Post on 11-Jan-2016

Auditors: Why do they ask all those questions?

LGC Resource April 2015

Penny Austin, Assistant Director – IS

Local Government Audit

Why those questions?

- Professional Standards
- Internal Controls
- Fraud
- Applicable Laws
- Data Analytics

Professional Standards

- GAO Yellow Book
- AICPA Standards
- OMB Uniform Guidance

Internal Controls

Processes effected by an entity’s management and other personnel designed to provide assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

COSO (Committee of Sponsoring Organizations) of the Treadway Commission

Simple Definition

Internal controls are common sense procedures that address:

- What could go wrong?
- What steps should be taken to prevent those events from happening?

Personal Internal Control System

Locking your car when you leave it in the parking lot

Comparing your receipts to your credit card statement

Balancing your personal check book

Why are Internal Controls Important?

- Protect the strong from temptation
- Protect the weak from opportunity
- Protect the innocent from false accusation

From Once upon Internal Control by James Ulvog, CPA

FRAUD TRIANGLE

- Opportunity
- Pressure
- Rationalization

FRAUD

Frauds discovered in recent years:

- Committed by one person
- Trusted employee
- Internal controls were either nonexistent or not monitored

Examples of Good Internal Controls

Effective Controls - Cash Receipts and Deposits

- Separate cash drawers
- Prenumbered cash receipts - 9-2-103, TCA
- Stamp checks “for deposit only” as soon as they are received
- Drawer checkout procedures
- Deposit timely - 3 day deposit law
- Deposit receipts intact

Effective Controls - Cash Receipts and Deposits (cont.)

- Deposit slips should be itemized
- Sign - “You must receive an official receipt or your transaction is not complete”
- Segregate duties - Employees responsible for receipting should NOT also be responsible for posting receipts to the accounting records.

Effective Controls - Disbursements

- Disbursements by official prenumbered checks
- Review documentation
- Do not sign blank checks
- Segregate duties between writing checks, signing, distribution, and posting to the accounting records

Effective Controls - Bank Reconciliations

- One employee should be responsible for opening the bank statement, reviewing it, and initialing.
- A separate employee should reconcile the bank statement monthly.
- Bank reconciliations should be reviewed by an employee not responsible for reconciling the statement.

Effective Controls - Procurement

- Establish clear lines of authority for approving purchases before they occur
- Purchase orders
- Verify availability of appropriations before purchases are approved
- Payments for purchases should only be made after documentation that the goods or services were received
- Segregate duties between approval, payment and updating the accounting records

Effective Controls - Journal Entries (JE’s)

- Use a standard journal entry form
- Supervisory review and approval of all journal entries
- Segregate duties between preparation of the JE, approval of the JE, and posting to the records
- Supervisory review that all JE’s were properly posted to the records

Effective IS Controls

Proper back-up procedures

- Daily backups should be stored in a secure location within the office.
- Weekly backups should be rotated to a secure, fireproof off-site location.
- A backup log documenting the location of all backups should be maintained.
- Backups should be tested.

Effective IS Controls (cont.)

Password Maintenance

- All users should have a unique login and password. Shared logins should not be used.
- Passwords should remain confidential.
- Passwords should be changed every 90 days.
- Passwords of former employees should be immediately disabled.

Effective IS Controls (cont.)

Disaster Recovery Planning

- Specific steps to follow to restore system
- Emergency phone numbers of personnel and vendors
- Backup storage location
- Manual procedures to follow until the system is restored

Effective IS Controls (cont.)

Policies and procedures manual

- Operating system and application security
- Start-up/shut down procedures
- Back-up procedures
- Hardware software maintenance procedures
- Daily, monthly, and year-end procedures
- Output distribution list
- Hardware disposal policy
- Virus prevention policy

Effective IS Controls (cont.)

Loading Operating System Updates

Restricting Physical Access to System

Proper Application Controls

- Adequate audit trail exists.
- Audit logs are maintained and reviewed.

Audit Logs and Other Reports

TnCIS

- Delete Log Report
- Out-of-Court Payments Report

Trustee

- Audit Changes By Date Report
- Unprorated Receipts Report
- Maximum Posting Date Report

Fund Offices

- Payroll Check Change Report
- Maximum Posting Date Report

Applicable Laws

Applicable Laws

- City Charters/Private Acts
- Budgeting Laws
- Purchasing Laws
- Fees and Taxes
- Filing Requirements
- Electronic Commerce

Applicable Laws

- TCA 6-54-903 – Requires cities to submit their travel policies to the Comptroller
- TCA 7-52-602 – Requires municipal electric systems to submit a business plan to the Comptroller
- TCA 5-8-505 – Requires county officials to file an annual financial report with the county mayor and county clerk

Applicable Laws

- TCA 47-10-119 – Requires all local governments who implement an electronic business system to file a statement with the Comptroller
- TCA 4-30-103 – Requires all local governments who implement a new technology platform to file a statement with the Comptroller

New Legislation

- Amendment to Financial Integrity Act requiring counties, municipalities, and metro governments to establish internal controls
- Amendment requiring local governments to close their accounting records no later than two months after fiscal year-end
- Amendment to CMFO Act changing the penalty provisions

Data Analytics

www.comptroller.tn.gov/la

Questions?

Penny Austin

Penny.Austin@cot.tn.gov