Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • . Welcome. Why Me. Inventory of audits- right here, including equipment. Tools available- resources available- you are not in it alone. Ask us why and we’ll try to make it less painful.
  • . Welcome. Why Me. Inventory of audits- right here, including equipment. Tools available- resources available- you are not in it alone. Ask us why and we’ll try to make it less painful.
  • To give you a perspective of why we do audits, I first would like to give you an overview of who we are and what we do for the University. Our mission statement is very focused on our value add to the University. Independent ---- JCI Allows us to do audits across the University Part of a risk management network through out the University to manage those things that could impact the University doing business EH&S, OGC, OSP You are also part of the network Risk is broadly defined Compliance – sponsored research Financial – fraudulent activity e.g. Operational - hiring fictitious ee, vendors Control processes – we’ll talk about these later but they are integral to managing the risk at the U. We are primarily here to help the U. understand how well the controls are working to manage the risks identified.
  • We offer these services to the U. The service you most likely would have experienced is either the F&O or the compliance audits. In some cases the PAA where we may have to come back to understand actions taken on a previous audit.
  • Audit are the checking on controls that are managing the risks. We want to find out where we may have weak controls that could cause unpleasant events. For example, you would want to know that the controls over charging expenses to an award aren’t working resulting in inappropriate charges before the government comes in to audit. Not just disallowance but the disallowance could be extrapolated. So we look for control weaknesses and work with the appropriate people to have changes implemented. We also give an assessment of the control environment to management. Management has usually a good idea of what they want to happen to manage risks but not always get sufficient information to know it is happening.
  • Anything that does not allow an organization to achieve its objective. Organization could be the U or a dept or a function. Depends on the management of the org. Positive – stem cell research For example, there is risk to doing research on human subjects. An unfortunate event could either impact the financial objectives of the U or if really severe impact the ability to do research on human subjects thereby impacting research objectives In evaluating risk – likelihood and impact
  • Economic changes – cost of living in this area – faculty hiring Federal regulations – more requirements which translate to possible fines and penalties if they are not met. Untrained personnel – Could lead to lawsuits if inappropriate steps are taken in handling people. Some recent external issues Hackers New systems – PS and people not getting paid
  • Internal controls are put in place to manage risks. Internal controls are usually defined in policies and carried out by people. Operational control – reference checking for a new hire. Financial control – review and approval of transactions for accuracy prior to GL Compliance - training
  • Tone at the time – how does management set the tone for ethics and compliance with sound business practices Information & communication – are you getting the right information on a timely basis to do your job So – in a nutshell – our role is to evaluate how all these components are working at the U. And we do this through audits.
  • Some of these are on the list because of changes taking place. Some because they are naturally risky. Protocols New systems While these are risks of particular concern, they are not the only risks we think about in developing a plan. Other risks that are not so new- Sponsored research Procurement Cash management
  • WE are responsible to go to management and the joint committee on inspection and give them a report card on the control environment . We do this by performing audits. Coverage
  • Our work is to help you improve your operations so- You can survive outside audits Help set up processes that are efficient, effective, result in safeguarding of assets, result in compliance with rules, reg and help you achieve your objectives
  • OMB is the Office of Management and Budget arm of the government that oversees the budget and issues information and instruction to Federal agencies- called circulars- that apply to using federal funds. This is required, not optional.
  • OMB is the Office of Management and Budget arm of the government that oversees the budget and issues information and instruction to Federal agencies- called circulars- that apply to using federal funds. This is required, not optional.
  • OMB is the Office of Management and Budget arm of the government that oversees the budget and issues information and instruction to Federal agencies- called circulars- that apply to using federal funds. This is required, not optional.
  • Basically departments have to journal off transactions that are found inappropriate by the A-133 audit.
  • Slides

    1. 1. Min Xiao, OSP Gail McDermott, RMAS Greg Murray, RMAS Miriam Vazquez, RMAS Sarah T. Axelrod, FOA HMS Audit Training June 3, 2005
    2. 2. Agenda <ul><li>Introduction </li></ul><ul><li>Types of Audits </li></ul><ul><li>Preparation for Audits </li></ul><ul><li>Tools </li></ul><ul><li>Case Study </li></ul><ul><li>Summary </li></ul>
    3. 3. Introduction <ul><li>Explain why these various audits happen, and how frequently we can expect them to occur </li></ul><ul><li>Describe how you can prepare for the audits in a proactive way rather than reactive </li></ul><ul><li>Highlight the tools available here at HMS to survive the audits </li></ul><ul><li>Emphasize the partnership of the various service offices who are here to protect the interest of faculty and administrators, HMS, and HU. </li></ul>
    4. 4. Types of Audits <ul><li>Internal Audits (RMAS) </li></ul><ul><li>Compliance Audits (A 133) </li></ul><ul><li>Federal Audits </li></ul><ul><ul><li>F&A (Indirect Cost) Audits </li></ul></ul><ul><ul><li>Agency Audits </li></ul></ul><ul><li>Not for Case Audits </li></ul>
    5. 5. RMAS Mission Statement <ul><li>“ Provide an independent, objective assurance and consulting service which is used within Harvard as an integral part of its risk management and control processes ” </li></ul><ul><li>“ Help the University accomplish its objectives by bringing a systematic disciplined approach to evaluate and improve the effectiveness of risk management and control processes” </li></ul>
    6. 6. Services and Types of Audits <ul><li>Financial & Operational Audits </li></ul><ul><li>Compliance Audits </li></ul><ul><li>Information Systems </li></ul><ul><li>Special Projects/Consulting </li></ul><ul><li>Investigations </li></ul><ul><li>Post Audit Appraisals (PAA) </li></ul><ul><li>Training </li></ul>
    7. 7. Why Audits <ul><li>Part of Risk Management & Internal Control Processes </li></ul><ul><ul><li>Independent, objective assurance that risks are being managed in a cost effective manner </li></ul></ul><ul><ul><li>Recommend changes to improve risk management </li></ul></ul>
    8. 8. What is Risk? <ul><li>Anything that does not allow an organization to achieve its objectives </li></ul><ul><ul><li>Risk is inherent in any business. </li></ul></ul><ul><ul><li>Example of risk: unallowable and unallocable spending on an award causing sponsor to curtail future monies. </li></ul></ul><ul><li>Risk assessment considers: </li></ul><ul><ul><li>Likelihood of an event occurring </li></ul></ul><ul><ul><li>Impact should the event occur </li></ul></ul><ul><li>Risk assessment leads to risk management </li></ul>
    9. 9. What is risk (cont.) <ul><li>External risk – such as </li></ul><ul><ul><li>Economic changes </li></ul></ul><ul><ul><li>Natural disasters </li></ul></ul><ul><ul><li>Changes to Federal regulations </li></ul></ul><ul><li>Internal risk – such as </li></ul><ul><ul><li>New systems </li></ul></ul><ul><ul><li>Untrained personnel </li></ul></ul><ul><ul><li>Unexpected turnover </li></ul></ul><ul><ul><li>Fraud </li></ul></ul>
    10. 10. Internal Controls <ul><li>A process designed to provide reasonable assurance objectives are achieved: </li></ul><ul><ul><li>Operational Objectives – efficient and effective operations, safeguarding of assets, HR practices to hire quality personnel </li></ul></ul><ul><ul><li>Reporting Objectives- Accurate and complete financial reports </li></ul></ul><ul><ul><li>Compliance Objectives – compliance with all legal, regulatory and policy requirements </li></ul></ul><ul><li>Example: </li></ul><ul><ul><li>Approval of web vouchers separate from person doing the transaction </li></ul></ul><ul><ul><li>Monthly review of detailed listings </li></ul></ul><ul><ul><li>Approval of effort reports </li></ul></ul>
    11. 11. Components of Internal Control <ul><li>There are five interrelated components of internal control derived from basic operations and administrative processes. The control environment is at the bottom because it is the foundation for all the others. </li></ul>Control Environment (Policies, Style, and Ethics) Risk Assessment Control Activities Monitoring Information Communication
    12. 12. How Do We Determine What to audit? <ul><li>Annual evaluation based on RMAS risk assessment process: </li></ul><ul><ul><li>Management input on concerns </li></ul></ul><ul><ul><li>Audit results – internal & external </li></ul></ul><ul><ul><li>Changes to operations including new systems </li></ul></ul><ul><ul><li>Regulatory Agency focus </li></ul></ul><ul><ul><li>Events at other Universities </li></ul></ul><ul><ul><li>JCI observations </li></ul></ul><ul><ul><li>Emerging issues </li></ul></ul>
    13. 13. FY06 Risk Activities <ul><li>Stem Cell Research </li></ul><ul><li>International Operations </li></ul><ul><li>Student Travel Abroad </li></ul><ul><li>Cross Faculty Initiatives </li></ul><ul><li>Business Continuity Planning </li></ul><ul><li>Information Systems Security </li></ul><ul><li>Technology Transfer & Licensing </li></ul><ul><li>Construction </li></ul>
    14. 14. How do we determine where to audit: <ul><li>Risk assessment results </li></ul><ul><ul><li>Activities to audit </li></ul></ul><ul><ul><li>Groups that perform those activities </li></ul></ul><ul><li>Other factors such as: </li></ul><ul><ul><li>Size, volume or complexity of activity </li></ul></ul><ul><ul><li>Date of last audit </li></ul></ul><ul><ul><li>University coverage </li></ul></ul><ul><ul><li>Management request </li></ul></ul>
    15. 15. When will you know you are to be audited? <ul><li>Routine audit- </li></ul><ul><ul><li>Audit plan is completed in the summer of the fiscal year </li></ul></ul><ul><ul><li>Audit plan is shared with schools in the fall </li></ul></ul><ul><li>PAA’s </li></ul><ul><ul><li>At time initial audit is complete </li></ul></ul><ul><li>Special Projects </li></ul><ul><ul><li>When you ask </li></ul></ul>
    16. 16. Audit Approach <ul><li>Understand the operations including risks </li></ul><ul><li>Understand business processes and risk mitigating approach </li></ul><ul><li>Determine audit scope; agree with management </li></ul><ul><li>Focus is on “internal controls” </li></ul><ul><ul><li>What is in place to manage the operational and financial risks e.g. policies, review & approval practices, management and financial reports, monitoring, system controls and access privileges etc. </li></ul></ul><ul><ul><li>Are the controls working effectively </li></ul></ul><ul><ul><ul><li>Testing </li></ul></ul></ul><ul><ul><ul><li>Analytical review </li></ul></ul></ul><ul><ul><ul><li>Trends </li></ul></ul></ul><ul><li>Audit Report Process </li></ul>
    17. 17. Common Activities in an Audit <ul><li>Tone at the top </li></ul><ul><li>Budgeting and Management Reporting </li></ul><ul><li>HR processes e.g. hiring and performance review practices </li></ul><ul><li>International Operations </li></ul><ul><li>Transaction Processing and Approval </li></ul><ul><ul><li>Web Voucher, Pcard, Payroll </li></ul></ul><ul><li>Post Award Management </li></ul><ul><ul><li>Allocable costs, award terms and conditions </li></ul></ul><ul><ul><li>Effort reporting and cost transfers </li></ul></ul><ul><li>Service Centers </li></ul><ul><ul><li>Costs, billing and rates </li></ul></ul><ul><li>Vendor management including use of contracts </li></ul><ul><li>Cash and receivable processing </li></ul>
    18. 18. WHAT…is A-133? <ul><li>An Office of Management and Budget (OMB) Circular requiring an annual external audit of non-profits receiving federal funds for sponsored programs in excess of $500k (as of 12/31/03) </li></ul><ul><li>Sample of federal awards & their direct cost transactions are selected for audit to determine if expenditures and procedures were appropriate according to the federal guidelines, sponsor terms/conditions & University policies </li></ul>
    19. 19. WHAT …IS A-133 ? <ul><li>Other testing includes: </li></ul><ul><ul><li>effort reporting </li></ul></ul><ul><ul><li>internal control testing </li></ul></ul><ul><ul><li>cost transfers </li></ul></ul><ul><ul><li>program income </li></ul></ul><ul><ul><li>equipment testing </li></ul></ul><ul><ul><li>financial & non-financial reporting </li></ul></ul><ul><ul><li>sub-recipient monitoring </li></ul></ul><ul><ul><li>service centers </li></ul></ul><ul><ul><li>student financial aid </li></ul></ul><ul><ul><li>F&A rate application </li></ul></ul>
    20. 20. A133 Audit Process <ul><li>A-133 audit process involves the following: </li></ul><ul><li>External groups: PricewaterhouseCoopers (PWC) and federal government </li></ul><ul><li>Internal groups: schools, OSP, RMAS, Office of General Counsel, VP Finance </li></ul><ul><li>FOA is HMS’s local liaison for the A-133 audit </li></ul><ul><li>OSP coordinates the audit with PWC auditors and works with school liaisons for audit resolution </li></ul>
    21. 21. A133 Audit Schedule <ul><li>May - June: The planning & audit selection </li></ul><ul><li>July: The Orientation begins with PWC, OSP, and departments </li></ul><ul><li>August - September: PWC auditors perform direct cost & compliance testing, includes interview PI and grant administrators </li></ul><ul><li>October - November: OSP and RMAS work with PWC and departments to clear findings before report is finalized </li></ul><ul><li>December - January: PWC issues a final report; the schools submit a corrective action plan </li></ul>
    22. 22. Why Me? <ul><li>A-133 Audit departments are selected with the following criteria in mind: </li></ul><ul><ul><li>Total Department Federal Dollars by audit year </li></ul></ul><ul><ul><li>Frequency of the last A-133 audit </li></ul></ul><ul><ul><ul><li>Departments are rotated, as are some schools with fewer federal dollars </li></ul></ul></ul><ul><ul><ul><li>HMS is ALWAYS selected because it has the top federal $ ( HMS comprises 40% of the total sponsored expenditures in FY04 ( 238M ) </li></ul></ul></ul><ul><ul><li>The award types and research locations </li></ul></ul><ul><ul><li>Rotation of service centers </li></ul></ul><ul><ul><li>High risk area that are determined by PWC ( e.g. PEPFAR, Broad Institute, Stem Cell Research ) </li></ul></ul>
    23. 23. WHY…do we care? <ul><li>All Federal and increasingly more non-federal sponsors look at A-133 as a ‘report card’ of how we spend their money </li></ul><ul><li>Findings are reported to federal government and become public record, distributed to all federal agencies through a clearing house </li></ul><ul><ul><li>Harvard’s reports can be found at </li></ul></ul><ul><ul><li> </li></ul></ul><ul><li>Each department performing sponsored research is accountable for demonstrating that the reported expenditures are appropriate with the terms and conditions of the award and federal costs principles ( A-21, A-110) </li></ul>
    24. 24. WHAT are the auditors looking for? <ul><ul><li>Costs incurred for the same purpose in like circumstances should be treated consistently as either direct or as facilities and administrative costs </li></ul></ul><ul><ul><ul><li>Exceptions of different purpose and circumstance need to be documented </li></ul></ul></ul><ul><ul><li>Allowability and allocability of expenses </li></ul></ul><ul><ul><ul><li>Costs identified specifically with a particular sponsored project/activity, or can be directly assigned to such activity relatively easily with a high degree of accuracy </li></ul></ul></ul><ul><ul><li>Documentation completed at the time of transaction processing </li></ul></ul>
    25. 25. Common A-133 Findings <ul><li>Unallowable costs charged to grants </li></ul><ul><ul><li>Sales tax, travel expenses, office supplies </li></ul></ul><ul><li>Timely and Accurate Annual Financial Reporting </li></ul><ul><ul><li>90 calendar days after the end of the grant year </li></ul></ul><ul><ul><li>In FY 04, 7 reports were late out of a selection of 60 </li></ul></ul><ul><li>Timely and signed Effort Reporting </li></ul><ul><ul><li>Evidence of timely review by someone with first-hand knowledge </li></ul></ul><ul><li>Cost Transfers </li></ul><ul><ul><li>Timeliness, justification, authorization </li></ul></ul>
    26. 26. Federal Audits <ul><li>F & A Audit </li></ul><ul><li>Agency Audits </li></ul>
    27. 27. F & A Audit <ul><li>What </li></ul><ul><ul><li>DHHS audit of the HMS proposed F&A (indirect cost) rate </li></ul></ul><ul><li>Why </li></ul><ul><ul><li>To test/verify HMS’s data that supports the proposed F&A rate </li></ul></ul><ul><li>Who </li></ul><ul><ul><li>2 staff from the NY DHHS office </li></ul></ul><ul><li>When </li></ul><ul><ul><li>HMS submits a rate proposal every 4 years </li></ul></ul><ul><ul><li>DHHS auditors spend approximately one week on campus </li></ul></ul>
    28. 28. F & A Audit - Cycle <ul><li>Prepare for base year (1/04-6/04) </li></ul><ul><li>Base Year (7/04-6/05) </li></ul><ul><li>Analysis and Proposal Preparation (7/05-1/06) </li></ul><ul><li>DHHS Desk Review (Winter to Spring 06) </li></ul><ul><li>DHHS Field Audit (Spring – 1 week) </li></ul><ul><li>Requests for additional information (Spring 06) </li></ul><ul><li>Negotiation Session in NY (Summer 06) </li></ul><ul><li>Effective dates of negotiated rates (AY 07 – AY 10) </li></ul><ul><li>Next base year (AY 09 – starts 7/1/08) </li></ul>
    29. 29. F & A Audits <ul><li>What is the audit focus </li></ul><ul><ul><li>Space </li></ul></ul><ul><ul><li>General Ledger coding </li></ul></ul><ul><ul><li>Facilities Costs </li></ul></ul><ul><ul><li>Library Costs </li></ul></ul><ul><ul><li>Allocations </li></ul></ul>
    30. 30. F&A Audits Departmental Involvement <ul><li>How are departments involved? </li></ul><ul><li>In June 2002 DHHS visited 4 departments and met with 3 PIs in each department </li></ul><ul><li>Reviewed payroll detail for the 4 departments </li></ul><ul><li>Auditor “walked the space” </li></ul><ul><li>Interviewed each PI </li></ul><ul><li>Physically inventoried all equipment listed as located within these labs </li></ul>
    31. 31. F&A Audits Other Data Requests <ul><li>Sample of other information the auditors requested? </li></ul><ul><li>Departmental space </li></ul><ul><ul><li>Room by room breakdown of the functionalization of space for the 4 departments reviewed </li></ul></ul><ul><li>O&M salary and cost details </li></ul><ul><li>Specific questions relating to library costs </li></ul>
    32. 32. F&A Audits Other Data Requests <ul><li>Sample of other information the auditors requested (continued)? </li></ul><ul><li>Cost sharing detail </li></ul><ul><li>Equipment location </li></ul><ul><li>Documentation regarding expense reclassification </li></ul><ul><li>Other occupants in research labs (visiting professors, students, admin staff) </li></ul>
    33. 33. What to do to Prepare for an Audit? <ul><li>Operations Self-Assessment </li></ul><ul><li>Continuously Assess your Business Processes </li></ul><ul><ul><li>Very often what you are worried about represents a control weakness </li></ul></ul><ul><li>Practice Fiduciary Responsibility </li></ul><ul><li>Keep abreast of: </li></ul><ul><ul><li>HMS/University Policies </li></ul></ul><ul><ul><li>Award Terms and Conditions </li></ul></ul><ul><ul><li>System capabilities </li></ul></ul><ul><ul><li>Regulatory changes </li></ul></ul><ul><li>Document Transactions </li></ul><ul><ul><li>Business purpose – who, what, when, where, why </li></ul></ul><ul><ul><li>Basis for allocating costs among awards </li></ul></ul><ul><ul><li>Reason for journal entries </li></ul></ul><ul><li>Review Financial Reports </li></ul><ul><ul><li>The Devil is in the details </li></ul></ul>
    34. 34. Tools Available for Survival <ul><li>Training </li></ul><ul><ul><li>HMS Aspire sessions, HU sessions, external (NCURA, SRA, RADG) </li></ul></ul><ul><li>Network </li></ul><ul><ul><li>SPA, OSP, FOA , ORC, peers in other departments </li></ul></ul><ul><li>Policies </li></ul><ul><ul><li>HMS, HU, Federal </li></ul></ul><ul><li>Websites </li></ul><ul><ul><li>E-commons (FOA, OSP, H/R), SPA, OSP, ABLE, other schools, government agency sites </li></ul></ul><ul><li>Data </li></ul><ul><ul><li>Financial, sponsored (GMAS, HMS SPAR), Peopleview </li></ul></ul>
    35. 35. Tools Available for Survival <ul><li>Key data/reports for proactive reviews </li></ul><ul><li>PERs </li></ul><ul><li>Detail listings </li></ul><ul><li>E-tads and Peopleview </li></ul><ul><li>Key policies for grants management </li></ul><ul><li>HMS Sponsored expenditure policy </li></ul><ul><li>Cost transfer policy </li></ul><ul><li>Financial management guide to policies, procedures and best practices </li></ul>
    36. 36. Tools Available for Survival <ul><li>ASK QUESTIONS! </li></ul><ul><li>Do not assume that how something has always been done is the only way or the correct way </li></ul>
    37. 37. Case Study - One <ul><li>Sara, is the grants coordinator who is managing 10 grants ( 7 federal, 3 non-federal ) for several PI’s in the department. When she tries to approach the PI’s for assistance on the allocation of lab supplies costs, they are often out of the town or too busy for these matter. So Sara developed a strategy to allocate all costs first on to the federal grants, but with the intention of journaling out portion of costs later when she can figure out how much should be re-allocated to non-federal grants. Sara thinks this is a better approach because a 90 days cost transfer policy does not apply to journals transferring costs from federal grants to non-federal grants. </li></ul><ul><li>One day she received a call from OSP and learned that one of her federal grants has been selected by PWC for the annual A-133 audit. </li></ul>
    38. 38. Case Study - Two <ul><li>Dr. Globe made his own flight arrangements for a trip to conferences in Washington DC. His travel expenses were selected for an A-133 audit, by now though, Dr. Globe had left Harvard for a west coast institution. </li></ul><ul><li>David, the Harvard department administrator, contacted Dr. Globe and asked him to document how he had selected the lowest available fares for his journey. He emailed in response that he booked airfares through Travelocity.Com because it was the lowest airfares he could find at the time. But he didn’t keep any documentation to support his claim. </li></ul><ul><li>What should David do now ? </li></ul>
    39. 39. Questions? Comments?