Idea Transcript
Working With Your Auditor Internal controls are used to ensure that financial statements are accurate and the plan is being operated effectively, efficiently and in compliance with laws and regulations. Ultimately, trustees are responsible for these controls.
46
benefits magazine april 2014
v51 no4
by | Patrick C. Stines and Ann Kellen
A
t a recent International Foundation conference session, trustees asked a multitude of questions about internal controls. It seemed as though, through no fault of their own, they didn’t clearly understand their role in the plan’s internal control process and how that relates to the functions of the external independent auditor. As a trustee, you likely are concerned with accurate financial reporting, protecting plan assets and complying with laws and regulations. A sound system of internal control is an integral part of these functions. This article is intended to be a quickreference tool to familiarize you with or enhance your understanding in the areas of: • What is internal control? • The role of your external independent auditor • Controls at your third-party administrator (TPA) • The audit committee • Basic plan controls and policies.
april 2014 benefits magazine
47
fiduciary responsibility
takeaways >> • �Internal controls are the practices and procedures used in running plan operations and reporting to interested parties. • �Benefit plans with clearly defined employee roles and accountability measures enhance the efficiency of trustee oversight. • �A plan’s control activities should be tailored to its specific needs. • �Internal control is a management function, not the responsibility of the external independent auditor. • �Trustees have a fiduciary responsibility to monitor third-party administrators. • �An auditor can help trustees or management by informing them of expiring or nonexistent plan policies and contracts.
• Policies and manuals including an ethics policy, a conflict of interest policy, human resource manuals and accounting manuals • Management’s response to known internal control weaknesses: Have prior recommendations been corrected or are practices unchanged? • Defined organizational structure: Who does what? Is there adequate segregation of duties? External auditors make inquiries of plan personnel. From those inquiries, we usually can determine if a strong system of internal control is in place. An answer such as “I don’t know” can be an indicator of a lax control environment. Benefit plans with clearly defined employee roles and accountability measures enhance the efficiency of trustee oversight function. Risk Assessment—What Could Go Wrong?
What Is Internal Control? As a trustee, you are a member of the plan’s governing body and, therefore, ultimately responsible for implementation and oversight of internal controls. Accounting standards define internal control as a process implemented by management to provide assurance regarding: • Reliability of financial reporting • Effectiveness and efficiency of operations • Compliance with laws and regulations • Safeguarding of assets. More than just a set of rules, internal controls are the practices and procedures used in running plan operations and reporting to interested parties. The goals of internal controls are to improve organizational performance, enhance oversight and prevent or detect fraud. Accounting standards use an internal control framework developed by the Committee of Sponsoring Organizations (COSO), a group of professionals from public accounting, government, education and related fields. The COSO model breaks down the reporting model into five core components: control environment, risk assessment, control activities, information and communication, and monitoring. Control Environment—“Tone at the Top” This is the foundation of an internal control system and is the demonstrated attitude of those who run the organization. The tone at the top includes:
48
benefits magazine april 2014
Risk assessment includes: • Addressing changes in regulatory and economic environments • Management-established objectives (e.g., budgets) • An outside review of high-risk areas • Assessment of fraud risk. Risk assessment involves establishing objectives at different levels (reporting, operational, compliance-based) and identifying and analyzing what could go wrong. For example, the process of developing a disaster recovery plan is part of the risk-assessment process. Control Activities—Policies and Procedures in Response to Risk Analysis Plan sponsors need to establish: • What should be done, how and by whom? • Policies and procedures regarding: —Performance —Information processing and reporting —Physical controls —Segregation of duties. These processes help plan management and employees ensure their directives are carried out and are working to achieve their objectives. A plan’s control activities should be tailored to its specific needs. Information and Communication The best policies and procedures will be ineffective unless they are communicated effectively. This includes insuring that:
fiduciary responsibility
• Financial results are recorded and communicated in a timely manner. • Documentation is retained in accordance with plan rules and legal requirements. • Employees are kept well-informed. Communication breakdown could be a recipe for disaster. Departments within the fund office should routinely meet and discuss individual roles and processes. Monitoring This includes any activity ensuring controls are operating as planned and designed and entails: • Ongoing evaluations • Identifying and correcting deficiencies. Examples of monitoring could be a discussion by the fund administrator at a board meeting, communications with the plan’s external auditor as a routine part of the audit committee function or a chat with the fund administrator. The objective would be to determine if established procedures are being followed and what areas require corrective enhancement.
External Independent Auditor Responsibilities A common misconception is that internal control is the responsibility of the external independent auditor. Internal control is an inside job; a management function. Under current audit rules, the auditor is required to obtain an understanding of internal control relevant to the audit. That means in order to design audit tests, the auditor must first gain an understanding of the key internal processes related to the area he or she is testing. For example, while reviewing cash disbursements, the auditor generally would need to know: • Who prepares bank reconciliations? • Who reviews bank reconciliations? • Who approves invoices prior to writing checks? • Who signs the checks and by what means (manual signature or stamp)? • How often are accounts payable processed? By obtaining the information related to that area’s process, the auditor can develop a plan on how to audit that key area. Generally, the audit approach is broken down to focus on key reporting cycles including but not limited to: • Cash disbursements • Employer contributions and receipts
• Benefit payments • Investment holdings and valuation • Related party transactions. Your auditor is required to inquire of plan personnel in order to understand what controls and processes are in place and to determine if they have been implemented and functioning properly. Control evaluation usually consists of the following: • What processes exist? • Is the plan using them? • Are they effective in preventing errors? After evaluating the control design, the auditor is required to report in writing any control deficiencies he or she has discovered. From the auditor’s perspective, a deficiency is any process, or lack thereof, that will not timely prevent a misstatement to the financial statements. This reporting could also include violations of current practices that have not resulted in a financial reporting error but could lead to such an event. Below are a few examples of internal control deficiencies: • Trustee expense reports are not reviewed prior to payment. • There is no monitoring of outside providers. • Money paid to the pharmacy benefits manager is not reconciled to detailed claims registers. • No employer payroll audits are performed.
learn more >> Education Essentials of Multiemployer Trust Fund Administration June 2-6, Brookfield (Milwaukee), Wisconsin Visit www.ifebp.org/essentialsme for more information. Accounting and Auditing Institute for Employee Benefit Plans June 23-25, Las Vegas, Nevada Visit www.ifebp.org/accountants for more information.
From the Bookstore Payroll Auditing: A Guide for Multiemployer Plans, Second Edition Lawrence R. Beebe and Philip Vivirito. International Foundation. 2014. Visit www.ifebp.org/books.asp?7303 for more details. Trustee Handbook: A Guide to LaborManagement Employee Benefit Plans, Seventh Edition Edited by Claude L. Kordus. International Foundation. 2012. Visit www.ifebp.org/books.asp?7068 for more details.
april 2014 benefits magazine
49