Article by Tom Sneeringer, RSM
I have seen it countless times. Under its longstanding head of school and business officer, a school’s financial function is humming along like a well-tuned engine. Procedures seem to be in place, the finance committee receives reports on a timely basis and the annual audit is smooth, with no adjusting of entries or management letter deficiencies. Then turnover happens in key positions and the school experiences a prolonged rough patch. Monthly closes are significantly behind, and the annual audit produces many findings.
What happened? While it’s possible that many controls were not well documented, the more likely story is that “change” happened, and the school neither perceived this as a risk nor put in extra efforts/measures during the transition.
This is but one argument for a solid system of internal controls. Among the many other responsibilities on their plate, independent school business officers are typically tasked with the design and maintenance of a system of internal controls, at the direction of the board of trustees and head of school. Vitally important for any business enterprise, internal controls — if designed properly — provide reasonable assurance of meeting objectives relating to operations, reporting and compliance involving financial reporting.
However, as the example above shows, internal controls are also fraught with potential risk if not structured well or modified on an ongoing basis, particularly when a school operates in an environment of rapid change. Controls may fail to prevent, detect or correct misstatements involving transactions, account balances or disclosures in a timely fashion. They may center around policies and procedures determined before the school was able to fully identify objectives, let alone potential obstacles. Some schools may not adequately document controls, leading to inconsistencies when there is turnover.
By and large, independent schools’ shortcomings in internal controls do not stem from a failure to recognize their importance. Finance and audit committees typically have high expectations for controls and set the tone for achieving them. In addition, auditors are specifically required to gain an understanding of a school’s significant controls during the annual audit, and to communicate noted deficiencies to management and/or the board, depending on severity. As most schools want to avoid the dreaded “management letter” from the auditing firm, they often design controls with that goal in mind. However, an auditor’s annual evaluation is very high level and often limited to material accounts and transaction cycles. As such, even schools that avoid getting a management letter may still be at risk of their controls failing, especially when those controls do not evolve with time.
I believe that a school’s best defense against control risk is COSO. In the United States, the COSO Framework is the recognized standard model for internal controls. COSO is named after the Committee of Sponsoring Organizations of the Treadway Commission, a body established by several accounting industry professional societies that in 1992 published Internal Control – Integrated Framework. The Framework is scalable and can be used by an entity of any size.
The original Framework established the concept that internal control is based on the relationship of five components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
View these components as interlocking, rather than sequential. A change involving any one may necessitate changes to other components. In other words, controls are dynamic and constantly changing as internal and external environments change.
Control Environment
Control environment is often referred to as “tone at the top.” A school’s governance structure, codes of conduct, delegations of authority/accountability and other high-level policies together make up its control environment. This is the roadmap for how a school conducts business and activities, and it sets the stage for all other control components.
Risk Assessment
Risk assessment starts with setting clear objectives around operations, reporting and compliance. Once a school develops and understands these objectives, it can perform an exercise that considers the risk areas that would prevent it from achieving them. Concern should focus on risks with a higher chance of occurrence or that are likely to have a significant or material impact.
Following the risk assessment, a school’s leadership team must decide how to either mitigate the risks or live with them. Many schools have a good feel for their risks and make decisions on how to mitigate them accordingly. However, this process may be informal and can miss obvious risks. Ideally, a school should actively engage in risk determination. This may be as simple as a strategy meeting at the beginning of the school year with key members of the administration, department heads, a well-crafted agenda and a facilitator. For those risks that can be mitigated with policies and procedures, the results will feed into the next component.
Control Activities
In my experience auditing independent schools, any mention of internal controls triggers thoughts of policies and procedures. These, in fact, are known as control activities and are probably the most understood component of the Framework. However, they are not one-size-fits-all. I am often amused when I hear of schools asking others to share their accounting manual, in response to pressure from their finance committee or auditors to have one. I caution schools to customize control activities for their particular business situation — and based on the risk assessment results. Independent schools come in all shapes and sizes, with variables that only begin with enrollment, auxiliary activities and size of the business office.
Control environment also plays a key role. A school with a very conservative approach to business risk (and perhaps not lacking monetary resources) may elect to add more administrative resources to mitigate issues involving segregation of duties. By comparison, a less risk-averse school may conduct a cost-benefit analysis and determine that it can live with some segregation issues if it deploys detective controls on the back end.
Information and Communication
This component deals with how a school determines and communicates relevant information such as key performance indicators, externally and internally alike. Quality is critical. For example, a school’s Form 990 not only goes to the Internal Revenue Service but is available online at Guidestar.org. As such, the school should have a second person review that information for accuracy before it is provided to the accounting firm preparing the return. Then, the controller and business officer should review the draft return in detail, and the finance committee at a higher level. For added measure, a school may wish to provide all board members with a draft copy of the return and the ability to comment prior to filing.
Monitoring
Monitoring refers to separate and ongoing evaluations of existing controls to determine if they are operating as intended, or, alternatively, if they could be more efficient and/or need to be redesigned. Given limited resources, proper monitoring of controls is probably the most challenging aspect of the Framework for most schools. Even if they rely on external auditors to provide findings (i.e., through management letters), external auditors are independent of controls and therefore cannot supplant monitoring by management.
Although independent schools are not required to use the Framework, external auditors must use its components when evaluating controls in a financial statement audit. By adopting the COSO Framework, or simply incorporating many of its components and principles, your school may realize benefits including a more robust system of controls and greater efficiency. You can most likely avoid that audit management letter as well. At a minimum, understand how you are being evaluated and the nature of recommendations being made.