1. Auditors: Why do they ask all those questions? LGC Resource April 2015 Penny Austin, Assistant Director – IS Local Government Audit

2. Why those questions?  Professional Standards  Internal Controls  Fraud  Applicable Laws  Data Analytics

3. Professional Standards GAO Yellow BookAICPA StandardsOMB Uniform Guidance

4. Internal Controls Processes effected by an entity’s management and other personnel designed to provide assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

5. COSO (Committee of Sponsoring Organizations) of the Treadway Commission

6. Simple Definition  Internal controls are common sense procedures that address: What could go wrong? What steps should be taken to prevent those events from happening?

7. Personal Internal Control System  Locking your car when you leave it in the parking lot  Comparing your receipts to your credit card statement  Balancing your personal check book

8. Why are Internal Controls Important?  Protect the strong from temptation  Protect the weak from opportunity  Protect the innocent from false accusation From Once upon Internal Control by James Ulvog, CPA

9. Opportunity PressureRationalization FRAUD TRIANGLE

10. FRAUD  Frauds discovered in the recent years. Committed by one person Trusted employee Internal controls were either nonexistent or not monitored

11. Examples of Good Internal Controls

12. Effective Controls- Cash Receipts and Deposits  Separate cash drawers  Prenumbered cash receipts- 9-2-103, TCA  Stamp checks “for deposit only” as soon as they are received  Drawer checkout procedures  Deposit timely- 3 day deposit law  Deposit Receipts Intact

13. Effective Controls- Cash Receipts and Deposits (cont.)  Deposit slips should be itemized  Sign- “You must receive an official receipt or your transaction is not complete”  Segregate Duties- Employees responsible for receipting should NOT also be responsible for posting receipts to the accounting records.

14. Effective Controls- Disbursements  Disbursements by official prenumbered checks  Review documentation  Do not sign blank checks  Segregate duties between writing checks, signing, distribution, and posting to the accounting records

15. Effective Controls- Bank Reconciliations  One employee should be responsible for opening the bank statement, reviewing it, and initialing.  A separate employee should reconcile the bank statement monthly  Bank reconciliations should be reviewed by an employee not responsible for reconciling the statement.

16. Effective Controls- Procurement  Establish clear lines of authority for approving purchases before they occur  Purchase orders  Verify availability of appropriations before purchases are approved  Payments for purchases should only be made after documentation that the goods or services were received  Segregate duties between approval, payment and updating the accounting records

17. Effective controls- Journal Entries (JE’s)  Use a standard journal entry form  Supervisory review and approval of all journal entries  Segregate duties between preparation of the JE, Approval of the JE, and posting to the records  Supervisory review that all JE’s were properly posted to the records

18. Effective IS Controls  Proper back-up procedures Daily backups should be stored in a secure location within the office. Weekly backups should be rotated to a secure, fireproof off-site location. A backup log documenting the location of all backups should be maintained. Backups should be tested.

19. Effective IS Controls (cont.)  Password Maintenance All users should have a unique login and password. Shared logins should not be used. Passwords should remain confidential. Passwords should be changed every 90 days. Passwords of former employees should be immediately disabled.

20. Effective IS Controls (cont.)  Disaster Recovery Planning Specific steps to follow to restore system Emergency phone numbers of personnel and vendors Backup storage location Manual procedures to follow until the system is restored

21. Effective IS Controls (cont.)  Policies and procedures manual Operating system and application security Start-up/shut down procedures Back-up procedures Hardware software maintenance procedures Daily, monthly, and year-end procedures Output distribution list Hardware disposal policy Virus prevention policy

22. Effective IS Controls (cont.)  Loading Operating System Updates  Restricting Physical Access to System  Proper Application Controls Adequate audit trail exists. Audit logs are maintained and reviewed.

23. Audit Logs and Other Reports  TnCIS Delete Log Report Out-of Court Payments Report  Trustee Audit Changes By Date Report Unprorated Receipts Report Maximum Posting Date Report  Fund Offices Payroll Check Change Report Maximum Posting Date Report

24. Applicable Laws

25.  City Charters/ Private Acts  Budgeting Laws  Purchasing Laws  Fees and Taxes  Filing Requirements  Electronic Commerce

26. Applicable Laws  TCA 6-54-903 – Requires cities to submit their travel policies to the Comptroller  TCA 7-52-602 – Requires municipal electric systems to submit a business plan to the Comptroller  TCA 5-8-505 – Requires county officials to file an annual financial report with the county mayor and county clerk

27. Applicable Laws  TCA 47-10-119 – Requires all local governments who implement an electronic business system to file a statement with the Comptroller  TCA 4-30-103 – Requires all local governments who implement a new technology platform to file a statement with the Comptroller

28. New Legislation  Amendment to Financial Integrity Act requiring counties, municipalities, and metro governments to establish internal controls  Amendment requiring local governments to close their accounting records no later than two months after fiscal year-end  Amendment to CMFO Act changing the penalty provisions

29. Data Analytics

30. www.comptroller.tn.gov/la

40. Questions?

41. Penny Austin Penny.Austin@cot.tn.gov