holding petty cash in a lockbox 20

Detective controls detect the occurrence of a negative event after the fact in a reactive manner. Examples include: Supervisor review and approval Report run showing user activity Reconciliation of petty cash Physical inventory count Review missing and voided checks 21

If there is a control weakness or limitation, a compensating control may be relied upon to mitigate the risk Can be preventive or detective EXAMPLE: A entity lacks staffing for adequate segregation of duties. Potential compensating controls: Automate certain transaction data to limit altering Manager reviews detailed summary reports of transactions initiated by staff Manager selects sample transactions and vouches to supporting documentation 22

Manual controls require action by employees: Obtaining a supervisor s approval for overtime Reconciling a bank account Matching receiving to purchase orders Automated controls are built into systems or applications: Data entry validation checks Batch controls Automated controls are more reliable and cost effective than manual controls 23

Control Activities Based on the risk assessment and risk management policy: Select and develop control activities Select and develop controls over IT Deploy through policies and procedures 24

Organization obtains and uses relevant quality information to support the functioning of internal controls Organization internally communicates objectives and responsibilities for internal control to support functioning of internal controls Organization communicates with external parties regarding matters affecting the function of internal controls 25

Initiatives Goals Changes Opportunities Feedback Questions / Answers Policies and Procedures Standards Expectations Need to communicate Policies and procedures manual Memorandums Directives Training, training, training Website / intranet Meeting deliverables If you don t document it did not happen! Methods of communication 26

Information and Communication Communicate necessary information to personnel Provide adequate training of controls to responsible staff Communicate internally and externally 27

Organization selects, develops and performs ongoing and/or separate evaluations to determine whether components of internal control are present and functioning Organization considers internal and external risks Organization evaluates and provides timely communication to senior management and the board of directors, as appropriate regarding internal control deficiencies to foster corrective action 28

Evaluations that ascertain whether components of internal control are present and functioning 2 categories of monitoring Ongoing evaluations-built into business processes and provide timely information on underlying controls Separate evaluations-conducted periodically and vary in scope and frequency based on prior assessments of risk, the effectiveness of ongoingevaluations, and other management considerations (e.g., resource priorities) Internal Audit activities are a separate evaluation Confirm that findings of audits and other reviews are promptly resolved so internal controls are not compromised 29

Monitoring an activity means assessing the performance of an internal control system over a period of time to validate that the control system is operating as expected Includes supervisory review and sign off to help ensure proper checks and balances Findingsshould be evaluated against relevant criteria (e.g., how long has the control been compromised, and how high are the risks) Deficiencies, which are more significant than findings, should be communicated to the Board and Senior Management 30

Monitoring Activities Conduct ongoing evaluations Evaluate and communicate deficiencies Establish and follows up on corrective action plans of deficiencies 31

According to COSO, an effective system of internal control requires: Each of the 5 components of internal control with relevant principles present and functioning All 5 components operating together in an integrated manner 32

Grantee and Sub-recipient Responsibilities (200.303 and 200.302) 33

Grantees must take reasonable measures to safeguard protected personally identifiable information and other data the awarding agency designates as sensitive Grantees must consider applicable federal, state, and local laws regarding privacy and obligations of confidentiality 34

Grantees and subrecipients must carry out goals and objectives stated in the uniform grant agreement Grant funds must be used for their intended purposes Grant funds are subject to certain regulations, oversight and audit Grant recipients must account for costs and justify expenditures 35

Financial management system must include effective control over, and accountability for all funds, property, and other assets Records within the financial management system must identify the source and application of funds for grant-funded activities including: authorizations, obligations, unobligated balances, assets, expenditures, income and interest supported by source documentation 36

Effective control over and accountability for all funds, property, and other assets Comparisons of expenditures with budget amounts for each grant award Written procedures: To comply with cash management requirements For determining allowability of costs in accordance with Cost Principles and terms and conditions of the grant agreement If the grantee passes funds, the grantee must also comply with 200.331Requirements for Passthrough Entities 37

GATA separates the risk assessment into 2 parts: Fiscal and Administrative (F&A) -conducted once and shared with all grant making agencies Programmatic-conducted with each grant highlighting the programmatic requirements associated with the individual grant program 38

Conducted annually after registration and prequalification Utilizes Internal Control Questionnaire (ICQ) ICQ responses must be reviewed by the entity s cognizant agency Cognizant agency -state agency that provided the most funding to the entity in a previous fiscal year (currently FY15 and re-determined every three years) Follow-up is encouraged if the cognizant agency believes the entity responded incorrectly (based on prior experience/ knowledge of the entity) ICQ responses can be changed and re-submitted, when appropriate 39

ICQ covers 10 sections: 1. Quality of management systems (200.302) 2. Financial and regulatory reporting (200.237) 3. Budgetary controls (200.308) 4. Cost principles (200.400) 5. Audit (200.500) 6. Organizational governance (COSO) 7. Property standards (200.310-316) 8. Procurement standards (200.317-326) 9. Sub-recipient monitoring and management (200.330-332) 10.Fraud, waste and abuse (COSO) ICQ incorporates requirements under: 2 CFR 200 Subpart F Single Audit Compliance Supplement COSO 40

State Awarding Agency Responsibilities (200.205 and 200.207) 41

Grantee must complete both risk assessments (ICQ and programmatic) prior tomaking an award Allgrantees are subject to pre-award risk assessment, unless an exception has been authorized ICQsare automated and responses are reviewed once by the state cognizant agency Programmatic risk assessmentsare specific to the program application and performed by each awarding agency 42

Cognizant agency reviews and accepts the ICQ Automation grades the responses as low, medium or high risk for each of the 10 segments Pre-determined specific conditions are automatically assigned based on the risk profile Specific conditions advise grantees and state agencies of internal control weaknesses at the grantee-level State agencies utilize specific conditions to correct weaknesses that could result in noncompliance with fiscal and administrative grant requirements 43

Specific conditions can include: Requiring payments to be reimbursement based Withholding authority to proceed to the next phase, until performance improves Requiring more frequent and/or detail reporting Requiring additional project monitoring Requiring grantee to obtain technical or management assistance Establishing additional prior approvals 44

Awarding agency will use the Notice of State Award (NOSA) to notify the applicant of: Nature of additional requirements or specific conditions Reason why additional requirements are imposed Nature of action(s) needed to remove additional requirements, if applicable Time allowed for completing the action(s) Method for requesting reconsideration of additional requirements imposed Specific conditions must be removed immediately after acceptable corrective action(s) is taken 45

Internal controls are a backbone of effective operations and federally required The ICQ enables state agencies to assess internal controls at the grantee-level Capacity building must be needs based Specific conditions are grantee-specific in response to the risk profile 46

Carol Kraus, CPA Director, GATU Carol.Kraus@illinois.gov Jennifer Butler, CMC GOMB Deputy Director jennifer.butler@illinois.gov

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback