2021-2022 Management Audit
Entity-level Controls Review
January 17, 2023
EXECUTIVE SUMMARY
OVERVIEW
Metropolitan St Louis Sewer District (MSD) management, along with the Internal Audit Department,
identified the need to review Entity-level controls. Metropolitan St Louis Sewer District’s Internal Audit
Department partnered with UHY Advisors to review the program. The review covered the processes in
place during the period January 2021 to April 2022.
Entity-level controls are important as they help ensure that management directives pertaining to the
company are implemented and functioning as intended. UHY’s philosophy uses the COSO – Internal
Control Framework combined with our own project methodology to provide our clients quality audits and
great customer service throughout the audit process.
OBJECTIVE
The objective of the Entity-level controls review was to: i) assess the efficiency and effectiveness of
internal controls that adapt to business changes, operating environments and mitigate risks to an
acceptable level; ii) determine if all components of internal controls are present and operating; iii)
determine if there were gaps or deficiencies requiring mitigating actions.
In efforts to continually improve MSD operations, UHY looked for opportunities for improvement that can
be applied to MSD and provided examples when possible.
SCOPE
AREAS IN SCOPE: The scope was to review entity-level controls to identify whether they were in place
and operating effectively, and whether staff along with leadership were aware of and performing the
controls. The following components were reviewed:
● Control Environment – Integrity and ethical values, commitment to competence, management’s
philosophy and operating style, organizational structure, assignment of authority, human resource
policies and procedures
● Risk Assessment – Company-wide objectives, activity-level objectives, risk identification and
management, and managing change
● Information and Communication – Information availability, reliability of IT systems, and
communication
● Monitoring – Ongoing monitoring, reporting deficiencies and separate evaluations
PROCEDURES PERFORMED
We executed the testing agreed within the Audit Program/Risk and Control Matrix which included the
following:
● Interviewed eight Directors and six Trustees from March to May (Appendix C)
● Analyzed documentation to determine the adequacy of the design and effectiveness of the internal
controls, monitoring and management oversight
● Conducted an anonymous survey of approximately 20% of the employees
● Determined the impact of any errors (deficiency, significant deficiency or material weakness)
● Reviewed documentation, including policies, procedures, job aides and standards
● Documented test work in workpapers
● Prepared a Report clearly and concisely communicating results
CONCLUSION AND RISK RATINGS
Metropolitan St Louis Sewer District has a very collaborative leadership team. Open discussions take
place regularly, some with challenging conversations. Leadership is open to change and improvement
opportunities to strengthen controls and put formal documentation in place.
As a result of the review, it was noted that there are several issues that require attention and mitigation
plans. The key items include whistleblower line, discipline, Audit Committee and financial results,
delegation of authority, segregation of duties, risk management / assessment. In some cases, the
activities are being performed; however, supporting documentation to demonstrate a consistent, formal
process does not exist. The remaining issues will require establishing a formal process with
documentation. Additionally, we have identified 3 specific areas that are process improvement
opportunities: fraud, employee control responsibilities and employee recommendations.
The ratings and the associated conditions for each area of MSD’s performance as assessed by Internal
Audit are as follows:
Ratings and Conditions
Effective - No significant deficiencies exist, while improvement continues to be appropriate; controls are
considered adequate and findings are not significant.
Needs Improvement - Some improvement is needed to bring the process to acceptable status. If performance
continues without attention the result would likely be further deterioration and place the institution at an
unacceptable level of performance and/or risk.
Unsatisfactory - Significant deficiencies exist which could lead to material financial loss, strained business
relationships, reputational risk, compliance risk, etc. to the financial institution. The need for strong corrective
action is noted and should be given top priority of senior management and the Board of Directors.
The following section provides a summary of the results for the Entity-level Controls review.
ISSUE SUMMARY
Interviews were conducted with all Trustees and Directors and organizational documentation was
reviewed to assess the design of each control. To determine effectiveness of each control, we tested
supporting documentation and performed a survey (~20%) of MSD’s employees to understand their
perspective and further support effectiveness testing. We have identified six issues that will require
mitigating activities by leadership. There are also a few items noted as process improvement
opportunities to provide leadership with other considerations for additional control strengthening.
Issue #1 - Whistleblower
Control 10 - Whistleblower program is in place and is monitored by audit committee.
Risk - Employees do not have the opportunity to anonymously report misconduct, or the audit committee is
not monitoring incidents reported to the line.
Finding: Employees are unaware of the ‘Whistleblower’ line and its objective.
• 2021 ‘Whistleblower’ complaint log had 7 submissions. 1 of the 7 was from a retired employee. The other
6 were from customers.
• A policy and procedures are not documented to outline the steps required to review all ‘Whistleblower’
incidents, formal documentation of leadership response and reporting to the Audit Committee.
• Audit Committee packets from select months in 2021 and 2022 did not mention the ‘Whistleblower’ line,
nor were there meeting minute references.
• Survey results: multiple responses indicated lack of knowledge of the ‘Whistleblower’ line and appropriate
uses.
Recommendation: Management should consider training employees on the ‘Whistleblower’ line and its
intended use. It is essential that employees know they have an anonymous mechanism in place to report
potential fraud, non-compliance with regulatory requirements, etc. Along with the training, formally
document a policy and procedures detailing the procedures to review, analyze and report to the Audit
Committee. Items to include are how to handle issues noted on the monthly report, what documentation is
required to demonstrate analysis and decisions made, leadership’s responsibilities and what is required to be
reported to the Audit Committee. A monthly summary of matters reported to the hotline should be reported
to the Audit Committee. We also understand that MSD has recently amended its contract with its hotline
service provider to add a microlearning program to educate MSD employees about the importance of ethical
conduct and raising concerns if they observe unethical conduct.

MSD agrees with this recommendation. The District does have an ethics hotline and the number is
posted throughout the District and on the MSD website but agrees that providing training to employees
on the Ethics Hotline and its intended use will make this a more effective tool. MSD also agrees to create
written policies and procedures that document the mechanisms in place to ensure anonymity and
outline the steps that will be taken to review and respond to Hotline submissions, including how MSD
will determine when items will be reported to the Board. Expected Completion: March 2023.
Issue #2 - Discipline
Control 58 - Reported problems are investigated in a timely manner and disciplinary actions are taken when
necessary.
Risk - Inappropriate conduct may not be escalated or remediated.
Finding: The Discipline Policy was last approved in 2008; more than 14 years of changes to business activities
and risks have occurred since the last review.
• The policy does not outline a formal process and procedures to be followed by leadership to report and
document infractions and associated disciplinary action, including notification to Human Resources.
• Discipline examples in the policy omit business related infractions that increase risk to the organization
or do not comply with regulatory requirements.
• When managers are handling discipline internally, Human Resources is only aware of inappropriate
conduct when they are contacted by the employee.
• Survey results: multiple responses identify the lack of appropriate and consistent discipline. Respondents
do not trust the discipline process.
Recommendation: Formally document procedures for disciplinary actions. Establish required steps,
documentation, escalation, independent validation, and reporting to Human Resources. Review and update
the Disciplinary policy at least every three years to maintain relevance. Detail activities such as
non-compliance with regulatory requirements, fraud, etc. as example infractions. This establishes clear
expectations for everyone and the organization’s commitment to ethical behavior.

MSD agrees with this recommendation. The Discipline policy should be reviewed and updated regularly.
Management will review and update the policy to reference other applicable rules such as the Civil
Service Rules, Collective Bargaining Agreements, and other policies that include examples of infractions
and address disciplinary actions. The updated policy will also document that disciplinary actions need to
be reported to Human Resources and factored into performance reviews. Expected Completion: March
2023
Issue #3 - Segregation of Duties
Control 25 - Incompatible duties are segregated (e.g., separation of accounting for and access to assets).
Risk - MSD doesn't have proper segregation of duties.
Finding: Management’s review of incompatible duties needs improvement. Management’s review is supported
by a form signed and dated by the business owner.
• The review does not demonstrate the required supporting details: who has access to certain systems and
transactions, and the type of access that each resource had during that period of time.
MSD does not maintain a segregation of duties matrix. The Internal Auditor was able to provide review and
sign-off support for segregation of duties for the following systems:
• Oracle/HR – reviewed on 10/27/21
• Oracle/Treasury – reviewed 10/27/21
• Oracle/Engineering – reviewed 10/13/21
• EPBCS – reviewed 4/30/20 – next review to be completed by June 2022.
• Finance – reviewed 5/7/20 – next review to be completed by June 2022.
• Maximo Asset Management – reviewed 5/28/20 – next review to be completed by June 2022.
However, we were unable to review an SOD matrix to determine what was reviewed (supporting
documentation) and the actual sign-off for the review.
Recommendation: Develop a standard template with the required data to demonstrate Management’s review
of segregation of duties. Management should be able to determine whether access is excessive and whether
write capabilities align with each resource’s responsibilities, particularly as roles change. Questionable items
should be discussed, and modifications should be made timely to reduce the opportunity for errors and/or
fraud. Example provided in Appendix B.

Control 50 - There are defined responsibilities for individuals responsible for implementing, documenting,
testing, and approving changes to computer programs and systems.
Risk - Appropriate segregation of duties is unclear for system updates, allowing an employee to implement an
unapproved change.
Finding: Based on our review of the Change Management (CAB) SOP, there was no delineation of clear
accountability for individuals responsible for implementing, documenting, testing, and approving changes to
computer programs and systems.
• In addition, we inspected the “All ChangeesJuly1-May13.pdf” provided by MSD. From the report, we can
clearly see who performed which processes. However, a list of existing roles and responsibilities, or a
quarterly review of these responsibilities, was not provided.
Recommendation: Consider preparing a matrix of available transactions, along with the associated systems,
to validate that segregation of duties conflicts do not exist. Example provided in Appendix B.

MSD agrees with this recommendation. MSD does use Separation of Duties (SOD) to protect against
fraud and errors and requires management to review and sign off on the appropriateness of user access
for key systems. To strengthen controls in this area,
1. A Segregation of Duties (SOD) matrix will be created as part of the Oracle Cloud migration
project. The SOD will be provided to management for review and approval.
2. The IT onboarding process will be modified to provision access per job title to consistently
administer access in alignment with employee job responsibilities.
3. The IT Security Team will own the facilitation of the annual access review process and document
evidence (date stamped) of the review by business owners.
4. The SOP for the Change Advisory Board (CAB) will be updated to reflect the change approval
process with a list of roles and responsibilities (including segregation of duties) for implementing
changes to computer programs and systems.
5. The IT Service Management system will be modified to capture and report out evidence of
compliance to the change approval process by involved resources.
These controls will be designed and built throughout the Oracle Cloud migration. Estimated Completion:
September 2023
Issue #4 - Audit Committee and Review of Financial Results
Control 40 - Audit committee charter is in place; board approved a 3-year strategic plan; board has several
active committees.
Risk - The organization does not have an Audit Committee charter establishing a process to identify, review
and resolve audit issues.
Finding: There is an Audit Committee; however, there is no charter to establish its role and responsibilities.
Recommendation: An Audit Committee Charter clearly defines the (GAO best practice) fundamental goals:
1) maintain sound internal controls, 2) objectively assess management’s financial reporting practices, and
3) ensure satisfaction with audit performance and resolution of issues.
MSD agrees with this recommendation. A Board Audit Charter should be reviewed by the Board at least
annually. The District will work with its internal audit firm, Armanino, to bring an updated Board Audit
Charter to the Board for review and approval. It will outline the Board’s authority, roles, and responsibilities.
MSD’s Internal Audit Charter will also be updated and brought to the Board for review and approval.
Expected Completion: March 2023
Process Improvement Opportunities
Fraud
Control 74 - Management identifies fraud risk factors, including management override of controls.
Risk - Fraud risks are not being properly identified, exposing the organization to theft or manipulation of
finances.
Control 81 - Fraud risk assessment including fraud scenarios is prepared by management and presented to
the audit committee or board of directors at least annually.
Risk – Fraud risk assessments that are not performed or presented to the Audit Committee and Board could
provide a false sense of comfort or a lack of knowledge of opportunities for fraud.
Finding: The last Fraud Risk Assessment was performed in Q4 2018.
• The assessment did not specifically or broadly identify any departmental manual controls or processes
that could potentially be overridden as a fraud risk factor.
Recommendation: Develop a comprehensive fraud risk assessment by including manual processes (with a
significant potential for financial loss or reputational harm) and management overrides. Consider performing
the fraud risk assessment every 2 or 3 years given the significant change that occurs in today’s environment.

MSD agrees with this recommendation. Internal Audit is currently performing a Fraud Risk Assessment but
the District agrees that comprehensive fraud risk assessments should be performed more frequently (every
two to three years) and presented to the Board/Audit Committee. Internal Audit will take the lead on
developing a Fraud Awareness/Prevention Policy that will address:
▪ Definition of Fraud
▪ Fraud categories and potential scheme types
▪ Responsibility of employees for reporting potential fraud
▪ District’s maintenance of confidentiality and obligation to protect employees
making reports
▪ Use of the District’s Ethics Hotline
▪ Role of Internal Audit
▪ Overall process for reviewing allegations, conducting investigations and reporting
on fraud investigation
Expected Completion: June 2023
Employee Responsibilities for Controls
Control 54 - Employee duties and control responsibilities are timely and effectively communicated.
Risk - Operations could be impacted if an employee is unaware of their responsibilities.
Finding: We inquired with the Director of Finance and Director of Information Systems and noted there
currently is no formal process to communicate responsibilities to employees.
Recommendation: Human Resources should redesign job descriptions to include responsibilities for control
performance and monitoring. Annually require a formal acknowledgement from each employee that they
have read and understand their responsibilities to perform internal controls.

MSD does not agree with this recommendation. MSD’s position is that an employee’s duties and
responsibilities, including control responsibilities, are timely and effectively communicated through
training, policy and procedure guidance, and supervision. Key controls for identified risk areas are reviewed
and/or tested through internal audits and annual financial audits. Ongoing training, annual policy
acknowledgments, and performance reviews also aid knowledge monitoring and retention.
UHY Response – We have considered management’s response, and our finding remains as indicated.
Employee Recommendations
Control 59 - There are realistic mechanisms in place for employees to provide recommendations.
Risk - Employees and their ideas are not taken into consideration, leading to poor employee satisfaction.
Finding: Based on discussion, there is no policy or procedure around how employees provide
recommendations.
Recommendation: Establish a single, formal mechanism and process for all employees to provide
recommendations. Clearly communicate how the information will be maintained and reviewed and how it
will benefit the organization.

MSD agrees with this recommendation. The updated Ethics Hotline will include a portal for submission of
employee recommendations. A written policy will be created to describe how suggestions will be
maintained, reviewed and considered. Expected Completion: March 2023
Risk Management / Assessment
Control 71 - Management identifies risk related to each of the established objectives.
Risk - Business objectives may not be achieved if risks are not identified, analyzed and mitigated.
Control 76 - Risks are evaluated as part of the business planning process.
Risk - The business planning process is not properly identifying risks, which could result in not meeting the
strategic goals.
Control 78 - The responsibilities and expectations for the entity's business activities and the entity's
philosophy about identification and acceptance of business risk are clearly communicated to the executives
in charge of separate functions.
Risk - Unclear and inconsistent understanding of responsibilities and expectations for business risks could
lead to inappropriate risks not being documented, communicated, considered or discussed by executive
leadership for consideration of its impact to the entire organization.
Finding: The Fiscal Year 2021 Budget and the Strategic Business and Operating Plan (SBOP) were reviewed
for risks.
• References and inferences about risk may be assigned to some company objectives, not all, and are not
consistently documented or presented.
• Lack of a documented comprehensive risk assessment and of communication to department executives,
board of directors, and the audit committee; the district’s risk may not be adequately presented in a clear,
consistent, and comprehensive manner.
Recommendation: Establish a standard procedure to assess risks during the annual business planning
process. Document identified risks, categorizing them using COSO’s three categories of objectives:
operations, reporting or compliance.
Identify and document risks that could impede the ability to accomplish goals/objectives, even if remote.
Rate each risk by likelihood and impact, determine indicators to monitor as early warning that the risk may
become a reality, and develop mitigating actions.
Incorporate this practice in the entity’s business activities, establishing responsibility and expectations to
identify and manage risk across all functions.
Documentation of risks within standard business processes should be aggregated to build a risk register.
Maintaining and analyzing the risk register provides a broad picture of potential impact to the entire
organization and facilitates consideration of impact if more than one of the risks were to occur
simultaneously.

MSD agrees with this recommendation. Risks are addressed via several avenues including the SBOP process,
Director's meetings, Committee meetings, Board meetings, budget process, Rate Commission process,
Consent Decree monitoring/reporting, and DEC procedures and processes for monitoring and ensuring
regulatory and environmental compliance. We believe current procedures have been effective in addressing
risk but agree that ongoing and consistent risk monitoring and mitigation can be improved with a
framework to identify risks in a repeatable way that aids understanding, prioritization, documentation, and
communication. The District will evaluate risk framework tools and establish a procedure to identify,
categorize, and rate risks. Appropriate documentation for this procedure will be developed and maintained.
Expected Completion: December 2023
Appendix A
The control environment is the set of standards, processes, and structures that provide the basis for
carrying out internal control across the organization. The board of directors and senior management
establish the tone at the top regarding the importance of internal control and expected standards of
conduct. Internal Control – Integrated Framework, May 2013
Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control - Integrated Framework
COSO Attribute / Control # / Point of Focus / Control Objective / Overall Finding
Control Environment
Integrity and Ethical Values
1 A code of conduct and other policies exist regarding acceptable business practices, conflicts of interest, or expected standards of ethical and moral behavior. ⧫ Effective
2 Employees clearly understand what behavior is acceptable under the company's code of conduct and know what to do when they encounter improper behavior. ⧫ Effective
3 There is an established "tone at the top" including explicit guidance about what is right and wrong. This tone is communicated and practiced by executives and management throughout the organization. Employees are aware of what to do when they encounter improper behavior. ⧫ Needs Improvement
4 Management follows ethical guidelines in dealing with employees, suppliers, customers, investors, creditors, insurers, competitors, regulators, and auditors. ⧫ Effective
5 The importance of high ethics and controls is discussed with newly hired employees through orientations or interviews. ⧫ Effective
6 Management removes or reduces incentives or temptations that might cause personnel to engage in dishonest or unethical acts. ⧫ Effective
7 Management takes appropriate disciplinary action in response to departures from approved policies and procedures or violations of the code of conduct. ⧫ Effective
8 Situations involving pressure to meet unrealistic targets do not exist or are properly controlled - particularly for short-term results. ⧫ Effective
9 Individual compensation awards are in line with the ethical values of the company, and foster an appropriate ethical tone (e.g., bonuses are given to those that meet objectives, but in the process circumvent established policies, procedures or controls). ⧫ Effective
10 Whistleblower program is in place and is monitored by audit committee. ⧫ Unsatisfactory
Commitment to Competence
11 Company personnel have the competence and training necessary for their assigned duties. ⧫ Effective
12 Personnel are cross trained to understand other functions and the impact of their duties on other areas of the company. ⧫ Effective
13 Management possesses broad functional experience (i.e., management comes from several functional areas rather than just a few, such as production and sales). ⧫ Effective
14 Management provides personnel with access to training programs on relevant topics. ⧫ Effective
15 Formal job descriptions or other means of defining tasks that comprise particular jobs exist and are effectively used. ⧫ Effective
16 Adequate staffing levels are maintained to effectively perform required tasks. Employees have the requisite skill levels relative to the size of the entity and nature and complexity of activities and systems. ⧫ Effective
Management’s Philosophy and Operating Style
17 Management analyzes the risks and potential benefits of ventures. ⧫ Effective
18 Turnover in management or supervisory personnel is monitored and the reason for significant turnover is evaluated. ⧫ Effective
19 Senior management maintains contact with and consistently emphasizes appropriate behavior to operating personnel. ⧫ Effective
20 Management exemplifies attitudes and actions reflecting a sound control environment and commitment to ethical values including financial reporting as it relates to appropriate resolution of disputes over application of accounting treatments. ⧫ Effective
21 Management adopts accounting policies that best reflect economic realities of the business. ⧫ Effective
Organizational Structure
22 Executives clearly understand their responsibility and authority for business activities and how they relate to the entity overall. ⧫ Effective
23 The entity establishes appropriate lines of reporting, giving consideration to its size and the nature of its activities. ⧫ Effective
24 The structure of the entity facilitates the flow of information to appropriate people in a timely manner, including reliable and timely disclosure of material information, monitoring the performance of the disclosure infrastructure and effective flows of material information to the group responsible. ⧫ Effective
25 Incompatible duties are segregated (e.g., separation of accounting for and access to assets). ⧫ Needs Improvement
26 There is an appropriate assignment of responsibility and delegation of authority to deal with organizational goals and objectives, operating functions and regulatory requirements. ⧫ Effective
Assignment of Authority
27 Employees throughout the entity are assigned authority and responsibility related to their specific job functions. ⧫ Effective
28 Job descriptions contain specific references to control-related responsibilities. ⧫ Effective
29 Employees are empowered, when appropriate, to correct problems or implement improvements. ⧫ Effective
30 There is a structure for assigning ownership of information including who is authorized to initiate or change transactions. ⧫ Effective
31 There are policies and procedures for authorization and approval of transactions. ⧫ Effective
32 The board of directors and/or audit committee gives adequate consideration to understanding how management identifies, monitors and controls business risks affecting the organization (i.e., strategic, operational, financial and disclosure risk). ⧫ Effective
Human Resource Policies and Procedures
33 Management establishes and enforces standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior. ⧫ Effective
34 Screening procedures, including background checks, are employed for job applicants, particularly for employees with access to assets susceptible to misappropriation. ⧫ Effective
35 Recruiting practices include formal, in-depth employment interviews and informative, insightful presentations on the entity's history, culture, and operating style. ⧫ Effective
36 Training policies communicate prospective roles and responsibilities and illustrate expected levels of performance and behavior. ⧫ Effective
37 Job performance is periodically evaluated and reviewed with each employee (accurately and candidly communicating performance and differentiating levels of performance). ⧫ Effective
38 Disciplinary actions send a message that violations of expected behavior will not be tolerated. ⧫ Needs Improvement
39 An ongoing education process enables people to deal effectively with evolving business environments. ⧫ Effective
40 Audit committee charter is in place; board approved a 3-year strategic plan; board has several active committees. ⧫ Unsatisfactory
41 IT strategic plan aligns with company’s business plan; IT management understands its roles and responsibilities as it relates to internal controls. ⧫ Effective
Information & Communication
Information Availability
42 Management monitors relevant external information and considers the impact on the entity. ⧫ Effective
43 Internal information regarding financial results is generated by the entity's financial information systems and that information is reported regularly. ⧫ Effective
44 Entity-wide operating results are reviewed and compared against budgets at regular intervals. ⧫ Effective
45 The adequacy of the information technology structure is considered by senior management. ⧫ Effective
46 Managers and other personnel have the required information in sufficient detail to carry out their responsibilities and there are mechanisms in place to ensure changing needs are met. ⧫ Effective
Reliability of IT Systems
47 Management has a strategic plan for IT systems that is linked to the entity's overall strategies. ⧫ Effective
48 Procedures are in place to provide assurance that relevant information is identified, captured, processed and reported by IT systems in an appropriate and timely fashion. ⧫ Effective
49 Management adequately staffs and designs the IT department to support the entity's overall business objectives. ⧫ Effective
50 There are defined responsibilities for individuals responsible for implementing, documenting, testing, and approving changes to computer programs and systems. ⧫ Needs Improvement
51 There is a regular back-up of application programs and data files. ⧫ Effective
52 The entity has a disaster recovery plan in place that allows for the timely recovery of information. The disaster recovery plan is tested regularly and is updated as the business changes. ⧫ Effective
53 There is a high level of user satisfaction with the IT systems, including reliability and timeliness of reports. ⧫ Effective
Communication
14 | P a g e
54 Employee duties and control responsibilities are timely and effectively communicated. ⧫ Needs Improvement
55 Management performs timely and appropriate follow-up regarding communications received from customers, vendors, regulators and other external parties. ⧫ Effective
56 Communication across the organization is adequate, complete and timely to enable people to perform their responsibilities effectively. ⧫ Effective
57 There is an established channel of communication for people to report, anonymously when appropriate, suspected improprieties, and management encourages employees to utilize such channels when necessary. ⧫ Effective
58 Reported problems are investigated in a timely manner and disciplinary actions are taken when necessary. ⧫ Needs Improvement
59 There are realistic mechanisms in place for employees to provide recommendations. ⧫ Needs Improvement
60 Financial results are communicated at least quarterly to senior management, board of directors, and audit committee; relevant information on ethics and policies is communicated to employees and management. ⧫ Effective
61 Company has a policy for the distribution of critical information to the public. ⧫ Effective
Risk Assessment
Company Wide Objectives
62 Board of directors and/or strategy committee oversees the risk assessment process and takes action to address the significant risks identified. ⧫ Effective
63 Management has a business planning process in place to examine existing objectives and establish new objectives as necessary. ⧫ Effective
64 Management establishes business plans and budgets with realistic goals, and incentives for achievement of plans are balanced. ⧫ Effective
65 Management has established and clearly communicated the company's mission, strategy and business objectives. ⧫ Effective
66 Objectives are communicated at the appropriate levels and are understood and adopted by the responsible parties. ⧫ Effective
67 Management has established a process to periodically review and update entity-wide strategic plans and objectives. ⧫ Effective
Activity-Level Objectives
68 Activity-level objectives are linked with entity-wide objectives and strategic plans. ⧫ Effective
69 Activity-level objectives are consistent with each other (e.g., objectives for the sales organization are consistent with the manufacturing organization). ⧫ Effective
70 Resources are generally sufficient to achieve objectives for processes in key business functions, and plans are in place to acquire additional resources as needed. ⧫ Effective
Risk Identification & Management
71 Management identifies risks related to each of the established objectives. ⧫ Needs Improvement
72 Management has mechanisms in place to identify business risks resulting from entering new markets or lines of business or from offering new products and services. ⧫ Effective
73 There have not been financial reporting or disclosure related issues identified by internal or external auditors. ⧫ Effective
74 Management identifies fraud risk factors, including management override of controls. ⧫ Needs Improvement
75 Identifying risks includes estimating the significance of the risks identified, assessing the likelihood of the risks occurring, and determining the need for action. ⧫ Effective
76 Risks are evaluated as part of the business planning process. ⧫ Needs Improvement
77 Senior management develops plans to mitigate significant identified risks. ⧫ Effective
78 The responsibilities and expectations for the entity's business activities and the entity's philosophy about identification and acceptance of business risk are clearly communicated to the executives in charge of separate functions. ⧫ Needs Improvement
79 Risks are reviewed periodically with the appropriate corporate governance functions (e.g., executive management, disclosure committee, audit committee and level - Legal?). ⧫ Effective
80 There are effective processes for sourcing, measuring and monitoring internal business risks, for example process risk and information for decision-making risk. ⧫ Effective
81 Fraud risk assessment including fraud scenarios is prepared by management and presented to the audit committee or board of directors at least annually. ⧫ Needs Improvement
82 Management creates and follows a 3-year strategic plan. ⧫ Effective
83 Management performs annual risk assessment and presents to board of directors. ⧫ Effective
Managing Change
84 The business planning process includes a broad spectrum of personnel with collective knowledge of all areas of the entity. ⧫ Effective
85 The business planning process includes consideration of changes in the business environment, including the industry, competitors, the regulatory environment, and customers. ⧫ Effective
86 Changes in risks are identified in a timely manner. ⧫ Effective
87 Changes are appropriately communicated to the proper level of management (depending on the significance). ⧫ Effective
88 Management has identified the resources needed to achieve the objectives and has a plan to acquire the necessary resources. ⧫ Effective
89 Budgets and forecasts are updated throughout the year to reflect changing conditions. ⧫ Effective
90 Management's budget, forecast, and strategic plans are communicated to board of directors and employees. ⧫ Effective
91 Accounting department has a process in place to identify and address changes in GAAP, the operating and regulatory environment, and related party transactions. ⧫ Effective
Monitoring
Ongoing Monitoring
92 Management monitors relevant external and internal information and considers the impact on the control structure. N/A
93 Procedures are in place to monitor when controls are overridden and to determine if the override was appropriate. N/A
94 Management takes appropriate action on exceptions to policies and procedures. ⧫ Effective
95 Management responds timely to comments identified in management letters from the external auditor. ⧫ Effective
96 Internal audit has the authority to review any aspect of the entity's operations. ⧫ Effective
97 Controls are reviewed to ensure that they are being applied as expected. N/A
98 Internal audit is independent of the activities they audit. ⧫ Effective
99 Internal auditors are prohibited from having an operating role in the activities they monitor. ⧫ Effective
100 Management is required to respond in a timely manner to the internal audit department's findings and recommendations. ⧫ Effective
101 Audit committee effectively oversees the company's antifraud program and meets at least once a year to discuss the anti-fraud program and fraud risks. ⧫ Effective
102 Board of directors monitors company's performance, risk, and operations. ⧫ Effective
103 Audit committee monitors financial results and reviews financial statements. ⧫ Effective
Reporting Deficiencies
104 Internal and/or external audit comments and management responses are provided to the audit committee or board of directors. ⧫ Effective
Appendix B
Example Quarterly Review of User Access
Example Detail Transaction Review for Segregation of Duties
Example Segregation of Duties Matrix
Risk and Controls Matrix Example
Fraud Concerns for management overrides:
Appendix C – Interview/Discussion Listing
Name Title Date of Discussion
Brian Hoelscher President and CEO 3/17/22
Bret Berthold Director of Operations 3/22/22
Marion Gee Director of Finance 3/30/22
Rich Unverferth Director of Engineering 3/21/22
Susan Myers General Counsel 3/18/22
Todd Loretta Internal Auditor 3/29/22
Tracey Coleman Director of Human Resources 3/22/22
Tim Snoke Secretary Treasurer 3/30/22
Jonathon Sprague Director of Information Systems 4/14/22
Amy Fehr Board of Trustees 4/6/22
Greg Nicozisin Board of Trustees 4/19/22
Brian Wahby Board of Trustees 4/6/22
Brian Watson Board of Trustees 4/29/22
Ret. Col. Richard Wilson Board of Trustees 4/19/22
Michael Evans Board of Trustees 3/31/22