Northern Arizona University report on internal control and compliance

              Report on Internal Control and Compliance
A REPORT
TO THE
ARIZONA LEGISLATURE
Northern Arizona
University
Year Ended June 30, 2007
Financial Audit Division
Debra K. Davenport
Auditor General
The Auditor General is appointed by the Joint Legislative Audit Committee, a bipartisan committee composed of five
senators and five representatives. Her mission is to provide independent and impartial information and specific
recommendations to improve the operations of state and local government entities. To this end, she provides financial
audits and accounting services to the State and political subdivisions, investigates possible misuse of public monies, and
conducts performance audits of school districts, state agencies, and the programs they administer.
Copies of the Auditor General’s reports are free.
You may request them by contacting us at:
Office of the Auditor General
2910 N. 44th Street, Suite 410 • Phoenix, AZ 85018 • (602) 553-0333
Additionally, many of our reports can be found in electronic format at:
www.azauditor.gov
Northern Arizona University
Report on Internal Control and Compliance
Year Ended June 30, 2007
Table of Contents Page
Annual Financial Report
Issued Separately
Report on Internal Control over Financial Reporting and on Compliance and
Other Matters Based on an Audit of Financial Statements Performed in
Accordance with Government Auditing Standards
1
Schedule of Findings and Recommendations 3
University Response
2910 NORTH 44th STREET • SUITE 410 • PHOENIX, ARIZONA 85018 • (602) 553-0333 • FAX (602) 553-0051
DEBRA K. DAVENPORT, CPA
AUDITOR GENERAL
STATE OF ARIZONA
OFFICE OF THE
AUDITOR GENERAL WILLIAM THOMSON
DEPUTY AUDITOR GENERAL
Independent Auditors’ Report on Internal Control over Financial Reporting
and on Compliance and Other Matters Based on an Audit of Financial
Statements Performed in Accordance with Government Auditing Standards
Members of the Arizona State Legislature
The Arizona Board of Regents
We have audited the financial statements of the business-type activities and aggregate discretely
presented component units of Northern Arizona University as of and for the year ended June 30, 2007,
which collectively comprise the University’s financial statements, and have issued our report thereon dated
November 20, 2007. Our report was modified to include a reference to our reliance on other auditors. We
conducted our audit in accordance with U.S. generally accepted auditing standards and the standards
applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller
General of the United States. Other auditors audited the financial statements of the aggregate discretely
presented component units, the Northern Arizona University Foundation, Inc., and the Northern Arizona
Capital Facilities Finance Corporation, as described in our report on the University’s financial statements.
The financial statements of the aggregate discretely presented component units were not audited by the
other auditors in accordance with Government Auditing Standards. This report includes our consideration
of the results of the other auditors’ testing of internal control over financial reporting that are reported
separately by those other auditors. However, this report, insofar as it relates to the results of the other
auditors, is based solely on the reports of the other auditors.
Internal Control over Financial Reporting
In planning and performing our audit, we considered the University’s internal control over financial
reporting as a basis for designing our auditing procedures for the purpose of expressing our opinions on
the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the
University’s internal control over financial reporting. Accordingly, we do not express an opinion on the
effectiveness of the University’s internal control over financial reporting.
Our consideration of internal control over financial reporting was for the limited purpose described in the
preceding paragraph and would not necessarily identify all deficiencies in internal control over financial
reporting that might be significant deficiencies or material weaknesses. However, as discussed below, we
and the other auditors identified certain deficiencies in internal control over financial reporting that we
consider to be significant deficiencies.
2
A control deficiency exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent or detect
misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control
deficiencies, that adversely affects the University’s ability to initiate, authorize, record, process, or report
financial data reliably in accordance with generally accepted accounting principles such that there is more
than a remote likelihood that a misstatement of the University’s financial statements that is more than
inconsequential will not be prevented or detected by the University’s internal control. We consider items
07-01 through 07-05 described in the accompanying Schedule of Findings and Recommendations to be
significant deficiencies in internal control over financial reporting.
A material weakness is a significant deficiency, or combination of significant deficiencies, that results in
more than a remote likelihood that a material misstatement of the financial statements will not be
prevented or detected by the University’s internal control.
Our consideration of internal control over financial reporting was for the limited purpose described in the
first paragraph of this section and would not necessarily identify all deficiencies in internal control that
might be significant deficiencies and, accordingly, would not necessarily disclose all significant
deficiencies that are also considered to be material weaknesses. However, of the significant deficiencies
described above, we consider items 07-03 through 07-05 to be material weaknesses.
Compliance and Other Matters
As part of obtaining reasonable assurance about whether the University’s financial statements are free of
material misstatement, we performed tests of its compliance with certain provisions of laws, regulations,
contracts, and grant agreements, noncompliance with which could have a direct and material effect on the
determination of financial statement amounts. However, providing an opinion on compliance with those
provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The
results of our tests disclosed no instances of noncompliance or other matters that are required to be
reported under Government Auditing Standards.
Managements’ responses to the findings identified in our audit have been included herein. We did not
audit managements’ responses and, accordingly, we express no opinion on them.
This report is intended solely for the information and use of the members of the Arizona State Legislature,
the Arizona Board of Regents, and the University and is not intended to be and should not be used by
anyone other than these specified parties. However, this report is a matter of public record, and its
distribution is not limited.
Debbie Davenport
Auditor General
November 20, 2007
Northern Arizona University
Schedule of Findings and Recommendations
Year Ended June 30, 2007
3
Northern Arizona University Finding
07-01
Northern Arizona University
The University should improve access controls over its financial reporting computer system
System access controls help ensure that only authorized users have access to read, create, or modify
data in the University��s computer systems. These controls are critical in preventing or detecting
unauthorized use, damage, loss, or modification of programs, and misuse of confidential or sensitive
information. However, the University did not adequately limit access to its financial reporting system.
Specifically, one individual in the comptroller’s office has the ability to assign system user rights, including
approval rights, and can process financial transactions such as purchase requisitions, purchase orders,
journal entries, travel claims, and check disbursements. In addition, the individual’s access to the system
is not monitored or controlled. Further, approximately 140 office specialists have the ability to initiate a
purchase, receive and enter the purchase into the system, and approve the purchase for payment for
amounts under $5,000. As a result, inappropriate or incorrectly classified purchases may not be detected.
To help strengthen controls over its financial reporting computer system, the University should develop
and implement written policies and procedures for managing user access rights, including the following:
• Segregate the functions of assigning user access rights and processing daily financial transactions.
• Maintain appropriate system access rights for each employee that are compatible with the employee’s
job responsibilities.
• Segregate functions of initiating a purchase, receiving and entering the purchase into the system, and
approving the purchase for payment.
Discretely Presented Component Unit Findings
The other auditors who audited the Northern Arizona University Foundation, Inc. (NAUF) reported the
following significant deficiencies and material weaknesses for that component unit:
07-02
Northern Arizona University Foundation, Inc.
Year-End Preparation of Financial Statements
The Foundation maintains their books on a cash basis of accounting. Adjustments are then posted at the
end of the fiscal year to bring the books to an accrual basis of accounting. However, there are not
adequate controls in place to ensure that all required entries are made to properly present the financial
statements. We recommend establishing policies and procedures for the year-end financial reporting
process. Careful consideration should be given to the controls that should be implemented to ensure
these year-end procedures are being performed accurately (e.g., reviews by individuals separate from the
individuals preparing the adjustments, etc.).
Northern Arizona University
Schedule of Findings and Recommendations
Year Ended June 30, 2007
4
Foundation management response: With the Controller position filled, NAUF will implement the auditors’
suggestion of having a person independent of those making the accrual adjustment review the accrual for
accuracy and appropriateness. In addition, NAUF will prepare a procedures document noting the
standard adjusting entries to be made at year-end.
07-03
Northern Arizona University Foundation, Inc.
Improper Recording of Gift Income Associated with Irrevocable Trust Agreements
The Foundation has not designed adequate controls to ensure the identification and proper recording of
irrevocable trust agreements naming the Foundation as beneficiary. Generally Accepted Accounting
Principles require the recognition of gift income at the time the Foundation learns that they are the
beneficiary of an irrevocable agreement. There are many situations where the Foundation does not know
they are the beneficiary of a donor’s estate/trust until the first distribution is received. At this time, the
Foundation should contact the trustee to obtain an estimate on what the Foundation will be receiving. This
estimate should be recorded as gift income and a receivable on the financial statements. We recommend
establishing controls and procedures to ensure this financial reporting objective is achieved in a timely
manner.
Foundation management response: NAUF will implement controls and procedures that will ensure proper
recording of Irrevocable Trust Gift Income Transactions. Training has and will continue to take place for all
parties (gift planning, data entry staff, development officers, and Foundation staff) involved in trust
transactions to ensure that the transactions are recorded properly and on a timely basis.
07-04
Northern Arizona University Foundation, Inc.
Net Asset Reporting
Generally Accepted Accounting Principles require the reporting of net assets under three classifications –
unrestricted, temporarily restricted, and permanently restricted – which are to be reported in accordance
with donor-imposed restrictions. Since the Foundation uses a fund basis of accounting, the Foundation
has identified the required net asset classifications based on fund type (e.g., endowed fund, quasi-endowed
fund, discretionary fund, etc.). However, the Foundation does not have adequate controls over
the creation of funds, the assignment of fund type, and the subsequent recording of gift income in order to
ensure that the net asset classification reported in the statement of activities is in accordance with the
donor’s restriction on the gift. For example, during the fiscal year 2007, there was a significant temporarily
restricted gift that was recorded to an endowed fund type, resulting in a permanently restricted
classification in the financial statements.
The Foundation’s new accounting system (in use for FY 2008) allows the identification of a fund type (e.g.,
endowed fund, quasi-endowed fund, discretionary fund, etc.) as well as a separate net asset class
identification. Management of the Foundation has determined that this will enable the Foundation to
properly record gifts and net assets under the three net asset classifications identified above. However,
the Foundation needs to implement controls over the creation of funds to ensure that the funds are set-up
Northern Arizona University
Schedule of Findings and Recommendations
Year Ended June 30, 2007
5
correctly. In addition, there needs to be controls in place to ensure that the assignment of gifts to funds
matches the restriction defined by the donor. We also recommend that a policy (or other documentation)
be established that has specific definitions of fund types (generally in line with CASE reporting standards)
and the GAAP reporting requirements. Until such controls are in place and operating effectively, material
misstatements in the financial statements could continue to occur and not be detected or prevented.
Lastly, we recommend performing a thorough review of all funds to ensure that the set-up of the fund and
net asset classifications are in line with the restrictions of the donors who have contributed to those funds.
The results of this review should then be reconciled to the net asset balances for each classification
reported in the financial statements.
Foundation management response: NAUF will implement appropriate controls to ensure the creation of a
fund, the assignment of fund type and the subsequent recording of gift income is done properly and on a
timely basis. As the Controller position has now been filled this provides NAUF with an adequate staffing
level to provide oversight for the fund creation and classification process. NAUF will perform a thorough
review of all funds in FY 2008 to ensure that the existing fund structure corresponds with the net asset
classification as established by any donor restrictions.
07-05
Northern Arizona University Foundation, Inc.
Financial Expertise
The Foundation does not have adequate expertise over certain non-profit requirements of Generally
Accepted Accounting Principles. Compounding this issue, the board of directors (or designated
committee) does not receive regular financial statements for the Foundation as a whole on a regular basis
in order to provide adequate oversight of the financial reporting process. To address these issues, we
recommend the Foundation accounting staff invest time in conferences and seminars to gain knowledge
in accounting issues specific to the Foundation. Also, we recommend reviewing the regular financial
reporting process to determine if changes should be made so that the board of directors (or designated
committee) can provide proper oversight.
Foundation management response: NAUF will follow the auditor’s recommendation of additional training.
The Council for Advancement and Support of Education Conference for Institutionally Related
Foundations, April 2008, will be attended by the Foundation Director of Finance and Administration and
the Foundation Controller. Research will be done to identify additional training opportunities for the NAUF
staff, as well as subscriptions that may be obtained for pertinent and relevant periodicals that would allow
NAUF staff to be knowledgeable regarding current events/issues. Additionally, NAUF staff will provide the
NAUF Board of Directors with quarterly financial reports for review and comment.
COMPTROLLER’S OFFICE
PO Box 4069, Flagstaff, AZ 86011-4069
(928) 523-6054
(928) 523-2052 Fax
December 16, 2007
Debra K. Davenport, CPA
Auditor General
2910 N. 44th Street, Suite 410
Phoenix, AZ 85018
Re: Schedule of findings and recommendations for the Year Ended June 30,
2007
Dear Ms. Davenport,
Please find attached Northern Arizona University’s response to your
findings and related recommendations as described in the November 20th,
2007 Independent Auditor’s Report on Internal Control over Financial
Reporting and on Compliance and Other Matters Based on an Audit of
Financial Statements Performed in Accordance with Government Auditing
Standards. In the findings and recommendations, you will also see findings
for the University component units. The component units are separate
legal entities not under the University's management and therefore the
University did not respond to those findings.
Sincerely,
Robert Norton
Associate Vice President
COMPTROLLER’S OFFICE
PO Box 4069, Flagstaff, AZ 86011-4069
(928) 523-6054
(928) 523-2052 Fax
Northern Arizona University
Corrective Action Plan
Year Ended June 30, 2007
Finding 07-01 - The University should improve access controls over its critical
computer systems
Contact Person: Robert Norton, Associate Vice President of Administration and
Finance / Comptroller
Anticipated Completion Date: January 2, 2008
Corrective Action Plan – The Advantage Security Administrator’s access has been
restricted to security functions only. User access rights for employees who have
been promoted, demoted, transferred or terminated are reviewed on a monthly
basis using the “Terms and Transfers Query” that is generated and distributed by
Payroll. Employee access has been updated to be compatible with the employee’s
job functions. Duties for the initiation and approval of a purchase and the
subsequent receipt of goods via the departmental purchase orders have been
segregated to no longer allow the self approval of the departmental purchase order.