FALL 2006 FOCUS November 14-15, 2006 APA UPDATE Bill Cole, Deputy Auditor Auditor of Public Accounts

Discussion Topics  NCAA Reporting – The Second Year  Risk Assessment Standards  Auxiliary Enterprise Project  SJR 51- Data Security  Capital Appropriations Available  Audit Timing and Scheduling  Timely Financial Reporting

NCAA Reporting – The 2 nd Year  Most control work has been completed  Waiting on completion of the Schedules  Reporting issues Complimentary tickets Complimentary tickets Indirect costs Indirect costs Advisory services Advisory services

Risk Assessment Standards

AICPA Standards Assessment Suite Of Standards  Statements on Auditing Standards (SAS) Nos  Most far-reaching changes in standards in 20 years  Amends or revises 8 existing standards

AICPA Standards Assessment Suite Of Standards  Amends SAS 1, Due Professional Care (104)  Amends SAS 95, GAAS (105)  Audit Evidence (106)  Audit Risk and Materiality (107)  Planning and Supervision (108)  Understanding the Entity and Assessing Risks (109)  Performing Audit Procedures and Evaluating Evidence (110)  Amends SAS 39, Audit Sampling (111)

Assessment Suite Of Standards Objectives  More in-depth understanding of entity and internal control  More rigorous assessment of risks of misstatement  Improved linkage between assessed risks and audit procedures performed

Understanding Entity/ Assessing Risks  Gaining understanding about entity, its environment, internal controls  Brainstorming session  Evaluate internal control design and implementation  Identify and assess risks to design additional procedures  Consider risks at financial and assertion levels  Identify significant risks (Required testing of those identified)

Performing Procedures  Do procedures that respond to risks Overall response Overall response Procedures at assertion level Procedures at assertion level  Always perform: Tests for assertions for transactions, account balances, and disclosures Tests for assertions for transactions, account balances, and disclosures F/S tie to the accounting records F/S tie to the accounting records Material JEs and F/S adjustments Material JEs and F/S adjustments

New Assertions Class Trans. Acct. Bal. Pres./ Discl. Occurrence/Existence Occurrence/ExistenceXXX Rights and Obligations Rights and ObligationsX Completeness CompletenessXXX Accuracy/Valuation Accuracy/ValuationXXX Cut-off Cut-offX Classification/Understandability Classification/UnderstandabilityXX

Assertions Used by Auditors  Occurrence and Existence Transactions, events that have been recorded have occurred and pertain to the entity Transactions, events that have been recorded have occurred and pertain to the entity Assets, liabilities, and equity interests exist Assets, liabilities, and equity interests exist Disclosed events and transactions have occurred and pertain to the entity Disclosed events and transactions have occurred and pertain to the entity

Assertions Used by Auditors  Rights and Obligations The entity holds or controls the rights to assets, and liabilities are obligations of the entity The entity holds or controls the rights to assets, and liabilities are obligations of the entity

Assertions Used by Auditors  Completeness All transactions and events that should have been recorded have been recorded All transactions and events that should have been recorded have been recorded All assets, liabilities, and equity interests that should have been recorded have been recorded All assets, liabilities, and equity interests that should have been recorded have been recorded All disclosures that should have been included in the financial statements have been included All disclosures that should have been included in the financial statements have been included

Assertions Used by Auditors  Accuracy and Valuation Amounts and other data relating to the recorded transactions and events have been recorded appropriately Amounts and other data relating to the recorded transactions and events have been recorded appropriately Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded Financial and other information are disclosed fairly at the appropriate amounts Financial and other information are disclosed fairly at the appropriate amounts

Assertions Used by Auditors  Cut-Off Transactions and events have been recorded in the correct accounting period Transactions and events have been recorded in the correct accounting period

Assertions Used by Auditors  Classification / Understandability Transactions and events have been recorded in the proper accounts Transactions and events have been recorded in the proper accounts Financial information is appropriately presented and described and disclosures are clearly expressed Financial information is appropriately presented and described and disclosures are clearly expressed

How Does This Impact You?  Auditors have responsibility for risk assessment  First place to start, what is management’s assessment of risk?  ARMICS – State Comptroller’s Directive

Auxiliary Enterprises Project

 Still a work-in-progress, but completion is getting closer  Tuition vs. Mandatory Fees What services are covered? What services are covered?  Guidance is outdated Similar activities accounted for differently Similar activities accounted for differently Accounting principles have changed Accounting principles have changed  Inconsistencies in accounting and monitoring A/E

Auxiliary Enterprises Project  Draft findings Develop principle-based definition of activities funded by mandatory fees Develop principle-based definition of activities funded by mandatory fees Update and refine auxiliary enterprise guidance Update and refine auxiliary enterprise guidance Identifying activities as auxiliariesIdentifying activities as auxiliaries Accounting proceduresAccounting procedures Allocation of debt service and indirect costsAllocation of debt service and indirect costs Consistent guidance for outsourced auxiliariesConsistent guidance for outsourced auxiliaries Application of self-supporting activitiesApplication of self-supporting activities

Auxiliary Enterprises Project  Draft findings Best practices for A/E management Best practices for A/E management Monitoring for self-supporting basisMonitoring for self-supporting basis Documenting and approving transfersDocumenting and approving transfers Develop specific, consistent procedures for preparing the Schedule of A/E Revenues and Expenses Develop specific, consistent procedures for preparing the Schedule of A/E Revenues and Expenses Develop specific, consistent procedures for preparing a separate Schedule of A/E Reserves Develop specific, consistent procedures for preparing a separate Schedule of A/E Reserves

SJR51 – Information Security

 2006 General Assembly passed SJR No. 51, directing the APA to report on the adequacy of the security of state government databases and data communications from unauthorized uses.  Focusing data security efforts on only databases and data communications does not consider the amount and nature of information held by the Commonwealth; nor does it consider the various methods of storing and using potentially sensitive information.

SJR51 – Information Security  As part of this review, we compiled from available sources, the industry concerned best practices for an information security program.  We evaluated the Commonwealth’s information security programs against the best practices of the industry and as a means of completing the review survey checklist.

SJR51 – Information Security  Information Security Program Objectives and Issues A well-defined, clear and documented information security program will minimize unauthorized uses of information contained within databases and transmitted through data communication lines. A lack of sufficient policies, procedures and standards creates a highly diversified information security environment, which limits an organization’s ability to govern information security at an enterprise level. A well-defined, clear and documented information security program will minimize unauthorized uses of information contained within databases and transmitted through data communication lines. A lack of sufficient policies, procedures and standards creates a highly diversified information security environment, which limits an organization’s ability to govern information security at an enterprise level.

SJR51 – Information Security  Roles and Responsibilities for IT Security in the Commonwealth Role of VITA Role of VITA Role of Agencies (including roles of information security officers) Role of Agencies (including roles of information security officers)

SJR51 – Information Security  Review survey checklist (120 questions) administered by APA with each agency and institution  Results evaluated judging key components (30-40 questions)  Rating of policies and procedures Non-existent Non-existent Inadequate Inadequate Adequate Adequate Model Model

Capital Appropriations Available

 Fund 0811 – General Obligation Bonds  Fund 0817 – 21 st Century Bond Program  DOA has issued Accounting Procedures for these programs available on their web site.  Some Colleges had to make significant prior period adjustments due to overstating appropriations.

DOA Instructions 1. Calculate project to date allotments since 1993 by adding prior year expenditures to current allotments. 2. Compare to prior year appropriation revenue from previously reported in the financial statements. 3. Difference is current year appropriation revenue or reversion.

Revenue and Receivables  Appropriations available are generally equal to current year allotments less current year expenditures including payables.  Current year appropriation revenue is generally equal to current year allotments less beginning appropriations available.

Issues  Note that allotments and not appropriations are used to compute revenue and receivables.  When appropriations are used or prior year revenue is not excluded, appropriation revenue can be significantly overstated.

Conclusion  APA and DOA will work together to address accounting issues and clarify instructions.

Audit Timing

AUDIT TIMING  Scheduling and Specialties NCAA – interim work on controls, final work when Schedule is completed NCAA – interim work on controls, final work when Schedule is completed Research & Development – interim work on controls, final work when SEFA is completed Research & Development – interim work on controls, final work when SEFA is completed Student Financial Aid – interim work on controls, final work when FISAP is completed Student Financial Aid – interim work on controls, final work when FISAP is completed Payroll and Revenue – interim work on controls, final work when financial statements and notes are completed Payroll and Revenue – interim work on controls, final work when financial statements and notes are completed Acquisitions and Capital Assets – interim work on controls, final work when financial statements and notes depending on specialists’ schedules Acquisitions and Capital Assets – interim work on controls, final work when financial statements and notes depending on specialists’ schedules

Timely Financial Reporting

 Financial Management Standard  Timeliness  Accuracy  Deadlines are only going to get tighter  Closing books timely  Start early  Documentation of financial reporting process

QUESTIONS?