Internal Controls and Department Head Certifications

Transcript: Internal Controls and Department Head Certifications

The Future of the Departmental Compliance Certification Program and 2007 Results
2008 Business Practices Seminar
February 29, 2008
Presented by: Ken Miller, University Controller

Departmental Certification Process

The Departmental Certification Survey was completed for the
first time in FY07.

This certification process was requested by the Board of Visitors
and is consistent with the Sarbanes-Oxley (SOX)-like best
practices and the requirements of the Agency Risk
Management and Internal Controls Standards (ARMICS)
directive. It includes the following requirements for department
heads, center directors, etc.

• Ensure the internal control self assessment questionnaire is completed, AND
• Certify the adequacy of departmental internal controls subject to any deficiencies noted in the self assessment
Departmental Certification Process

The survey is comprised of several key questions in the following categories:

• Internal Control Environment
• Small Purchases
• Sponsored Projects
• Employee Compensation
• Fixed Assets
• Health and Safety
• Funds Handling
• Fiscal Responsibility
• Travel and Personal Reimbursements
• Information Technology Security
• Access and Key Controls
• Accounts Receivable
• Credit Cards (new to survey for FY08)
FY07 Departmental Certification Results
University Survey of Administrative and Business Practices, Fiscal Year 2007

Internal Control Category          Effective  Adequate  Significant  Unreliable  Total      Not Applicable  Grand  Percent Needing
                                                        Improvement              Responses  Responses       Total  Improvement
                                                        Needed
Internal Control Environment         304        77         1           -          382          -            382     0.3%
Small Purchases                      247        28         1           -          276        106            382     0.4%
Sponsored Projects                    98        58         1           -          157        225            382     0.6%
Employee Compensation                353        25         -           -          378          4            382     0.0%
Fixed Assets                         253        99        23           1          376          6            382     6.4%
Health and Safety                    164        86        77          39          366         16            382    31.7%
Funds Handling                        90        24         3           -          117        265            382     2.6%
Fiscal Responsibility                341        25         1           -          367         15            382     0.3%
Travel and Personal Reimbursement    353        21         -           -          374          8            382     0.0%
Information Technology Security      278        92         7           -          377          5            382     1.9%
Access and Key Control               276        34        36           7          353         29            382    12.2%
Accounts Receivable                   36        16         2           -           54        328            382     3.7%
Total Responses                    2,793       585       152          47        3,577      1,007          4,584     5.6%
Percent in Each Rating Category    78.1%     16.4%      4.2%        1.3%       100.0%
Fixed Assets

                                                                  % Effective or Adequate  % Needing Improvement
Proper Equipment Disposal                                                 100%                    0%
Fixed Asset Coordinator                                                    82%                   18%
Home use forms approved                                                    87%                   13%
Review of Home Use Equipment                                               76%                   24%
Proper disposition of Federal equipment at end of grant/contract           96%                    5%
Equip Coordinator Updates Banner                                           93%                    7%
Reconcile Equipment reports                                                96%                    4%
Fixed Assets

24 (6.4%) of Departments needing improvement:
• 2/3 are Cooperative Extension offices with a small asset base
• Almost all have had equipment inventories/confirmations during the last two years
• Training opportunity to clarify what survey questions mean
• Overall, survey results do not indicate any significant control problems; however, there are some areas needing improvement

Health and Safety

                                                                      % Effective or Adequate  % Needing Improvement
Designated Health & Safety Coordinator                                        64%                   36%
Employees Instructed in Work Related Hazard Reporting                         82%                   19%
Personal Protective Equipment                                                 89%                   12%
Managing Training Attendance                                                  67%                   33%
Safety Training Completed prior to working with hazardous materials           88%                   12%
Emergency Action Plan                                                         65%                   35%
Operations recovery Plans and Emergency Services                              58%                   42%
Health and Safety

116 (30%) of Departments needing improvement:
• 1/3 are Cooperative Extension offices housed in state or local government offices
• Employees instructed in work related hazard reporting was also a key weakness among departments needing improvement

Health and Safety

Action plans to mitigate control issues:
• University Environmental Health and Safety Services (EHSS) pilot evaluation program to assess departmental compliance with Policy 1005; highest risk departments will be reviewed first
• EHSS has reviewed emergency action plans for approx. 50% of major administrative/academic related structures
• EHSS has made significant progress towards completing Continuity of Operations Plans (COOP) for 20 major administrative depts. and two academic areas (College of Veterinary Medicine and the Graduate School)
• Appointment of Interim Director of Emergency Management
  • University wide Campus Emergency Management Program
  • Campus Emergency Action Plan
  • Continuity of Operations Plan for the University
Access and Key Control

                                      % Effective or Adequate  % Needing Improvement
Designated Key Control Coordinator            85%                   15%
Key Control Log                               89%                   12%
Unused Keys Safeguarded                       94%                    6%
Access and Key Controls

43 (11.3%) of Departments Needing Improvement:
• Of these departments, 47% do not have a designated key control coordinator and 51% do not keep a key control log
• Many are small organizations with few employees
• 76% are Cooperative Extension offices housed in state or local government facilities

These risks should be easily correctible.

Information Technology Security

                                              % Effective or Adequate  % Needing Improvement
Resource assigned to custodian                        97%                      3%
Need to secure confidential info.                    100%                      0%
Procedures to secure info.                            92%                      8%
Unique log-in ID and password                         99%                      1%
Password sharing is prohibited                        91%                      9%
'Strong' passwords are encouraged                     95%                      5%

IT Security (cont.)
Servers/workstations current security                 96%                      4%
Data backed up daily, stored remotely                 78%                     22%
Test periodically data recovery procedures            77%                     23%
Critical servers kept physically secure               97%                      3%
User access privileges reviewed annually              90%                     10%
Knowledge of Acceptable Use Policy 2015               97%                      3%
Business Impact Analysis submitted                    50%                     50%
• Results indicate improvement is needed most in regards to recovery, back up and risk assessment planning
• Where applicable (62% of respondents), 22% of depts. need to improve the daily back up and storage of critical data
• Where applicable (65% of respondents), 23% of depts. do not test data recovery procedures periodically
• Where applicable (54% of respondents), 50% of depts. have not prepared and submitted a business impact analysis/risk assessment for information assets within the last 3 years
Information Technology Security
Business Impact Analysis/Risk Assessment

A business impact analysis helps identify business functions and how
they will be impacted by a loss of technology resources over a period of
time

IT Security identifies organizations that need a risk assessment, to be
completed every 3 years, or more frequently if there are major changes
in the technology environment. The level at which the assessment is
needed depends on centralization/decentralization of IT functions within
an organization.

Risk assessments were completed in 2004. New risk assessments are
being prepared for 2008. Questions should be directed to Wayne
Donald, IT Security Office, [email protected]
Information Technology Security
Business Impact Analysis/Risk Assessment

The Information Technology (IT) Security Office has identified some
common risks, and put together a process and template for
departments to use in their effort. Individual departments are
encouraged to review those common risks to see which might apply to
their specific environment. They should then review their surroundings
to determine what specific risks exist for inclusion into the process.

http://www.security.vt.edu/RiskAssessment/riskassessmentmain.html

Website includes: fill in the blank template, list of common information
technology risks, spreadsheet for determining priorities for departmental
risks
Information Technology Security
Business Impact Analysis/Risk Assessment

Describe specific business functions, process, research, or extension environment that are unique within the realm of technology resources.

7 Steps:
1. Identify Technology Assets
2. Aggregate and prioritize the assets: critical, essential or normal
3. Identify risks – problems and threats
4. Prioritize risks
5. List and define risks
6. Reference risks to critical assets
7. Recommendations for resolving risks

Need management assessment to balance impact of risk vs. cost of security solution.
Risk Assessments are to be sent electronically to IT Security Office
Departmental Certification Process – FY08

This annual certification does not require that additional control processes be established. It only requires individuals in the key roles (department heads, directors, and all other university and college administrators) to reaffirm and acknowledge their existing responsibility for establishing effective business practices and internal controls.

A new electronic survey tool that will run in a web-hosting environment will be implemented this year to avoid the administrative and technical difficulties experienced with the survey tool used in FY07.

As the survey is web based, it will require PID and password authentication.
Departmental Certification Process – FY08

There will be 13 categories of questions; some categories may not be applicable to all departments.

For FY08, a 13th category is added for the Payment Card Industry Data Security Standard (PCI DSS):
• Standard developed by the major credit card brands; represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information
• Includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures
• Applies to all university merchants who process, store, or transmit credit card information
Departmental Certification Process
Draft Questions For Funds Handling Portion of Self Assessment
Does your organization regularly (defined as either routinely receiving more than $250 per week or receiving
occasional receipts which total more than $10,000 annually) receive funds (cash and/or checks or credit cards)
directly for goods for services provided to faculty, staff, students, or the general public? (Y/N)
If you answered “N” or No to the above, then please skip the remainder of the questions related to funds
handling.

Are pre-numbered receipts or similar control documents issued to payers for all cash, checks, and other
payments received? (Y/N)

Are copies of all voided receipts retained and reviewed periodically by someone other than the receipt writer?
(Always, almost always, most of the time, some of the time, never)

Are all checks restrictively marked or stamped as “for deposit only (organization name), Virginia Tech”
immediately upon receipt? (Always, almost always, most of the time, some of the time, never)

Is a local cash receipts log or electronic record maintained and reconciled daily to receipts recorded in Banner
Finance by someone other than those who collect and receipt cash? (Always, almost always, most of the
time, some of the time, never)

Are the cash reconciliations maintained for further review and reference? (Y/N)

Are records kept of all cash over/short situations for daily receipts and amounts greater than $5 investigated by
someone other than those who collect and receipt cash? (Always, almost always, most of the time, some of
the time, never)

Have you implemented up-to-date procedures or a funds handling plan which clearly establishes the necessary
separation of duties for the roles and responsibilities of “cash handler”, “depositor” and “reconciler”? (Y/N)

Has the funds handling plan been reviewed and approved by the Bursar’s Office? (Y/N)

Are funds physically protected (a safe is required for routine storage of amounts in excess of $500) until they are
deposited to prevent theft or misuse of customer financial information? (Y/N)

Survey Mechanics

• Only one person will be able to access the survey tool and enter responses per department/organization
  • Limiting data entry to one authorized person avoids the complications of the FY07 survey process, where data was lost or could be overwritten by several people for one department, or multiple surveys were submitted for the same department
• In late March, the Controller’s office will solicit from each department who should have input access to the survey tool
• The authorized user will receive an email invite with a link to the survey. DO NOT FORWARD THE LINK TO OTHERS AS ONLY THE AUTHORIZED USER MAY ENTER THE SURVEY. Also, do not delete the email invite; this is the only way to access the survey.
Survey Mechanics

In the email invitation to complete the survey, there will be a link to
the Controller’s page to print a blank copy of the survey

SUGGESTED PROCESS: print a blank copy of the survey and
solicit input from all appropriate parties within a given
department/organization. Then have the designated authorized
user for the survey enter the answers into the survey tool

The survey may be printed:
• As a blank survey with no answers – link to Controller’s page within invitation email
• Within the survey tool, “Print” button with answers partially complete
• Within the survey tool, “Print” button when the survey is submitted and finalized and answers are complete
Survey Mechanics

Each of the 13 sections will have several questions – scroll down
through the page to view all questions for a particular section.

“NEXT” button takes you to the next section/category of questions.
You can only go to the next section after an answer has been entered
for all questions within a given section.

Answers for the current screen will be saved when the “NEXT” button is hit.
DO NOT close the browser without saving your answers or you
will lose the answers entered for the current section.

Answers to all 13 sections do not need to be entered during one log on session; you will be able to save your results and return to the
survey as many times as is necessary. Once the results are finalized,
you will not be able to re-enter the survey or change the answers.
Survey Mechanics

After answers to all the questions have been entered, the survey
must be finalized and submitted in the survey tool.

Double check all answers entered and that the
department head agrees with the answers
before finalizing and submitting the survey
within the tool. Answers may be changed up
until the survey is finalized and submitted. After
this time, answers are set and can not be
changed.

Users will receive an email, confirming that the survey has been
submitted.
Survey Mechanics

Assessment results, based on survey answers, will be communicated
via a Departmental Certification Letter and emailed to the department
head upon completion of the survey. For each of the 13 categories,
a rating will be given:
• Effective
• Adequate
• Significant Improvement Needed
• Unreliable

A printed and signed copy of the Departmental Certification Letter
must be returned to the Controller’s Office by June 25, 2008

All questions should be directed to [email protected]
Departmental Certification Letter
This certification is a requirement for those holding a Dean, Vice President, department head, director, or other
administrative position with administrative and fiscal responsibilities for an organizational unit(s) within the University.
• I acknowledge it is my responsibility as a University department head to establish and
communicate effective business practices and internal controls for my department and to conduct
University business in accordance with University policies and procedures and applicable state
and federal laws or regulations.
• I acknowledge it is my responsibility to hire competent administrative personnel, to ensure that
they are adequately trained about university fiscal policies and procedures, and to create an
organizational structure that provides appropriate levels of authority, responsibility, and division
of duties.
• I am either not aware of any conflicts of interest within the last twelve months involving any
programs or personnel within my department(s) or other departments or have ensured that all
such conflicts have been reported and additional oversight procedures have been established to
properly manage any potential conflicts in accordance with the faculty handbooks and other
university policies.
• I am not aware of any violations of state or federal laws or regulations within the last twelve
months involving any programs or personnel within my department(s) or other departments, or
have ensured that all such violations have been reported and have made available to central
administration and the Controller all communications from state or federal agencies related to any
possible noncompliance with any such laws or regulations.
Departmental Certification Letter (cont.)
• I acknowledge it is my responsibility to establish appropriate business practices and internal
controls to provide reasonable but not absolute assurance of adequate security for information
technology resources within my department in accordance with Policy 7010.
• I acknowledge it is my responsibility to establish appropriate business practices and internal
controls to provide reasonable but not absolute assurance of proper stewardship and safeguarding
of public assets such as requiring that all financial transactions are properly processed, reviewed,
approved, and reconciled and departmental financial, physical, special and technical resources
(such as monies, equipment, inventory, etc.) are protected from theft or fraud and controlled by
periodic physical inventories. At a minimum I, or members of my units, have completed the
University’s internal controls self assessment tool and reviewed the business processes and
internal controls related to the following areas:
• Employee compensation
• Other disbursements processes
• Fiscal Responsibility
• Equipment / Fixed Assets
• Funds Handling (if applicable)
• Physical Access and Key control
• Sponsored Projects processes (if applicable)
• Information Systems Security
• Health and Safety
• Accounts Receivable (if applicable)
• Credit Cards (if applicable)
Departmental Certification Letter (cont.)
Furthermore, I affirm, based on the results of the self assessment, that I have established adequate
business practices and internal controls for my department(s) except for those areas needing
corrective action which I have listed below.
Self Assessment Results

Category                                  Effective  Adequate  Significant Improvement Needed  Unreliable
General-Internal Control Environment
Small Purchases
Sponsored Projects
Employee Compensation
Fixed Assets
Health and Safety
Funds Handling (Bursar’s Procedure)
Fiscal Responsibility
Travel and Personal Reimbursements
IT Security
Key Controls
Accounts Receivable
Credit Cards

(In the letter, each category row is marked with an X under one of the four rating columns.)
Scoring in grid above is for illustrative purposes only. Actual results depend on survey answers.
Departmental Certification Letter (cont.)

To the best of my knowledge and belief, I certify the above to be true and correct, for the following
departments: ______ except as noted below:

________________________________   _____________   Dept. Head
Signature                          Date

________________________________   _____________   Business Mgr. or fiscal Staff
Signature                          Date

________________________________   _____________   Other fiscal staff (if appropriate)
Signature                          Date

________________________________   _____________   Other fiscal staff (if appropriate)
Signature                          Date
Based on the results of the survey, I have determined that business practices and controls should be
improved in the following areas:
I will work with the Controller’s Office and the central university administration to develop a cost
effective plan which considers available resources and establishes reasonable controls that correct these
deficiencies in a prompt and appropriate manner. If business practices and controls in other university units
affect my ability to have effective controls, I agree to participate in improving such controls with
these departments.
Departmental Certification Process – FY08
Draft Time Line for Process

• March 1 through March 15, 2008: Solicit departments to participate in pilot test of the certification process.
• April 1 through April 15, 2008: Distribute the cover letter, certification form and self assessment tool to all departments in Dwight’s area plus 10 additional pilot departments from a cross section of the university (academic, auxiliary, etc.). Gather and assess feedback on the process.
• April 16 through May 14, 2008: Implement any changes needed based on feedback from pilot group.
• May 15, 2008: Distribute cover letter, certification form, and provide access to self assessment tool to remaining departments.
• May 27, 2008: Run preliminary reports and send email reminders as needed.
• May 30, 2008: All surveys must be complete and finalized in survey tool.
• June 25, 2008: Deadline for the receipt of certification letters.

Regulatory Environment

Federal Government:

Sarbanes-Oxley Act of 2002 (SOX) – enacted in response to numerous major frauds in publicly traded companies such as Enron.
• Established additional regulations for auditors’ independence
• Requires increased expertise and fiduciary responsibilities for Audit Committees of Boards of Directors
• Requires certification by CEO and CFO about the financial statements and internal controls
• Created the Public Company Accounting Oversight Board (PCAOB) to regulate publicly traded companies
• Established tougher criminal penalties for corporate fraud

Currently, this law only relates to publicly traded companies, but it is considered “best practices” for internal control activities, and SOX sections 302 and 404 are being used as models for other companies and governmental agencies.

OMB Circular A-123 requires Federal Agencies to adopt SOX-like processes related to the establishment and assessment of internal controls.
Regulatory Environment

AICPA – Statement on Auditing Standards 112 (SAS 112)
• Established by the American Institute of Certified Public Accountants (AICPA) to incorporate SOX-like internal control evaluation and assessment requirements for auditors of non-publicly traded corporations
• SAS 112 lowers the thresholds for Internal Control Deficiencies and gives auditors specific guidance on when such deficiencies are considered “Material Weaknesses” or “Significant Deficiencies”
• Material Weaknesses may result in a Qualified Audit Opinion for financial statements (This would have a severe impact on the university should this happen!)
Regulatory Environment

State Comptroller – Issued final directive called “Agency Risk
Management and Internal Control Standards” (ARMICS) in
November 2006

ARMICS sets minimum requirements for the establishment
and assessment of state agency internal controls in order to
effectively manage risk and maintain accountability. That is, it
establishes SOX-like and other similar internal control
standards for the Commonwealth of Virginia.

In addition to being a best practice, this is also proactive with respect
to the potential flow down of the OMB Circular A-123
requirements to entities that receive federal grants and
contracts.
ARMICS Directive

The overall goal of the ARMICS is to create procedures to document and evaluate internal control processes related to the following areas:
• Recording financial transactions into the general ledger system
• Compliance with financial reporting and audit requirements
• Compliance with laws and regulations
• Stewardship over University and Commonwealth assets and other resources
ARMICS Directive

ARMICS will have three major requirements:

Completed – Phase 1:
• Perform a university-wide analysis of components of five internal control processes
• Because these controls are generally broad and high-level or “soft” controls, most of our approach involved documenting the existence, strength and implementation of these controls rather than testing them
• The university’s Phase 1 response was coordinated and reviewed by the Controller and the newly hired Director of Internal Controls/ARMICS coordinator with input and assistance from various financial managers throughout the university
ARMICS Directive

In Progress – Phase 2:
• By June 30, 2008 – complete a review and assessment of fiscal processes and fiscal transaction level internal controls and certify to the State Comptroller that these controls are also effective or provide descriptions of the deficiencies.
• The assessment process will include a description of each fiscal process (including flow diagrams), a formal risk assessment, and an internal control evaluation and documentation of testing procedures performed to ensure the controls for these processes were effective.

Phase 3:
• By July 31, 2008 – provide a corrective action plan for any fiscal process deficiencies.
ARMICS – Phase 1

The ARMICS directive included sample self-assessment questions for each of the five internal control components:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and communication
5. Monitoring

We reviewed the university’s fiscal processes and the following areas were deemed “significant”:
• Human Resources
• Payroll
• Accounts Payable
• Bursar’s Office
• General Accounting
• Cost Accounting
• Financial Reporting
• Capital Budgeting
• Capital Design and Construction
• Financial Aid
• Budget Office
• Facilities
• Capital Assets & Fin. Mgt.
• Information Technology
• Fixed Assets/Equip. Inv.
• Purchasing
• IT Purchasing
• Insurance/Risk Mgt.
• Investment & Debt Mgt.
• Office of Sponsored Programs
• Admissions *
• Registrar *
* = Abbreviated Reviews
ARMICS – Phase 1
The managers in areas deemed “significant” completed a modified
version of the ARMICS survey. The composite results were used
to determine the university’s response to the survey. The
composite results were generally positive and were between 3.5
and 4.5, with 5 being the highest score indicating optimum internal
controls existed.
In our division, this control condition's reliability is "Optimized", so I strongly agree, giving a score of "5"
In our division, this control condition's reliability is "Integrated", so I agree, giving a score of "4"
In our division, this control condition's reliability is "Systematic", so I somewhat agree, giving a score of "3"
In our division, this control condition's reliability is "Informal", so I somewhat disagree, giving a score of "2"
In our division, this control condition's reliability is "Initial", so I strongly disagree, giving a score of "1"
In our division, this control does not or cannot exist, giving a score of "NA"
Control Environment
The Statement of Business Conduct Standards (SBCS) was used as
our Code of Ethics. We emphasized how this document was initially
acknowledged by full-time faculty and staff in 2005 and subsequently
given to all new faculty and staff for acknowledgment in the mandatory
orientation processes.

Attitudes towards risk, integrity and ethical values
• Core values from the strategic plan
• University level policies
• EO/AA statements
• Faculty and staff handbook
• Fraud, Waste and Abuse Hotlines

Control Environment

Promotion of ethics and appropriate conduct
• Robust Internal Audit department
• Finance and Audit committee (F&AC) of the BOV

Authority and Accountability
• Capital Assets and Financial management department functions
• University’s organization and accountability structure
• Fiscal responsibility and contract signature policies

Commitment to workforce competence and development
• HR policies and procedures
• Training programs
• Performance review process
Risk Assessment

• Strengths, Weaknesses, Opportunities and Threats (SWOT) type of analysis used to update the 2006-2012 strategic plan and annual budget process
• Completed risk assessments for highest risk and most significant fiscal processes
  • HR/Payroll
  • Accounts Payable
  • Cash Receipts in Bursar’s Office
• Completed Phase 1 questionnaires
  • Fixed Assets
  • Financial Reporting
  • Cost Accounting
Control Activities

• Significant System managers indicated controls were well functioning on questionnaire (average above 4)
• University wide system level controls were identified
• IT controls highlighted
• In conjunction with the risk assessments mentioned above, we only completed the identification of control activities to mitigate the risks for the highest risk and most significant fiscal processes.
• The questionnaire and certifications from the Financial and Business Management Compliance also served as documentation of the effectiveness of controls over our significant fiscal processes.
Information & Communication

“Top-down” communications from management
• Emergency notification process
• Professional media relations function
• DDDH memos (Deans, Directors and Department Heads)
• Training programs and newsletters from administrative offices

“Bottom-up” communications from faculty and staff
• University Governance Systems
• Fraud, Waste & Abuse Hotline
• Task forces and ad-hoc committees
• Surveys on topics of interest

Information policies and processes
• 7xxx policies related to IT
• Main fiscal processes reports and data warehouses
• BOV reports
• Audit reports
Monitoring

• Quarterly Financial Performance Report
• BOV oversight and approvals
• Quarterly analysis, reporting and follow-up processes by the Controller’s Office
• Enrollment management monitoring
• Equipment inventory monitoring
• Financial reporting process related to variance analysis and preparation of management’s discussion and analysis for published financial statements
• Internal Audit and APA audit processes and special reports
ARMICS Phase 2

For each significant fiscal process, we are required to perform the following:

• Complete a risk assessment matrix which includes:
  • Process overview narrative/data flow diagram
  • List of potential risks and relative ranking as to impact and probability
  • List of associated control activities to mitigate these risks
  • Determination of the effectiveness of the controls
  • Documentation of testing of each major control
• Overall evaluation of the system controls
• Development of corrective action plan if needed
Conclusion

If you would like to volunteer to be part of the pilot group of departments, please send an email to [email protected]

Questions?