NASC Presentation – March 2014 An Overview of Pennsylvania’s Internal Controls By: Anna Maria Kiehl, CPA State Comptroller/Chief Accounting Officer Governor’s Office of Budget / Office of Comptroller Operations


Agenda

Pennsylvania’s Internal Control Structure

Statewide Audit Committee
- Functions of the Audit Committee
- Goals and Objectives of the Committee
- Frequency of Committee Meetings
- Questions?

Single Audit Finding Prompts Need to Improve Access Controls with SAP’s Governance, Risk & Compliance
- Background
- Overview
- Challenges
- Actions
- Useful Tools
- Sample internal flowcharts & reporting
- Questions?

Examples of Internal Controls in Pennsylvania

Component: Control Environment

Process: Methods for maintaining integrity, ethics and competency:
• Governor’s Code of Conduct/Ethics Disclosure Forms
• Statewide Audit Committee/Bureau of Internal Audits
• Auditor General Audits & Inspector General Investigations
• Bureau of Quality Assurance
• Independent annual audits
• Continuous IC Training & Employee Development/Standards
• Increased accounting and auditing entry level requirements

Component: Risk Assessment

Process: Methods for identifying and assessing risk:
• Recommendations of Audit Committee/Audit findings/MLCs
• System Development Life Cycle Reviews/Post implementation reviews
• Examining new programs and areas most vulnerable (e.g., systems, financial reporting, operational)

Component: Control Activities

Process: Implement controls through effective policies & procedures:
• General System Controls/data security
• System access controls
• Month-end closing processes and reconciliations

PA’s Process to Ensure Effective Internal Controls

Component: Information & Communication

Process: Information must be disseminated timely:
• Monthly/Quarterly/Comprehensive Annual Financial Reporting
• Required Communications with Management on Audit findings & Required Resolutions
• Quarterly Audit Committee Meetings/Annual Audit Plan/Findings
• Policy communications, e.g., New OMB Grant Reform standards
• Entity-wide business process communications
• On-line and classroom training for fraud detection and prevention, ethics, accountability and transparency requirements

PA’s Process to Ensure Effective Internal Controls

Component: Monitoring Activities

Process: Methods to continuously monitor internal controls include:
• Monitoring of role assignments & segregation of duties
• Continuous control payment monitoring
• Performance metrics and analysis/management dashboards
• Quality assurance processes to ensure compliance with laws, regulations, and policies
• Weekly system access controls risk reporting
• Inventory and Fixed Asset monitoring
• Management reviews/System Development Life Cycle Reviews

PA’s Process to Ensure Effective Internal Controls

Questions or Comments?

Functions of an Audit Committee

The audit committee reviews and discusses the following with the external auditors:
• Annual financial statements (CAFR)
• Single Audit report and findings
• Significant written communications between the independent auditors and management (i.e. management letter, unadjusted audit differences)
• Significant disputes or difficulties with management encountered during the audit
• Matters required to be discussed in accordance with SAS 114, “The Auditor’s Communication with Those Charged with Governance”

Functions of an Audit Committee

Internal Controls

Review the following with the internal auditors:
• Significant risks or exposures facing the Commonwealth, as well as steps taken by management to mitigate these risks
• The audit scope and plan for the internal auditors
• Any significant findings and recommendations from internal audits, along with management’s response
• Any difficulties the internal audit team encountered in the course of their audits

Goals and Objectives of the Committee

• Oversee the internal and external auditing and reporting process
• Provide direction for the Commonwealth’s limited internal audit resources
• Review and approve the Commonwealth annual audit plan to promote accountability and ensure management maintains appropriate internal controls
• Review audit findings and recommendations and direct the necessary follow-up to ensure appropriate corrective action is initiated across state agencies

Enterprise Risk Management (ERM)

PA has been moving forward with five strategic goals. These strategic goals are as follows:
• Established a Commonwealth-wide audit committee.
• Facilitate Control Self Assessment sessions with agency heads and management
• Complete a Commonwealth-wide audit risk assessment
• Develop an annual audit plan based on risk
• Established a Bureau of Quality Assurance to provide continuous monitoring for improper payments, compliance, and continuous process improvements.

Audit Committee Communications

Notifications will be provided to the committee when the following occur:
• Department of the Auditor General Opens a Special Performance Audit
• US Office of the Inspector General Opens an Audit
• Department of the Auditor General Releases a Special Performance Audit
• US Office of the Inspector General Releases an Audit
• BOA Releases a High Profile Audit

Frequency of Audit Committee Meetings

• The Audit Committee meets 3-4 times annually
• Usually meets at least twice with independent auditors to discuss CAFR and Single audits, auditor adjustments, audit findings, and management letter comments.
• Usually meets to approve annual internal audit plan and requests management reviews and audits of risk areas
• Agenda is typically set by the Director of the Bureau of Audits
• Comptroller and Director of Reporting attend the meetings and provide content.

Audit Committee

Questions or Comments?

SAP’s Governance, Risk & Compliance Module (GRC)

Background:

• Segregation of Duties risks within the Commonwealth’s SAP system resulted in a recurring single audit finding for 8 consecutive years.
• Previous attempts were made to address SAP Access Controls: Approva failed since it was not directly integrated with SAP.
• Number of users – Large organization with thousands of core users – needed a tool that could analyze large numbers of users with extensive access to multiple modules of SAP.

SAP’s Governance, Risk & Compliance Module (GRC)

• “Governance” is how we manage strategic initiatives
• “Risk” is the effect of uncertainty on business objectives. Risk management is the process that helps minimize financial losses
• “Compliance” goes beyond our conformity with laws and regulations to include all facets that affect integrity, reputation, and our “brand”

SAP’s GRC module provides the Commonwealth with an enterprise view across these activities throughout our organization.

SAP’s Governance, Risk & Compliance Module (GRC)

GRC is the system access control tool that helps:
• Protect key information
• Prevent unauthorized access
• Prevent unauthorized transactions
• Prevent errors and fraudulent activity
• Ensure proper Segregation of Duties (SoD)
• Ensure the security & integrity of our financial systems & reporting

SAP’s Governance, Risk & Compliance Module (GRC)

Challenges:
• The complexity of the GRC module/significant learning curve.
• The complexity and extent of access issues that developed over the ten years that SAP was in place.
• Little understanding of GRC from a rule set/business perspective
• Few resources to dedicate to such a large project
• Budget constraints prevented hiring SAP consultants
• Minimal guidance on how to best implement the system within our current business environment.
• PA’s role assignment process is managed by another state agency and sits outside of SAP.
• Multiple agency involvement – role development (OA-IT), role assignment (OA/HR) and risk monitoring (Comptroller)

SAP’s Governance, Risk & Compliance Module (GRC)

• Year 2010 – Year of planning and gaining an understanding of the system tools
• Small project team developed to coordinate the clean-up of SoD risks.
• The group led workshops of technical and business representatives to determine how to identify and resolve risks.
• Process is on-going

SAP’s Governance, Risk & Compliance Module (GRC)

Tremendous progress within the last 6 months:
• Resolving risks identified within our Office of Budget
• Systematizing & automating processes
• Documenting processes & procedures
• Improving communication between agencies
• Reporting
• And training personnel

SAP’s Governance, Risk & Compliance Module (GRC)

The Future:
• To continue GRC rollout to agencies with greatest number of risks
• Expect the cleanup to benefit the remaining agencies who share same roles/risks.
• Expect roles to stay clean going forward using GRC simulation tool.
• Most current pain: establishing a process to help agency HR reps interpret SoD risk results before requesting a role for their users.


SAP’s Governance, Risk & Compliance

Questions?