Financial Controls Self-Assessment Process

CAUBO 2008CAUBO 2008

Coordinator:Michele Pearce (Director, Accounting and Reporting)

Presenters:Lisa Nykolyshyn (Internal Auditor)

Cindy Armstrong-Esther (Manager, Financial Controls and Processes)

2

Presentation Overview

Reasons for initiating self-assessment project

How we started Checklist overview Roles and responsibilities Results of first implementation Lessons learned Future considerations

3

Reasons for initiating self-assessmentproject

One of many projects initiated to address the Auditor General of Alberta’s recommendation (2001): “modernize and significantly improve internal control systems”

Recognized interdependence between centralized and decentralized controls.

4

Reasons for initiating self-assessmentproject

Anticipated benefits of self-assessment process: Increases the awareness of desired

controls Provides a non-threatening means to

assess own area Provides assurance and/or inspires

change

5

How we started

2003-4: Internal Audit Services (IAS) and Financial Services (FS) develop a in-depth questionnaire covering a variety of areas (e.g., student grading, financial admin, records mgt)

2004-5: Piloted within a variety of depts, but received varying levels of support. Feedback suggested:

(+) Informative (--) Onerous

2006: Back to the drawing board!

6

How we started

2006: Limited the questionnaire to financial controls in a “checklist” format

Performed risk-assessment sessions with central service units for each major transaction stream

Used key controls to form the basis for each “checklist”.

In December 2006, began pilot testing in two faculties.

7

How we started

Early 2007: Developed a secure, on-line form

Password protected for each respondent

Can track respondents’ progress

Respondents can copy responses from one checklist to another, if required

Can generate reports for various audiences

8

How we started

Mid 2007: Project is rolled out to all units

Letter from VPFA introduces project to Senior Financial Officers (SFOs)

FS and IAS meet with SFOs/unit financial officers

All units with unique finance ids are to complete checklist

Submission deadline of January 31/08

9

Checklist overview

Ten sections:

1. Financial Administration (the only mandatory section)

2. Cash Handling – Point of Sale Operations

3. Cash Handling – Other

4. External Billing

5. Payroll

(Continued)

10

Checklist overview

Ten sections (continued):

6. Purchasing & Payables

7. Credit Card Purchases

8. Travel & Expense

9. Administration of Restricted Funds

10. Moveable Equipment

11

Checklist overview

Four Main Parts:

1. Section overview details who should complete each section, provides the annual $ and number of transactions for each transaction stream, and outlines the associated financial risks

2. Opt-outs allow respondents to identify why a section is not applicable to their unit:

• Don’t have that type of transaction.• Another unit processes that type of transaction for

us.• Etc.

12

Checklist Overview

3. Hyperlinks to policies, procedures and other guidance allow users to obtain further information, context.

4. Response options provide the means for the respondent to indicate whether each control is fully implemented:

Yes No, but will implement No, can’t implement (requires respondent to

explain)

13

Roles and responsibilities

Senior Financial Officers (SFOs) Take ownership of tracking completion of checklist

for units within faculty/portfolio Vet accuracy of responses Help units create action plans to address

weaknesses Communicate faculty/portfolio summary to Dean/VP

Financial Services/Internal Audit Services Provide support to SFOs Provide reporting to various parties

14

Reporting the results

1. Senior Financial Officers:

Two-page summary report and supplementary reports:

Units indicating that they need to implement a control. SFO to assess themes, track implementation

Units indicating that they could not implement a control. IAS/FS provided feedback to the SFO regarding whether

this environment presented additional risk to the unit/University.

SFO to determine actual risk.

Miscellaneous other reports

15

Reporting the results

2. Central Services Units Receive results related to applicable

section(s) of Checklist with no detail by portfolio

Purpose: Provides feedback on the quality of guidance &

related communications Leads to enhancements of Checklist itself (e.g.,

clarity of control questions) Allows central units to compare results with

own reviews.

16

Reporting the results

3. Vice President (Finance and Administration):

Receives a summary report of all portfolios, highlighting which major units need to address control weaknesses

4. Provost & Vice President (Academic), Board Audit Committee, Office of the Auditor General:

Receive a high-level report with no detail by portfolio listing trends and general areas for improvement.

17

Auditing the Results

No specific “Checklist” audits planned

BUT, we will compare results to other reviews/audits SMS regularly audits purchase orders, credit card

purchases, travel & expense claims

IAS is currently conducting a Payroll audit

IAS is implementing “continuous” (automated) auditing programs, analyzing full populations of data.

Will provide “gap analysis” to appropriate parties

18

Results of first implementation

Results for 460 Checklists, from 25 faculties/portfolios:

86 % answered “Yes” to control questions 8 % answered “No, but will implement” 6 % answered “No, can’t implement”

IMPT: Analysis of responses is required: Some respondents indicated “Yes” but

qualified their answer “No, can’t implement” used when control

“N/A”

19

Results of first implementation

Top 3 for “No, but will implement” response: Moveable Equipment, Purchases & Payables,

Miscellaneous Cash

Top 3 for “No, can’t implement” response: Financial Admin., Credit Card Purchases,

Payroll “Insufficient staff to implement control” “Control doesn’t make sense given our

business”

20

Results of first implementation

Feedback from respondents quite positive Examples:

“I appreciate the opportunity to complete this checklist. It has prompted a review of relevant policies and procedures, some of which have changed without my notice. Also, it has prompted some questions (see responses).”

“I found this exercise very helpful, if not as a refresher re. controls, also as a guide to assist in training and advising other members of the unit re. policies and procedures (reasons for ...)”

21

Lessons learned from first implementationThings we’d do again… Keep the number of controls to reasonable level

Risk-based approach Central services unit ownership, with IAS

facilitation

Continue to use focus groups to improve wording Can be used to improve policies and

procedures, too

Invest time with departments upfront (e.g., walkthroughs)

22

Lessons learned from first implementationThings we’d do differently…

Would offer “N/A” response option, with explanation required

Would not allow respondents to qualify “Yes” responses with comments

Would clarify scope for Restricted Funds section

23

Future considerations

Plans

Update checklist based upon respondent feedback, review of prior year’s risk assessments, and any recent changes to policies and procedures.

Develop additional sections re restricted funds and donations (high-risk areas)

Create opportunities for SFOs to be more involved in the process.

24

Future Considerations

Challenges

Consider how to deal with persistent internal control weaknesses in particular units

Review whether units complete a checklist for every “dept-id” , every year.

Place on dept-id different cycles, based on materiality?

Report results by user instead of dept-id?

25

Future Considerations

Potential Applications

Develop on-line quizzes for on-line training

Integrate checklists into on-line “Guide to Financial Management”

Standardize presentation of material in policies and procedures, highlighting key controls.

Create additional guidance regarding implementing segregation of duties in small departments

26

Future Considerations

Administration of Checklist FS responsible for administration of

Checklist from 08/09 onward. IAS to continue involvement in annual

analysis of results and risk-assessment facilitation.

FS to focus support on Senior Financial Officers in each major unit (approximately 25 individuals).

SFOs to oversee self-assessment process within their portfolios.