accounting and auditing topics for school districts€¦ · cipp/us, ceh, chfi, ccfe principal –...
Post on 04-May-2020
2 Views
Preview:
TRANSCRIPT
Accounting and Auditing Topics for
School DistrictsPresented to
NJASBOJanuary 15 and 17, 2019
Scott Clelland, CPA, PSA, RMA
Partner –Wiss & Company, LLP 34 Years Experience working solely in Public Sector Reviewer for International ASBO Certificate of
Excellence in Financial Reporting Member of the NJCPA Government A&A Committee Member of the Trustees of the RMA Association
David Gannon, CPA, PSA, RMA
Partner – PKF O’Connor Davies 21 Years Experience working solely in Public Sector Member of the NJCPA Government A&A Committee Reviewer for International ASBO Certificate of
Excellence in Financial Reporting Member of the Trustees of the RMA Association
Thomas DeMayo, CISSP, CISA, CRISC, CIPP/US, CEH, CHFI, CCFE Principal – PKF O’Connor Davies 15 Years Experience in Information Technology and
Cyber Security Experience with a number of different industries,
including: governmental, not-for-private, private schools, higher education, healthcare and commercial entities
Agenda
Fraud and Internal ControlsCybersecurity for School DistrictsGASB UpdateCommon Audit DeficienciesOpen Forum for Questions
FRAUD AND INTERNALCONTROLS
Overview of Fraud Presentation
Understanding internal controls
Fraud risk areas
Real life examples of fraud in school districts
Internal controls to prevent and detect fraud
Understanding Internal Controls
Internal Controls are an integral part of any organization’spolicies and procedures, that can be effected by its Board,management, and other personnel, that is designed toprovide reasonable (not absolute!) assurance regarding theachievement of the following objectives:
• Protecting its resources against waste, abuse, fraud or inefficiency
• Reliability and accuracy of financial reporting
• Effectiveness and efficiency of operations
• Compliance with laws and regulations
Understanding Internal Controls
Helps protect us from bad things happening!
As accountants we are very risk adverseindividuals• Internal Controls help mitigate risk
• Won’t eliminate risk
Understanding Internal Controls
Types of Risk a District May Face: Strategic – the risk that would prevent a District from
fulfilling its mission Financial – the risk that could result in a negative
financial impact to the District Regulatory – the risk that could expose the District to
penalties from a regulatory agency due to non-compliance with laws or grant requirements
Understanding Internal Controls
Types of Risk a District May Face (continued): Reputational – the risk that could expose the District
to negative publicity• Affects ability to pass annual budgets• Affects ability to pass referendums
Understanding Internal Controls
Types of Risk a District May Face (continued): Operational – the risk that could prevent the District
from operating in the most effective and efficient manner• Especially important given the limited resources
currently available
Understanding Internal Controls
What Could Go Wrong???: Program decisions being made with incorrect financial
information Deficits in operations Amounts due back to the federal government Lose support of the residents of the District Basic functions of the District are not working Modified opinion to financial statements Appointment of State Monitor
Understanding Internal ControlsInternal Controls Are SimpleWhat do you worry about going wrong?
• What keeps you up at night?
What steps have been taken to assure it doesn’tgo wrong?• Where are those internal controls?
How do you know everything is under control?• Have you looked to see if anything is working properly?
Understanding Internal Controls COSO’s Internal Control Framework:
• Internal control consists of five integrated components:
− Control Environment
− Risk Assessment
− Control Activities
− Information & Communication
− Monitoring– 17 principles are associated with the components
Understanding Internal Controls
Control Environment− The foundation for any system of internal controls
− Pervasive influence on all the decisions and activities of anorganization
− Either sets a positive or negative “tone at the top”− Components of the control environment include: integrity,
ethical values, commitment to competence, management’soperating style, human resource policies and practices andorganizational structure
Understanding Internal Controls Risk Assessment
− Risks are internal and external events that threaten the accomplishment ofthe District’s objectives
– Economic conditions – changes in state aid– New systems– Breakdown in internal control– Regulatory changes/tax levy caps/FB taken by State
− Risk assessment is the process of identifying, evaluating and deciding howto manage these events
– What is the likelihood of the event happening?– What would be the impact of the event occurring?– What can the District do to prevent or reduce the risk of the event occurring?
Understanding Internal Controls
Control Activities− Provides the tools for success – Includes policies, procedures
and processes designed to ensure that directives from theBoard and Administration are implemented
− Assists in the prevention or reduction of risks that canundermine accomplishment of the District’s goals
− Occurs throughout the District within every level and function
− Includes the following: approvals, authorizations, verifications,reconciliations, segregation of duties, safe guarding of physicalassets and evaluation of overall performance
Understanding Internal Controls
Information and Communication• Information must be captured, identified and communicated
– Has to be timely!
– Has to be accurate!
– Has to be communicated to those that need it!
» Board members
» Employees
» Those outside of the organization – Tax payers,parents, and vendors
Understanding Internal Controls
Monitoring− After internal controls are put in place, their effectiveness
needs to be monitored from time to time to ensure that thecontrols in place continue to be adequate and continue tofunction properly
– Are they operating as intended?
– Have the controls become outdated, redundant or obsolete?
− Management and the Board of Education should alsomonitor previously identified deficiencies to ensure they arecorrected
Understanding Internal Controls
Segregation of Duties− Responsibilities should be assigned to employees to ensure
one employee does not have total control over all aspects ofan entire transaction
− The District should reduce the opportunity for an employee tocommit or conceal an error, whether it be intentional orunintentional, or to commit fraud
Understanding Internal Controls
Segregation of Duties− Board responsibilities – effective oversight over management
− Purchasing and Accounts Payable
− Human Resources and Payroll
− Cash receipts and cash disbursements
− Rights to modules with financial accounting system
− Bank reconciliation segregated from cash activities– May be difficult if the Treasurer of School Monies position was
eliminated based on size of district
Fraud Risk Areas
Instances of fraud or suspected fraud related to third party vendors Need to assess the risk of fraud in each of your
Districts Need to put in place better monitoring procedures
over third party vendors that are charged with managing a function The “Trust Factor”
How fraud is Committed
Schemes – typically three categories:• Asset Misappropriation
• Corruption
• Financial Statement Fraud
Characteristics of Fraud-The Fraud Triangle3 Conditions generally present when fraud occurs:
• Management or other employees have an Incentive or are under pressure, which provides a reason to commit fraud
• The absence of controls, ineffective controls, or the ability of management to override controls provides an opportunity for a fraud to be perpetrated
• Those involved are able to rationalize committing a fraudulent act. Some individuals possess an attitude, character, or set of ethical values that allow them to knowingly commit a dishonest act.
Cases and Headlines
Examples of cases that have been in newspapers Do not think any of us want to be mentioned in the
press for fraud
Cases and Headlines
Woman accused of stealing from North Jersey school district charged with tax fraud Ex-Poplar School District worker pleads guilty to wire
fraud Insurance agent in New Jersey admits to defrauding
school district | Insurance Worker who stole from school district will go to prison,
lose pension
Cases and Headlines New Jersey Teacher Charged With Health Care Fraud
Conspiracy Targeting New Jersey School Employees Health Benefits Program District alleges fraud in charter school application Treasurer headed to prison after hosing fire department out
of $40K Engineer, Contractors, School Business Administrator
Charged in Kickback Scheme School board employee arrested in connection with stolen
laptops
Cases and Headlines
Ex-official admits stealing $90K for pocketing lunch money Educator arrested in Billing Fraud Case
Areas Most Susceptible to Fraud in School Districts Purchasing/Contract Mgt. and Quotes Third Party Vendors Cash Receipts/Revenue Payroll/Taxes IT issues/access/hacking
Areas Most Susceptible to Fraud in School DistrictsPurchasing/Contract management
• Vendor Existence/Setup
• Kickbacks from Vendors− Cash Payments
− Gifts from vendors in exchange for business
− In-kind
− Work done on private residences
― Contract Splitting/manipulation of quotes or bids― Fictitious vendors
Case Study #1-Purchasing
Background• Audit initially identified unusual fluctuations in
expenses in certain accounts• Follow up with Bus Adm and directed to pursue
further• Director of department out on medical leave• Fraud interview conducted and clerk opened up and
shared all sorts of information
Case Study #1-Purchasing
What was identified• 2 new vendors established without supervisor
approval• Access to add vendors to system without supervisor
approval• Purchases of supplies well in excess of needs all
associated with the 2 new vendors• Possible collusion with vendor and kickbacks
Case Study #1-Purchasing
How to Prevent• Make sure vendor set up is properly controlled• Question purchase requisitions/orders that seem
extreme or unusual• Question unusual fluctuations in expenses
Case Study #2-Contracts with Third Parties Background
• Outside vendor hired to provide certain services to districts
• Significant vendor contract• Vendor submits monthly invoices in summary form• Vendor is paid based on hours incurred per contract• Detailed timesheets and other supporting
documentation not provided
Case Study #2-Contracts with Third Parties Background
• Invoices reviewed internally and approved for payment
• Request for detail to prove hours incurred not requested
Case Study #2-Contracts with Third Parties What was identified
• District questioned invoice and decided to request additional support including timesheets for each individual charged
• Services never performed• Dates of service were on weekends, holidays and in
certain cases were doubled up• Services provided exceeded any reasonable day of
services
Case Study #2-Contracts with Third Parties How to Prevent
• Impact was hundreds of thousands of dollars of potential overcharges
• Request additional information to support invoice• Careful review of invoice to verify reasonableness of
dates charged for services• Look for unusual amount of services that would not
be possible to provide in a given day
Case Study #3-Collusion with Vendor
Background• Approved contract in place
• Individual from vendor assigned on site at district
• Relationships
• Projects approved
• Proper internal approvals and bill list
• Kick backs
• Impact-over $3.5 million
Case Study #3-Collusion with Vendor
What was identified• Business Administrator received invoice from vendor for
a service that had been completed a year ago while the individual was a principal
• Questioned invoice with vendor• After numerous attempts to get answers, withheld
payments of the contract• After meeting with management of vendor, individual
assigned admitted to receiving kickbacks from vendor
Case Study #3-Collusion with Vendor
What was identified• Investigation of entire contract• Outside vendor had ability to approve contracts for
services with vendor• Vendor inflated invoices above actual cost• Excess used to provide kickbacks in exchange for
services rendered.
Case Study #3-Collusion with Vendor
How to Prevent• Should not allow third party vendor to hire
contractors on behalf of district-violates statute as well
• Don’t be afraid to question project costs that seem unreasonable
• Controls in place over the third party vendor that everyone understands
Case Study #4-Cash Receipts/Revenue
Background• Certain cash receipts not recorded• Replacement of cash with checks• Miscellaneous unanticipated revenue• Control over entire process by supervisor• Involved cafeteria cash and checks related to rent
and other miscellaneous unanticipated revenue
Case Study #4-Cash Receipts/Revenue
What was identified• Procedures to divert cash• Lack of approval and tracking of rental of facilities• Collections of rental checks that no one tracked• Replaced cafeteria cash with rental checks to
support cafeteria deposit and pocketed cash• Impact - $90,000
Case Study #4-Cash Receipts/Revenue
How to Prevent• Too much control for one person-lack of segregation
of duties• No controls or approvals of facility use charges• Stronger controls in place over the collection of cash
Case Study #5-Payroll and Tax
Background• Payroll person paid $4,000 stipend to reconcile
account• Went out on medical leave• Reconciliation turned over to other payroll clerk-
viewed as superstar within district• Control over payroll process, reconciliations and
system now by one person
Case Study #5-Payroll and Tax
What was identified• Other internal accountant was reconciling
information and could not find discrepancy• Bus Adm jumped in to assist and in looking at the
information noticed that the payroll clerk was getting three checks each pay period.
• Accountant performed review and identified it had been going on for some time (since 2012)
Case Study #5-Payroll and Tax
What was identified• Approved salary of PR clerk was $62K and W-2 was for
$147K• Also evaded taxes by deleting information in the system
so that it would not be reported on W-2 to IRS• $315K was identified as being paid in excess of
approved salary• Once identified, stop payment placed on her next check
Case Study #5-Payroll and Tax
What was identified• Check cashing company cashed check, as has
always done, and it bounced after being voided by district
• District still responsible to make good on check• Person had a gambling issue
Case Study #5-Payroll and Tax
How to Prevent• Better segregation of duties-lack of strong controls
to prevent theft• Not a great idea to have someone working in the
payroll process also reconciling the account-leads to ability to commit fraud
• No review or checks and balances over the individual
Case Study #6-Technology Access Outside hacking of financial accounting system and banking
activities Replicated the process and was able to watch what was happening Attempts to transfer significant funds to foreign bank accounts Had passwords and access Missing was the electronic secure ID number How the fraud was discovered-emails notifying the district of
attempted transfers at off times/ Impact – close but no cigar-did not get away with it
Internal Controls to Prevent or Detect Fraud Proper Segregation of Duties
Effective IT General Controls-passwords, change controls, system rights, timely removal upon termination from district
Effective Monitoring and Oversight
Fraud Hotline / Anonymous Tip Center
Know your District – identify unusual fluctuations or spending
Need to assess risk in District
Internal Controls to Prevent or Detect Fraud Annually should assess risk in District Control assessment should be considered Need to consider cost vs. benefit of implementing an
internal control
Internal Controls to Prevent or Detect FraudSegregation of Duties (Examples) New employee setup (HR) segregated from Payroll
processing (Payroll), when possible Entering of cash receipts (clerk) segregated from
performance of bank reconciliation (Treasurer) New vendor setup (BA) segregated from processing
payments to vendors (Purchasing)
Internal Controls to Prevent or Detect FraudIT General Controls New User Setup Timely removal of access rights for terminated employees Program change controls Limitation of “super user” access Controlling of access to modules based on job description Limitation of rights to post journal entries Passwords
Internal Controls to Prevent or Detect FraudEffective Monitoring and Oversight
Business Administrator
Board members
Superintendent
Principals
HR Manager
3rd Party Management Companies
Internal Controls to Prevent or Detect FraudReporting Fraud
Create internal confidential reporting process
Protection from retaliation for whistleblowers
Timely investigation of fraud allegations
Report to external parties deemed appropriate in the
circumstances
Internal Controls to Prevent or Detect FraudKnow your District–Fraudulent activity can be prevented or detected
Investigate significant transfer requests on monthly Board Secretary Reports – mis-postings may be done intentionally to conceal fraud
Look for unusual fluctuations
Keep your eyes open and listen
Annually make sure the District communicates its policy on fraud, illegal acts and conflicts of interest policies
Randomly question department heads on their monthly spending – let them know you are watching
Randomly contact vendors to confirm purchase orders/activity
Challenge the quote process and unusual requests
Internal Controls to Prevent or Detect Fraud
Ways to Prevent Fraud Surprise audits on specific district functions or operations
Payroll distribution audits-now required by AccountabilityRegulations
Require job rotation, when possible
Require mandatory vacations
Communicate the District’s views and policies regarding fraud
Annual Independent Financial Statement Audit
Conditions to Suggest the Possibility of Fraud Important contracts are “missing”
Subsidiary ledger is not satisfactorily reconciled to its control account
The results of an analytical procedure performed during the audit may not be consistent with expectations
These conditions, however, may be the result of circumstances other than fraud. Even reports of alleged fraud may not always be reliable because an employee or outsider may be mistaken or may be motivated for unknown reasons to make a false allegation.
Keys to Preventing or Detecting Fraud
Maintain a sense of skepticism
Work together with your auditors to identify areas that you consider to be high risk
Eliminate excessive authority residing with one individual
Effectively monitor the activities of your District and question any deviations
Maintain an effective line of communication throughout all levels of employees and encourage open dialogue
Conclusion and Wrap Up
Fraud is prevalent in all types of entities
Important for the Board and administration to set the tone
Ensure controls are in place and evaluated periodically to
prevent errors and fraud
Internal controls are implemented for the protection of the
administration and the District as a whole
Make sure the District is appropriately insured
Conclusion and Wrap-Up
Limitations on Internal Control Only as good as the people using it Management override of any control can cause a
deficiency to occur Collusion by two or more people can render a control
ineffective
Questions
CYBER SECURITY
Cybersecurity For School Districts
School Districts in the News
Cyber Fraud is Big Business
Cyber Fraud is Big Business Malware is specifically written to target bank accounts, credit card information, personal information,
etc.
Hackers for hire – A terminated employee recently paid hackers to launch a year-long denial of service campaign against the former employer.
Turn Key Solutions• Fraud As A Service (FAAS)• Attacks As A Service (AAAS)• Malware As A Service (MAAS)• Ransomware As A Service (RAAS)
Products and Services come with warranties, feature requests, training programs and customer support.
Web Layers
Dark Web Markets
Dark Web Markets
Dark Web Markets
Cyber Threat Landscape
Social Engineering Social Engineering – The act of tricking you to perform an action
or disclose information to a cyber criminal through social interaction.• Also, the primary method students use to obtain teacher
credentials Actions are things such as:
• Clicking on Links• Downloading and Executing a File• Opening a Microsoft Office type document or pdf • Submitting information into a form• Providing information over the phone
Social Engineering Key Types of Social Engineering
• Phishing – An malicious e-mail sent to a broad base.
• Spear Phishing – A malicious e-mail sent to a very specific set of individuals. May include elements of impersonation.
• Whaling – A malicious e-mail specifically targeting senior executives.
• Vishing – Fraudulent Phone calls• Smishing – All the elements of phishing but
in the form of a text message.
Social Engineering
Ransomware
Ransomware = Cyber extortion• It is evolving and becoming more targeted.• Ransoms are becoming more tailored. Ransomware may be designed to:
• Encrypt all data or systems on the network it can reach.• Take down systems by way of denial of service attacks.• Threaten to expose sensitive information
e.g, Social Security Numbers, Credit Card Numbers, etc.
Cyber Extortion Statistics
• 68% of companies reported that their networks went from functional to encrypted and useless in minutes.
• 85% of companies targeted by ransomware were down for a week or more.
• 15% percent of companies found their data completely unrecoverable.
• Cybercriminals pocketed over $1 Billion in 2016. − Source: The Grim Reality of Ransomware
Cloud and Mobility Many school districts are moving to cloud-based solutions
for their key applications. • Manage and store student records. • Support classroom education and assignments. − “Smart Classrooms”
• Allows for interaction and communication with parents. • Students are provided tablets, laptops, and/or chrome
books. • Faculty and Administrators connect their personal mobile
devices.
Cloud and Mobility
Cloud and Mobility
Data is being stored in places (e.g., employee personal devices) it can not be effectively controlled and protected. Shadow IT has increased dramatically.
• Faculty and administrators find their own solutions to interact with students, parents and store student data.
• Security and Privacy of theses systems are not assessed.
Known Weaknesses and Misconfigurations
The following are used by internal and external threat actors. • Known Vulnerabilities (Unpatched Systems)• Insufficient Endpoint Monitoring • Default Credentials• Vulnerable Web Applications• Weak Network Configurations and Design • Third Party Connections
Third Party Due Diligence
Third Party Risk Management
School districts have specific obligations to protect student data:• FERPA – Family Educational Rights and Privacy Act.• COPPA - Children's Online Privacy Protection Act.• State Breach Notification Laws. These obligations do not end when using Third
Parties.
Third Party Risk Management Any connection to your environment is an exposure point. Allowing a third party to create, maintain, use, transfer or
destroy information on your behalf creates risk. Vendor management and monitoring is critical. Vendors are a means to delegate a task. Responsibility will
always remain with the organization and cannot be delegated.• Issue security based questionnaires. • Obtain and review a vendor’s Service Organization
Control Report (SOC) 1 or 2.
Cybersecurity Playbook Senior Management/Board oversight and support is key
• The Board and Management must understand their role− National School Boards Association (NSBA) 2018
Cyber Risk Report (CRR) sited that most Board members don’t understand their role in overseeing cybersecurity risk management.
• Make cybersecurity an agenda item.• Educate the Board. Ensure you have a resource that can effectively
communicate cyber risks in understandable terms.
Cybersecurity Playbook Establish a role or department with the appropriate skill set and
sufficient authority to oversee, manage and communicate cyber risk. • NSBA 2018 CRR sited that it is often non-cybersecurity
professionals leading the efforts and communications. • This oversight should ensure that any procurement of an
application or third party that may impact the security and/or privacy of student and employee data is reviewed and approved by the designated individual/department. This will ensure a holistic and unified approach.
Do not underestimate your cyber risk and fraud exposure – SIZE DOES NOT MATTER!
Cybersecurity Playbook Do not assume that information security is only an IT issue.
• Cybersecurity is a District issue that requires the assistance of a technical solution.
Establish or verify you have a well-defined IT security governance and risk assessment/management program.• Cyber risks must factor in People, Process and Technology. • Cybersecurity is not just a business expense, but a key
component in providing a safe and effective educational environment.− It is no longer an expense to the business, it is your
business.
Cybersecurity Playbook Ensure the District has identified and documented all the
processes that result in the creation, transfer or storage of sensitive information (credit card numbers, social security numbers, etc.) Ensure Faculty and Administrators only use approved
District applications and store data in approved repositories. Ensure you have strong procedures around the electronic
transfer or movement of money. Ensure your e-mail security appliances are effectively
configured to detect malicious e-mails.
Cybersecurity Playbook Provide routine security awareness training.
• Your employees are your biggest security investment and vulnerability.
• Phishing training is essential. Perform due diligence on all third parties. Use two-factor authentication when possible.
• If not possible, strong passwords are key.• Train employees to use passphrases.
e.g., “PKFOD is the Best @ Cybersecurity!” Isolate key assets and data.
Cybersecurity Playbook
Ensure that a sound and well-tested backup and recovery methodology exists. Publish a business continuity, disaster recovery and
incident response strategy that is aligned to the District’s needs. Publish a mobile device strategy.
Cybersecurity Playbook
Obtain cyber liability insurance and know the role it will play in incident response situations. Have routine independent IT cyber/security
assessments.
Cybersecurity
GASB UPDATE
GASB 75 - OPEBs
Reporting for Postemployment Benefits Other Than Pensions Issued in June 2015 WHAT THE HECK IS TAKING SO LONG????
GASB 87 - Leases
Effective for School District financial statements June 30, 2021 No longer classifies leases as operating or capital All leases will be considered capital and liabilities in
the financial statements unless it is considered a short term lease Short term leases are leases that expire in less than
one year
GASB 88 – Disclosures Related to Debt
Effective for School District financial statements June 30, 2019 Requires additional information to be disclosed,
including, unused lines of credit; assets pledged as collateral, terms specified in debt agreements related to significant events of default, significant termination events and significant acceleration clauses Information to be provided for direct borrowings and
direct placements of debt separately from other debt
Financial Reporting Model Improvements Preliminary views dated September 12, 2018 with
comments due by February 15, 2019 Timing to finalize - 2022 Looking to improve the effectiveness of the current
financial reporting model (GASB 34 model) Concerns that GASB has:
• Governments use differing time frames for recognition in governmental statements, thereby reducing comparability
Financial Reporting Model Improvements (continued) Concerns that GASB has (continued):
• Current presentation lacks a conceptual foundation making it difficult for the GASB to establish standards for government funds for certain complex transactions, such as derivatives and service concession arrangements
Recognition of Elements of Financial Statements Preliminary views dated September 12, 2018 with
comments due by February 15, 2019 Timing to finalize - 2022 Objective – enhance consistency Purpose of PV document:
• The measurement focus of a specific financial statement determines what items should be reported as elements of that financial statement
• The related basis of accounting determines when those items should be reported
Revenues and Expenses
Prepared an invitation to comment in 2018 Looking at Revenue and Expense Recognition Timing - 2023 Objective?
• You guessed it – to improve comparability……
COMMON AUDIT DEFICIENCIES
Purchasing/Accounts Payable Confirming orders Mis-classification at year end between accounts payable and
reserve for encumbrances Obtaining verbal quotes instead of written quotes Quotes received from 2 vendors with different business names but
the same owner per signature on the W-9. One of the entities always wins the quote
Lack of Business Office oversight over quotation process Purchases for subsequent fiscal year charged to the current year
budget
Purchasing/Accounts Payable
Use of multi-vendor purchase orders
Use of cooperative purchasing agreements without ensuring rates charged agree to approved agreements
Expired contracts not renewed or not re-bid
Contracts in excess of $2 million (but less than $10 million) and contracts in excess of $10 million not sent to the State Comptroller’s Office
Human Resources/Payroll
Human Resource/Payroll documents not maintained in employee files – I-9’s, W-4, Pension forms, etc.
Inadequate analysis of payroll deduction payable balances
Accruing vs. Encumbering retro accruals related to unsettled CBA agreements
Time and effort reporting for grant funded employees
• Example - www.state.nj.us/education/title1/tech/
schoolwide/TimeandActivity.doc
Financial Statement Close Process
Material adjustments to the board secretary reports Prior year audit adjustments not posted Subsidiary ledgers and bank reconciliations do not
agree to the general ledger Interfund balances do not net to zero Posting revenue or expense transactions directly to
fund balance account
Financial Statement Close Process
Adjusting journal entries not properly supported with no evidence of review and approval Significant number of “expense adjustments” Some accounting funds not recorded in the general
ledger – trust & agency and certain enterprise funds FSCP not well documented
Other
Surety bond coverage not sufficient
Standard Operating Procedure manuals too generic and not detailed and specific enough to enable transition to a new employee
Budget transfers in excess of 10% that require County approval not submitted to the County
Capital Reserve
Funds transferred to capital projects fund for a project that was not part of a referendum, ESIP lease or SDA grant
Unexpended capital reserve funds used in capital outlay fund should be returned to capital reserve at end of year or end of project if in capital projects fund
Withdrawing funds without voter approval (statement of purpose) for a capital project that was not deemed an “Other Capital Project” which would otherwise be eligible for state support and not approved by the Office of School Facilities as eligible for State support
Monitoring Third Party Service ProvidersInadequate monitoring of the FSMC Operating Statement
Inaccurate reporting of Inventory
Incomplete recording of cash transactions
Inaccurate reporting of free and reduced meals
Inaccurate calculation of exemptions from the break-even/guaranteed profit contract provision
SOC 1 report not completed and provided on time
Monitoring Third Party Service ProvidersInadequate monitoring of self insurance TPA’s
Periodic review of claims being paid
Review of specific contractual provisions• Fees for “re-pricing” savings
SOC 1 report not reviewed for deficiencies
Proper establishment and recording of a self-insurance IBNR
Health BenefitsTerminated employees not being removed from health benefit coverage on a timely basis
• District requested the employee be removed but not removed by the insurance company
• District not monitoring additions and deletions to the health benefit billing effectively
Health benefit contributions not being collected to employees on un-paid leaves of absenceEmployees receiving waiver payments and receiving health benefits
Student Activity Funds
Items identified as control deficiencies or in violation of State guidelines-SAF
• No formal policy in place directing the schools as to how the funds can be utilized
• Items purchased from SAF that should be processed through the normal district purchasing process
• No oversight at all by business office. Although not required, it is a good idea to request information and review
Student Activity FundsItems identified as control deficiencies or in violation of State guidelines-SAF
• Sunshine funds maintained for special school parties and commingled with SAF
• Funds not used for the originally intended purpose or disbursed for non-student related purposes
• No policy in place to address what happens when there are funds remaining after the event or purchase
– Class funds that remain after that class has graduated
– Refunds
Student Activity FundsItems identified as control deficiencies or in violation of State guidelines-SAF
• No supporting documentation for receipts or disbursements
• One signature on checks
• Cash collected and held for significant period of time and not deposited
• Purchasing Home Depot/Lowes gift cards and using them as purchasing cards for supplies when needed
• Gift cards provided to students with insufficient documentation of who received the cards
Student Activity FundsItems identified as control deficiencies or in violation of State guidelines-SAF
• Employees paid from the SAF to chaperone, etc. and not included as income on employees W-2
• 1099s not issued for vendors that exceed the IRS threshold
• Circumvention of the procurement process/bids/quotes
• Bank accounts established without Board approval
• Outside organizations and sunshine accounts using the District’s bank accounts and ID numbers
Contact Information
www.pkfod.comDavid J. Gannon, CPA, PSA, RMA
Partner908-967-6855
dgannon@pkfod.com
www.wiss.com www.pkfod.com
Thomas J. DeMayo, CISSP, CISAPrincipal
646-449-6353tdemayo@pkfod.com
Scott A. Clelland, CPA, PSA, RMAPartner
973-994-9400sclelland@wiss.com
top related