Uniform Guidance and Internal Controls: A Case Study

Rick Moyer, Stanford University
Kim Ginn, Baker Tilly
Ashley Deihr, Baker Tilly

Expected outcomes from this session:
- Translate university expectations and approaches to complying with the internal controls provisions of the Uniform Guidance.
- Understand a comprehensive approach to Uniform Guidance compliance, including roles, timeline, and challenges (Stanford University case study).
- Identify best practices in addressing Uniform Guidance internal controls requirements.

CFR 200.303 Internal Controls

The non-federal entity (i.e. University or College) must:

(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States and the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
(b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards.
(c) Evaluate and monitor the non-federal entity's compliance with statute, regulations and the terms and conditions of Federal awards.
(d) Take prompt action when instances of noncompliance are identified including noncompliance identified in audit findings.
(e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-federal entity considers sensitive consistent with applicable Federal, state and local laws regarding privacy and obligations of confidentiality.

What does Single Audit (previously A-133) guidance say?

1. Transactions are properly recorded and accounted for in order to:
   - Permit the preparation of reliable financial statements and Federal reports;
   - Maintain accountability over assets; and
   - Demonstrate compliance with Federal statutes, regulations, and the terms and conditions of the Federal award;
2. Transactions are executed in compliance with:
   - Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program; and
   - Any other Federal statutes and regulations that are identified in the Compliance Supplement; and
3. Funds, property, and other assets are safeguarded against loss from unauthorized use or disposition.

Discussion Time

How has your institution addressed the emphasis on internal controls?

Case Study: Stanford University

"One of the advantages of being disorganized is that one is always having surprising discoveries."
A.A. Milne/Winnie the Pooh

Pooh also said this.

"It is more fun to talk with someone who doesn't use long, difficult words but rather short, easy words like 'What about lunch?'"

Value Add of Stanford Sponsored Research Project

- Developed a sustainable model of reviewing and updating process documentation and testing internal controls for sponsored research and financial reporting processes.
- Provided guidance on technical matters related to interpretation of Uniform Guidance.
- Created a central repository to store all COSO Internal Controls documentation (e.g., process narratives, RCMs, and Master RCM), controls review documentation (e.g., testing workpapers, samples, populations), and resources (e.g., trainings, templates, emails).
- Coordinated drafting of Financial Reporting key control test plans and reviewed draft test plans.
- Held monthly status meetings with the COSO Steering Committee to discuss progress of the review.
- Provided insights on revising account reconciliation controls and review processes.

Governance Structure of Sponsored Research Internal Controls Project

Stanford's project was governed by the following groups:

Sponsored Research IC Executive Steering Committee
- Members:
  - Rick Moyer, Senior AVP for Audit, Compliance, Risk and Privacy
  - Susan Calandra, Senior AVP for Finance
- Frequency of meeting: Quarterly

Sponsored Research IC Steering Committee
- Members:
  - Henry Gusman, Senior Director of Internal Audit
  - Ken Schulz, AVP for Research Financial Compliance & Services
  - Russell Brewer, AVP of the Office of Sponsored Research
  - Sue Schmitt, University Controller
- Frequency of meeting: Every 1-2 months

Weekly meetings between Project Director, Stanford Internal Audit Services, and Baker Tilly

Considerations for Successful Implementation of a Sponsored Research Internal Controls Project

- Obtain initial buy-in from senior leadership.
- Begin the project on a pilot basis to gain an understanding of the most effective approach, appropriate roles, and effort expectations.
  - Stanford performed pilot controls documentation on two business processes, Subrecipient Monitoring and Property Management.
- Hold orientation and training sessions with relevant process owners to disseminate broader university knowledge of the Uniform Guidance.
- Hold ongoing status meetings or updates with the COSO Steering Committee and Executive Steering Committee.

Tools

Includes project management tools for your perusal.

Summary Level Project Approach

Summary Level Project Timeline

[Figure: timeline chart by month, 2015 to 2017. On-Site: FY15 Single Audit (A-133), Single Audit (UG), P2P Testing, Walkthroughs, Financial Audit Walk-throughs. Stanford Internal Activities: Phase 1 Stanford Documentation of Internal Controls; Mgmt scoping meeting; Process Leads Update Documentation; Stanford Internal Controls Testing (sample selection from same FY); FY 16 Phase II: FR, Entity Level, IT, PII, Indirect Cost Pools, and Fin Aid.]

Phase I Status (Controls Documentation): as of February 2016

1 Two P2P sub-processes sent to Steering Committee week of 2/8/16. Comments due week of 2/22/16. Remaining five P2P sub-processes to be sent to Steering Committee week of 3/7/16. Comments due week of 3/21/16.

Phase I Status (Controls Review): as of February 2016

| Business Process | Percent Complete | Date to Steering Committee |
|---|---|---|
| Subrecipient Monitoring | 100% | 10/28/2015 |
| Property Management (PMO) | 100% | 10/28/2015 |
| Award Setup and Maintenance | 70% | 3/31/2016 |
| Financial Reporting and Award Closeout | 70% | 3/31/2016 |
| Cost Transfers | 70% | 3/31/2016 |
| Burdening | 70% | 3/31/2016 |
| Quarterly PI Review | 25% | 3/31/2016 |
| Labor Charging | 25% | 3/31/2016 |
| Sponsored Receivables Management | 70% | 3/31/2016 |
| Procurement-to-Payment | Slated to begin May 2016 | June 2016 |
| Capital Accounting | TBD | TBD |
| Service Centers | TBD | TBD |
| Expenditure Allocation PTAs | TBD | TBD |

Phase I Status: as of May 2016

| | Process Documentation | Steering Committee Review and Incorporation of Comments | Testing |
|---|---|---|---|
| PTA Setup and Maintenance | Completed | Completed | Completed |
| Labor Charging | Completed | Completed | Completed |
| Procurement-to-Payment | Completed | Completed | June 2016 |
| Cost Transfers | Completed | Completed | Completed |
| Property Management | Completed | Completed | Completed |
| Capital Accounting* | Completed | Completed | FY 2017 |
| Subrecipient Monitoring | Completed | Completed | Completed |
| Service Centers* | Completed | Completed | FY 2017 |
| Expenditure Allocation PTAs* | Completed | Completed | FY 2017 |
| Burdening | Completed | Completed | Completed |
| Sponsored Receivables Management | Completed | Completed | Completed |
| Quarterly PI Certification and Revenue Review and Monitoring | Completed | Completed | Completed |
| Federal Financial Reporting and Award Closeout | Completed | Completed | Completed |

Phase I Controls Review: Dashboard and Observations

- Key Controls Documented: 107 (13 processes)
- Key Controls Tested:
  - 62 tested (9 processes)
  - 34 in process (1 process, P2P)
  - 11 to be tested (3 processes)**
- Key Controls Functioning as Intended: 55
- Key Controls with Exceptions: 7
- Remediation Plans Submitted: 7
- Key Controls Retested: 6
- Remaining Exceptions: 1 (Cost Transfers)

Of the 7 Key Controls with Exceptions:
- 2 Key Controls (1 remaining exception) - Process documentation (i.e., narrative and RCM) was not consistent with the design of the control or how the control is executed in practice.
- 3 Key Controls - Evidence of approval was not available.
- 2 Key Controls - Issue resolution or escalation was not documented.

Resolution of Remaining Exception: OSR has updated the Cost Transfer policy and it is under review by the Research Policy Working Group.

* See Appendix Phase I Controls Review: Exception and Remediation Plan Details (slides 9-11).
** 11 key controls to be tested in includes Capital Accounting, Service Centers, and Expenditure Allocation PTAs key controls and 6 key controls from P2P and Burdening that were not applicable to.

Phase I Controls Review: Pilot Controls Review Outcomes

Property Management Office
- Key controls tested: 11
- Key controls functioning as intended: 7
- Key controls pending testing: 4
- Key controls with observations: 1
  - KC-06.01: This control is functioning as intended. However, the Fabrication Request Form contains some inconsistencies as to whether the PI or a designee must approve a new fabrication.

Subrecipient Monitoring
- Key controls tested: 6
- Key controls functioning as intended: 5
- Key controls with observations: 1
  - KC-02.01: Invoices were not always signed by the Principal Investigator as required by SU subaward monitoring policy.
  - KC-02.01: The level of detail included on certain Subrecipient invoices was not sufficient to understand the costs.

Phase I Controls Review: Exception and Remediation Plan Details

| Process | Key Control | Exception | Remediation Plan | Remediation Plan Status |
|---|---|---|---|---|
| PMO | KC-07.01 | An error in the award name was noted in the PMO Sponsored Agreement Access Database, but there was not evidence of the error being corrected. | Correct award name in the PMO Sponsored Agreement Access Database. | Closed |
| Subrecipient Monitoring | KC-02.01 | Invoices were not always signed by the Principal Investigator as required by SU subaward monitoring policy. The level of detail included on certain Subrecipient invoices was not sufficient to understand the costs. | Remediation plan is documented and monitored by Internal Audit Management Action Plans. | Closed |

Phase II Status: as of February 2016

| Scope Area | Approach | Process Owner | Percent Complete | Date to Steering Committee |
|---|---|---|---|---|
| Internal Controls over Financial Reporting | Consolidate sponsored research processes RCMs with Financial Reporting RCM | COSO Sponsored Research Steering Committee | 30% | 3/15/2016 |
| Entity Level Controls | To be completed per PwC entity level controls template | COSO Sponsored Research Steering Committee | 70% | 3/15/2016 |
| IT Controls | Collate existing documentation on IT Controls relevant to sponsored research | IT; COSO Sponsored Research Steering Committee | 20% | 3/15/2016 |
| Personally Identifiable Information (PII) | Collate existing documentation on PII relevant to sponsored research | Stanford University Privacy Office | Coordinating with Office of Compliance and Privacy | NA |
| Indirect Cost Pools | To be modeled after other business process documentation | RFCS CMA | Slated to begin May 2016 | NA |
| Financial Aid | To be modeled after other business process documentation | Financial Aid | Initial meeting with Karen Cooper held 2/23 | NA |

Phase II Status: as of May 2016

| | Process Documentation | Steering Committee Review and Incorporation of Comments | Testing |
|---|---|---|---|
| Sustainability Framework for COSO Internal Controls | Completed | Completed | N/A |
| Entity Level Controls | Completed | Completed | Completed |
| IT General Controls | In process | July 2016 | July 2016 |
| Personally Identifiable Information | In process | July 2016 | July 2016 |
| Indirect Cost Pools | In process | July 2016 | FY 2017 |
| Financial Aid | In process | July 2016 | FY 2017 |

Sustainability Phase Considerations

- Upon completion of Phases I and II, Stanford will have a comprehensive set of sponsored research internal controls documentation.
- Considerations for sustainability:
  - Regular scheduled updates to documentation performed by process owners (e.g., annually prior to A-133 audit fieldwork)
  - Ongoing process and controls enhancement
  - Ongoing controls review to assess operational effectiveness of controls (e.g., round robin testing or Internal Audit testing)
  - Development and maintenance of a comprehensive controls repository
- Proposed approach to be discussed at next Executive Sponsor meeting

Proposed Sustainability Framework for and Beyond

[Figure: matrix of months (September through August) against project phases and responsible parties (Internal Audit, Process Owner, FMS Quality Project Manager, Steering Committee). Project phases, in order: Management Scoping for Current FY Audit; Update Current FY Process Documentation (Phase I); Current FY Internal Controls Review/Testing (Phase II); Send Current FY Process Documentation to (Phase III); Ad Hoc Updates to Current FY Process Documentation (Phase IV). December and March are marked "(review only)".]

* Green check marks indicate the project phases leading responsible party.

Summary Level Project Timeline: Next Steps

[Figure: timeline chart by month, 2016 to 2017. Tracks: Financial Audit; Single Audit (UG); Walk-throughs; Mgmt scoping and testing planning; Process Leads Update Documentation; Stanford Internal Controls Testing.]

Questions?

Contact us:
Rick Moyer, rick.moyer@stanford.edu
Kim Ginn, kim.ginn@bakertilly.com
Ashley Deihr, ashley.deihr@bakertilly.com