STATEMENT OF AUDITING STANDARDS 112 (SAS112)STATEMENT OF AUDITING STANDARDS 112 (SAS112)Communicating Internal Control Matters Identified in an AuditCommunicating Internal Control Matters Identified in an AuditUC Riverside June 2007UC Riverside June 2007

" Today's  audit environment  encourages  transparency and

accountability. Therefore, an integrated

campuswide effort is  needed  to  effectively

steward the funds entrusted to UCR.”

Chancellor Córdova

1- Why SAS1121- Why SAS1122- What is SAS1122- What is SAS1123- Impact of 3- Impact of SAS112 SAS112 4- Internal Control4- Internal Control5- Minimizing risk in 5- Minimizing risk in dept. operationsdept. operations6- What to do?6- What to do?

AGENDAAGENDA

WorldCom WorldCom Enron Enron

- American Institute of Certified - American Institute of Certified Public AccountantsPublic Accountants

For non-profit organizations For non-profit organizations (UCR)(UCR)

- SAS 112- SAS 112

Why SAS112?Why SAS112?

- United States Federal Law and SEC- United States Federal Law and SEC For Public CompaniesFor Public Companies

-Sarbanes–Oxley (SOX):-Sarbanes–Oxley (SOX):Requires Requires

conducting an conducting an assessment of the assessment of the effectiveness of effectiveness of internal controls internal controls by management, by management,

to be audited and to be audited and approved by the approved by the company’s company’s independentindependent accountantsaccountants

SAS112 is our SOXSAS112 is our SOX

Northwestern University (2003). Fine = $5.5m

Harvard University (2004). Fine = $2.6m

Florida International University (2005). Fine= $11.5m

University of Alabama Birmingham (2005). Fine =$3.4 m

Non-Compliance Fine$ - Contract & GrantsNon-Compliance Fine$ - Contract & Grants

Mayo Foundation (Mayo Clinics). Fine = $6.5m

University of California (2002). Fine =$1.8 m

What is SAS112?What is SAS112?Establishes standards for communicating internal Establishes standards for communicating internal control issues relating to:control issues relating to:

-integrity of financial reportingintegrity of financial reporting-compliance with applicable laws and regulationcompliance with applicable laws and regulation

Establishes standards that classifies Establishes standards that classifies communicated control issues as:communicated control issues as:

- control deficiencies- control deficiencies - significant deficiencies - significant deficiencies - material weaknesses- material weaknesses

SAS112 standards have been adopted SAS112 standards have been adopted by the federal agencies and the by the federal agencies and the Government Audit Standards has been Government Audit Standards has been updated to incorporate SAS112updated to incorporate SAS112

Impact of SAS 112 on UCRImpact of SAS 112 on UCR

Due to significant changes in the evaluation of control exceptions

and more stringent audit standards, UCR is more likely to encounter

control issues being identified and reported

- Increased scrutiny- Increased scrutiny- Larger audit samples- Larger audit samples

- More evidence and documentation - More evidence and documentation required during auditsrequired during audits

- Lower audit materiality thresholds- Lower audit materiality thresholds

Impact of SAS 112 on UCRImpact of SAS 112 on UCR

SAS 112 requires UCR to disclose deficiencies to 3rd parties:

RegentsSponsors (Federal, State &

Private)3rd party creditors

Accrediting agenciesRating agencies

Insurers

Impacts of deficiencies and weaknesses disclosures:Impacts of deficiencies and weaknesses disclosures:

-negative impact on reputation for UC, UCR, VCA, and -negative impact on reputation for UC, UCR, VCA, and DepartmentDepartment-increased internal and external audits-increased internal and external audits-audit disallowances, fines and penalties-audit disallowances, fines and penalties-potential negative impact on resource allocation-potential negative impact on resource allocation

Control Issues withControl Issues with - Ledger reconciliation & review- Ledger reconciliation & review - Budget variance analysis- Budget variance analysis - Revenue monitoring - Cash handling - Payroll processing- Payroll processing - Timekeeping & billing- Timekeeping & billing - Cost Transfers- Cost Transfers - Fiscal Year End Processes - Fiscal Year End Processes - PAN Reviews- PAN Reviews

Generally, internal controls Generally, internal controls at UCR are in order and adequate, at UCR are in order and adequate,

but there are departments,but there are departments,functions and areas where functions and areas where

we noted….we noted….

The campus goals, related to SAS112, are to:The campus goals, related to SAS112, are to: - Enhance understanding of Internal Controls- Enhance understanding of Internal Controls - Minimize Control Issues- Minimize Control Issues

Internal Control

Internal control is broadly defined as a process, effected by the UC

Regents, management and other personnel, designed to provide

reasonable assurance regarding the achievement of objectives in the

following categories:

•Effectiveness and efficiency of operations.

•Reliability of financial reporting. •Compliance with applicable laws and

regulations.

INTERNAL CONTROL

INTERNAL CONTROL

Who is responsible for implementing internal controls?

Executive Executive ManagementManagement

Departments Departments (Chair/ (Chair/

Director, Director, MSO, Staff)MSO, Staff)

CentralCentral Offices Offices

((Accounting, Audit & Accounting, Audit & Advisory Services, Advisory Services,

AP&B, OR,AP&B, OR,etc.)etc.)

PARPARTNETNERSRSHIPHIP

Control Units Control Units (Deans/VC(Deans/VC & CFAO)& CFAO)

Minimizing the Risks Department Head:

Oversees and is integrated into the financial management process

Ensures proper controls and monitoring procedures are in place

Ensures financial reports are accurate and meaningful Ensure SAAs, transactors and reviewers are

appropriately trained and supported in their key business process roles

Minimizing the Risks

Timely reconciliation and review of monthly ledgers Budget to Actual review

Analysis of causes for variances Review of payroll transactions by financial staff

and responsible manager Regular review of financial reports by

department manager and business officer Evidence of ledger reconciliation and review

New Ledger Recon Tool-coming soon

Minimizing the Risk

Timely resolution of errors Frequent and late cost transfers can be a symptom of a

deficiency Ensure sufficient segregation of duties

No one person should have complete control over the key processing functions for financial transactions

Provides for prevention and detection Errors Inappropriate activities

Post Audit Notification (PAN) Reviews Payroll/Personnel System and UCRFS transactions Timely Adequate

What to do:What to do:

•TrainingTraining

1- Self-report1- Self-report

2-Assistance2-Assistance

Everyone is responsibleEveryone is responsible

•Control AssessmentControl Assessment

When issues are identified:When issues are identified:

3-Escalate/Remediate3-Escalate/Remediate

4-Proactive Approach4-Proactive Approach

When control issues When control issues or policy non-complianceor policy non-complianceare recurring and systemicare recurring and systemic::

It will be transparent It will be transparent and there will be consequencesand there will be consequences

Contacts

Gretchen Bolar, Vice Chancellor-Academic Planning & Budget gretchen.bolar@ucr.edu

Bobbi McCracken, Asst. Vice Chancellor-Financial Services bobbi.mccracken@ucr.edu

Mike Jenson, Director-Audit & Advisory Services michael.jenson@ucr.edu

Bruce Morgan, Asst. Vice Chancellor-Office of Research bruce.morgan@ucr.edu

Toffee Jeturian, Asst. Director-Audit & Advisory Services rodolfo.jeturian@ucr.edu

Marc Guerra, Director-Financial Control & Accountability marc.guerra@ucr.edu