Original air date: Nov. 7, 2013. View a recording at http://www.mhmcpa.com
Managing risks has never been so important. Technology, regulation and operations continue to change and evolve at speed, requiring management to be more proactive than ever in navigating risk. Not-for-profit and educational organizations are especially impacted given the nature of funders, people served and reputational risks. Presented by experts from Mayer Hoffman McCann’s Not-for-Profit and Education Practice Group, this course will feature new and emerging trends in business risks impacting not-for-profit and educational organizations. We will discuss health care reform; ACH and wire transfers; business continuity; accounting, enterprise and fraud control risks; and best practices of current corporate governance.
New and Emerging Business Risks for Not-for-Profit and Educational Institutions
Presented by: Shareholders Mike Burns, Scott Goldberg and Michelle Spriggs
November 7, 2013
Today’s Presenters
Michael T. Burns, CPA, Shareholder, 617.761.0584
Mike is the Managing Director in Charge of the Firm’s National Not-For-Profit and Higher Education Practice. Additionally, Mike leads the New England Not-For-Profit and Higher Education Practice and provides services directly to a wide variety of educational, cultural and social service organizations. Mike has more than 25 years of audit experience and exclusively serves not-for-profit organizations. He assists clients in the areas of financial statement audits, audits under OMB Circular A-133, financial aid audits, internal control reviews and debt offerings, accounting matters, and related business concerns. Mike has built a reputation for quality service in the not-for-profit community and has been the lead partner on a wide array of New England-based organizations.
Scott J. Goldberg, CPA, Shareholder, 212.790.5713
Scott serves as the Not-for-Profit practice leader for the New York office and advises clients with best business approaches to diversified accounting and management issues. He has more than 18 years of experience serving nonprofit organizations including charter schools and charitable, cultural, and health and welfare organizations. Scott’s in-depth background encompasses audits of federal awards in accordance with OMB Circular A-133 and other third-party reimbursements. Scott shares his expertise as an instructor on topics related to nonprofit fiscal management and offers continuing education professional seminars in all areas of nonprofit accounting. In addition, Scott has delivered several presentations to various professional and industry associations.
Michelle E. Spriggs, CPA, MBA, Shareholder, 774.206.8336
Michelle is a Shareholder in the Firm’s Not-For-Profit and Higher Education Audit Practice. Michelle is the not-for-profit subject matter expert in the Firm’s National Professional Standards Group. She has over 20 years of audit experience and is solely dedicated to serving not-for-profit organizations. Her experience includes managing financial statement and OMB Circular A-133 audits; assisting in bond offerings; providing recommendations on internal controls; and training other accounting and auditing professionals to provide support to not-for-profit clients.
Disclaimer
The information in this Executive Education Series course is a brief summary and may not include all the details relevant to your situation. Please contact your MHM service provider to further discuss the impact on your financial statements.
Today’s Agenda
1 Governance – Policies, Procedures and Protocol
2 Governance – Audit Committees: What We Are Seeing
3 Governance – Effective Audit Committees
4 Management – What We Are Seeing
5 Health Care Reform
6 Questions and Answers
New and Emerging Trends in Business Risks
Our objective today is to remind you about the various issues, trends and risks (and best practices) that we see impacting not-for-profit and educational organizations.
Our hope is that each of you will leave today with a few new thoughts, ideas or areas that might merit further attention and consideration at your organization.
GOVERNANCE
What We Are Seeing
Governance: Policies, Procedures and Protocol
Our world demands good governance, accountability and transparency.
Our discussion is not intended to be exhaustive, but a primer to use as a reference of “best practices”
  Tailored to your individual organization
  Legal counsel review
Federally or State mandated vs. “strenuously advocated”
  Congress enacted SOX legislation:
    whistle-blower (section 1107)
    document retention (destruction) (section 802)
  Senators Charles Grassley/Max Baucus and Independent Sector
  UPMIFA (state versions)
    Investment policies
    Endowment spending
IRS redesigned Form 990 (Red flags)
  Mission statement adoption by board
  Conflict of interest (and annual reaffirmation)
    Defining “conflict”
    Which steps to take to ensure conflicts are handled properly
  Gift acceptance
  990 review process
  Process for determining compensation
    Intermediate sanctions – Executive Compensation (IRC Section 4958)
    Annually evaluate performance
IRS redesigned Form 990 (Red flags)
  Contemporaneous documentation of meetings held – board and committees
  Process to make available – governing documents, conflict of interest policy and financial statements
  Oversight of annual financial statement audit
  Selection of independent accountant
  Procedures for grant recipient selection
  Procedures for grant recipient monitoring
  Governance of local chapters, branches and affiliates
Other policies:
  Expense reimbursement
  Travel
  Statement of Values and Code of Ethics
    Formally adopted written code
    Often signed off by board, management, staff and volunteers
  Familiarity with applicable federal, state and local laws and regulations
    Fiduciary responsibility
    Proactively staying current – on whom does the NFP rely?
  Protection of assets
    Understand risks
    Establish and monitor controls
Other policies:
  State solicitations and registrations
  Debt covenant compliance
  Review of organizing documents – articles of incorporation, by-laws, etc.
  Review of board composition (talent, size, diversity and structure)
    Experience
    Financial skills
  Board education and communication
Audit Committees - What We Are Seeing
Most audit committees have adopted fairly detailed charters to plot the agenda of their various meetings and the activities they need to carry out to achieve their mission; if your organization does not have a detailed charter, that should be considered.
The AICPA has an excellent template available for free that can be tailored to your own needs.
Most audit committees are now at least asking to understand the results of benefit plan audits, which we support given that sponsors are the “make whole” party for benefit plan defects. While often this does not rise to the inspection and oversight associated with the financial statement audit, this is a best practice.
Most audit committees now review IRS Form 990 prior to filing so as to answer questions most positively on that form; still others are reviewing IRS Form 990T. Some bring in their tax advisors for that meeting, while others do not.
Many audit committees have insurance brokers and advisors present periodically about insurance trends, coverage, risk levels and related matters; we believe this is a wise consideration even if on a three-year cyclical basis.
Smaller organizations are seeking out more internal audit/special project support via firms or collaboratives that provide such services on an outsourced basis.
Most commonly IT is a high exposure/high risk item that outside support is sought out to ensure best practices, good security and modern practices are being followed; this can make for a good road map to the future in IT which many organizations find valuable.
Some organizations now get a formal update from management annually on litigation and exposures which we believe is a best practice.
Many audit committees have somewhat expanded their role to effectively become the “Risk Management Committee.”
Some of the activities already mentioned are evidence of this expanding role given that often oversight of these matters is not assigned to any other committee.
We have seen growth in organizations going through formal (consultant) driven enterprise risk assessments.
Still others have chosen to do it on a lower-cost, more-informal basis via tools and materials found on the Internet which can act as a guide to a methodology in such a process.
Those that have gone through this process have found that the role of the audit committee is to be the “risk quarterback”. Thus, the audit committee does not take over each risk, but ensures that a sufficient inventory of risks has been taken, that management has or will have mitigations in place and that oversight is assigned to various committees of the board.
Thus, the audit committee assures itself that risk monitoring and oversight is reasonably understood by the committee taking on that charge.
Sometimes there is overlap with an objective. For example, the investment committee might be charged with achieving an investment return, but that needs to be in the context of the overall needs and risk tolerance of the organization; thus we have seen more joint meetings of board committees to calibrate competing demands such as financial conservatism with the need to take risks in the market or the level of need/demand for an endowment draw that is instructive to what committees carry out and recommend to the full board.
Thus committees seem to be increasingly aware that they cannot always carry out their work in isolation within the governance structure.
Many audit committees have discussed the need to increase oversight over the CEO’s expenses, which can cover two fronts: expense reimbursements for business expenses, and expenses incurred by the office of the president or CEO.
This practice has emerged given the inherent conflict that exists in that without oversight the CEO’s expenses are effectively approved by subordinates.
In looking at NFP and educational organizations, CEO expenses have frequently been the cause of scandal and embarrassment causing risks to reputation and fundraising which cannot be afforded; often this resulted from the lack of oversight and monitoring.
Many boards now have their chair or audit committee chair review the expenses of the CEO on an after-the-fact basis to make sure they appear to be orderly, documented and reasonable.
Increasingly we are seeing more legal talent as part of the audit committee in addition to the traditional financial expertise that has long been valued on the audit committee.
In our view, this is aligned with the evolving role of the audit committee in NFP governance.
We recommend that you consider where your organization is on this journey and consider what elements might make sense or be right to be considering in terms of best and emerging practices in corporate governance.
Governance: Effective Audit Committees
An audit committee’s primary role is to instill confidence that the NFP has established sound internal controls that protect against reputational risk while securing procedures that ensure accountability and independence.
  Mitigate “headline” risk
  Manage business risks
  Avoid distractions
  Focus on mission
  Increase transparency
Audit committee considerations
  Audit committee charter
    Define member roles and responsibilities
    Annual review of new laws, regulations, and best practices
  Financial expertise considerations
    Invite individual possessing NFP expertise to join
    Education initiatives to improve the financial expertise of the committee as a whole
  Membership
    Independence
    Prohibit employee from serving
Audit committee considerations
  Risk management
    Inquire of management, general counsel, external counsel and the external auditors about significant risks or exposures facing the organization, as well as legal and regulatory issues that may have a material impact on the financial statements
    Assess the steps management has taken or proposes to take to minimize such risks to the organization
    Periodically review compliance with such steps
Audit committee considerations
  Meetings
    Scheduled as needed, but not less than twice each year
    Pre-audit
      Engage external auditors
      Meet with external audit partner to discuss scope, timing, materiality, the communications process, deliverables and fee
      If internal audit function exists, discuss the ability of the external auditor to rely upon the results of the internal audit team
      Review and execute engagement letter
    Post-audit – Presentation from external auditors
      Draft financial statements, including reports
      Communication with those charged with governance
        Required communications
        Recommendations (“management letter”)
      Oversee annual report to the board of directors/trustees
      Executive session
Audit committee considerations
  Meetings
    Other meetings/discussions during the year
      Critical accounting policies and practices used by the organization
      If applicable, alternative treatments of financial information within US GAAP discussed with management
      The ramifications of each alternative, and the treatment preferred by the organization
      Any consultation with audit firms other than the external auditors, including reasons for and results of the consultation
Audit committee considerations
  “Findings” disclosed during annual audit
    Discuss with management the course of action
    Request a timeframe in which these recommendations will be addressed
    Set dates on calendar to assess progress
Audit committee considerations
  Review various reports and policies annually with leadership
    Interim financial statements with emphasis on changes in reporting, new and unusual transactions, and financial trends
    Conflict of interest – reaffirmations
    Significant related party transactions
    Review all instances of fraud to determine enhancements to antifraud programs and controls
    Major risk exposures to fraud and the programs and controls to aid in its prevention and discovery
    Whistle-Blower Tracking – Review any complaints that might have been received, current status and resolution if one has been reached
  Self-evaluation
    Review the accomplishments
    Make recommendations for improving effectiveness
MANAGEMENT
What We Are Seeing
Management: What We Are Seeing
Organizations are being assaulted with growing external requirements every day throughout the spectrum of types of NFPs.
Funders attach more strings, business jurisdictions impose local rules both nationally and internationally, more on-site inspections occur by funders and regulators, and the complexities of programs with federal or state dollars behind them are getting increasingly challenging to carry out.
Most organizations continue to be highly decentralized relative to the responsibility and accountability for the managing of these operational complexities.
Larger organizations have long had offices of general counsel or compliance and regulatory affairs, but mid-sized and smaller places have not.
Considering a Compliance Officer Role
Increasingly non-giant organizations are establishing an internal corporate counsel or chief compliance officer position.
While budget challenges are a real issue here, many organizations have concluded that the cost of not having this position is greater than the cost of having it.
This position will most often report directly to the CEO/president.
This position most often has dotted-line oversight over the various aspects of regulatory, contractual, human resources and related matters that are housed in various functional areas.
Part of the role of this function is to elevate risk awareness and to ensure uniformity and that best practices are followed across the organization to protect it from the risks and perils that may occur throughout operations.
If you embark on such a role, there will be some growing pains as traditional power centers need to share and collaborate on items.
Use of Corporate Credit Cards
We have seen heavy growth in the use of corporate credit cards, purchasing cards and related changes in programs.
We prefer the programs where the employee has responsibility to submit expenses in order to be reimbursed rather than pay off of statements and having to follow up on documentation with the associate.
We prefer programs where the card is in fact a legal obligation of the employee rather than the employer.
We have seen increased use of outside software which allows for downloading of data from the credit card data which can lower the cost and increase the speed of transaction processing.
We are not big fans of corporate credit cards in general. We find many organizations have large quantities of cards floating around. In some cases, this may empower employees to feel a bit more entitled to spend funds than may really be necessary. There is also a cost of administrating these programs.
Oversight of Decentralized Functions
Many organizations have delegated or must delegate significant authority to other departments to collect revenues on behalf of the organization.
Some are very familiar, such as selling a ticket for entry, registering and accepting payment for a service and other familiar revenue-generation functions.
Recent incidents of fraud suggest that decentralized functions are at an increased risk for fraud, the most common of which would be skimming.
Organizations large and small need to have more robust controls to be assured that revenue transactions are complete (thus ensuring that revenue events are recorded in the various systems).
Point-of-sale controls are the most common area, and probably the best controlled. Often there is segregation between the sale of a ticket and the admission into a hall, event venue or exhibit. Also, point-of-sale systems tend to have good risk-reducing controls over voiding transactions and printing of tickets. Since accounting turns this function over to other departments in most cases, testing and monitoring by finance is advised.
Other areas do not have such systems. These have a much higher risk. Outside rentals of facilities is a common function run by various departments.
These groups tend to not think about systems, controls and records the way we might normally in accounting.
Often accounting has no role or duty in any aspect of the transaction but for depositing any revenues received which makes it ripe for skimming.
Here are some best practices with these cases:
  Make sure there is a price list that must be followed that is signed off and approved by hopefully finance; require deposits in advance.
  Require that contracts be issued in advance that outline terms. Make sure that finance is copied on all contracts so that expected cash flows can be monitored.
  Do not allow a bank account. If one must be set up, make sure it is carefully watched by accounting and that no checks can be written on the account.
  Set a good and fair budget for the function. Get granular and understand the activity so budget to actual results have a reasonable chance to detect skim; get others involved (perhaps the supervisor) in the assumptions of that budget as the front-line person with control might have incentive to set that number low in order to reduce the ability to detect a negative trend.
  Require that a log book or calendar publicly post the use, and manage and monitor the utilization of such use. For example, in the case of athletic fields, periodically observe outside use and check that back to the outside use records. This could go a long way to help ensure that all rentals are reported – let folks know this is done.
  Rotate this function and duty to different people over time so you limit the risk of one person being fully responsible for too long.
Payment Controls
False checks being presented on your bank account is the number one fraud we are seeing with our clients. While this is most often not from within the organization, it nonetheless represents an ongoing risk.
Many organizations have partnered with their banks to upload payment data on issuance of checks so the bank can reject any presented items that are not on the authorized list. This service tends to check amount and check number. Payee data may still need to be checked on clearing to make sure the check was not altered/intercepted and replaced with a false payee so unless your bank assures you this payee info is checked as well, be cautious.
Reconciling vendor statements seems to have gone out of style, but this is still a valuable control to detect intercepted payments and routine errors. Ideally, somebody other than the payables clerk will work to reconcile these as the payables clerk could discard or otherwise manipulate vendor records to delay detection.
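The matching described above, sketched as an added example that is not part of the original presentation: presented checks are compared against the issued-check register on check number and amount, with the payee comparison as a separate step that can be switched off to show what a number-and-amount-only service would miss. The record layout, function names and sample checks are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
import re


@dataclass(frozen=True)
class Check:
    number: str
    amount: Decimal
    payee: str


def normalize_payee(name: str) -> str:
    """Lower-case and collapse punctuation so 'Acme Supply, Inc.' equals 'ACME SUPPLY INC'."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def review_presented(issued, presented, check_payee=True):
    """Compare presented checks with the issued register.

    Returns a list of (check_number, reason) exceptions in presentment order.
    With check_payee=False only check number and amount are compared, which is
    the level of matching the text says the bank service tends to perform.
    """
    register = {c.number: c for c in issued}
    already_cleared = set()
    exceptions = []
    for item in presented:
        record = register.get(item.number)
        if record is None:
            # Check number was never issued by the organization.
            exceptions.append((item.number, "not_issued"))
            continue
        if item.number in already_cleared:
            # Same check number presented a second time.
            exceptions.append((item.number, "duplicate_presentment"))
            continue
        already_cleared.add(item.number)
        if item.amount != record.amount:
            exceptions.append((item.number, "amount_mismatch"))
        elif check_payee and normalize_payee(item.payee) != normalize_payee(record.payee):
            exceptions.append((item.number, "payee_mismatch"))
    return exceptions


# Constructed sample data: the register uploaded at issuance ...
ISSUED = [
    Check("10431", Decimal("1250.00"), "Acme Supply, Inc."),
    Check("10432", Decimal("87.50"), "City Water Department"),
    Check("10433", Decimal("4300.00"), "Northside Printing LLC"),
]

# ... and the items later presented for payment.
PRESENTED = [
    Check("10431", Decimal("1250.00"), "ACME SUPPLY INC"),          # clean item
    Check("10432", Decimal("870.50"), "City Water Department"),     # amount differs
    Check("10433", Decimal("4300.00"), "J. Doe"),                   # payee differs
    Check("10433", Decimal("4300.00"), "Northside Printing LLC"),   # number seen before
    Check("20977", Decimal("950.00"), "Acme Supply, Inc."),         # not in register
]

if __name__ == "__main__":
    print("number + amount only:", review_presented(ISSUED, PRESENTED, check_payee=False))
    print("with payee comparison:", review_presented(ISSUED, PRESENTED))
```

Run without the payee comparison, check 10433 clears on its first presentment even though the payee no longer matches the register, which is the gap the text asks you to confirm with your bank.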
The importance of keeping up with reconciliation of the main operating account cannot be underestimated. False checks, altered payees and processing errors must be caught quickly for the bank to credit balances back. Again, someone other than the AP person needs to be assigned this duty.
Duplicate payments to vendors in error or to alter a check later to be diverted can be detected via a vendor statement and timely account reconciliation. This, along with the traditional review of checks and accounts payable back up before final approval of payment, continues to be very important to integrity in this process.
Too often organizations are too loose on authorization of a new vendor. Many organizations do not have approval procedures for this, but it remains important. Payments for fictitious vendors requested by those with spending authority are hard to detect if you do not have strong front-end vendor approval controls.
Another issue we see in accounts payable is duplicate vendors. While often times needed (for example a town might have a water department and an electric department that require remittances to a different address), duplicate vendors should be justified on a cyclical basis.
We have also seen big growth in the use of ACH, wires and paperless invoicing. This places new challenges on the controls over disbursements that need to be considered.
With respect to wires and ACH transactions, most organizations have done a number of things such as requiring a second person to release such a transaction. Sometimes the second party will have a perpetually changing password or other device, which avoids the risk of passwords being shared and thus segregation breaking down.
We have also seen that most banks will allow a pre-authorized list of parties that are eligible to receive such payments be cleared and approved in an effort to keep a check on the other end to reduce the risk of collusion of the parties who might be the preparer and releaser of such transaction.
Banks often do not stand behind these transactions in the same way they do with a falsely presented check. If there is theft here, it might have to be recovered via insurance rather than the traditional thinking we have relative to the bank.
We have seen clients have their computers hacked where the hacker was able to access the bank account and disburse funds. Care should be taken to protect against these threats in consultation with IT, the bank and others knowledgeable in these matters.
Paperless invoicing presents its own set of hazards, particularly related to duplicate payment and payment alteration. For example, in traditional paper systems, invoices are often cancelled by stamp, hole punch or other means. That is harder to do paperless. Same for approvals. Manual signatures approving payment versus electronic signature make it easier for an invoice to be processed twice. While AP software always checks for duplicate invoice numbers, someone with ill intent has an easier time electronically.
The bottom line is that it is worth a look at these new methods of payment and invoicing to make sure that the traditional systems of controls more common in classical transactions somehow get adopted in a form needed in the evolved environment.
Investment Controls
We often see a lack of diligence over reconciliation of transfers into and out of investments. This can take several forms: new money being transferred to investment managers, monies coming out of investment funds to the operating account or monies being transferred between existing investments.
The reason for this lack of diligence in our view is that investments are reported at market value and thus there can be a tendency to directly adjust the books to market value rather than taking the time to verify the transactional integrity of the ins, outs and transfers. Understandable, but a big risk.
Every organization should reconcile its investment accounts as if they were checking accounts. Thus, transfers of all debits and credits to the investment account need to be 100% verified as coming into or going out of the investment funds to the GL control account. This makes sure that monies transferred in actually get there, and that funds transferred out actually come to the operating account. This is needed to make sure no errors happen or funds are absconded.
An activity more difficult than checking transfers to or from the investment fund is checking ins and outs between the funds.
When a NFP sells a position, it will generally result in a liquidation and a deposit that ends up in the checking account that the investment manager will use to fund future purchases. Both sides of this transaction should be checked to verify that the reduction of the position reported (say we sold half of something) is equal to the amount deposited into the central checking/money market fund of the investment funds. The same holds true for purchases – did the funds going out equal the new position posted?
Certainly many organizations would argue that a close watch on the overall investment return would catch any big issues here, which does have some merit, but that is much like saying reviewing budget to actual of operating expenses would be your only procedure to detect fraud. It is simply a bit too high level to provide the desired level of precision needed. Also, it would be like not reconciling your checking account because you know what you think the balance should be. Certainly we all know that is considered blasphemy in cash, so let’s hold the same truth with investments.
The other area that we continue to see is that organizations tend to over-rely on third parties with respect to the reliability of data.
We just covered the reconciliation control aspect of that, but there is more to this than just reconciliation.
After the Bernie Madoff scandal, organizations are under more pressure than ever to monitor their investments for existence and valuation.
Alternatives are the challenge here as we tend to not have the comfort of a third-party custodian who is telling us that the position exists, is owned and is linked up to the various markets to properly price the position. Thus, the alternative positions are where the heartburn resides.
While most organizations with any considerable endowment or investment portfolio have smart people on the investment committee and likely engage an investment management expert, this is only part of the due diligence needed.
The main other control is to review and assess the veracity of the investment returns. We tend to see little to no documentation on this, which means that the work done by the consultant and the good sense of the investment committee are the oversight elements relative to results.
Management should have some stake in this game; a review of actual reported returns to the proper benchmark should be carried out on each alternative investment position. The consultant will do this as part of their service. Importantly, they should document any significant variation from benchmark, grounding their comments in how the alternative position would have done better or worse based on the specific investment nuances of the security. This is the area where some consultants fall short and they often can reasonably explain this.
Management then can be in a position to evaluate that these considerations were in fact looked at with due care by people with special expertise.
This also allows management to make inquiries of the expert after reviewing the material, and that review should be documented.
This review does not require that you are an investment expert as much as it requires that you are a business person taking a reasonable level of ownership of the data by exercising some surgical due diligence to the cause.
Many believe that increased monitoring, ensuring that a third-party custodian is used when traded securities underlie the fund, and the use of a reputable audit firm would have led to earlier detection of (or even passing on the investment in) the Madoff Funds.
Perhaps you can be a hero in your organization by having enough diligence internally to avoid this from happening to you.
HEALTH CARE REFORM
Key ACA provisions effective in 2014
Individual Mandate: Institutes penalties for failing to purchase health insurance
Taxes and Fees: Levies taxes and fees against health insurers and other groups to fund subsidies and risk management mechanisms
Guaranteed Issue (GI) and Rating Changes: Prohibits health plans from denying coverage or rating applicants based on their health status
Risk Management Mechanisms: Levels the playing field between health plans and mitigates the impact of guaranteed issue and pricing uncertainty in the short term
Employer Mandate: Institutes penalties for employers who fail to offer affordable comprehensive coverage (2015)
Tax Credits and Subsidies: Lowers the cost of coverage for the low and middle income populations in the Individual market
Insurance Exchanges: Creates government regulated Individual and Small Group health insurance marketplaces
PPACA provisions, effective in 2014, will have a significant impact on the health care market and significantly increase the number of insured individuals.
Source: Congressional Budget Office
Questions?