
University of North Carolina

Finance Improvement & Transformation Project

Assessment of Internal Controls

Over Financial Reporting For Fiscal Year 2012

North Carolina State University


North Carolina State University Assessment of Internal Controls over Financial Reporting Fiscal Year 2012


Table of Contents

Section  Topic
A  Internal Controls Over Financial Reporting Overview
B  Internal Controls Office And Internal Controls Assessment Committee
C  Key Individuals
D  Review of Control Environment Over Financial Reporting
  D.1  Integrity and Ethics
  D.2  Commitment to Competence
  D.3  Board of Trustees or Audit Committee Participation
  D.4  Management’s Philosophy and Operating Style
  D.5  Organizational Structure
  D.6  Assignment of Authority and Responsibility
  D.7  Human Resource Policies and Procedures
E  Evaluation of Risks That Affect Financial Reporting
  E.1  General Risks
  E.2  Specific Process Risk
    E.2.1  Bank Account Reconciliation
    E.2.2  Journal Entries
    E.2.3  Maintain Fund Accounts
    E.2.4  Maintain Daily Cash
    E.2.5  Month End Close
    E.2.6  Year End Close
    E.2.7  Spending Guidelines
    E.2.8  Capital Assets
    E.2.9  Cash Receipts and Deposits
    E.2.10  Revenues and Receivables
    E.2.11  Payroll and Labor Management
    E.2.12  Expenses and Accounts Payable
    E.2.13  Contracts and Grants
    E.2.14  Student Financial Aid
    E.2.15  Student Accounts
    E.2.16  Other Areas of Interest
F  Information and Communication
  F.1  Accounting and Financial Reporting Information Systems
  F.2  Communication
G  Monitoring
  G.1  Internal Audits
  G.2  External Audits
  G.3  Internal Monitoring
    G.3.1  Ongoing Monitoring
    G.3.2  Annual Monitoring
H  Fraud Prevention and Detection
  H.1  Material Fraud
  H.2  Fraud, Whether or not Material, That Involves Management or Other Employees Who Have a Significant Role in the University’s Internal Control over Financial Reporting
  H.3  Controls over Fraud
I  Summary Findings on Review and Evaluation of Risk that Affect Financial Reporting
  I.1  Prior Year Summary Findings
  I.2  Current Year Summary Findings
J  Certification



A. INTERNAL CONTROLS OVER FINANCIAL REPORTING OVERVIEW:

Internal controls over financial reporting at [University] is a process effected by the University’s Board of Trustees, the Chancellor, the Vice Chancellor over Finance and Business, and the personnel they assign to oversee, design, direct, and monitor financial reporting activities to provide reasonable assurance as to the reliability of the University’s financial reporting. Internal controls consist of five interrelated components, which are:

Control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal controls, providing discipline and structure.

Risk assessment is the entity’s identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.

Control activities are the policies and procedures that help ensure that management directives are carried out.

Information and communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

Monitoring is a process that assesses the quality of internal controls performance over time.


B. THE UNIVERSITY’S INTERNAL CONTROLS OFFICER AND INTERNAL CONTROLS ASSESSMENT COMMITTEE:

The following assessment report presents an analysis and assessment of the University’s Internal Controls over Financial Reporting for the five interrelated components. This report is the result of the University’s Internal Controls Assessment Committee review and evaluation of the University’s processes and controls over accounting and reporting objectives as directed by the Internal Controls Officer.

Internal Controls Officer:

University Controller Charles Cansler, MBA

Internal Controls Assessment Committee:

Director over Financial Reporting Kimberly Miller, CPA

Director over Accounts Payable Kim Kelly

Director over General Ledger Heidi Kozlowski, MBA

University Budget Officer Barbara Moses, CPA

Director of Foundations Accounting and Investments Jill Tasaico, CPA

Director of Contract and Grants Julie Brasfield, MBA

Director of Internal Audit Cecile Hinson, CISA

Director of Payroll Franki Senter

Director of Cashiers Office Bruce Forinash, MBA, CIA

Representative of the University Financial Officers Michael Walker, CPA

Director of Security and Compliance (OIT) Mardecia Bell


C. KEY INDIVIDUALS ASSIGNED BY THE VICE CHANCELLOR OVER FINANCE AND BUSINESS TO OVERSEE, DESIGN, DIRECT, AND/OR MONITOR FINANCIAL REPORTING ACTIVITIES

Associate Vice Chancellor Office Level Management

Associate Vice Chancellor over Finance and Resource Management Steve Keto

University Treasurer and Associate Vice Chancellor Mary Peloquin-Dodd

Associate Vice Chancellor of Human Resources Barbara Carroll

Central Office Level Management

University Controller Charles Cansler, MBA

Director over Financial Reporting Kim Miller, CPA

Director of Material Management Sharon Loosman

Director of Contracts and Grants Julie Brasfield, MBA

Director of Cashiers Office Bruce Forinash, MBA, CIA

Director of Strategic Debt Management Lori Johnson, CPA

University Budget Officer Barbara Moses, CPA

Director of Foundations Accounting and Investments Jill Tasaico, CPA

Director of Payroll Franki Senter


D. REVIEW AND EVALUATION OF THE UNIVERSITY’S CONTROL ENVIRONMENT OVER FINANCIAL REPORTING:

Factors affecting the control environment of the University include: integrity and ethical values, commitment to competence, board of directors or audit committee participation, management’s philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices.

For each control environment factor that follows, mark the associated control procedures with an “X” if they are in place, an “I” if improvement is needed, a “C” if compensating controls exist to mitigate the risk of associated error, or an “N” if not applicable or not considered necessary. The control procedures listed are examples and, if different, should be changed to reflect the actual procedure in place. An “N” should not be used, nor should the example control procedure be removed or deleted, if the intended control procedure is applicable but not in place. In those cases, an “I” should be used. If “I” or “C” is noted, please provide a discussion of the plan for improvement or the compensating controls in place that mitigate the risk of associated error in the Summary Findings Section at the end of this assessment. Other control factors relative to the various control environment factors that are in place but not listed as an example should be added to the list if deemed important to financial reporting. Please note that the indication of control procedures in place can result from either direct written evidence or implied knowledge of an informed person.

D.1 Integrity and Ethical Values:

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of the control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of the entity’s ethical and behavioral standards, how they are communicated, and how they are reinforced in practice. They include management’s actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct and by example.

X The Finance or Controller’s Office has established a Code of Ethics / Conduct

X The Finance or Controller’s Office has established Core Values that emphasize Integrity and Ethical Behavior

X The Finance or Controller’s Office conducts periodic Director meetings to discuss principles of leadership, integrity and ethical behavior

X Management has established guidelines or rules over conflicts of interest

X Management requires key employees and researchers to sign conflict of interest statements. Key employees include persons that are classified as SPA and others that are in a functional office management position or those that may influence or change policy.

X Management has established guidelines or rules that prohibit key employees involved with the approval of purchases from acceptance of gifts from vendors

X Management has established guidelines or rules regarding appropriate spending and use of funds

X Management issues official communications to key employees and researchers regarding appropriate behavior

X Management has established a hot line for reporting of fraud, waste and abuse

X Management has established responsibility for the reporting and follow up on fraud, waste and abuse

X Management has established guidelines or rules requiring background checks on new employee hires

X Employees that are implicated in unlawful activities are subject to management review and disciplinary actions including possible termination

(List other policies or practices that exhibit management’s integrity and ethical values)

D.2 Commitment to Competence:

Competence is the knowledge and skills necessary to accomplish tasks that define the individual’s job. Commitment to competence includes management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.

X The University requires specific knowledge and skills relevant to a position’s role and responsibility

X The University advertises and recruits employees by identifying specific job requirements and qualifications

X The University conducts interviews with job applicants and checks references to assess the applicant’s knowledge and skill before hiring

X Management has established guidelines or rules over the establishment of positions including identification of position qualifications

X Management requires that job applicants certify that the information provided in applications is accurate

X Management has established a performance management program requiring annual performance appraisals of all employees.

X Management has established procedures to address employee performance issues

X Management provides training for managers and supervisors regarding the performance management program

(List other policies or practices that exhibit management’s commitment to competence)

D.3 Board of Trustees or Audit Committee Participation:

An entity’s control consciousness is influenced significantly by the entity’s board of trustees or audit committee. Attributes include the board or audit committee’s independence from management, the experience and stature of its members, the extent of its involvement and scrutiny of activities, the appropriateness of its actions, the degree to which difficult questions are raised and pursued with management, and the interaction with internal and external auditors.

X The Board of Trustees is independent from the management of the University

X The Board of Trustees has established a Finance/Audit Committee

X The Finance/Audit committee includes members with business experience and leaders in the community

X The Board and its committees conduct open meetings and maintain minutes recording the discussions and actions taken in the meetings

X Board members must disclose any conflict of interest prior to the conducting of meetings and must remove themselves from acting if a conflict exists

X Board agendas and minutes of meetings demonstrate interest in and influence over university operations

X Board minutes are posted on the University’s website or made available upon request

X The Finance/Audit committee meets on a scheduled basis with planned agendas including budget/financial matters, new program requests, debt and investment matters, internal audit plans and reports, business operations updates, financial audit reports, and other matters relative to financial/business matters

X The Finance/Audit committee meets with and receives reports from the internal auditor

X The Finance/Audit committee meets with and receives reports from the State Auditor

(List other policies or practices that exhibit the Board of Trustees influence over financial matters)

D.4 Management’s Philosophy and Operating Style:

Management’s philosophy and operating style encompass a broad range of characteristics. Such characteristics may include the following: management’s approach to taking and monitoring business risks, management’s attitudes and actions towards financial reporting (conservative or aggressive selection from available alternative accounting principles, and conscientiousness and conservatism with which accounting estimates are developed); and management’s attitude toward information processing and accounting functions and personnel.

X Management is generally conservative as to business risk and takes risk only when considered appropriate by a reasonable person

X Management takes risk only after appropriate review and analysis of the effect on the university’s business reputation, and its operational efficiency and program effectiveness

X Management applies GAAP as directed and interpreted by the Office of State Controller and as advised by the Office of State Auditor

X Management reviews and analyzes appropriate financial history and related matters when developing and applying accounting estimates

X Turnover at management and supervisory levels related to financial reporting has not been frequent

X Management deems the accounting and reporting functions valuable and has established access and security controls over related data


X Senior management (AVC level) interacts with and provides appropriate support to related functional offices to ensure management objectives are met

X Management has published guidelines / rules over spending, establishing trust funds, making journal entries

X Management exemplifies the attributes of Customer Service and Excellence

X Management provides the necessary resources to ensure accountability and appropriate controls over information processing, accounting and reporting functions

X The Controller’s Office maintains a comprehensive year end plan to provide step by step directions for the completion of the annual financial statements

X Management assigns the production of the annual financial statements to qualified accountants having knowledge of established accounting and reporting standards for universities

(List other policies or practices that exhibit the characteristics of Management’s philosophy and operating style)

D.5 Organizational Structure:

An entity’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. Establishing a relevant organizational structure includes considering key areas of authority and responsibility and appropriate lines of reporting. An entity develops an organizational structure suited to its needs. The appropriateness of an entity’s organizational structure depends, in part, on its size and the nature of its activities.

X Management has established an organization structure that emphasizes appropriate separation of duties, and administrative and programmatic functional responsibilities

X Management has established separate administrative functional offices based on related functional requirements including, financial and resource management functions (budget office, controller’s office, and contracts and grants), treasury functions (cashiering and student receivables, purchasing, debt, investments, foundations) and, human resource functions (compensation, benefits, payroll)

X Management has authority and responsibility over the Financial System including its input and output requirements including work flow requirements for initiating, approving, processing, summarizing, reporting and monitoring financial information

X The Controller’s Office has authority and responsibility over the planning, analysis, review, coordination, development, and preparing and posting year end adjustments and disclosures, and preparing and publishing the year end financial statements

X The Controller’s Office has the authority and responsibility over coordination of year end financial reporting activities with the Office of State Auditor and the Office of State Controller

X Based on the size and complexity of the organization, management has provided appropriate authority and responsibility by organization code as to managing, initiating, approving and monitoring of financial transactions

(List other policies or practices that exhibit the establishment of the organization structure and its controlling factors)


D.6 Assignment of Authority and Responsibility:

This factor includes how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that all personnel understand the entity’s objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.

X Management has assigned authority and responsibility for administrative and programmatic functions to central office directors and department heads based on organization structure and functional controls

X Management has provided adequate resources to carry out functional responsibilities and to prepare and publish financial statements within established time frames that will not require adjustment by auditors

X Management has established rules and guidelines for employees and departments to understand their responsibilities including making journal entries, requesting trust funds, spending funds and other functional matters

X Management provides official communication and training for employees to understand their responsibilities

X Employees are given work plans that provide for expectations and responsibilities

X The Controller’s Office has developed a month end close plan with assigned responsibilities and provides routine communications with related staff

X Management has developed a year end cash close plan and provides instructions to campus/departments for the efficient and effective close of cash activities for the year

X The Controller’s Office has developed a year end cash accrual plan and provides instructions to assigned employees regarding the efficient and effective close of accrual activities for the year

X Management has developed and provides training programs for campus users of the Financial System including how to use the system and policies and procedures regarding administrative requirements, accounting, approving and monitoring transactions

(List other policies or practices that exhibit the assignment of authority and responsibility over financial reporting)

D.7 Human Resource Policies and Practices:

Human resource policies and practices relate to hiring, orientation, training, evaluating, counseling, promoting, compensating, and remedial plans. For example, standards for hiring the most qualified individuals with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior demonstrate an entity’s commitment to competent and trustworthy people. Training policies that communicate prospective roles and responsibilities and include practices such as training schools and seminars illustrate expected levels of performance and behavior. Promotions driven by periodic performance appraisals demonstrate the entity’s commitment to the advancement of qualified personnel to higher levels of responsibility.

X Management has established human resource policies and practices for hiring, orientation, training, evaluating, counseling, promoting, compensating, and developing remedial plans

X Management has established human resource standards for hiring the most qualified individuals with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior

X Management has established a separate functional office for Human Resource (HR) activities

X HR provides training that communicates organizational and functional roles and responsibilities at the university through the Quick Start and HR Academy programs

X HR provides face to face training for improvement of management and administrative skills through the Pathways and Performance Leadership programs

X HR provides services including the establishment of positions and related compensation, receiving employment applications, screening applications, referring of qualified applicants, reviewing and approving of applicant selections, and performing background checks and credential checks when required

X HR provides counseling for departments and employees with difficulties on the job

X Management has developed and provides training programs for campus users of the HR System including how to use the system and policies and procedures regarding administrative requirements, approving and monitoring transactions

X HR provides international employment and taxation service to ensure appropriate work eligibility, visa compliance and associated taxation

X HR provides face-to-face new employee orientation to benefits for eligible SPA, EPA and Post-Doc employees for the purpose of enrollment into both mandatory and optional benefit programs

(List other human resource policies and practices significant to financial statement reporting)


E. REVIEW AND EVALUATION OF RISKS THAT AFFECT FINANCIAL REPORTING:

Risk assessment for financial reporting purposes is the identification, analysis, and management of risks relevant to the preparation of financial statements to ensure that they are fairly presented in conformity with generally accepted accounting principles. For example, risk assessment may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.

Risks relevant to financial statement reporting include external and internal events and circumstances that may occur and adversely affect an entity’s ability to record, process, summarize and report financial data consistent with the assertions of management in the financial statements. Once risks are identified, management considers their significance, the likelihood of their occurrence, and how they should be managed.

E.1 General Risk

Risks can arise or change due to changes in the operating environment, new personnel, new or revamped information systems, rapid growth or declines in revenues, new technology, new programs or activities, organizational restructurings, foreign operations, new accounting pronouncements, use of different accounting estimates, new policies from the State Controller’s Office and University audit concerns or reported issues.

Risk Related to Change – For the following areas, note with an “S” indicating that a significant change has occurred for the current period that affects risk relevant to financial reporting and “N” if no significant change occurred:

S Key Personnel

S Information Systems (relates to new enterprise system implementations or upgrades to existing enterprise systems)

S Revenue / Resources

S Debt

N Investments

S Technology (relates to computerized hardware or software - excluding information systems discussed earlier)

N Programs or Activities

S Organization Structure

N Foreign Operations

N Accounting Pronouncements

N Accounting Estimates

S UNC-GA FIT Standards

S State Controller Accounting and Reporting Requirements

N State Audit Concerns and or Reported Issues on Universities

N Affiliated Organizations

S Significant Transactions with Affiliated Organizations

S Controls Procedures

(List other changes increasing risk relevant to financial statement reporting)

For all items noted with an “S”, please provide a description of the change and how the change is being managed to reduce risk relevant to financial reporting:

Key Personnel & Organization Structure – The new Controller Charles Cansler began work in September 2011. Office of Scholarships and Financial Aid Director Julie Mallette retired in December 2011. One of her assistant directors, Krista Domnick, was named to fill her position. University Treasurer Kathy Hart retired in April 2012, and Mary Peloquin-Dodd was hired. Foundations Accounting and Investments Controller Margaret Holder resigned in 2011, and Erin Delehanty was hired in early 2012. Vice Chancellor of Student Affairs Dr. Thomas Stafford will retire at the end of June and the search for his successor is in progress. Dr. Paul Lunn was named the Dean of the College of Veterinary Medicine in September 2011. Chandler Thompson took office as Student Body President and ex officio member of the Board of Trustees for academic year 2011-2012. Assistant Controller Milburn Holbrook moved to a position with NC State Contracts and Grants. He will continue to perform his year end tasks. His other tax and receivable tasks have been reassigned within the Controller’s Office. Assistant Controller Ralph McLester took a position with UNC-GA. Many of his year end tasks have been reassigned to the new accountant, who will start work in June. Replacing key personnel followed the hiring/interview process required by the University, thus ensuring qualified employees, minimizing disruption to their departments and reducing risk relevant to financial reporting.
Scott Inkley was hired in December 2011 as the Executive Director of Business Operations to lead the Business Operations Realignment Steering Team. As part of the realignment, the reporting lines for lead finance/HR representatives were changed to include a direct reporting line to Finance and Business while keeping the college division line. Otherwise, no organization changes affecting financial reporting have been implemented as a result of the strategic realignment proposals currently being discussed. The divisions of Student Affairs and Academic Programs merged to form the Division of Academic and Student Affairs. The Chancellor announced the College of Physical and Mathematical Sciences will be replaced with a more comprehensive College of Sciences in July, 2012. This new college will include the undergraduate biology program which will be moved from the College of Agriculture and Life Sciences.

Information Systems & Technology – The Financials 9.1 upgrade was implemented in March, 2012. The upgrade included Asset Management, a new PeopleSoft module for NC State. The upgrade also included the Chartfield Request System so campus users can go to one site to request new projects. Groupwise mail users were moved to Google Mail in November, 2011. Departments that track their temporary employees’ time switched from KRONOS to KABA timekeeping devices. Workstations will be upgraded to Windows 7 in coming months. System upgrades and changes were tested and monitored to reduce risks relevant to financial reporting.


Revenue / Resources – Appropriations were slightly lower than the prior year after the Board of Governors was required to make cuts across the system. Even adding back enrollment growth funding was not sufficient to bring the University back to the 2011 appropriation level. Student tuition and fees were increased. The push for other types of funding, the increased student revenues, and strategic planning have softened the effect of the reductions.

Debt – Commercial Paper debt has increased from $10 million at June 30, 2011 to $50 million and may increase again before year end. The 2002B bonds (balance of $3.4 million at June 30, 2011) were called in April 2012. Most of the 2003A bonds (balance of $25.9 million at June 30, 2011) were advance refunded this fiscal year and $16 million in 2012 bonds were issued. All bond issues are subject to the UNC Board of Governors oversight.

UNC-GA FIT Standards – The KPIs for the newest FIT processes, Student Accounts and Capital Assets, were modified during the year and likely will not be included in the reports/dashboard to the Chancellor until the next fiscal year.

State Controller Accounting and Reporting Requirements – The most significant reporting change is that the final financial statements (including the cash flows statement), notes, and MD&A must be completed by September 20. This requirement moves the deadline up 10 days. The foundations template is due September 10, moving that deadline up 5 days. Year end task assignments and completed-by dates have been modified to meet these new deadlines. Foundations Accounting and Investments and the Student Aid Association auditor have been notified that their foundation information will be required a few days earlier. The OSC CAFR package has one new worksheet (Investments Held Outside the State Treasurer, Valuation of Investments) requiring disclosure of any investments not reported at fair value. NC State has land reported at cost of some $20 million held by Endowments as quasi-endowments and/or also used for teaching/research purposes. OSC also asked whether the new GASB 64, Derivative Instruments: Application of Hedge Accounting Termination Provisions, would affect NC State’s reporting of our swaps. The Debt Manager responded that GASB 64 would have no effect unless we made changes to our swaps. Based on OSC’s early requests for information, NC State has already dealt with these changes.

Significant Transactions with Affiliated Organizations – The NC State University Partnership Corporation (through the NC State Residence, LLC) transferred the completed chancellor’s residence to the University in fiscal year 2012. The Corporation and its LLCs are a blended part of the University’s reporting entity.

Controls Procedures – The Controller’s Office updated travel guidelines and implemented new mobile device requirements. The Chancellor issued a memorandum in August 2011 notifying the campus that purchases from/through employees require State Purchase Office approval. With the upgrade there is a new control within Accounts Payable where all payments to independent contractors are being routed to Controller’s Office tax staff for review and approval before they are college approved. This helps identify those payments early in the process. With increased payment card transactions and resulting requirements, the University now has a formal group to evaluate, advise and implement PCI directives.

E.2 Specific Process Risk

Control activities over processes are either preventive or detective.

Preventive controls are built in as part of the system and look at each transaction similarly to stop errors before they are recorded in the system. Preventive controls include segregation of duties, appropriate organizational lines of responsibility/authority, proper communication, signed statements/representations, written contracts/agreements, trustworthy employees, knowledgeable employees, performance management (work plans/ gaining commitment/ counseling/ monitoring/ evaluation), employee training/ reinforcement, supervision/oversight, independent authorization, documented accounting procedures and controls, adequate supporting documentation and records (including pre-numbered documents and the cancellation of documents), proper record-keeping procedures (including the timeliness of processing), budgetary accounting, physical security/control over assets and documents (including document controls, safe deposits, timeliness of deposits and computer security), and pre audits of transactions (including matching of documents).

Detective controls are dependent on manual review of recorded information and are considered compensating controls when preventive controls are not in place. They require timely correction procedures. Detective controls include recalculations, checking control totals, analysis and review, independent reconciliations, follow up on questionable accounts/transactions, customer complaints/employee complaints, observations, rotation of staff, inspection of documents, confirmations, and post review/audits of accounts/transactions/exception reports/aging reports, etc.

For each specific process section that follows, the various risks that could adversely affect the entity’s ability to initiate, record, process, summarize and report financial information are identified, as well as the control procedures that may be utilized to reduce those risks.

For each control section within the specific process sections that follow, note with an “X” the associated control procedures that are in place, an “I” if improvement is needed, a “C” if compensating controls exist to mitigate the risk of associated error, or an “N” if not applicable or not considered necessary. The control procedures listed are examples and, if different, should be changed to reflect the actual procedure in place. An “N” should not be used, nor should the example control procedure be removed or deleted, if the intended control procedure is applicable but not in place. In those cases, an “I” should be used. If “I” or “C” is noted, please provide a discussion of the plan for improvement or the compensating controls in place that mitigate the risk of associated error in the Summary Findings Section at the end of this assessment. Other specific process control procedures in place but not listed as an example should be added to the list if deemed important to financial reporting. Please note that the indication of control procedures in place can result from either direct written evidence or implied knowledge of an informed person.

E.2.1 Bank Account Reconciliations

Risks to Financial Reporting:

Transactions not recorded
Transactions recorded incorrectly (amount/period/account)
Unauthorized transactions recorded
Unsupported transactions recorded
Duplicated transactions
Missing transactions
Invalid transactions
Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities
X Proper communication of policies/procedures
X Proper training of staff
X Review of large checks outstanding for 6 months
X Timely review and resolution of discrepancies in reconciliations
X Approval of reconciliation templates by the Controller
X Review of bank statements for unrecorded transactions
X Review of old checks for escheat purposes and correction of errors
X Review of supporting documentation by the approver
X Separation of duties between authorizing/processing/reconciling
X Reconciliation of bank activity/balances to general ledger activity/balances
X Maintenance and safeguarding of documentation
X Documented management oversight of the reconciliation process
X Proper access over online banking information
Others: _____________________________________________

E.2.2 Journal Entries

Risks to Financial Reporting:

Transactions not recorded
Transactions recorded incorrectly (amount/period/account)
Unauthorized transactions recorded
Unsupported transactions recorded
Inappropriate transfers recorded
Inadequate identification of transaction on the system
Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities
X Proper communication of policies/procedures
X Proper training of staff
X Approval of journal entry templates by the Controller
X Requirements for journal entries to have a reference number and meaningful descriptions
X Requirements for journal entries to have identification of the preparer and approver with the effective dates
X Requirements for journal entries to have unique identification codes to identify the class of transaction
X Management has published journal entry guidelines for financial users
X Review of supporting documentation by the approver
X Separation of duties between authorizing/processing/reconciling. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists
X Independent review of journals prior to posting
X Limiting the upload of journal entries to employees with appropriate training and security
X Validation of feed journal entries either by the initiating or receiving department
X Identification of internal sales transactions using account or journal system logic
X Identification of fund transfer transactions using account or journal system logic
X Reconciliation of journals to supporting documentation and general ledger
X Maintenance and safeguarding of documentation
X Management oversight of the process
X The automated journal entry system has automated work flow to ensure segregation of duties for entry into the system and approval by the college and central offices (if required by journal rules)
Others: _____________________________________________

E.2.3 Maintain Fund Accounts

Risks to Financial Reporting:

Transactions not recorded
Transactions recorded incorrectly (amount/period/account)
Unauthorized transactions recorded
Unsupported transactions recorded
Inappropriate fund activity authorized
Non compliance with state statutes
Non compliance with UNC-GA policies over institutional or special funds
Unauthorized system access
Inappropriate system access
Fund account activity not authorized
Fund classification recorded incorrectly
Fund rollup wrong
Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities
X Proper communication of policies/procedures
X Proper training of staff
X Validation of mapping procedures for matching NCAS account codes to the Financial system account codes
X Management has designated persons responsible for authorizing funds
X Management has established written requirements for authorization of new fund accounts
X Documented review of requests for new fund accounts / activities
X Management has established trust fund guidelines explaining fund accounting rules and policies for establishing and using trust funds
X Management has established a standard template for trust fund requests and approval to ensure proper application of UNC policy
X Documented authorization of fund account set up values
X Written communication with new fund authorizations providing conditions for approval
X Monitoring of new trust fund activities
X Separation of duties between authorizing/processing/reconciling. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists
X Independent verification of fund account set up values posted to the system
X Maintenance and safeguarding of documentation
X Management oversight of the process
X Written procedures or automated processes for and authorization of data access
X Management has established a standard template for application and approval of new data access or changes to access
X Written procedures or automated processes exist for removing access rights upon termination or change in job functions
X Periodic review of data access with management certification
X Periodic review of trust fund negative cash balances is performed by the Controller’s Office
Others: _____________________________________________

E.2.4 Maintain Daily Cash

Risks to Financial Reporting:

Transactions not recorded
Transactions recorded incorrectly (amount/period/account)
Unauthorized transactions recorded
Unsupported transactions recorded
Overdrafts in disbursement accounts
Certification to State as to monthly cash incorrect
Certification to State as to Cash Management Plan not current
Cash Management Plan not complete
Cash Management Plan not properly approved

Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities
X Proper communication of policies/procedures
X Proper training of staff
X Daily matching of deposits to bank record, deposit slip or other support, CMCS, and general ledger record
X Claiming of cash performed daily via CMCS
X Daily matching of credit card collections to merchant service account
X Timely reconciliation of immediate postings of credit card or e-check payments on student accounts to the actual collection
X Disbursement needs are determined based on automated requisition reports from the financial system
X Utilization of a standard template to document disbursement needs
X Timely processing of CMCS requisition transfers
X Month end reconciliation of CMCS transfers
X Utilization of CMCS for and timely processing of transfers between state entities
X Utilization of Positive Pay procedures on disbursing account
X Utilization of Debit Blocks on non-state treasurer depository accounts
X Supporting documentation reviewed by the approver
X Separation of duties between authorizing/processing/reconciling. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists
X Reconciliation of CMCS cash activity, general ledger cash activity and Budget Reports at month end
X Maintenance and safeguarding of documentation
X Management oversight of the process and review of cash journals
X Timely review of Cash Management Plan
X Proper approval of Cash Management Plan
Others: _____________________________________________

E.2.5 Month End Close

Risks to Financial Reporting:

Transactions not recorded
Transactions recorded incorrectly (amount/period/account)
Unauthorized transactions recorded
Unsupported transactions recorded
General ledger balances not in agreement with sub-system balances
General ledger balances not in agreement with confirmed third party balances
Material general ledger balances not correct
Monthly reports not complete
Monthly reports not filed timely

Monthly reports to the State not in agreement with general ledger balances
Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities
X Proper communication of policies/procedures
X Proper training of staff
X Management has established a calendar / schedule to ensure the appropriate close of monthly activities
X Standard template checklist for ensuring all month end close steps / procedures have been performed
X Management sign off on completion of the month end checklist
X Established guidelines / rules require documented journal entries
X Established guidelines / rules require identification of standard monthly journal entries and instructions for their completion
X Communication of key monthly processing dates to accounting and business staff including central office, auxiliary and campus staff, when necessary based on organization size
X Identification of key accounts established by the Controller including bank accounts, fiscal agent accounts, student accounts receivable, student loans, and labor distribution
X Reconciliation of key accounts and key clearing accounts
X Management approval of reconciliation templates
X Establishment of rules / guidelines for campus to reconcile monthly P-card statements
X Monitoring of monthly campus P-card statement reconciliations by appropriate central office
X Establishment of rules / guidelines for campus to reconcile monthly activity reports
X Training of campus users regarding reconciliation of monthly P-card statements and monthly activity reports
X Review and monthly adjustment of NCAS crosswalk tables
X Review of supporting documentation by the approver
X Separation of duties between authorizing/processing/reconciling. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists
X Timely adjustment of errors identified in material general ledger balances
X Maintenance and safeguarding of documentation
X Management oversight of the process and review of reconciliations and month end journals
Others: _____________________________________________

E.2.6 Year End Close

Risks to Financial Reporting:

Transactions not recorded
Transactions recorded incorrectly (amount/period/account)

Unauthorized transactions recorded
Unsupported transactions recorded
New GAAP not applied
New GAAP not applied correctly
Inconsistent classification or reporting of information
Year end reports not filed timely
Year end reports filed not complete
Errors in reporting identified by audit
Transactions/balances misclassified
Transactions/balances recorded not complete
Disclosures not recorded
Disclosures recorded incorrectly
Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities
X Proper communication of policies/procedures
X Proper training of staff
X Management has established a calendar / schedule to ensure appropriate close of year end cash activities
X Communication of key year end cash processing dates to accounting and business staff including central office, auxiliary and campus staff, when necessary based on organization size
X Standard template checklist utilized for ensuring all year end month close steps / procedures have been performed
X Established guidelines / rules require special journal entry types for year end accruals including reversal entries, accrual entries to be reversed, accrual entries not to be reversed (reclassification entries), accrual entry with permanent adjustment, and beginning balance adjustments
X Year end task list established and approved by the Controller to provide a step by step list of procedures including persons assigned to perform the task, persons assigned to review procedures and work performed, and required timelines
X A year end workshop is conducted with the staff assigned work on the accrual year end process to discuss roles and responsibilities, task list assignments, adjustment procedures, documentation requirements, timeline requirements, audit concerns, new requirements, changes affecting the process, and ongoing management review of the process
X Year end task list includes steps to identify and obtain necessary information from other units or information not readily available in a timely manner to meet established timelines
X Year end plan includes the use of classified trial balances and automated financial statements as tools in the efficient and effective preparation of year end financial statements and disclosures
X Year end plan includes a review of changes in GAAP, OSC requirements, OSA requirements, affiliated organizations, and estimates
X Year end plan includes the identification of standard accrual entries and instructions for their completion

X Year end plan establishes requirements for documentation of steps performed and journal entries made
X Standard template is utilized for documenting year end tasks
X Year end plan includes the identification of accounts with high risk that are material
X Year end plan includes lead sheets, analysis, analytical review and reconciliations to validate accuracy of material accounts
X Year end plan includes consideration of prior audit concerns
X Year end work and journal entries are reviewed by the assigned reviewer as part of the year end process
X Year end work papers are organized and indexed for easy retrieval and review by auditors
X Year end plan utilizes a comparative trial balance of statement caption accounts to determine unusual and unexpected differences and to detect and correct material errors in the account balances
X Year end plan includes analytical procedures such as comparison of current and prior year account balances, auxiliary gross profit ratios, recomputation of tuition and student fee income, reconciliation of salaries between the statements and disclosures
X Utilization of the State auditor pro forma financial statements
X Utilization of a cash flow template
X Reconciliation of NCAS and general ledger balances prior to year end certification
X Review of supporting documentation by the approver
X Separation of duties between authorizing/processing/reconciling
X Maintenance and safeguarding of documentation
X Management oversight of the process and review of reports
Others: _____________________________________________

E.2.7 Spending Guidelines

Risks to Financial Reporting:

Misclassification of expenditures
Inappropriate transactions
Improper changes to State, auxiliary or restricted funds
Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities
X Proper communication of policies/procedures
X Proper training of staff
X Published Spending Guidelines by funding source
X Review of supporting documentation by the approver
X Separation of duties between authorizing/processing/reconciling
X Maintenance and safeguarding of documentation
X Documented management oversight of the process
Others: _____________________________________________

E.2.8 Capital Assets

Risks to Financial Reporting:

Transactions not recorded
Transactions recorded incorrectly (amount/period/account)
Unauthorized transactions recorded
Unsupported transactions recorded
Inconsistent classification or reporting of information
Transactions/balances misclassified
Transactions/balances recorded not complete
Acquisitions/items lost/stolen/embezzled
Items impaired and not adjusted
Class lives not reviewed for prospective adjustment of depreciation estimate
Equipment not tagged
Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities
X Proper communication of policies/procedures
X Proper training of staff
X Sequentially numbered item tags
X Equipment inspected and tagged by the central office staff or department staff with appropriate training and experience
X Separate accounting system for inventory of capital assets
X Written procedures for identification of and recording of capital assets
X Establishment of campus capital asset coordinators
X Communication to and training of campus capital asset coordinators
X Establishment of standard templates for identification of information required by the system
X Annual inspection, reconciliation and reporting by the campus capital asset coordinators
X Proper authorization/processing procedures for changes/adjustments in location and condition
X Documentation and proper approval of items transferred or held for home use is maintained by departments
X Spot checks by the central office of inventories conducted by campus capital asset coordinators
X Reconciliation of the capital asset system to the general ledger
X Capital assets reported as lost, stolen or missing are reported to the department heads
X Financial statement adjustments made for reported lost, stolen or missing items
X Capital project accounts analyzed and adjustments made to record real property changes including construction in process and completed construction projects
X Changes in capital assets reconciled to financial statements
X Capital assets depreciated in accordance with OSC policy using commodity and/or class life codes and review of industry or historical data to determine appropriate useful lives

X Construction in process accounts moved to depreciable asset classes when construction project is completed and a certificate of occupancy is approved
X Amounts recorded for construction in process are based on approved architect certificates as of or as close as possible to June 30th
X Estimate of outstanding construction project payables is made based on review and analysis of architect certificates and trend of work completed when current billings are not available
X Construction project contract retainage is recorded at year end as part of capital assets
X Separation of duties between custodian and persons performing annual inventory in larger departments. Spot checks performed by the Controller’s Office to compensate for resource issues with smaller departments and Internal Audit checks based on risk assessments
X Maintenance and safeguarding of documentation
X Management oversight of the process and review of adjustments made, write-offs and inventories
X Annual review of fully depreciated capital assets and determination of revised class lives by commodity code
Others: _____________________________________________

E.2.9 Cash Receipts and Deposits

Risks to Financial Reporting:

Transactions not recorded or not recorded timely
Transactions recorded incorrectly (amount/period/account)
Cash lost / stolen / embezzled
Transactions/balances misclassified
Transactions/balances recorded not complete
Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities
X Proper communication of policies/procedures
X Proper training of staff
X Background check on new employees
X Mandated vacations. (If employees that handle cash receipts or deposits take vacations or sick leave without it being mandated then mark this item as met. If employees that handle cash receipts or deposits do not take vacations or sick leave, this would indicate an increase in control risk. In those cases, you will need to mark either with a “C” to indicate a compensating control or an “I” to indicate planned improvements.)
X Guidelines / Rules published for departmental receipt activities
X Sequentially numbered receipts/deposit slips
X Mail logs/copy of checks or scanned copies
X Early restricted endorsement of checks
X Lock box/ safe/ safeguarding procedures for undeposited receipt items

X More than one person opening the mail at Cashiers Office, Controller’s Office and major auxiliaries
X Separation of duties between receipting/recording/ reconciling. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists
X Reconciliation of receipts/ mail logs/ copied checks to deposits
X Establishment of rules / guidelines requiring daily deposits
X Armed Security Officer pick-up
X Reconciliation of deposits to general ledger
X Maintenance and safeguarding of documentation
X Management oversight of the process and review of revenues
X Safeguarding of check copies (paper or scanned documents)
X Safeguarding and protecting sensitive information including credit card numbers in accordance with PCI requirements
X Remote capture deposits are utilized for the contracts and grants office, foundation office, controller’s office, and other various departments deposits
Others: _____________________________________________

E.2.10 Revenues & Receivables

Risks to Financial Reporting:

Collections embezzled
Transactions not recorded
Transactions recorded incorrectly (amount/period/account)
Collections not pursued
Write off of accounts
Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities
X Proper communication of policies/procedures
X Proper training of staff
X Background check on employees
X Mandated vacations. (If employees that handle account receivables take vacations or sick leave without it being mandated then mark this item as met. If employees that handle cash receipts or deposits do not take vacations or sick leave, this would indicate an increase in control risk. In those cases, you will need to mark either with a “C” to indicate a compensating control or an “I” to indicate planned improvements.)
X Proper authorization procedures for charges/adjustments/write offs
X Reconciliation of daily receipts to collections
X Separation of duties between authorizing/ processing/ reconciling/ answering billing complaints. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists
X Immediate billing after services provided

X Monthly billing of outstanding balances
X Production of aging report on receivables
X Guidelines / Rules published on management of receivables including using aging reports by departments
X Guidelines / Rules published for writing off accounts
X Reconciliation of interface systems
X Reconciliation of charges/collections to financial reporting
X Maintenance and safeguarding of documentation
X Management oversight of the process and review of aging report, adjustments made, write-offs and revenues
Others: _____________________________________________

E.2.11 Payroll & Labor Management

Risks to Financial Reporting:

Paychecks embezzled
Transactions not recorded
Transactions recorded incorrectly (amount/period/account)
Services not received
Terminations not made timely
Payroll changes not properly approved
Payments not made or not made timely
Payment of duplicate payments
Calculations not made correctly
Non compliance with policies, regulations or rules
Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities
X Proper communication of policies/procedures
X Proper training of staff
X Independent HR office to process and approve new positions / hires
X Proper documentation and dept/college/VC authorization procedures
X Supporting employee personnel files with signed applications and approvals (electronically or not)
X Supporting documentation for authorization of supplemental compensation signed by employee and supervisor with description of work to be performed is required by HR and maintained at the college / department level. SPA actions require HR approval prior to work performed. Validation of time worked is the responsibility of the college / departments
X Time sheets for hourly payments are reviewed for accuracy and maintained at the college / department level
X Use of time records for part time/ temporary/ hourly paid employees signed by employee and approved by supervisor

X Use of leave recording system for leave earning employees with automated process for amounts earned and available and supervisory approval for leave taken
X Separation of duties between authorizing/ processing/ reconciling. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists
X Timely processing of payroll registers
X For employees paid on an hourly basis, time worked verified before payment approved
X Reconciliation of payroll registers to financial reporting
X Reconciliation of payroll registers to Labor Distribution
X Maintenance and safeguarding of documentation
X Management oversight of the process and review of documentation, expenditures for the month/year
X Redistributions of Contracts and Grants payroll charges greater than 90 days are reviewed for accuracy and timeliness by the Contract and Grants Office prior to posting
X In addition to federally-mandated I-9 compliance, and the State of North Carolina required E-Verify compliance, HR voluntarily submits a quarterly file through the Social Security Administration’s Business Services Online/Social Security Number Verification System tool to verify name, SSN, date of birth, and gender. This ensures correct and valid information is submitted on year-end wage and tax documents.
Others: _____________________________________________

E.2.12 Expenses & Accounts Payable

Risks to Financial Reporting:

Expenditure related items embezzled

Transactions not recorded

Transactions recorded incorrectly (amount/period/account)

Expenditure related items not received

Items not properly approved

Payments not made timely

Payment of duplicate invoices

Credits/ Discounts not properly applied

Discounts not pursued

Purchasing and Contract requirements not followed

Travel requirements not followed

Spending guidelines not followed

Improper charge to State/restricted funds

Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities

X Proper communication of policies/procedures

X Proper training of staff

X Sequentially numbered vouchers / checks


X Proper authorization procedures

X Independent maintenance of the vendor file

X Management has established guidelines or rules for using the Market Place or other e-procurement applications, P-cards and limiting activity for which employees may request personal reimbursements

X Management has established guidelines or rules for employee travel reimbursements

X Management has established guidelines or rules for student and other non-employee travel reimbursements

X Controller’s office provides performance information reports to campus business officers regarding the timeliness of processing invoices for payment

X Controller’s office has established guidelines / rules for timely processing of invoices

X Duplicate invoices are checked by the system using a four way match on vendor name or id#, invoice #, invoice date and $amount

X Additional procedures performed to determine duplicate invoices for example using a quarterly report to provide campus with a two way match on vendor name or id# and $amount during the three month period

X Routine queries have been established and made available for review of old open vouchers and to make necessary corrections

X Discounts are pursued when made available by vendors

X Communication is made by the Controller’s office to business staff for review of open vouchers

X Communication is made by the Controller’s office to business staff for questions related to incomplete documentation or other problems with invoice payment requests

X Original Invoice required for payment

X Vendor confirmation of credit memos on major vendors by AP

X Supporting purchase order / invoice documentation

X Use of receiving/approval stamp

X Verification of travel compliance

X Reconciliation of invoice to purchase order/ encumbering documentation/ receiving documentation

X Separation of duties between authorizing/ vendor approval/ processing/ receiving and reconciling. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists

X Timely processing of invoices for payment

X Receiving of goods / services verified before payment approved

X Reconciliation of AP subsystem to general ledger

X Maintenance and safeguarding of documentation

X Management oversight of the process and review of documentation, expenditures for the month/year

Others: _____________________________________________

E.2.13 Contracts and Grants

Risks to Financial Reporting:

Transactions recorded incorrectly (amount/period/account)

Unauthorized transactions recorded

Unsupported transactions recorded

Inadequate time and effort reporting

Unsupported time and effort reporting

Untimely adjustments related to time and effort reporting

Indirect cost charged as direct cost

Sub contracts not monitored

Inappropriate transactions

Inappropriate expense transfers

Improper charges to Grant funds

Charges not billed or not billed timely

Collections not pursued or not pursued timely

Write off of accounts

Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities

X Proper communication of policies/procedures

X Proper training of staff

X Central office establishes guidelines or rules regarding budgets, budget revisions, budget overruns, budget transfers, expense transfers, and salary reallocations inclusive of sponsor agreement terms

X Central office is responsible for and records authorized budgets and budget revisions for grant activities. Colleges / schools / departments are responsible for revision requests.

X Reports available for campus users regarding budget overruns

X Published guidance on grant compliance

X Established Time and Effort reporting policies and procedures

X Compliance reviews by the appropriate central office based on cause or request

X Detail pre audits and/or close out reviews are performed at College / school / department level

X Certification of all charges is required by the College / school / department to the Office of Contracts and Grants on the close out of a contract / grant

X Colleges / schools / departments are responsible for approval of expense transfers or salary allocations related to grants

X Audits required and reviewed for sub grants as required by OMB A-133

X PIs are responsible for monitoring contract performance

X Production of aging reports

X Management review of aging report summary

X Guidelines published for management of receivables and the use of aging reports

X Billing of services based on agreement terms

X Use of standard billing letters at 30 / 60 / 90 days

X Referral of uncollected amounts not in dispute to AG’s office or proper collection agency after 90 days

X Draw down of federal grants on LOC method as close to the expenditure date as possible

X Guidelines published for the funding and recovery of charges or billings that are considered uncollectible


X Supporting documentation reviewed by the approver

X Separation of duties between authorizing/processing/reconciling. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists

X Maintenance and safeguarding of documentation

X Management oversight of the process

Others: _____________________________________________

E.2.14 Student Financial Aid

Risks to Financial Reporting:

Transactions recorded incorrectly (amount/period/account)

Unauthorized transactions recorded

Unsupported transactions recorded

Inadequate student progress reporting

Unsupported student progress reporting

Untimely adjustments related to student errors

Untimely adjustments related to institutional errors

Over awards to students

Ineligible students given awards

Indirect cost charged incorrectly or as direct cost

Perkins Loans not collected or monitored

Inappropriate aid transactions

Inappropriate expense transfers

Non compliance with regulations

Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities

X Proper communication of policies/procedures

X Proper training of staff

X Published Student Financial Aid Compliance Guidelines

X Established student progress reporting policies and procedures

X Compliance reviews by central office. (This is when a central office performs testing on functional procedures to ensure that official policy and procedures are being met as intended by management – this can be done by the functional central office or other central office such as the Controller’s Office.)

X Student eligibility verified prior to award

X Calculation of award amount verified prior to award

X Calculation of award verified and adjusted after class hour changes

X End of Class reviews and adjustments for dropped classes and withdrawals

X Separate central office responsible for student loan accounting, billing and collection

X Communication by central office with students having loans prior to leaving university regarding students’ requirement to repay loans


X Communication by central office with students not having current accounts

X Supporting documentation reviewed by the approver

X Separation of duties between authorizing/processing/reconciling

X Maintenance and safeguarding of documentation

X Management oversight of the process

X Review of frequency of refunds to stay within federal guidelines

Others: _____________________________________________

E.2.15 Student Accounts

Risks to Financial Reporting:

Transactions recorded incorrectly (amount/period/account)

Unauthorized transactions recorded

Unsupported transactions recorded

Student Accounts not collected or monitored

Bills not prepared timely/accurately

Refunds processed incorrectly

Past due balances not identified

Write-offs are performed out of policy

Others: _____________________________________________

Controls Utilized to Reduce These Risks:

X Supervision of activities

X Proper communication of policies/procedures

X Proper training of staff

X Documented Student Accounts Guidelines

X More than one person opening the mail and logs checks

X Reconciling funds to the general ledger

X Segregation of the disbursing and applying of aid to accounts

X Payments received are reconciled and deposited timely

X Guidelines are issued on how payments enter the office

X Monthly billing of outstanding balances

X Production / review of aging reports

X Guidelines issued for write-offs

X Write-offs are approved by management

X Supporting documentation reviewed by the approver

X Separation of duties between authorizing/processing/reconciling

X Maintenance and safeguarding of documentation

X Management oversight of the process

Others: _____________________________________________

E.2.16 Other Areas of Interest


Risks to Other Areas of Interest:

Transactions not recorded

Transactions recorded incorrectly (amount/period/account)

Unauthorized transactions recorded

Unsupported transactions recorded

Fraud

Embarrassment

Identity Theft

Violation of Federal or State Privacy Laws

Others: _____________________________________________

Controls over Employee Travel and other Employee Reimbursements:

X Supervision of activities

X Proper communication of policies/procedures

X Proper training of staff

X Published Compliance Guidelines / Rules

X Compliance reviews. (This is when a central office performs testing on functional procedures to ensure that official policy and procedures are being met as intended by management – this can be done by the functional central office or other central office such as the Controller’s Office.)

X Supporting documentation reviewed by the approver

X Separation of duties between authorizing/processing/reconciling. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists

X Maintenance and safeguarding of documentation

X Management oversight of the process

Others: _____________________________________________

Controls over Payments to Individuals – Non Employees:

X Supervision of activities

X Proper communication of policies/procedures

X Proper training of staff

X Published Compliance Guidelines / Rules

X Compliance reviews. (This is when a central office performs testing on functional procedures to ensure that official policy and procedures are being met as intended by management – this can be done by the functional central office or other central office such as the Controller’s Office.)

X Supporting documentation reviewed by the approver

X Separation of duties between authorizing/processing/reconciling. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists

X Maintenance and safeguarding of documentation


X Management oversight of the process

Others: _____________________________________________

Controls over Student Travel and other Student Payments:

X Supervision of activities

X Proper communication of policies/procedures

X Proper training of staff

X Published Compliance Guidelines / Rules

X Compliance reviews. (This is when a central office performs testing on functional procedures to ensure that official policy and procedures are being met as intended by management – this can be done by the functional central office or other central office such as the Controller’s Office.)

X Supporting documentation reviewed by the approver

X Separation of duties between authorizing/processing/reconciling. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists

X Maintenance and safeguarding of documentation

X Management oversight of the process

Others: _____________________________________________

Controls over Pcard Transactions:

X Supervision of activities

X Proper communication of policies/procedures

X Proper training of staff

X Published Compliance Guidelines / Rules

X Compliance reviews. (This is when a central office performs testing on functional procedures to ensure that official policy and procedures are being met as intended by management – this can be done by the functional central office or other central office such as the Controller’s Office or the Purchasing Office.)

X Supporting documentation reviewed by the approver

X Monthly statements on the P-card expenditures required with sign off by the cardholder and approver. If approver is the same as the cardholder then a supervisor is required to sign off

X Maintenance and safeguarding of documentation

X Management oversight of the process

Others: _____________________________________________

Controls over Imprest Account Transactions:

X Supervision of activities

X Proper communication of policies/procedures

X Proper training of staff

X Published Compliance Guidelines / Rules


X Compliance reviews. (This is when a central office performs testing on functional procedures to ensure that official policy and procedures are being met as intended by management – this can be done by the functional central office or other central office such as the Controller’s Office.)

X Supporting documentation reviewed by the approver

X Separation of duties between authorizing/processing/reconciling. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists

X Maintenance and safeguarding of documentation

X Management oversight of the process

Others: _____________________________________________

Controls over Petty Cash Transactions:

X Supervision of activities

X Proper communication of policies/procedures

X Proper training of staff

X Published Compliance Guidelines / Rules

X Compliance reviews. (This is when a central office performs testing on functional procedures to ensure that official policy and procedures are being met as intended by management – this can be done by the functional central office or other central office such as the Controller’s Office.)

X Supporting documentation reviewed by the approver

X Separation of duties between authorizing/processing/reconciling. College / school / department management is responsible for establishing compensating controls where a limitation of staff exists

X Maintenance and safeguarding of documentation

X Management oversight of the process

Others: _____________________________________________

Controls over Identity Theft and Privacy Laws - Specific control procedures utilized to reduce the risks related to identity theft and privacy laws (including PCI requirements, GLBA requirements, FTC - Red Flags requirements, and NC Identity Theft Act requirements):

X Supervision of activities

X Proper communication of policies/procedures

X Proper training of staff

X Published Data Security Plan Guidelines / Rules

X Annual Data Security Plan reviews

X Routine PCI compliance testing through IT and other offices as necessary

X Employees required to sign confidentiality statements

X Established data steward, data custodian and security administrator requirements

X Established management committee to develop and monitor data security and Red Flags guidelines and compliance

X Established plan for data security including social security numbers and other personal identifying information

X Established plan for Red Flags including the identification, detection and mitigation of potential fraud resulting from identity theft

X Established procedures for reporting data breaches

X Supporting documentation reviewed by the approver

X Maintenance and safeguarding of documentation

X Management oversight of the process

Others: _____________________________________________

F. INFORMATION AND COMMUNICATION:

F.1 Accounting and Financial Reporting Information System

The information system relevant to accounting and financial reporting objectives consists of the methods and records established to record, process, summarize, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity. The quality of system-generated information affects management’s ability to make appropriate decisions in managing and controlling the entity’s activities and to prepare reliable financial reports.

An information system encompasses methods and records that:

Identify and Record all transactions.

Describe on a Timely Basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.

Measure the Value of transactions in a manner that permits recording their proper monetary value in the financial statements.

Determine the Time Period in which transactions occurred to permit recording of transactions in the proper accounting period.

Present Properly the transactions and related disclosures in the financial statements.

Information System – Note with an “X”, the following control factors relative to the Accounting and Financial Reporting System in place, an “I” if improvement is needed or “C” if compensating controls exist to mitigate the risk of associated error, or an “N” if not applicable or not considered necessary. The control factors listed are examples and, if different, should be changed to reflect the actual procedure in place. An “N” should not be used, nor should the example control factor be removed or deleted, if the intended factor is applicable but not in place. In those cases, an “I” should be used. If “I” or “C” is noted, please provide a discussion of the plan for improvement or the compensating controls in place that mitigate the risk of associated error in the Summary Findings Section at the end of this assessment. Other information system control factors in place but not listed as an example should be added to the list if deemed important to financial reporting. Please note that the indication of control factors in place can result from either direct written evidence or implied knowledge of an informed person.

X Management provides adequate resources for the design and implementation of accounting and reporting systems

X Management provides support for improvements to accounting and reporting systems

X Management considers the needs of departmental, functional and external reporting and includes representatives from departments and functional offices in decisions for the design, implementation and improvement of systems

X Departmental and functional business processes are considered during the design of the system

X Testing of the design and application processes are made before implementation of new or upgraded systems and modifications made for improvements

X Feedback is encouraged from departments and functional offices regarding adequacy and appropriateness of system performance and accuracy

X Financial information is provided to departments for review of transactions that are related to their operations

X Financial information reported to departments is monitored monthly through reconciliations of financial activities

X Key financial accounts are monitored by the controller’s office to ensure that amounts recorded are accurate and reconcile to sub systems or third party confirmations

X System has journal rules and data base logic that controls information being reported for cash based reports vs. accrual based reports

X Financial reports are supported by transaction files / data bases that are secured and for which access is controlled to ensure integrity of the data

X Data stewards are appropriately assigned to approve access to financial data

X Management has rules or guidelines to ensure privacy of confidential information

X Automated edits and audits are utilized to ensure integrity of data processing and appropriate postings

X Password protection and firewalls are utilized to protect system data

X Central or remote computers and data storage hardware are protected by using secured locations and access controls, and from environmental hazards

X Management has established data backup rules and guidelines to ensure recovery of lost data

X Management has established Disaster Recovery plans to ensure recovery of data from a disaster

X Management has established access controls to secure main frames, remote processor rooms, and server rooms

X Management has established Business Continuity plans to ensure recovery of business processes after a disaster or interruption

X Management has established rules or guidelines for PCI compliance

X Management has developed rules or guidelines to review and report on data breaches

X Internal and/or External auditors perform IT audits and findings, if any, are timely addressed

Others: _____________________________________________

F.2 Communication

Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. Open communication channels help ensure that exceptions are reported and acted on.

Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made orally and through the actions of management.

Communication – Note with an “X”, the following control factors relative to communication in place, an “I” if improvement is needed or “C” if compensating controls exist to mitigate the risk of associated error, or an “N” if not applicable or not considered necessary. The control factors listed are examples and, if different, should be changed to reflect the actual procedure in place. An “N” should not be used, nor should the example control factor be removed or deleted, if the intended factor is applicable but not in place. In those cases, an “I” should be used. If “I” or “C” is noted, please provide a discussion of the plan for improvement or the compensating controls in place that mitigate the risk of associated error in the Summary Findings Section at the end of this assessment. Other communication control factors in place but not listed as an example should be added to the list if deemed important to financial reporting. Please note that the indication of control factors in place can result from either direct written evidence or implied knowledge of an informed person.

X Employees are provided unique work plans and job descriptions that explain job duties and responsibilities

X Central functional offices utilize monthly and / or year end schedules to communicate required dates for action to ensure transactions are recorded or activity is recorded

X Management publishes rules or guidelines to provide requirements regarding processes

X Management provides on the job training to assist new employees

X Management provides classroom training to assist new employees and to provide improved knowledge for existing employees

X Hands on training is provided to employees to assist with using system procedures

X Central functional office personnel meet regularly with departmental business personnel to communicate new procedures or policies, to demonstrate new system enhancements and to answer questions and receive feedback

X Checklist is utilized to ensure that monthly and annual close out procedures are properly performed

X Central functional offices use websites to provide for communication of procedures or policies, to provide resources and training programs, and to assist in the understanding of accounting, reconciliation, and reporting requirements

X Channels of communicating have been established for requesting and approving funds

X Management utilizes official memos to deans, directors and department heads to communicate important matters especially regarding organization-wide issues

X E-mail is utilized to communicate day to day matters and to arrange meetings

X Performance indicators are measured and communicated by central functional offices to assist management in understanding whether goals are met

X Standard queries or reports are provided by central functional offices to assist colleges / schools / departments in monitoring financial activities

X Controller’s Office communicates significant noncompliance matters or controls issues that remain uncorrected, to appropriate Deans and Vice Chancellors to enhance the consequences of non compliance or lack of controls at a campus department.

X Major computer system applications require annual certification and semiannual review of security access rights

X Security access rights for employees terminating or transferring to a different department are immediately removed from the system based on the HR action date

X Business continuity plans are documented, tested and communicated to the appropriate staff

Others: _____________________________________________

G. MONITORING:

Monitoring is a process that assesses the quality of internal controls performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. This process is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

Ongoing monitoring activities are built into the normal recurring activities of the entity and include regular management and supervisory activities. Managers are in touch with operations and may question reports that differ significantly from their knowledge of operations.

In many entities, internal auditors or personnel performing similar functions contribute to the monitoring of an entity’s activities through separate evaluations. They regularly provide information about the functioning of internal controls, focusing considerable attention on evaluating the design and operation of internal controls. They communicate information about strengths and weaknesses and recommendations for improving internal controls.

Monitoring activities may include using information from communications from external parties. Customers implicitly corroborate billing data by paying their invoices or complaining about their charges. In addition, regulators may communicate with the entity concerning matters that affect the functioning of internal controls, for example, communications concerning examinations by bank regulatory agencies. Also, management may consider communications relating to internal controls from external auditors in performing monitoring activities.

G.1 Internal Audits

Internal Audit – Note the separate evaluations performed by the internal auditor during the year or within 3 years to review and test controls associated with financial reporting. If none were performed, note “N”. If review or results are pending, note “P”. If performed, note the various reviews and tests performed and if no findings significant to financial reporting were determined note an “X” or an “I” if the review and test results indicated significant deficiencies in controls over the financial reporting. If “I” is noted, provide a discussion of the plan for improvement or changes made in response to the review in the summary findings section at the end of this assessment. The internal audits provided in the assessment template are examples. Other internal audits completed but not listed as an example should be added to the list if deemed important to financial reporting. Please note that the indication of internal audits completed can result from either direct written evidence or implied knowledge of an informed person.

X Internal auditors perform annual risk assessments to determine plan of work

X Internal auditors perform reviews of IT systems

X Internal auditors perform reviews of functional processes

X Internal auditors perform reviews of reported hot line issues

X Internal auditors communicate concerns with the central functional offices

X Internal auditors perform reviews on contracts and grants

X Internal auditors perform reviews on student financial aid

X Internal auditors perform reviews on departmental reconciliations

X Internal auditors perform reviews on risky departments

X Internal auditors perform reviews on transactions with unusual vendors or expenditure activity

Other _____________________________________________

G.2 External Audits

External Audit – Note the audits performed by external auditors during the year or within 3 years to review and test controls associated with financial reporting. If none were performed, note “N”. If audit results are pending, note “P”. If performed, note the various audits performed and if no findings significant to financial reporting were determined note an “X” or an “I” if the audit results indicated significant deficiencies in controls over financial reporting. If “I” is noted, provide a discussion of the plan for improvement or changes made in response to the audit in the summary findings section at the end of this assessment. The external audits provided in the assessment template are examples. Other external audits completed but not listed as an example should be added to the list if deemed important to financial reporting.

X State Auditor performs reviews over financial statements

X State Auditor performs reviews over accounting functional processes

X State Auditor performs reviews of state and federal compliance

X OSC contract auditors review potential overpayments

X Federal Auditors perform reviews over indirect cost proposals

X State Auditors perform reviews over IT systems

X State Auditors perform reviews over contract and grants

X State Auditors perform A-133 audit including the University’s student financial aid

X State Auditors perform reviews over CAFR package

X External Auditors perform reviews over specific contracts and grants

X External Auditors perform reviews over the various Foundations and LLCs

X External Auditors perform reviews over the Athletic Club

X UNC-GA monitors compliance with FIT standards and KPI reporting

Other ___________________________________________

G.3 Internal Monitoring

Internal Monitoring – Management is responsible for the oversight and monitoring of controls deemed most important (KEY) to ensuring the fair presentation of the University’s financial statements in accordance with the applicable accounting and reporting standards. The specific processes previously reviewed include monitoring procedures related to this responsibility. This section is provided to identify and highlight those monitoring procedures so that the user of this assessment will have a better understanding of the university’s internal monitoring procedures over financial reporting. To reinforce the identification and understanding of the university’s internal monitoring procedures over financial reporting, please note with an “X”, the monitoring procedures in place, an “I” if improvement is needed, or an “N” if not applicable or not considered necessary. The monitoring procedures listed are examples and, if different, should be changed to reflect the actual procedure in place. An “N” should not be used, nor should the example monitoring procedures be removed or deleted, if the intended procedure is applicable but not in place. In those cases, an “I” should be used. If “I” is noted, please provide a discussion of the plan for improvement in the Summary Findings Section at the end of this assessment. Other internal monitoring procedures in place but not listed as an example should be added to the list if deemed important to financial reporting. Please note that the indication of internal monitoring procedures in place can result from either direct written evidence or implied knowledge of an informed person.

G.3.1 Ongoing Monitoring


X Controller monitors the completion of key account reconciliations on a monthly basis
X The University Budget office, and colleges / schools / departments review for negative budget balances on a periodic basis
X Colleges / schools / departments are responsible to reconcile monthly financial activity
X Daily cash procedures monitored and verified by management
X Month end close procedures monitored by management
X Aging reports on outstanding receivables utilized and monitored by management
X Key accounts are reconciled monthly and reviewed by supervisor
X Journal entries are reviewed and approved prior to posting to ensure accuracy and appropriateness of entries
X Expenses must be approved prior to payment
X Disbursements processed through the voucher system must be matched with invoice, college approval, and receiving report
X High risk expenditures identified and subject to review during the year
X System test for duplicates by matching invoice number, invoice date, payee and amount
X Review of old outstanding checks over the established threshold amount
X Purchasing Department performs monthly reviews on transactions with unusual vendors or expenditure activity for personal items
X HR-Payroll creates and sends out a quarterly report to each campus unit to provide management information regarding off-cycle check activity (manual checks)
X HR-Payroll creates and sends out a quarterly report to each campus unit to provide management information regarding salary overpayments deemed avoidable, along with an invoice for collection of a 25% processing fee for those items
X Each unit of HR compiles SACS assessment / performance indicator data on a semi-annual basis
X The Financial and Management Resources Division prepares and publishes standard matrix information regarding performance for reporting to the Chancellor and Vice Chancellor and is available for use by campus managers.
X The Controller’s Office prepares and sends out information regarding #days it takes to process invoices, potential duplicates that may have passed the system, and currently initiating #days to process travel reimbursements to campus units.
X The Controller’s Office constantly maintains and monitors information regarding volume of initiated or pending AP transactions.
X The Controller’s Office performs overpayment audits to determine whether credit memos are outstanding and/or if credits exist with vendors through periodic confirmations with the vendors
Other ______________________________________

G.3.2 Annual Monitoring

X Account analysis and testing performed for ensuring accuracy of year end reporting
X Meetings are conducted to discuss transactions / balances with departments when necessary
X Year End meetings are conducted with Athletics, Foundations, Investments and Endowment offices to ensure understanding of entries and to ensure appropriateness and to make adjustments if necessary
X Testing is performed on high risk transactions at year end
X Current to prior year comparisons performed to detect abnormal variance
X Ratio analysis on auxiliary gross profit performed to detect abnormal variance
X Analysis of expenditure transactions over a threshold amount performed to detect errors in recording
X Analysis of various accounts performed to detect errors in recording
X Student tuition and fees are recalculated to determine reasonableness of amounts recorded
X Lead sheets completed on major accounts to detect errors in recording and to ensure appropriate adjustments or disclosures
X Units under the Finance and Business Division prepare and send an annual report of activities, accomplishments and challenges to the Associate Vice Chancellor’s each year.
X Colleges prepare and send an annual report of activities, accomplishments and challenges to the Provost each year
X Annual inventory inspections are conducted at the direction of the Controller’s Office and spot checks performed to ensure proper reporting.
X Assets noted as missing during the annual inspections are reported to the department head. Information regarding items not located within 90 days of the annual inventory date is sent to the Vice Chancellor and Dean.
X Annually, the University Budget Office performs a review of selected auxiliary, sales and service units, and all student fee units. This review evaluates current and projected revenue of the unit, as well as the associated budget for the related activities.
Other ______________________________________

H. FRAUD PREVENTION AND DETECTION:

Types of Fraud:

Misrepresentation in financial reports
False or overstated expense reimbursements
False or overstated vendor invoices
Check tampering
Lapping of cash receipts
Bogus credits
Fictitious vendor
Substitution
Altering bank deposits
Forging checks
Kickbacks
Bid-rigging
Ghost employees
Skimming
Overstatement of payroll hours/effort
Asset misappropriations / Stealing
Theft / Larceny

Formula for Fraud:

Incentive / Pressure to commit fraud
Opportunities to commit fraud
Attitudes / Rationalization

KEYS TO FRAUD PREVENTION AND DETECTION:

Have a strong internal controls system in place. Control environment and risk assessment are the most important components.

Ensure that all transactions have more than one person involved from the beginning of the business process to the end.

When risks are high due to the limitation of staff, closer supervision over the business process, independent reconciliations/reviews, and audits are important to compensate for control weaknesses.

H.1 Material Fraud

Describe any material fraud affecting the financial statements occurring since the last review and the actions taken to reduce the risk of fraud. (If no material fraud has occurred, indicate “none”.)

None

H.2 Fraud, Whether or not Material, That Involves Management or Other Employees Who Have a Significant Role in the University’s Internal Control over Financial Reporting

Describe any fraud, whether or not material, that involves management or other employees who have a significant role in the University’s internal control over financial reporting occurring since the last review and the actions taken to reduce the risk of fraud. (If no fraud has occurred involving management or other employees who have a significant role in the University’s internal control over financial reporting, indicate “none”.)

None

H.3 Controls over Fraud

Controls over Fraud – Note with an “X”, the following control procedures relative to fraud prevention or detection in place, an “I” if improvement is needed or “C” if compensating controls exist to mitigate the risk of associated error, or an “N” if not applicable or not considered necessary. The control procedures listed are examples and, if different, should be changed to reflect the actual procedure in place. An “N” should not be used, nor should the example control procedure be removed or deleted, if the intended control is applicable but not in place. In those cases, an “I” should be used. If “I” or “C” is noted, please provide a discussion of the plan for improvement or the compensating controls in place that mitigate the risk of associated error in the Summary Findings Section at the end of this assessment. Other fraud control procedures in place but not listed as an example should be added to the list if deemed important to financial reporting. Please note that the indication of fraud controls in place can result from either direct written evidence or implied knowledge of an informed person.

X Segregation of duties
C Rotation of duties in positions susceptible to fraud
X Security cameras are utilized to monitor cash activities in high risk areas (for example, the Cashier’s Office, Dining Cash Room, Bookstore, and Transportation Cash Room)
X Adherence to organizational policies and procedures especially those concerning documentation and authorization of transactions
X Physical security over assets such as locking doors and restricting access to certain areas
X Proper training of employees
X Independent reviews and monitoring of tasks
X Clear lines of authority
X Conflict of interest policies, which are enforced
X Regular independent audits of areas more susceptible to fraud
X Independent reconciliations
X Inspections of documents based on cause or inquiry
X Positive pay procedures utilized to validate checks prior to payment by the bank
X Review of old outstanding checks
X Review of unusual vendors or expenditure activity
X Follow up on employee, customer, vendor or third party complaints
X Discovery of unusual items that indicate follow-up is necessary
X Problems detected by audits
X Unusual or unexplained report variances or financial statement trends
X System access has password strength and forced password changes
Other ______________________________________


I. SUMMARY FINDINGS ON REVIEW AND EVALUATION OF RISKS THAT AFFECT FINANCIAL REPORTING:

Based on the self assessment of internal controls over financial reporting, the internal control committee has identified the following areas that need improvement or that have compensating controls that mitigate the risk of associated error. Provided below in I.2 is the related plan for improvement if identified compensating controls are not sufficient. In addition, I.1 provides for the committee’s follow up on prior year areas noted as needing an action plan. Findings that are considered to be a significant deficiency or a material weakness in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the university’s ability to record, process, summarize and report financial information, should be noted as such in the summary finding and corrective action taken immediately to address the concern prior to the end of the year, the OSC certification and commencement of the state audit.

I.1 – Prior Year Summary Findings

I.1.1 Improvement Needed in Controller’s Office Disaster Recovery Plans that could affect the ERP Systems (F.1)

Discuss the prior year condition or event, causing the need for improvement of controls and whether the condition is a significant deficiency or material weakness:

The ERP systems are operated through two separate data centers with one center housing the production version of the administrative application and the other center housing the reporting version of the same software. If one data center fails the other center can provide service with as little disruption as possible. Loss of both data centers for an extended time period would disrupt the ability of the University to conduct business and would require central financial offices to use manual processes. However, we believe it is highly unlikely that both data centers would simultaneously experience major failures for an extended time period.

Discuss the prior year action plan(s) for implementing the recommended improvement:

The Controller’s Office, Cashiers Office, Payroll Office and Office of Information Technology (OIT) reviewed their business continuity plans to assure that manual operating arrangements will be sufficient in case the ERP systems are unavailable for up to 30 days. The plans were updated in December, 2011.

Has the prior year condition been resolved and the related risk over financial reporting mitigated:

Yes. The business continuity plan will allow for the basic operation of NC State University even if both data centers fail. The plan ensures adequate controls and a viable financial reporting environment. If both data centers fail, a read only database would be created at MCNC. Having read only financial data at MCNC would be less than ideal from an operational standpoint, but would provide clear audit trails. NC State is exploring the possibility of enhancing the data recovery at MCNC if both data centers fail on campus.

If not, discuss the current year status of the condition and action plan(s) for implementing the recommended improvement:

Not Applicable

I.2 – Current Year Summary Findings

I.2.1 Rotation of Duties (H.3)

Discuss the condition or event causing the need for improvement of controls and whether the condition is a significant deficiency or material weakness:

The University does not have the resources to systematically rotate duties for all employees who are in positions susceptible to fraud. This condition is not a significant deficiency or material weakness.

Discuss the compensating controls in place that mitigate the risk of associated error:

Although lean operating budgets have not allowed for optimal rotation schedules for employees in positions susceptible to fraud, other employees have been cross-trained to take over these tasks during vacation or sick leave. Also, employees do take vacation leave, thus providing the opportunity to discover any irregularities.

If compensating controls are not in place or not sufficient to mitigate the associated risk, discuss the action plan(s) for implementing the recommended improvement:

Not Applicable
