2 Agenda I.Recap From Last (May 2, 2008) Audit Committee Meeting II.Risk Assessment Summary III.Risk Assessment Results Major audit risk areas Other findings IV.Risk Assessment Internal Audit Plan V.Next Steps
3 Recap From Last Audit Committee Meeting Reviewed all pertinent management information (including annual reports and audit reports) Interviewed 27 key management personnel and stakeholders Conducted an electronic risk assessment survey Composed of 20 questions Distributed to 125 employees Received 70 responses
4 Recap From Last Audit Committee Meeting (cont’d) Assessed and summarized key risks based on interviews with World Learning personnel and risk assessment survey Prepared the risk assessment report Validated risk assessment report with management
5 Risk Assessment Summary Note: In determining the risk rating, BDO considered the likelihood of the risks happening and the impact. The results of the documents review, perceptions of the key personnel interviewed and the results of the electronic survey were aggregated and analyzed.
7 Risk Assessment Results (cont’d) Audit Risk AreaKey FindingAction Plan Investigative Due Diligence Due diligence is not performed on organization’s vendors, partners, sub- grantees, sub-contractors and/or donors. In addition, comprehensive background investigations are not conducted on all of the organization’s employees and individuals in key positions. Develop and implement a comprehensive due diligence process for the organization that includes employees, sub- contractors, sub-grantees, significant vendors and business partners. Perform a review of the process used by home stay coordinators and subcontractors to determine if appropriate due diligence is performed on prospective home stay families. Global Risk Management A program to monitor on-going compliance with the local laws and WL policies and procedures does not currently exist. In addition, the organization faces the risk of incurring prohibited costs under US grant funding regulations for the International Development programs. Perform a review of the corporate compliance function and oversight controls to ensure that instances of non- compliance with local laws and government funding rules and regulations are identified and corrected on a timely basis. Assist management with the formalization and implementation of a global risk management program and provide on-going monitoring to ensure compliance with the applicable funding rules and regulations. Develop compliance training programs for the field office staff related to government contracts and funding regulations. Lack of Transparent Financial Information The financial systems are unable to provide detailed financial data and ad-hoc management reports. As a result, it is difficult to identify the real costs of operating each business unit due to the lack of quality and transparent financial information available for management review. Perform an in-depth business process improvement review to identify and develop the reports needed to provide management with adequate information to effectively identify, resolve issues and manage the business risks. Treasury – Bank Resolutions and Wire Transfers Formal policies and procedures regarding the establishment of WL Corporate Bank accounts have not been developed and communicated throughout the organization. In addition, adequate controls are not established over the wire transfer process. Perform a review of the treasury function including, but not limited to, the process for establishing and making changes to bank accounts, corporate resolutions, and the wire transfer payment process.
8 Risk Assessment Results (cont’d) Audit Risk AreaKey FindingAction Plan Management Oversight of the Field Office Finance Function There is inadequate management oversight of the finance function for the international field offices. Assist management in developing oversight controls for the field office finance function. Standard Operating Procedures (“SOP”) and Policies For a significant number of key functions and departments formal Standard Operating Procedures and Policies do not exist, or are outdated, and have not been effectively communicated across all functional areas of the WL organization. Perform an in-depth organization-wide review of existing policies and procedures to identify critical financial, operational, compliance and IT processes for which SOPs and policies need to be developed or updated. Application of Accounting Policies The organization may not be appropriately applying various accounting policies. Perform a review the financial accounting policies and procedures manual to ensure accounting policies listed in the manual are in compliance with GAAP. Budget Process There is a considerate amount of manual effort involved in preparing and consolidating the budget for the organization. Perform an assessment of the current budget reporting system and process. Disaster Recovery and Business Continuity Plan No formal documented Disaster Recovery and Business Continuity Plan presently exists. Perform an independent review of the critical resources (systems and documentation) necessary to recover from a disaster. Data Privacy, Security and Document Retention Policies regarding data privacy, security, retention and electronic data storage and email archiving have not been developed or communicated throughout the organization. Develop comprehensive data retention, privacy, and security policies for the organization.
9 Risk Assessment Results – Other Findings Audit Risk AreaKey FindingRecommendation Hiring Process The Human Resources department is not consistently informed when temporary adjunct faculty is contracted by the organization. Review and improve the process for employing temporary adjunct faculty. In addition, assist management in establishing effective background checks and work eligibility verification processes. Philanthropy/ Donations The organization’s current reporting systems are unable to provide detailed reporting on the utilization of donor funds. Perform a review and assessment of the organization’s current fundraising practices as well as the compliance with the existing donor reporting requirements. Assist management with the development of an efficient process to provide donors with appropriate monitoring and activity reports. Student Enrollment Services The student enrollment, admission, and registration processes are not efficient and from a new student perspective can appear to be disorganized. Perform a review and assessment of the current student enrollment, admission, and registration practices and processes to identify areas where efficiencies can be achieved and process can be streamlined. Key Performance Indicators (“KPIs”) A number of Key Performance Indicators (“KPIs”) are not readily available for management’s review and analysis. Perform a review of the current KPIs being reported to and analyzed by management. In addition, identify other KPIs that would provide management with necessary and timely information about the operating and financial health of the business. Expense Reporting A consistent process is not place for reimbursing individuals accompanying visitors to the US or students abroad. Perform a review of the process to reimburse individuals accompanying visitors to the US or students abroad to ensure adequate controls are in place to reduce the risk of misappropriation of funds.
10 Risk Assessment Results – Other Findings (cont’d) Audit Risk AreaKey FindingRecommendation Other Process Efficiencies and Cost Savings Opportunities There is no centralized procurement process in place. As a result, opportunities for obtaining volume discounts for purchases and services are missed. Develop and implement a centralized procurement process. In addition, review existing purchase and service agreements to identify opportunities for obtaining volume discounts from the vendors. Credit card processing fees are not passed on to the students.Perform a review of credit card fees to determine if savings can be realized by passing the credit card processing fees to the students. An electronic document management system to transmit financial supporting documentation from the field to the DC or Vermont offices is not in place. Instead, fax, mail, or fed-ex are used to transmit this information. Perform a review the potential cost savings and efficiencies that can be realized through the implementation of an electronic document management system to transmit documentation from field offices to the corporate finance offices. The finance functions for the Visitor Exchange and Capacity Building divisions are handled by three different departments. Perform a review the potential cost savings and efficiencies that can be realized through the consolidation of Visitor Exchange and Capacity Building finance functions into the DC finance function. There is no participant or student database capable of generating demographic statistics as required by the government agencies that provide funding for the Capacity Building program. Instead, these statistics are compiled using EXCEL files. Perform a review of the process utilized to maintain, manage, and generate these reports for the government agencies. In addition, identify automated solutions that can be applied to reduce manual calculations, errors and increase efficiency and timeliness involved in generating these reports. The organization utilizes hand-written anonymous surveys to obtain feedback from students regarding their experience during the semester abroad. Perform a review of the customer survey process to identify opportunities and automated solutions to increase efficiency and integrity of the survey process.
11 Proposed Internal Audit Plan - 2008 Note: Timeline is a range in hours Risk Area QTR. 1QTR. 2QTR. 3QTR. 4 JanFebMarAprMayJunJulAugSepOctNovDec Inadequate Financial Systems 230 to 320 Financial Reporting 120 to 160 Segregation of Duties Including System Access Review 230 to 320 Governance / Tone at the Top 340 to 440 Lack of Transparent Financial Information 320 to 400
12 Proposed Internal Audit Plan - 2009 Note: Timeline is a range in hours TBD = To be determined Risk Area QTR. 1QTR. 2QTR. 3QTR. 4 JanFebMarAprMayJunJulAugSepOctNovDec BDO Recommendation Follow-UpTBD Investigative Due DiligenceTBD Budget TBD Global Risk Management TBD Standard Operating Procedures and Policies TBD Disaster Recovery and Business Continuity TBD
13 Proposed Internal Audit Plan – 2010 Note: Timeline is a range in hours TBD = To be determined Risk Area QTR. 1QTR. 2QTR. 3QTR. 4 JanFebMarAprMayJunJulAugSepOctNovDec BDO Recommendation Follow-UpTBD Management Oversight of the Field Office Finance FunctionTBD Treasury-Bank Resolutions and Wire Transfers TBD Application Accounting Policies TBD Data Privacy, Security and Document Retention TBD Other Findings TBD
14 Next Steps Obtain Senior Management and Audit Committee approval of the proposed 2008 Internal Audit Plan Execute the 2008 Internal Audit Plan Internal Audit Engagement Planning Fieldwork Review Report Preparation Review internal audit findings with Grant Thornton Key Internal Audit Deliverables Internal Audit Report Remediation Plan Remediation Plan Follow-up High Risk Findings – Every 90 Days Moderate Risk Findings – Every 180 Days