for discussion purposes only - subject to revision - 4/9/14

Audit Committee
University of Louisville

Dear Audit Committee Members:

You engaged us to provide consulting services for the University of Louisville (the "University"). We have performed our services in accordance with Statements on Standards for Consulting Services issued by the American Institute of Certified Public Accountants (except for item C) in the areas listed below:

A. Review all internal audit reports issued by the University's Audit Services Department ("Audit Services") at the University since 2007 and comment on the status of the implementation of the key recommendations in these reports.
B. Review the operation of Audit Services and make recommendations for improvement.
C. Survey of banks within a 50-mile radius of Louisville.
D. Assess the internal controls and personnel qualifications of individuals with signature authority over bank accounts.
E. Review the internal procedures and financial controls for all faculty professional practice plans at the Health Science Campus with the independent CPA engaged for this examination.
F. Review the controls over the vendor approval process.

Our findings, observations and related recommendations follow on the attached pages. We did not audit, review, or otherwise verify the accuracy or completeness of your financial statements or accounting records. We relied on the accuracy and completeness of the documents and information you and University employees provided or made available to us. Our engagement cannot be relied upon to disclose errors, fraud, or other illegal acts that may exist. We have no responsibility to identify and communicate significant deficiencies or material weaknesses in your internal controls as part of this engagement, and our engagement cannot, therefore, be relied upon to make disclosure of such matters. We appreciated being selected to perform this engagement
and are available to answer any questions or to assist in the implementation of recommendations included in this report.

Louisville, Kentucky
February 28, 2014

Review of Audit Services Reports
University of Louisville
February 2014

Our firm was asked to review all the reports issued by the University's Audit Services Department ("Audit Services") from 2007 through 2013 and comment on the status of the implementation of the recommendations in these reports. A team of Strothman and Company CPAs visited all of the colleges and many departments at the University to interview management and employees, inspect records, and perform other procedures as deemed necessary in order to assess the status of the reports.

From 2007 through 2013, we were provided with nearly 100 reports issued by Audit Services, as follows:

2007 - 15
2008 - 14
2009 - 15
2010 - 16
2011 - 7
2012 - 16
2013 - 13

Exhibit A, which follows this report, is a listing of all of the reports issued. For each report, we have provided the following information:

1. What was our risk assessment? Based on our review of the report and applicable follow-up, we have listed our opinion of the risk assessment of the area audited, categorized into high, medium or low.
2. In our opinion, was follow-up called for? We have listed whether, in our opinion, follow-up was needed based on the recommendations presented by Audit Services in their report.
3. Did internal audit follow up in person? If follow-up on the recommendations presented in the report was needed, we noted whether Audit Services followed up in person or not.
4. What is the current importance of the issues? Based on everything that we learned about the report, we provided our assessment of whether the matters identified in the report were currently still important for the University to address. These were categorized as high, medium or low.
We coordinated the above work with our overall assessment of the University's internal controls (beginning on page 8). We believe that the review of these Audit Services reports was a useful exercise for the University to undertake. We found that the vast majority of recommendations made by Internal Audit were valid and important to improving the University's internal control structure.

Audit Services is responsible for following up on recommendations made in their reports. We believe this process could be improved. It was unclear to us who has primary responsibility for compelling the various colleges and departments to adopt the recommendations made by Audit Services. In the section of this report which follows, related to our overall assessment of the University's internal controls, we make recommendations regarding having stronger central leadership and control of the University's financial functions. This could aid in making sure that Audit Services recommendations are implemented on a timely basis.

Assessment of the University's Internal Audit Function
University of Louisville
February 2014

Our firm was asked to review the operation of the University's Audit Services Department ("Audit Services") and make recommendations for improvement. We have worked with a number of internal audit departments over the years. In addition, one of our managers working on our team was previously employed by a Fortune 500 internal audit group for 10 years.

We found the leadership of Audit Services to be competent and dedicated. The office follows the standards for internal audit work as promulgated by the Institute of Internal Auditors. The International Standards for the Professional Practice of Internal Auditing are the standards followed by most large internal audit departments. Internal Audit underwent a quality assessment process in May 2013 conducted by an independent CPA firm.
That firm gave Audit Services a ranking of "Generally Conforms" with respect to following the standards referred to above. This is the highest rating allowed by the standards. Audit Services should be commended for their professional practice of the standards of their profession. However, we have the following recommendations for improvement of the internal audit function at the University.

1. Improve Audit Planning and Risk Assessment Process

While Audit Services approaches the audit planning and risk process diligently, we believe the process could be improved. Because of the limited resources of Audit Services, the annual audit plan should be focused on those areas that, in the collective opinion of Audit Services and management, present the highest risks to the University. We understand that the University has considered implementing an enterprise risk management (ERM) process. ERM goes beyond a traditional Internal Audit risk assessment and includes financial, operational, strategic and other risks. It includes involvement of key executives throughout the organization. We recommend that the University move towards implementing an ERM process. We believe this process could begin within existing budget constraints. We understand that Audit Services presented a recommended plan for implementation of ERM in 2010, which seems like a reasonable place to begin.

2. Follow Up on Audit Recommendations in Person

Prior to mid-2012, Audit Services generally followed up on the status of matters raised in their audit reports via email or verbal communication with the college/department audited. Since mid-2012, Audit Services has revised their follow-up policy to include in-person visits when deemed appropriate. In our view, if an area is worthy of an audit, it is worthy of a subsequent follow-up visit conducted in person unless there were no findings of any significance. Such visits could take as little as 1-2 hours.
A memo or similar documentation should be prepared related to this follow-up visit. We recommend that such visits be conducted for all audits.

3. Review Staffing Levels to Ensure Audit Services Has Proper Resources and Skill Sets

One of the areas we were asked to comment on was whether Audit Services had adequate resources to conduct their work. We compared the University of Louisville's Audit Services department to what we felt were similar universities as well as other government agencies. We found that the University's internal audit staffing levels were consistent with these other organizations. That is not to say that an increase in Audit Services staff could not prove beneficial and improve the University's internal control environment. Hiring additional staff is a cost/benefit analysis that the University's Audit Committee needs to make.

One thing we noted was that Audit Services has spent significant blocks of time in the last few years investigating frauds that have come to light. This pulls resources away from them being able to execute their normal audit plan. If additional audit resources are needed, one alternative is to have Audit Services expand its resources by contracting with outside auditors on a temporary basis when special needs arise. Outside CPAs and/or Certified Internal Auditors could be hired for specific projects that needed immediate attention. If the need for additional audit work is due to lack of compliance with policy by a college/department, the additional fees for the outside help could be charged to that area.

We did note that many of the audit areas, especially with respect to information technology and the Health Sciences Campus, are technical and complex and require specialized skills. This should be taken into consideration as future Audit Services hires are made.
Survey of Area Banks
University of Louisville
February 2014

Procedures and Findings

Our firm was asked to survey banks within a 50-mile radius of Louisville with the goal of identifying any bank accounts that existed in the name of the University, University of Louisville Physicians (ULP) or a derivative thereof that did not appear on the books and records of the University or ULP. Unlike the other consulting components of the engagement we were asked to perform for the University, we considered this part of our engagement as an agreed-upon procedures engagement under the standards of our profession. Following are the agreed-upon procedures, which the University specified, and the results of these procedures:

- We obtained a list of authorized bank accounts from the University.
  - The University provided us a list of 11 authorized bank accounts at PNC Bank in the name of the University of Louisville and one authorized bank account at PNC Bank in the name of the University of Louisville Athletic Association. Of these, only two accounts allowed disbursements and the remainder were deposit only.
- We compiled a list, from publicly available sources, of banks within a 50-mile radius of downtown Louisville. We used our best efforts to determine that we identified all banks within this territory; however, we cannot provide assurance that every single bank within this radius was found. We presented this list to management of the University for their review.
- For the banks on the list, we sent two copies of letters of inquiry, signed by the President and Controller of the University, asking whether the bank in question had any accounts listed in the name of the University or ULP. One letter was addressed to the bank's President or equivalent position and the second letter was sent to the bank's fraud department along with a cover letter explaining the reason for the survey.
  Our original mailing included 101 banks. For institutions that did not respond to the first inquiry, we sent second and, if needed, third requests.
- Of the 101 letters originally mailed, we received a total of 87 responses. Of these, 81 responses indicated that the bank had no accounts in the name of the University. One bank indicated that they would only respond with a court-ordered subpoena. Following is information about the five banks who reported accounts of which we were not previously aware:

1. Republic Bank reported bank accounts open in the following names:
   - U of L Development Co LLC
   - U of L Health Care
   - U of L Neurological Faculty Group PLLC
   - U of L Kma-Mss
   - U of L Rehabilitation Faculty Group
   - U of L KPHA
   - U of L School of Medicine Classes
   - U of L Medical Student Association
   - University of Louisville Hospital
2. Kentucky Telco Federal Credit Union reported bank accounts open in the following names:
   - University of Louisville German Club
   - University of Louisville Debate Society
   - University of Louisville Student Veterans Association
   - U of L Sports Administration Club
   - U of L FOP Lodge #30
   - U of L Baseball
3. Metro Bank reported that there were four certificates of deposit in the name of the University and the University of Louisville Research Foundation with a face amount of $100,000 each.
4. US Bank reported bank accounts open in the following names:
   - U of L Parking
   - U of L Dental School
   - U of L IT
   - U of L Campus Card
   - U of L Athletics
5. PNC Bank responded and listed the accounts of which we were aware. They also listed one account of which we were unaware in the name of U of L Pi Tau Sigma.

In our work related to the University's Health Science Campus we learned that two bank accounts with Fifth Third Bank still exist in the name of University Medical Associates.
However, Fifth Third Bank replied to the survey that they were unaware of any accounts in the name of the University or a derivative thereof. Also, during our work at HSC, we became aware that a number of additional bank accounts apparently exist related to the predecessor entities to ULP. These were not reported because the letter of inquiry we sent did not ask to identify accounts that simply had the word "University" in the name.

Disclosures

Our engagement to apply agreed-upon procedures was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. The sufficiency of the procedures is solely the responsibility of the management and Audit Committee of the University. Consequently, we make no representation regarding the sufficiency of the procedures described above either for the purpose for which our report has been requested or for any other purpose. Because the agreed-upon procedures listed above do not constitute an examination, we do not express an opinion related to the University's bank accounts. In addition, we have no obligation to perform any procedures beyond those listed above. This report on our procedures and findings is intended solely for the use of the University and its Audit Committee, and should not be used by anyone else. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you. We were not engaged to, and did not, conduct an audit, the objective of which would be the expression of an opinion on the accounting records. Accordingly, we do not express such an opinion.

Summary

For all of the bank accounts identified during this project, and for those additional accounts that exist that simply have the word "University"
in their title, management should ensure that follow-up procedures be performed to determine that these accounts are not being used for fraudulent or inappropriate purposes. This could be done by Audit Services, by the University's Finance Office, or by outside CPAs.

While surveying local banks was a worthwhile effort, please keep in mind that there may be instances where inappropriate accounts are being used with respect to fraudulent activity committed against the University other than those surveyed. For example, someone could set up a bank account under his/her own control with initials similar to an actual University college or department, and divert funds to it. As an example, someone who wished to steal receipts from University of Louisville Athletics could set up a bank account in the name of ULA, LLC and make deposits into that account if they were able to physically divert the check.

Overall Assessment of the University's Internal Controls
University of Louisville
February 2014

Our firm was asked to "assess internal controls and personnel qualifications of all individuals with signature authority for bank expenditures and deposits for all bank accounts". After discussion with management of the University and its Audit Committee chair, we understood that this meant you wanted us to comment on the overall control structure of the University. In the course of our work, we conducted numerous interviews with a wide variety of personnel and visited every college and many individual departments. The individuals we interviewed included, but are not limited to, the following:

- Dr. James Ramsey, President
- Kathleen Smith,
  Chief of Staff
- Shirley Willihnganz, Provost
- Angela Koshewa, University Counsel
- Jeffrey Jewell, Detective Lieutenant, University Police
- Larry Zink, Controller and Treasurer
- Kerry Schmidt, Director of Accounting Operations
- David Martin, Purchasing
- Robert Cochran, Director of Payroll Services
- Dr. David Dunn, Executive Vice President for Health Affairs

In total, our interviews included nearly 400 University personnel.

The University of Louisville is an excellent organization with many fine qualities. However, the way the University is organized and managed has made it susceptible to fraud in the past. Because the circumstances that allowed the frauds to occur have not substantially changed, we believe the University is still at risk for future fraudulent activity. This report will provide recommendations for changing the University's control environment to be in a position to better prevent fraud from occurring.

Our report includes what we considered our most significant recommendations. We also communicated other department-specific, lower risk recommendations to management that are not included in this report. Also, please keep in mind that the consulting work we performed did not constitute an in-depth review of all the University's internal controls. The majority of recommendations we make below will need additional investigation as to the feasibility of the implementation of the recommendation and the related cost/benefit analysis.

We are presenting our observations and recommendations in two sections:

- General - those that we believe apply to the University as a whole.
- Specific - those that apply to specific colleges/departments, but that could have University-wide applicability.

General Observations

In connection with the work we performed, we had several observations that were pervasive to the University. Following are our observations,
along with recommended solutions.

1. Designate a Qualified Chief Financial Officer to be Responsible for the University's Internal Controls

During the course of our work, we noted that the University does not always compel corrective action to occur when deficiencies in internal control are identified. Needed improvements in internal control recommended by the University's internal auditors and others often do not get implemented on a timely basis. University internal controls and policies are often applied inconsistently or not at all. It was unclear to us who had primary responsibility for this area. We recommend that a Chief Financial Officer (CFO) who has training and experience in the design and implementation of internal controls be given overall responsibility for this area. This person would be the one with ultimate responsibility for ensuring that appropriate internal controls are developed for all colleges and departments within the University, and that they are applied consistently University-wide. This person would also be responsible for developing systems to monitor University-wide compliance with internal controls and policies.

2. Have Unit Business Managers be Accountable to the CFO

We noted that Unit Business Managers (UBMs) generally work exclusively for a dean or department chair. Within a college, UBMs often have limited interaction with each other and generally do not report to the college's primary UBM. UBMs have limited accountability and reporting responsibilities to the University's Finance Office. As a result, UBMs often do not get the day-to-day training, direction, and oversight they need to effectively carry out their job responsibilities. In addition, University internal controls and policies are often applied inconsistently from college to college or from department to department. We understand that UBMs need to be responsive to deans, department chairs, and others within their department. However,
we recommend that UBMs report primarily to the University's Finance Office and to the CFO position mentioned above. Additionally, we recommend that the CFO be involved in the hiring process for all future UBMs, including evaluation of their skills and qualifications. This would provide better accountability and consistency with respect to the University's financial activities.

3. Add an Additional Layer of Review for Selected Accounts Payable Transactions

Once requests for disbursements have the necessary approvals of the various colleges and departments, there is little additional review by the Finance Office. This lack of checks and balances has led to disbursements being made by the University that were inappropriate. We recognize that the sheer volume of transactions processed through accounts payable would prevent a review of each transaction processed by the Finance Office. However, we recommend that a new position be created in the Controller's office that is dedicated to reviewing accounts payable requests. The accounts payable requests could be separated into one of three categories:

1. Disbursements processed as submitted without any further review.
2. Disbursements processed as submitted with a flag for further follow-up review.
3. Disbursements held until a pre-issuance review can be performed.

The category into which a disbursement falls would be determined by a variety of factors including the nature of the transaction, the size of the transaction, and the risk profile of the college/department requesting it. For example, departments that were determined to have a higher risk profile would have a lower dollar threshold related to the above categories. We believe that the University's computer systems could be programmed to automatically categorize the transactions and select the ones needing further review.
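The three-category triage described above lends itself to a small rule engine. The following is an added illustration written for this edited page; it is not code from the report or from the University's systems. The department risk profiles, dollar thresholds, transaction kinds and the sample batch are constructed assumptions, and the function names (`categorize`, `select_for_review`, `summarize`) are hypothetical. It generalizes the report's example (higher-risk units get lower thresholds) into a full categorization over a batch of requests and pulls out the category 2 and 3 items that would receive the additional review procedures.

```python
"""Risk-tiered triage of accounts payable requests.

Added illustration for this page; not the report's own code nor the
University's system.  Risk profiles, thresholds, transaction kinds and the
sample batch below are constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Category(IntEnum):
    """The three categories named in the report."""
    PROCESS = 1   # processed as submitted, no further review
    FLAG = 2      # processed as submitted, flagged for follow-up review
    HOLD = 3      # held until a pre-issuance review is performed


@dataclass(frozen=True)
class Disbursement:
    request_id: str
    department: str
    amount: float              # dollars
    kind: str                  # nature of the transaction (constructed labels)
    new_vendor: bool = False   # first payment to this payee


# Assumed risk profile per department; anything unlisted is treated as "medium".
DEPARTMENT_RISK = {"athletics": "high", "parking": "high", "library": "low"}

# Assumed dollar thresholds per risk profile: (flag_at, hold_at).
# Higher-risk units get lower thresholds, as the report recommends.
THRESHOLDS = {
    "low":    (25_000.0, 100_000.0),
    "medium": (10_000.0,  50_000.0),
    "high":   ( 2_500.0,  10_000.0),
}

# Transaction kinds reviewed regardless of size (constructed).
ALWAYS_HOLD = {"cash_advance"}
ALWAYS_FLAG = {"refund", "honorarium"}


def risk_profile(department: str) -> str:
    return DEPARTMENT_RISK.get(department.strip().lower(), "medium")


def categorize(d: Disbursement) -> Category:
    """Assign a category from nature, size and the requesting unit's risk."""
    if d.amount <= 0:
        # A zero or negative disbursement is malformed; hold it rather than
        # letting a bad record slip through as category 1.
        return Category.HOLD
    flag_at, hold_at = THRESHOLDS[risk_profile(d.department)]
    if d.kind in ALWAYS_HOLD or d.amount >= hold_at:
        return Category.HOLD
    if d.kind in ALWAYS_FLAG or d.new_vendor or d.amount >= flag_at:
        return Category.FLAG
    return Category.PROCESS


def select_for_review(requests):
    """Return (category, request) pairs for the category 2 and 3 items, i.e.
    those that get the additional procedures; held items first, then by amount."""
    picked = [(categorize(d), d) for d in requests]
    picked = [p for p in picked if p[0] != Category.PROCESS]
    picked.sort(key=lambda p: (-p[0], -p[1].amount))
    return picked


def summarize(requests):
    """Number of requests per category, keyed by category number 1..3."""
    counts = {c.value: 0 for c in Category}
    for d in requests:
        counts[categorize(d).value] += 1
    return counts


# Constructed sample batch (not real University data).
SAMPLE_BATCH = [
    Disbursement("R-001", "Library",   500.0,    "vendor"),
    Disbursement("R-002", "Library",   30_000.0, "vendor"),
    Disbursement("R-003", "Athletics", 30_000.0, "vendor"),
    Disbursement("R-004", "Chemistry", 12_000.0, "vendor"),
    Disbursement("R-005", "Chemistry", 800.0,    "vendor", new_vendor=True),
    Disbursement("R-006", "Parking",   100.0,    "cash_advance"),
    Disbursement("R-007", "Chemistry", 1_500.0,  "refund"),
]

if __name__ == "__main__":
    for cat, d in select_for_review(SAMPLE_BATCH):
        print(f"{d.request_id:6} {d.department:10} {d.amount:>10,.2f} {d.kind:13} -> {cat.name}")
    print(summarize(SAMPLE_BATCH))
```

Run as a script, the block lists the six items that would go to the new review position (two held, four flagged) and the per-category counts for the batch. The same $30,000 vendor payment lands in category 2 for the low-risk library and in category 3 for the high-risk athletics department, which is the threshold behaviour the report describes; the malformed-amount branch shows one way to keep bad records from defaulting to category 1.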
Transactions selected in categories 2 and 3 above would then be subjected to additional procedures such as a detailed inspection of the underlying documentation, comparison to contracts/agreements and verification of the receipt of goods and/or work product.

4. Develop Standard Financial Processes for Each College and Department

We observed that the formats and preparation of month-end reconciliations and other supporting documents are inconsistent among colleges and departments across the University. Furthermore, the accounting activities performed by UBMs each month vary from department to department, as does the timeliness of their completion. We recommend that the Finance Office develop standardized formats and example workpapers to be used University-wide. This would improve the consistency of the accounting documentation. In addition, we recommend that a standardized closing checklist be developed to help ensure that all of the activities needed to properly close the books in each department are performed on a timely basis.

Based on our observation and inquiries of the processes utilized by the various colleges and departments, we recommend the Finance Office develop, publish and review on an on-going basis a standard set of procedures or duties that are to be followed by every UBM in all colleges and departments. We envision these standards would include, but not exclusively, a process and deadline for reconciling all active speed types within colleges and departments, a process and documentation requirements for reconciling and approving ProCard transactions, and specific cash handling procedures. We also recommend that position qualifications be standardized for the UBM role throughout the University in regards to education, experience, and aptitude in financial matters.

5. Improve the Cash Receipt Handling Function

We noted that most departments are directly receiving cash and/or checks. These relate to items such as donations, payments on contracts,
amounts received from ULP for services and payments for academic program support. Checks and cash are ultimately sent to the University's Bursar's Office for deposit (except for University Advancement, who handles their own deposits). However, there is not a consistent process across all departments on handling receipts prior to deposit.

One particular concern we had is donations, which often initially come to the development employee in the colleges and departments. In some departments, a development employee has been assigned to that specific department, yet reports to the Office of University Advancement. Donation checks are often received by a receptionist and given directly to the development employee, who is responsible for the revenue coding and deposit. We found that several UBMs (or their equivalent) can only reconcile their revenue to spreadsheets prepared by the development employee who received the checks originally. They have no way of knowing if the total of reported donations is complete.

Using a lockbox to centralize the cash receipt function is a good way to improve the controls over receipts. Since employees would not have direct contact with receipts from donors or others, the risk of mishandling or misappropriation is virtually eliminated. Another benefit would be the time the University's accounting personnel would save by not having to prepare a deposit and physically transport it to the Bursar's Office.

Even with a lockbox, we understand that some checks may still come to the various departments. For these receipts, we recommend the University implement a policy that a receipts log be maintained at the point of entry. In most instances this would ideally be the responsibility of the receptionist.
All receipts should be logged and immediately stamped with a restrictive endorsement prior to being routed to a finance department. The log should be reconciled to the revenue posted in PeopleSoft by an employee other than the employee responsible for creating the log.

6. Reconcile Speed Types on a Timely Basis

We noted that several departments throughout the University are not reconciling all of their speed types on a timely basis. Speed types are basically an account to which a particular expense is assigned. Some departments were over five months behind on their reconciliations. The timely reconciliation of accounts and subsequent review and approval of those reconciliations is an integral component of a good system of internal controls. We found that several department employees were unclear about the University policy regarding the timeframe in which speed types are required to be reconciled. We recommend that the University policy be reviewed in regards to the timeliness of speed type reconciliations. A sound business practice would be to require the speed types to be reconciled within 30 days of the availability of PeopleSoft reports. A responsible financial official should be in charge of ensuring that all speed types throughout the University are reconciled on a timely basis.

7. Summarize and Codify University Accounting Standards and Policies

The University has a number of policies, some of which are issued and intended to be applied University-wide, and some of which are issued by various colleges and/or departments. We noted that University policies are not always properly followed and/or applied consistently. We also noted that the University does not have standardized internal accounting guidance for UBMs and others responsible for accounting and recordkeeping.
We recommend the following with respect to the University's accounting standards and policies:

- Someone should be given primary responsibility for gathering and summarizing all of the University's accounting standards and policies.
- These should be organized into one volume and codified using a numbering system.
- A procedure should be developed for adding, deleting and updating standards and policies.
- A procedure should be developed for communicating changes.
- Training programs regarding the new policy manual should be conducted.

8. Implement Disbursement Approval Levels Across the University

We noted that the University does not have a policy regarding the approval level required based on the amount of a disbursement. From our meetings in the various colleges and departments, this policy is at the discretion of the dean or chair of the department. Requiring the UBM (or their equivalent) and the dean or chair to approve disbursements over a certain dollar threshold would reduce the likelihood of a large fraudulent disbursement. We recommend that the University require the UBM and the dean/chair to approve and manually sign off on any disbursement greater than a certain amount.

9. Improve Controls Over Payroll

We noted that it is possible for employees to be paid at an incorrect rate. For example, an employee can be incorrectly paid using the same Position Control Number (PCN) as another employee. PeopleSoft will allow a user to assign a PCN to more than one employee. The system prompts the user with an error message; however, the error message can be ignored, and the system will then allow the assignment of the PCN to multiple employees. Such employees may be at different pay rates. We recommend that an electronic control be put in place that will not allow a PCN to be issued to multiple employees.

10.
Improve Standards and Training for UBMs

In our meetings with the various colleges and departments, we learned that the UBM training currently being provided is a good tool to give individuals a broad overview of the UBM role and responsibilities. Former participants mentioned that the training provided them with important information and valuable contacts with other UBMs throughout the University. However, many former participants in this training program also offered the following suggestions for improvement of the program:

- Shorten the time period of the program. Several participants stated that the program was too long and spread out over too long of a time period to be effective.
- Focus more on the specifics of how to produce the proper documentation required by various departments (Controller's office, ProCard Department, Human Resources Department, etc.).
- Make the training more of a "hands on" learning experience.
- Improve the training skills of the individuals tasked with providing the training.
- Require UBM training prior to being able to assume this role within the University.
- Split the training into two separate curriculums, one for individuals who are or have been UBMs previously and one for individuals potentially aspiring to become a UBM.

We recommend that the University consider revamping the initial UBM training to encompass some of these suggestions. Furthermore, we recommend the University expand the UBM training throughout the year by hosting quarterly UBM workshops to communicate issues with University policies and processes and come to productive solutions that could be applied throughout the University.

11. Obtain Annual Acknowledgment of Compliance with Conflict of Interest Policies

Currently, the University obtains annual, online certifications from certain employees that they have read the University's conflict of interest statements and are in compliance with them.
Such certifications are obtained primarily from employees associated with the various research programs the University conducts.

We recommend that the University obtain annual acknowledgment from all key employees regarding compliance with conflict of interest policies. Such acknowledgment will require employees to actually read the policies. If a violation occurs, the employee in question could not claim ignorance.

Observations Related to Colleges and Departments

The following observations and recommendations generally relate only to various colleges and departments within the University; however, we believe they might have wider applicability throughout the University.

1. Improve Segregation of Duties

During our visit to one department, we found the segregation of duties over financial functions could be improved. Currently, the UBM is responsible for all accounting related duties including budget, payroll, ProCard reconciliations, purchasing, speed type reconciliations, deposits, and other various duties. She has a ProCard and is performing the speed type reconciliations. The reconciliations are not being reviewed by another individual. The current lack of segregation of duties presents the opportunity for the UBM to misappropriate University resources. In order to alleviate some of the segregation of duties issues, this department is currently in the process of hiring an Administrative Assistant to handle purchasing, administer the ProCard and be involved in the speed type reconciliations.

We recommend that responsibilities be allocated appropriately in order to improve segregation of duties. The Administrative Assistant should receive and log checks as well as perform purchasing duties. Also, all reconciliations should be reviewed by the Dean of that department to improve controls and reduce the risk of fraudulent transactions. (16.1)

2. All Requests for Disbursement Should Be Independently Approved

During our visit to one department, we found that a request for disbursement (RFD) can be requested by the same individual who is responsible for approving the RFD. The UBM will complete the RFD form at the request of a department head. Accounts Payable will process the transaction because it appears the RFD was initiated by the UBM and approved by the department head. However, the UBM is actually just initiating the transaction on behalf of the department head. This presents an internal control structure issue. Additionally, prior approvals are only being obtained for significant purchases. Obtaining a prior approval is at the discretion of the requisitioner and not required by department policy.

We recommend that all RFDs be signed by the actual person who initiates the transaction and approved by a second individual. Furthermore, all RFDs should also be approved prior to the expenditure. (7.1)

3. Ensure That All the University's Computer Systems Are Subject to the Same Controls

The University currently employs a decentralized two-tier support system for computer and applications support. There are over 300 Tier 1 employees who are authorized to perform activities including adding accounts, changing passwords, and installing software on computers. Tier 1 employees generally work for the colleges and departments. The Enterprise IT staff provides Tier 2 support through the IT Help Desk. Enterprise IT also has responsibility for managing and monitoring the University's network infrastructure and datacenter resources. Some colleges/departments have more developed IT support groups which have implemented systems and devices that are not managed by Enterprise IT staff. These systems and devices are owned by the University, but are not subject to the controls that Enterprise IT has in place. As such, this could cause the University to be subject to risks including data breach, data loss, media or legal exposure, and health risks related to loss or misuse of patient data.

We recommend that policies, procedures and tools be implemented to ensure Enterprise IT has control over all devices and systems owned by the University. Tier 1 staff may provide support for these systems, but they should not be outside the scope of control of Enterprise IT. (6.1)

4. Controls Over Hiring of Certain Employees Could Be Improved

For temporary and student employees, UBMs generally have the authority to:

- process the "new hire" packet
- sign as authorizer on the "new hire" packet
- create the position in the PeopleSoft system
- determine the funding source
- enter the hours worked into the PeopleSoft system
- change the pay rate
- change the employee's address
- reconcile the payroll charges that hit their department
- compare the budget amounts against the actual amounts
- terminate the employee in PeopleSoft

The concern we have is that a UBM (or someone else serving in this role) would be in a position to add a fictitious employee to the payroll system. In some departments, there is adequate segregation of duties to reduce the risk that this would happen.

We recommend a review of the processes relating to the addition of temporary employees be made with the goal of improving segregation of duties in this area. For example, someone other than the UBM should review amounts paid to employees of the college and department. (8.3)
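As an added illustration of the disbursement-approval and RFD points above (not part of the report and not the University's system), the following runs a batch of constructed RFD records through the three conditions the report calls for: a second, different approver; UBM and dean/chair sign-off above a dollar threshold; and approval dated before the expenditure. The field names, role labels and the 5,000 threshold are assumptions.

```python
# Segregation-of-duties checks over a batch of requests for disbursement (RFDs).
# Added example, not from the report; record layout, role names and the
# dollar threshold are assumptions, not the University's actual forms or policy.
from datetime import date

# Over this amount both the UBM and the dean/chair must approve (placeholder value).
DUAL_APPROVAL_THRESHOLD = 5_000

# Constructed sample RFDs: initiator, approvals as (who, role, date), expenditure date.
SAMPLE_RFDS = [
    {"id": "RFD-1", "amount": 850, "initiator": "ubm.a", "expenditure_date": date(2013, 9, 5),
     "approvals": [("head.a", "dean_chair", date(2013, 9, 2))]},
    # Department head initiated and approved the same request.
    {"id": "RFD-2", "amount": 1_200, "initiator": "head.b", "expenditure_date": date(2013, 9, 4),
     "approvals": [("head.b", "dean_chair", date(2013, 9, 3))]},
    # Large disbursement approved by the dean only; UBM sign-off missing.
    {"id": "RFD-3", "amount": 12_000, "initiator": "ubm.c", "expenditure_date": date(2013, 9, 12),
     "approvals": [("head.c", "dean_chair", date(2013, 9, 10))]},
    # Paid before the approval was recorded.
    {"id": "RFD-4", "amount": 400, "initiator": "ubm.d", "expenditure_date": date(2013, 9, 15),
     "approvals": [("head.d", "dean_chair", date(2013, 9, 20))]},
]


def check_rfd(rfd, threshold=DUAL_APPROVAL_THRESHOLD):
    """Return the control exceptions for one RFD (an empty list means it passes)."""
    findings = []
    approvers = {who for who, _role, _when in rfd["approvals"]}
    roles = {role for _who, role, _when in rfd["approvals"]}
    if not approvers:
        findings.append("no approval recorded")
    if rfd["initiator"] in approvers:
        findings.append("initiator approved own request")
    if rfd["amount"] > threshold and not {"ubm", "dean_chair"} <= roles:
        findings.append("amount over threshold without UBM and dean/chair approval")
    # Every approval must predate the expenditure; a later date is after-the-fact.
    if any(when > rfd["expenditure_date"] for _w, _r, when in rfd["approvals"]):
        findings.append("approval obtained after expenditure")
    return findings


def check_rfds(rfds, threshold=DUAL_APPROVAL_THRESHOLD):
    """Map each RFD id to its exceptions, omitting RFDs that pass every check."""
    report = {}
    for rfd in rfds:
        findings = check_rfd(rfd, threshold)
        if findings:
            report[rfd["id"]] = findings
    return report
```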
5. Have Vendor Invoices Mailed Directly to the Accounts Payable Department

The majority of vendor invoices are mailed directly to the individual colleges and departments instead of to the Accounts Payable Department. This creates the following potential issues:

- Invoices could be manipulated at the department level
- Invoices can be lost or misplaced
- Invoices may not be processed on a timely basis

We recommend all vendor invoices be mailed directly to the Accounts Payable Department. Timely receipt and entry of invoices into the Accounts Payable database improves segregation of duties and provides management with information necessary for analyzing current obligations in order to effectively manage cash. Additionally, it allows the University to have a more complete record of its accounts payable obligations at any given time, resulting in improved internal controls and ensuring proper month-end and year-end cutoffs for financial reporting purposes. (1.2)

6. Standardize Guidelines and Procedures for the ProCard Reconciliation and Review

Currently, there is no standard procedure across all colleges and departments for reconciling and approving ProCard transactions. From our meetings with various staff throughout the University, we found a variety of methods being used to reconcile ProCards. Additionally, we found one department where the ProCard liaison had certified that the ProCards had been reconciled and approved, when in fact the ProCard reconciliation had not been approved.

We recommend the University standardize guidelines for ProCard reconciliations to ensure the guidelines are being followed. (10.1)

7. Monitor Speed Types with Negative Balances

We noted that a speed type had a negative balance for some time. The chair of the department continued to approve expenditures for this speed type without having the funds available.
The UBM indicated that the school had a guest speaker from another university come and, because of the deficit in the fund, the invoice for the speaker had not been submitted to accounts payable. The first issue is that expenditures should not be incurred without the funds necessary to pay for goods or services. The second issue is that the University could have legitimate unrecorded liabilities.

Except in limited circumstances when timing is an issue, we recommend that speed types not be permitted to have a negative balance. (14.2)

8. Automate the Accounts Payable Process

The Accounts Payable Department is primarily paper based concerning the processing of invoices. By using an automated workflow system, invoices could be scanned and routed to the proper employees electronically. This would improve efficiency and reduce administrative costs. Other potential benefits include:

- Improved cash controls
- Ability to interface with vendors that use automated systems
- Ability to investigate and resolve issues and problems that may arise on a timely basis
- More timely, accurate, and useful reports

We recommend the University automate the accounts payable process by implementing an electronic workflow for documents. (1.3)

Assessment of Vendor Controls
University of Louisville
February 2014

Our firm was asked to review the process for approving and maintaining vendors. Even an organization with the strongest internal controls over the check writing process can be a victim of fraud if the controls over adding new vendors are not adequate. Vendor schemes are not generally complex, but can be very costly. Typically, the scheme is as simple as adding a company controlled by the fraudster to the vendor master list and writing checks to that vendor. Another common scheme is where a fraudulent vendor is set up with a name similar to a legitimate vendor.
Currently, the colleges and/or departments have primary responsibility for determining whether a company or individual should be designated as an authorized University vendor. Once a vendor is in the University system as an approved vendor, it is much easier to authorize disbursements to that vendor. Because of the size and complexity of the University, someone wishing to commit fraud is halfway there if they can get the vendor set up in the system.

Currently, a limited review of vendors is performed before they are authorized. Federal identification numbers are verified, any potential conflicts of interest with University personnel are reviewed, and a sanction check is used to see if a vendor has been debarred. These are good procedures. In addition to those steps, we recommend that all vendors be further checked by verifying that they:

- Have a physical street address
- Have a website that appears to be legitimate
- Are registered with the Secretary of State in which they are domiciled.

We realize that not all vendors will have these additional items, but any exceptions can be documented.

We also recommend that all vendors have a reasonable maximum dollar amount, entered into the system at the time they are set up, that they can be paid in any given year. The maximum amount could always be raised later if reasons for the increase could be justified.

Monitoring of Existing Vendors

Not only is it important to have proper internal controls and procedures in place for when a new vendor is added, but once they are added, they should be subject to an ongoing monitoring process. We recommend periodic vendor maintenance procedures be developed and implemented. These procedures should be performed by someone without authorization to process vendor payments. Each examination may help to uncover potential instances of vendor-related fraud, highlight opportunities for strengthening controls, and potentially mitigate future exposures.
These procedures can be adjusted based on risk profiles.

We recommend a comparison of the current vendor master list to the previous year's list to identify differences or discrepancies that should be investigated. This review can be performed manually, or a report can be generated to computerize the process and flag differences such as:

- New vendors added during the year
- Vendors that had address changes
- Inactive vendors that were activated
- Disbursements made to different vendors with the same mailing address
- Disbursements to vendors with similar names
- Vendors that have a P.O. Box listed for an address
- Comparison of vendor addresses against University employee addresses
- Comparison of vendor bank accounts against employee bank accounts

We recommend deleting inactive vendors from the system within a specified period of time (for example, two years).

We recommend a vendor purchase analysis be performed. This analysis could be a report that provides a recap of total purchases for the year, the purchase order total for the year, discounts taken/lost and the amount of the prior year's purchases. This analysis could also flag vendors that had consecutive invoice numbers. We also recommend follow up on vendors that have had a credit memo balance for an extended length of time.

Note: Some of the above regarding ongoing monitoring of vendors was taken from the article "Review Your Master Vendor List to Fight Fraud" by Marion Williams, CPA. Used with permission.
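As an added example (not from the report or the University's systems), this implements several of the vendor master list flags listed above as a year-over-year comparison of a constructed vendor list against constructed employee records: new vendors, address changes, reactivations, P.O. Box addresses, matches to employee addresses or bank accounts, and look-alike vendor names. The record fields, the 0.85 name-similarity cutoff and the sample data are assumptions.

```python
# Year-over-year vendor master review implementing the flags listed above.
# Added example, not the report's or the University's code; record fields and
# the sample vendors/employees below are constructed assumptions.
import re
from difflib import SequenceMatcher

# Constructed sample data: last year's master list, this year's, and employees.
PREVIOUS = {
    "V100": {"name": "Acme Lab Supply Inc", "address": "12 Mill Rd, Louisville KY", "bank": "111-222", "active": True},
    "V101": {"name": "Bluegrass Printing", "address": "9 Elm St, Louisville KY", "bank": "333-444", "active": False},
}
CURRENT = {
    "V100": {"name": "Acme Lab Supply Inc", "address": "12 Mill Rd, Louisville KY", "bank": "111-222", "active": True},
    "V101": {"name": "Bluegrass Printing", "address": "P.O. Box 77, Louisville KY", "bank": "333-444", "active": True},
    "V102": {"name": "Acme Lab Supplies Inc.", "address": "40 Oak Ave, Louisville KY", "bank": "555-666", "active": True},
}
EMPLOYEES = [{"name": "J. Doe", "address": "40 Oak Ave, Louisville, KY", "bank": "555-666"}]


def _norm(text):
    """Upper-case and drop punctuation/spaces so cosmetic differences compare equal."""
    return re.sub(r"[^A-Z0-9]", "", text.upper())


def review_vendors(current, previous, employees, name_similarity=0.85):
    """Return sorted (vendor_id, flag) pairs that the reviewer should follow up on."""
    flags = []
    emp_addr = {_norm(e["address"]) for e in employees}
    emp_bank = {e["bank"] for e in employees}
    for vid, v in current.items():
        old = previous.get(vid)
        if old is None:
            flags.append((vid, "new vendor"))
        else:
            if _norm(old["address"]) != _norm(v["address"]):
                flags.append((vid, "address changed"))
            if v["active"] and not old["active"]:
                flags.append((vid, "inactive vendor reactivated"))
        if re.search(r"\bP\.?\s*O\.?\s*BOX\b", v["address"], re.IGNORECASE):
            flags.append((vid, "P.O. Box address"))
        if _norm(v["address"]) in emp_addr:
            flags.append((vid, "address matches an employee"))
        if v["bank"] in emp_bank:
            flags.append((vid, "bank account matches an employee"))
    # Pairwise name comparison catches a look-alike set up beside a legitimate vendor.
    ids = sorted(current)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if SequenceMatcher(None, _norm(current[a]["name"]), _norm(current[b]["name"])).ratio() >= name_similarity:
                flags.append((b, f"name similar to {a}"))
    return sorted(flags)
```

The function takes the two master lists and the employee file as plain dictionaries, so it can be fed from a CSV export of the vendor table without changes to the checks themselves.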