Post on 20-Dec-2015
transcript
2
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
SAS No. 112
Was implemented during the CSU’s June 30, 2007 audits
Established standards and provided guidance on communicating matters related to internal control
Defined control deficiencies as either: Control deficiencies
Significant deficiencies
Material weaknesses
3
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
“Control Deficiencies” Exist…
When the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
4
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
Deficiency in Design Exist When…
A control necessary to meet the control objective is missing or
An existing control is not properly designed so that, even if it operates as designed, the control objective is not always met.
5
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
A Deficiency in Operation Exists When…
A properly designed control does not operate as designed or
When the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.
6
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
Unconditional Requirements
An auditor is required to evaluate whether identified control deficiencies are, individually or in combination:
significant deficiencies or
material weaknesses
Significant deficiencies and material weaknesses are required to be communicated in writing to those charged with governance.
7
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
Definitions of Significant Deficiency and Material Weakness
Significant deficiency: a control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles (GAAP) such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected.
Material weakness: a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.
8
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
Magnitude
The magnitude of a misstatement may be:
Inconsequential
More than inconsequential but less than material
Material
Factors that may affect the magnitude of a misstatement that could result in a deficiency or deficiencies in controls include by are not limited to the following:
The financial statement amounts or total of transactions exposed to the deficiency
The volume of activity in the account balance or class of transactions exposed to the deficiency in the current period or expected in future periods.
9
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
Significant Deficiency Indicators Controls over the selection and application of GAAP accounting
principles
Antifraud programs and controls
Controls over non-routine and nonsystematic transactions
Controls over period-end financial reporting process, including controls over procedures used to enter transaction totals in the general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.
10
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
Significant Deficiency Indicators (Continued) Examples of situations which indicate the controls over the period-
end financial reporting process were either not designed appropriately or were not operating effectively:
When adjustments and/or financial statement reclassifications are identified by the auditor which were not originally identified by management, these represent factors that indicate the controls over the financial reporting process were either not designed appropriately or were not operating effectively.
The quantitative and qualitative nature of the adjustments and/reclassifications are then required to be evaluated to determine if the amounts are either more than inconsequential or material to the respective financial statements. In addition to the actual amounts of the adjustments or reclassifications identified, the auditor is also required to consider the potential for unrecorded amounts.
Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a significant deficiency or material weakness, even though such deficiencies are individually insignificant.
11
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
Material Weakness Indicators
Ineffective oversight of the entity’s financial reporting process and internal control by those charged with governance
Restatement of previously issued financial statements Identification by the auditor of a material misstatement in the
financial statements not initially identified by the entity’s internal control
An ineffective internal audit function or risk assessment function Identification of fraud of any magnitude on the part of senior
management Failure by management or those charged with governance to
assess the effect of a significant deficiency previously communicated to them or either correct it or conclude that it will not be corrected.
12
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
Magnitude/Likelihood
Magnitude of Misstatement that
Occurred, or could have occurred
More than remote Remote
Quantitatively or qualitatively material
Material weakness Control deficiency but not a significant deficiency or a material weakness
More than inconsequential but less than material
Significant deficiency but not a material weakness
Control deficiency but not a significant deficiency or a material weakness
Inconsequential (i.e., clearly immaterial)
Control deficiency but not a significant deficiency or a material weakness
Control deficiency but not a significant deficiency or a material weakness
Likelihood of misstatement
13
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
The Prudent Official Test
The last step in the evaluation is to conclude the following:
Would a prudent official consider an identified control deficiency to be at least a significant deficiency? If yes, would the prudent official consider the same to be a material weakness?
The prudent official test is used only to increase the severity of a control deficiency and NOT to justify a decrease in the severity.
14
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
Examples of Significant Deficiencies and Material Weaknesses noted during CSU’s June 30, 2007 Audits
Financial Reporting Issues were noted related to the conversion of legal basis accounting
records to the accrual basis of accounting in accordance with U.S. generally accepted accounting principles (GAAP).
The following are examples of the issues noted: Incomplete account reconciliations Lack of support of components comprising financial statement
amounts Detailed listings and support ledgers that do not support amounts
reflected in the financial statements Inaccurate completion of the required financial reporting packages
requiring various audit adjustments and reclassification entries not initially identified by management
Inaccurate completion of the respective entities financial statements requiring various audit adjustments and reclassification entries not initially identified by management
15
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
Examples of Other Significant Deficiencies Noted During CSU’s June 30, 2007 Audits
Information Technology – Segregation of Duties
At one of the campuses, we noted that all payroll department employees have access to both Personal Information Management System (PIMS) and Common Management System (CMS)/Financial Reporting System (FRS). Thus all employees can add/delete/change employee pay, while also submitting changed files to State Controller's Office. We noted overall that campus management (IT or Business Process Management) does not perform a periodic review to help ensure proper segregation of duties exists among critical business functions within the PeopleSoft Finance and HR modules.
16
May 2008 GAAP Reporting Workshop
© 2
00
8 K
PM
G L
LP,
the U
.S.
mem
ber
firm
of
KPM
G In
tern
ati
on
al, a
Sw
iss
coop
era
tive.
All
rig
hts
rese
rved
. Pri
nte
d in
U.S
.A.
KPM
G a
nd
th
e K
PM
G log
o a
re r
eg
iste
red
tra
dem
ark
s of
KPM
G In
tern
ati
on
al.
Examples of Other Significant Deficiencies noted during CSU’s June 30, 2007 Audits
Information Technology – User Access Based on our review of security and access privileges in-scope
applications and systems at the campuses, we observed that certain obsolete, inactive, or otherwise inappropriate user profiles have not been disabled. Below is the list of the issues we encountered during our review which were present in varying degrees at each of the campuses tested in the current year:
Users have inappropriate system administrative access to the PeopleSoft Finance and HCM applications and the PeopleSoft database,
Users had inappropriate access to override the matching rules within the PeopleSoft Finance application.
Users had inappropriate access to enter and modify grades within PeopleSoft application.
Users with system administrative access to PeopleSoft FIN application had inappropriate access rights.