Post on 26-Dec-2015
NASC Presentation – March 2014
An Overview of Pennsylvania’s Internal Controls
By: Anna Maria Kiehl, CPA, State Comptroller/Chief Accounting Officer
Governor’s Office of Budget / Office of Comptroller Operations
Agenda

Pennsylvania’s Internal Control Structure

Statewide Audit Committee
- Functions of the Audit Committee
- Goals and Objectives of the Committee
- Frequency of Committee Meetings
- Questions?

Single Audit Finding prompts the need to improve access controls with SAP’s Governance, Risk & Compliance module
- Background
- Overview
- Challenges
- Actions
- Useful Tools
- Sample internal flowcharts & reporting
- Questions?
Examples of Internal Controls in Pennsylvania

PA’s Process to Ensure Effective Internal Controls (Components / Process)

Control Environment: Methods for maintaining integrity, ethics and competency:
• Governor’s Code of Conduct/Ethics Disclosure Forms
• Statewide Audit Committee/Bureau of Internal Audits
• Auditor General Audits & Inspector General Investigations
• Bureau of Quality Assurance
• Independent annual audits
• Continuous IC Training & Employee Development/Standards
• Increased accounting and auditing entry-level requirements

Risk Assessment: Methods for identifying and assessing risk:
• Recommendations of Audit Committee/Audit findings/MLCs
• System Development Life Cycle Reviews/Post-implementation reviews
• Examining new programs and areas most vulnerable (e.g., systems, financial reporting, operational)

Control Activities: Implement controls through effective policies & procedures:
• General System Controls/data security
• System access controls
• Month-end closing processes and reconciliations
PA’s Process to Ensure Effective Internal Controls (Components / Process)

Information & Communication: Information must be disseminated timely:
• Monthly/Quarterly/Comprehensive Annual Financial Reporting
• Required communications with management on audit findings & required resolutions
• Quarterly Audit Committee meetings/Annual Audit Plan/Findings
• Policy communications, e.g., new OMB Grant Reform standards
• Entity-wide business process communications
• On-line and classroom training for fraud detection and prevention, ethics, accountability and transparency requirements
PA’s Process to Ensure Effective Internal Controls (Components / Process)

Monitoring Activities: Methods to continuously monitor internal controls include:
• Monitoring of role assignments & segregation of duties
• Continuous control payment monitoring
• Performance metrics and analysis/management dashboards
• Quality assurance processes to ensure compliance with laws, regulations, and policies
• Weekly system access controls risk reporting
• Inventory and Fixed Asset monitoring
• Management reviews/System Development Life Cycle Reviews

Questions or Comments?
Functions of an Audit Committee

The audit committee reviews and discusses the following with the external auditors:
• Annual financial statements (CAFR)
• Single Audit report and findings
• Significant written communications between the independent auditors and management (i.e., management letter, unadjusted audit differences)
• Significant disputes or difficulties with management encountered during the audit
• Matters required to be discussed in accordance with SAS 114, “The Auditor’s Communication with Those Charged with Governance”
Functions of an Audit Committee

Internal Controls: Review the following with the internal auditors:
• Significant risks or exposures facing the Commonwealth, as well as steps taken by management to mitigate these risks
• The audit scope and plan for the internal auditors
• Any significant findings and recommendations from internal audits, along with management’s response
• Any difficulties the internal audit team encountered in the course of their audits
Goals and Objectives of the Committee

• Oversee the internal and external auditing and reporting process
• Provide direction for the Commonwealth’s limited internal audit resources
• Review and approve the Commonwealth annual audit plan to promote accountability and ensure management maintains appropriate internal controls
• Review audit findings and recommendations and direct the necessary follow-up to ensure appropriate corrective action is initiated across state agencies
Enterprise Risk Management (ERM)

PA has been moving forward with five strategic goals. These strategic goals are as follows:
• Established a Commonwealth-wide audit committee
• Facilitate Control Self Assessment sessions with agency heads and management
• Complete a Commonwealth-wide audit risk assessment
• Develop an annual audit plan based on risk
• Established a Bureau of Quality Assurance to provide continuous monitoring for improper payments, compliance, and continuous process improvements
Audit Committee Communications

Notifications will be provided to the committee when the following occur:
• Department of the Auditor General opens a Special Performance Audit
• US Office of the Inspector General opens an audit
• Department of the Auditor General releases a Special Performance Audit
• US Office of the Inspector General releases an audit
• BOA releases a high-profile audit
Frequency of Audit Committee Meetings

• The Audit Committee meets 3-4 times annually
• Usually meets at least twice with independent auditors to discuss CAFR and Single audits, auditor adjustments, audit findings, and management letter comments
• Usually meets to approve the annual internal audit plan and requests management reviews and audits of risk areas
• Agenda is typically set by the Director of the Bureau of Audits
• Comptroller and Director of Reporting attend the meetings and provide content
Audit Committee

Questions or Comments?
SAP’s Governance, Risk & Compliance Module (GRC)

Background:
• Segregation of Duties risks within the Commonwealth’s SAP system resulted in a recurring single audit finding for 8 consecutive years.
• Previous attempts were made to address SAP Access Controls: Approva failed since it was not directly integrated with SAP.
• Number of users: a large organization with thousands of core users needed a tool that could analyze large numbers of users with extensive access to multiple modules of SAP.
SAP’s Governance, Risk & Compliance Module (GRC)

• “Governance” is how we manage strategic initiatives.
• “Risk” is the effect of uncertainty on business objectives. Risk management is the process that helps minimize financial losses.
• “Compliance” goes beyond our conformity with laws and regulations to include all facets that affect integrity, reputation, and our “brand”.

SAP’s GRC module provides the Commonwealth with an enterprise view across these activities throughout our organization.
SAP’s Governance, Risk & Compliance Module (GRC)

GRC is the system access control tool that helps:
• Protect key information
• Prevent unauthorized access
• Prevent unauthorized transactions
• Prevent errors and fraudulent activity
• Ensure proper Segregation of Duties (SoD)
• Ensure the security & integrity of our financial systems & reporting
SAP’s Governance, Risk & Compliance Module (GRC)

Challenges:
• The complexity of the GRC module/significant learning curve
• The complexity and extent of access issues that developed over the ten years that SAP was in place
• Little understanding of GRC from a rule set/business perspective
• Few resources to dedicate to such a large project
• Budget constraints prevented hiring SAP consultants
• Minimal guidance on how to best implement the system within our current business environment
• PA’s role assignment process is managed by another state agency and sits outside of SAP
• Multiple agency involvement: role development (OA-IT), role assignment (OA/HR) and risk monitoring (Comptroller)
SAP’s Governance, Risk & Compliance Module (GRC)

Year 2010: Year of planning and gaining an understanding of the system tools
• Small project team developed to coordinate the clean-up of SoD risks
• The group led workshops of technical and business representatives to determine how to identify and resolve risks
• Process is on-going
SAP’s Governance, Risk & Compliance Module (GRC)

Tremendous progress within the last 6 months:
• Resolving risks identified within our Office of Budget
• Systematizing & automating processes
• Documenting processes & procedures
• Improving communication between agencies
• Reporting
• Training personnel
SAP’s Governance, Risk & Compliance Module (GRC)

The Future:
• To continue GRC rollout to agencies with the greatest number of risks
• Expect the cleanup to benefit the remaining agencies who share the same roles/risks
• Expect roles to stay clean going forward using the GRC simulation tool
• Most current pain: establishing a process to help agency HR reps interpret SoD risk results before requesting a role for their users
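The slides above describe GRC doing two things: a periodic SoD risk analysis of users' role assignments (the weekly access-control risk reporting under Monitoring Activities), and a simulation step that shows which risks a requested role would introduce before it is granted. The following Python is an added illustration of that logic, not Commonwealth code and not SAP GRC's own implementation. The rule set, role catalogue, users and the choice of transaction codes are constructed for the example; a real rule set is maintained in the GRC tool and is far larger.

```python
"""Segregation-of-duties (SoD) risk analysis over SAP-style role assignments.

Added illustration of the "analyze, then simulate before assigning" check that
a GRC access-control tool performs. Everything below (functions, rules, roles,
users) is a constructed example, not the Commonwealth's rule set or roles.
"""
from dataclasses import dataclass

# Constructed mapping: business function -> transaction codes that perform it.
FUNCTIONS = {
    "maintain_vendor": {"XK01", "XK02"},   # create/change vendor master data
    "enter_invoice":   {"FB60", "MIRO"},   # post vendor invoices
    "release_payment": {"F110"},           # run the automatic payment program
    "post_journal":    {"FB50"},           # post general-ledger entries
    "maintain_user":   {"SU01"},           # user administration
}


@dataclass(frozen=True)
class Risk:
    """One SoD rule: holding both functions at once is a conflict."""
    risk_id: str
    description: str
    function_a: str
    function_b: str


# Constructed rule set (risk ids are illustrative, not GRC's delivered ids).
RULES = [
    Risk("P001", "Create a vendor and pay that vendor", "maintain_vendor", "release_payment"),
    Risk("P002", "Enter an invoice and release its payment", "enter_invoice", "release_payment"),
    Risk("P003", "Create a vendor and enter invoices against it", "maintain_vendor", "enter_invoice"),
    Risk("B001", "Administer users and post journal entries", "maintain_user", "post_journal"),
]

# Constructed role catalogue: role -> transaction codes the role grants.
ROLES = {
    "Z_AP_CLERK":      {"FB60", "MIRO"},
    "Z_AP_PAYMENT":    {"F110"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_GL_ACCOUNTANT": {"FB50"},
    "Z_BASIS_USERADM": {"SU01"},
    "Z_DISPLAY_ONLY":  {"FB03", "XK03"},   # display-only, conflicts with nothing
}


def tcodes_for(roles):
    """Union of all transaction codes granted by a set of roles."""
    return set().union(*(ROLES[r] for r in roles))


def functions_for(tcodes):
    """Business functions reachable with these tcodes (any one tcode suffices)."""
    return {f for f, needed in FUNCTIONS.items() if tcodes & needed}


def sod_risks(roles):
    """Sorted risk ids a role set violates: both conflicting functions reachable."""
    funcs = functions_for(tcodes_for(roles))
    return sorted(r.risk_id for r in RULES
                  if r.function_a in funcs and r.function_b in funcs)


def simulate_assignment(current_roles, requested_role):
    """The simulation step: risks the request would ADD, before it is granted.

    Returns (new_risks, existing_risks) so the approver sees what changes.
    """
    before = set(sod_risks(current_roles))
    after = set(sod_risks(set(current_roles) | {requested_role}))
    return sorted(after - before), sorted(before)


def risk_report(users):
    """Periodic report: user -> violated risk ids, listing only users with risks."""
    return {u: risks for u, roles in users.items() if (risks := sod_risks(roles))}


# Constructed user population for the report.
USERS = {
    "jdoe":   {"Z_AP_CLERK", "Z_AP_PAYMENT"},          # enters invoices and pays them
    "asmith": {"Z_VENDOR_MASTER", "Z_DISPLAY_ONLY"},   # vendor master only: clean
    "bjones": {"Z_BASIS_USERADM", "Z_GL_ACCOUNTANT"},  # user admin plus GL posting
}

if __name__ == "__main__":
    for user, risks in risk_report(USERS).items():
        print(f"{user}: {', '.join(risks)}")
    new, existing = simulate_assignment(USERS["asmith"], "Z_AP_CLERK")
    print("granting Z_AP_CLERK to asmith would add:", new, "existing:", existing)
```

The report answers the monitoring question (who already holds a conflict), while `simulate_assignment` answers the HR rep's question from the last bullet: whether the role being requested creates a new conflict for that particular user, given what they already hold. The same role can be harmless for one user and a violation for another, which is why the check has to run per request rather than per role.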
SAP’s Governance, Risk & Compliance

Questions?