
ORANGE COUNTY EMPLOYEES RETIREMENT SYSTEM

Annual Internal Control Self-Assessment Memo Page 1 of 1

Audit Committee Meeting – February 5, 2014

MEMORANDUM

DATE: January 27, 2014

TO: Members of the Audit Committee

FROM: David James, Director of Internal Audit

SUBJECT: Annual Internal Control Self-Assessment by Management

Recommendation

Receive and file.

Background

Internal Audit has met with management from Finance, Member Services, Investments, and Information Technology, and we reviewed the attached Risk and Control Matrices (RACM) with them. We discussed business objectives, related risks, and controls in place to mitigate such risks. Based on information supplied by management, we updated the internal control descriptions for 2014.

The attached matrices show the key internal controls that OCERS’ management has asserted they have in place and the risks they mitigate. These lists of controls are representations by management, unaudited by Internal Audit. Internal Audit plans to audit some of these internal controls in future audits.

Prepared by: David James, Director of Internal Audit

Reviewed by: Steve Delaney, Chief Executive Officer


OCERS - Finance Division
1. INVESTMENT ACCOUNTING PROCESS
Risk Analysis and Control Matrix, as of 01/14/14

Columns of the matrix (reconstructed from the flattened table): Control Objective | Assertions | Control # | Control Description | Business Objective | Risk | Risk Score | Frequency | Effective Date | S or M | P or D | Who Performs | Fraud Risk | Control Category

Related Accounts: Cash, Investments, Income, Investment Expenses

Control objective 1: Access to the general ledger is appropriately restricted. (System access)
Business objective: Access to system should be restricted to responsible personnel to protect against errors or fraudulent uses.
Risk: Unauthorized personnel can access system to commit fraud or obtain confidential information.
Risk score: 4.0

INV-1.1 (Assertions: -)
Control description: Access to custodian bank accounts requires User ID and password. Access to the G/L system is controlled at the network level.
Frequency: Annual. Effective date: 01/01/10. S/M: S. P/D: P. Who performs: IT Manager. Fraud risk: Y. Control category: Control.

INV-1.2 (Assertions: -)
Control description: For control over the granting of access to the accounting system, refer to control GL-1.2 in the General Ledger & Close process. Finance personnel are assigned access privileges on Dynamics based on their job function by the Finance Manager and approval by Director of Finance.
Frequency: Annual. Effective date: 01/01/10. S/M: M. P/D: P. Who performs: Director of Finance. Fraud risk: N. Control category: Control.

INV-1.3 (Assertions: -)
Control description: The analysis of investment activities is done in a large number of spreadsheets. The folder containing the spreadsheets has been assigned restricted access.
Frequency: Annual. Effective date: 01/01/10. S/M: M. P/D: P. Who performs: not stated in source. Fraud risk: Y. Control category: Control.

Control objective 2: Safeguarding of System's assets
Business objective: Management should have adequate knowledge of how its investments are safeguarded by the custodian bank and investment managers.
Risk: Management does not have knowledge of what controls are exercised by the custodian bank or investment managers to safeguard the entity's financial investments.
Risk score: 4.0

INV-2.1 (Assertions: E, C, V)
Control description: Many investment managers provide OCERS their SSAE-16 reports. Finance maintains an SSAE-16 status log for each investment manager and documents that these reports have been received and reviewed. The Director of Finance will be responsible for the review during the course of the year-end audit.
Frequency: Annual. Effective date: 01/01/13. S/M: M. P/D: D. Who performs: Director of Finance. Fraud risk: Y. Control category: Safeguarding.

Control objective 3: Investment activities are appropriately authorized.
Business objective: Investment activities must be initiated and executed by authorized individuals.
Risk: Unauthorized activities can cause loss of funds.
Risk score: 4.0

INV-3.1 (Assertions: E, C)
Control description: Capital call, drawdown, and wire transfer to custodian bank State Street must be authorized in accordance with the Capital Authority, which was updated on 12/2013.
Frequency: Daily. Effective date: 01/01/10. S/M: M. P/D: P. Who performs: Assistant CEO. Fraud risk: N. Control category: Authorization.

Control objective 4: Investment activities are recorded accurately and completely in the general ledger in the proper accounting periods.
Business objective: Information provided by the custodian bank must be analyzed and reviewed to ensure they completely and accurately reflect all investment activities.
Risk: Custodian trial balance does not report investment activities completely and accurately.
Risk score: 3.5

INV-4.1 (Assertions: E, C, V)
Control description: Custodian Bank working trial balance is analyzed by the Accountant/Auditor monthly and reconciled with the Chief Investment Officer report. The Finance Manager approves the reconciliations annually.
Frequency: Monthly. Effective date: 01/01/10. S/M: M. P/D: D. Who performs: Director of Finance. Fraud risk: N. Control category: Authorization.

2014 Finance RACM-Investment Acctng.xlsx [C Matrix] 1 of 2


OCERS - Finance Division
1. INVESTMENT ACCOUNTING PROCESS (continued)
Risk Analysis and Control Matrix, as of 01/14/14

Related Accounts: Cash, Investments, Income, Investment Expenses

Control objective 4 (continued): Investment activities are recorded accurately and completely in the general ledger in the proper accounting periods.
Business objective: Investment activities are recorded accurately, completely, and timely in the general ledger accounts.
Risk: Investment activities are not reported accurately or completely in the general ledger accounts.
Risk score: 3.5

INV-4.2 (Assertions: E, C, V)
Control description: Investment manager valuation statements are reconciled by the Accountant/Auditor quarterly to the custodian bank monthly statement. The Finance Manager approves the reconciliations.
Frequency: Quarterly. Effective date: 01/01/13. S/M: M. P/D: D. Who performs: Director of Finance. Fraud risk: N. Control category: Control.

INV-4.3 (Assertions: E, C, V)
Control description: Monthly Journal Vouchers to record investment activities are prepared by the Accountant/Auditor and approved by the Finance Manager.
Frequency: Monthly. Effective date: 01/01/13. S/M: M. P/D: D. Who performs: Financial Reporting Manager. Fraud risk: N. Control category: Control.

INV-4.4 (Assertions: E, C, V)
Control description: Monthly reconciliation of G/L accounts to the custodian bank working trial balance is prepared by the Accountant/Auditor and approved by the Finance Manager.
Frequency: Monthly. Effective date: 01/01/13. S/M: M. P/D: D. Who performs: Director of Finance. Fraud risk: N. Control category: Control.

Control objective 5: Segregation of duties
Business objective: Duties to execute, analyze, record, and review transactions should be assigned to different individuals to minimize the risk of fraud or errors.
Risk: Staff may create and/or record transactions erroneously or fraudulently without being prevented or detected.
Risk score: 4.0

INV-5.1 (Assertions: E, C, V, R)
Control description:
a) Investment activities are authorized by the CIO or Director of Investment.
b) One Accountant/Auditor reconciles the investment manager evaluation statements to the custodian bank statement, while another Accountant/Auditor analyzes and records activities from the custodian bank statement to the G/L.
c) The Finance Manager reviews and approves reconciliations.
d) The Finance Manager reviews and approves the journal vouchers.
Frequency: Monthly. Effective date: 01/01/10. S/M: M. P/D: D. Who performs: Assistant CEO. Fraud risk: Y. Control category: Control.

Legend
Assertions: E = Existence (of an asset or liability; occurrence of an event or recorded transaction). C = Completeness (no unrecorded transactions, assets or liabilities; transactions recorded in the proper period and proper accounts, totals correct). V = Valuation (asset, liability or transaction recorded at the appropriate amount). R = Rights & Obligations (contractual right or obligation exists). P = Presentation (properly classified, described and disclosed in the financial statements).
Control attributes: A = Accuracy; C = Completeness. Type: S, M = System or Manual; P, D = Preventive or Detective.
Control category: Authorization of transaction; Custody or safeguarding of assets; Recording; Control activity.
** If effective date cannot be determined, use 1/1/2010.

2014 Finance RACM-Investment Acctng.xlsx [C Matrix] 2 of 2


OCERS - Finance Division
2. CONTRIBUTION ACCOUNTING PROCESS
Risk Analysis and Control Matrix, as of 01/14/14

Columns of the matrix (reconstructed from the flattened table): Control Objective | Assertions | Control # | Control Description | Business Objective | Risk | Risk Score | Frequency | Effective Date | S or M | P or D | Who Performs | Fraud Risk | Control Category

Related Accounts: Cash, Accounts Receivable, Prepaid Contribution, Reserves.

Control objective 1: Access to the general ledger is appropriately restricted. (System access)
Business objective: Access to systems should be restricted to responsible personnel to protect against fraud.
Risk: Unauthorized personnel can access systems to commit fraud or obtain confidential information.
Risk score: 4.0

CO-1.1 (Assertions: -)
Control description: User ID and password are required to access the Pension Gold pension administrative system (PG). Access to Dynamics accounting system is controlled at the network level.
Frequency: Annual. Effective date: 01/01/11. S/M: S. P/D: P. Who performs: IT. Fraud risk: Y. Control category: Control.

CO-1.2 (Assertions: -)
Control description: Finance personnel are assigned access privileges on Dynamics based on their job function by the Finance Manager and approval by Director of Finance.
Frequency: As Needed. Effective date: 01/01/11. S/M: M. P/D: P. Who performs: Finance Manager, Director of Finance. Fraud risk: N. Control category: Control.

CO-1.3 (Assertions: -)
Control description: Spreadsheet Protection: All analyses and reconciliations are done in Excel spreadsheets. Due to the numerous spreadsheets that would require password protection, access to the folder containing the spreadsheets is restricted instead.
Business objective: Spreadsheets should be protected against accidental errors.
Risk: Viewers can accidentally change formulas or data that cause the information to be inaccurate or unusable.
Frequency: As Needed. Effective date: 01/01/12. S/M: M. P/D: P. Who performs: Contribution Accountant. Fraud risk: N. Control category: Control.

Control objective 2: Data related to contributions, prepayment (EE), and interest credit (EE) are imported completely and accurately from pension administration system to the G/L.
NOTE: Members and retirees data are entered into the pension administrative system by Member Services staff; Finance does not have control over that process.
Business objective: Transactions related to contributions, prepaid allocations, and interest credits are transferred completely and accurately from the pension administrative system into the accounting system.
Risk: Data not imported completely and accurately to the G/L will negatively affect the accuracy of financial statements.

CO-2.1 (Assertions: E, C, V, R)
Control description: Data transmitted to OCERS by plan sponsors is checked for errors by the system. Errors are forwarded to the Member Services' Transmittal Desk to resolve.
Risk score: 3.0. Frequency: Monthly. Effective date: 01/01/11. S/M: S. P/D: P. Who performs: IT. Fraud risk: N. Control category: Control.

CO-2.2 (Assertions: E, C, V, R)
Control description: The Accounting Technician compares the contributed amounts against cash receipts to ensure OCERS received the correct contribution amounts.
Risk score: 3.5. Frequency: Monthly. Effective date: 01/01/11. S/M: M. P/D: D. Who performs: Contribution Accountant. Fraud risk: N. Control category: Control.

CO-2.3 (Assertions: E, C, V, R)
Control description: The Accounting Technician compares the amounts reported by PG against the JV to ensure all transactions are posted completely and accurately to the G/L accounts.
Risk score: 3.5. Frequency: Monthly. Effective date: 01/01/11. S/M: M. P/D: D. Who performs: Contribution Accountant. Fraud risk: N. Control category: Control.

Control objective 3: Contributions are accurately recorded in the general ledger in the correct period and charged to the correct accounts and sub-accounts.
Business objective: Transactions related to contributions, prepaid allocations, and interest credits are posted to the correct G/L accounts.
Risk: Transactions posted inaccurately or to the incorrect accounts will negatively affect the accuracy of the financial statements.

CO-3.1 (Assertions: C, V, R)
Control description: The Finance Manager reviews and approves all journal entries prepared by the Accounting Technician to ensure they are accurate and timely.
Risk score: 3.0. Frequency: Monthly. Effective date: 01/01/11. S/M: M. P/D: D. Who performs: Financial Reporting Manager. Fraud risk: N. Control category: Authorization.

CO-3.2 (Assertions: C, V, R)
Control description: The Accounting Technician maintains a roll-forward schedule and compares the YTD amounts to the G/L to ensure contributions are recorded correctly in the G/L.
Risk score: 3.5. Frequency: Monthly. Effective date: 01/01/11. S/M: M. P/D: D. Who performs: Contribution Accountant. Fraud risk: Y. Control category: Control.

2014 Finance RACM-Contribution Acctng.xlsx [C Matrix] 1 of 2


OCERS - Finance Division
2. CONTRIBUTION ACCOUNTING PROCESS (continued)
Risk Analysis and Control Matrix, as of 01/14/14

Related Accounts: Cash, Accounts Receivable, Prepaid Contribution, Reserves.

Control objective 4: Segregation of duties
Business objective: The recording of payroll and contribution data is handled by more than one person to prevent errors or fraud.
Risk: Staff create and/or record transactions erroneously or fraudulently without being prevented or detected.
Risk score: 3.5

CO-4.1 (Assertions: E, C, V, R)
Control description:
a) Plan sponsors transfer funds to banks or send checks to OCERS. Checks are received and deposited to bank accounts by the Accounting Technician.
b) Payroll and contribution data are entered into Pension Gold by IT. Discrepancies are investigated and resolved by Member Services' Transmittal Desk.
c) The Accounting Technician imports data from PG and prepares journal entries to record the contribution at summary level to the general ledger; she does not handle cash receipts.
d) All JVs related to the recording of contributions are reviewed and approved by the Finance Manager.
Frequency: Annual. Effective date: 01/01/10. S/M: M. P/D: P. Who performs: Assistant CEO. Fraud risk: Y. Control category: Control.

Legend
Assertions: E = Existence (of an asset or liability; occurrence of an event or recorded transaction). C = Completeness (no unrecorded transactions, assets or liabilities; transactions recorded in the proper period and proper accounts, totals correct). V = Valuation (asset, liability or transaction recorded at the appropriate amount). R = Rights & Obligations (contractual right or obligation exists). P = Presentation (properly classified, described and disclosed in the financial statements).
Control attributes: A = Accuracy; C = Completeness. Type: S, M = System or Manual; P, D = Preventive or Detective.
Control category: Authorization of transaction; Custody or safeguarding of assets; Recording; Control activity.
** If effective date cannot be determined, use 1/1/2010.

2014 Finance RACM-Contribution Acctng.xlsx [C Matrix] 2 of 2


OCERS - Finance Division
3. RETIREE PAYROLL & OTHER BENEFITS ACCOUNTING PROCESS
Risk Analysis and Control Matrix, as of 01/14/04

Columns of the matrix (reconstructed from the flattened table): Control Objective | Assertions | Control # | Control Description | Business Objective | Risk | Risk Score | Frequency | Effective Date | S or M | P or D | Who Performs | Fraud Risk | Control Category

Related Accounts: Cash, Accrued Liabilities, Reserves, …

Control objective 1: Access to the payroll application and data is appropriately restricted. (System access)
Business objective: Access to system should be restricted to responsible personnel to protect against fraudulent uses.
Risk: Unauthorized personnel can access system to commit fraud or obtain confidential information.
Risk score: 4.0

PR-1.1 (Assertions: -)
Control description: Access to Pension Gold, LibertyNet, and Business Object Infoview (Bob) requires user ID and password. Access to the Dynamics accounting system is controlled at the network level. Users are required to change passwords to the network every 90 days.
Frequency: Quarterly. Effective date: 01/01/10. S/M: S. P/D: P. Who performs: IT. Fraud risk: Y. Control category: Control.

PR-1.2 (Assertions: -)
Control description: For control over the granting of access to the accounting system, refer to control GL-1.2 in the General Ledger & Close process. Finance personnel are assigned access privileges on Dynamics based on their job function by the Finance Manager and approval by Director of Finance.
Frequency: Quarterly. Effective date: 01/01/10. S/M: M. P/D: P. Who performs: Director of Finance. Fraud risk: N. Control category: Authorization.

Control objective 2: Member, retiree, and payroll data (benefits, status, deductions) are accurately maintained in the pension administrative system (PAS).

PR-2.1 (Assertions: E, C, V, R)
Control description: Member Services personnel record and maintain all participant and retiree data. Controls over the data are exercised in the Member Services division (separation of duties).
Business objective: Retiree data is complete and accurate to ensure that benefit payments are accurately computed.
Risk: Incorrect data causes errors in benefit payments and financial reporting.
Risk score: 4. Frequency: Daily. Effective date: 01/1/2010. S/M: M. P/D: P. Who performs: Member Services. Fraud risk: N. Control category: Control.

PR-2.2 (Assertions: E, C)
Control description: The Finance Manager runs a report of outstanding payroll checks and sends it to a Supervisor of Member Services to investigate any check that has been outstanding for more than 180 days.
Business objective: Investigate stale checks to determine if retiree information is incorrect or outdated.
Risk: A stale check is an indication that the retiree information may be incorrect or outdated.
Risk score: 4. Frequency: Monthly. Effective date: 01/01/10. S/M: M. P/D: D. Who performs: Finance Manager and Manager, Member Services. Fraud risk: Y. Control category: Control.

Control objective 3: Payroll and related transactions are properly authorized.

PR-3.1 (Assertions: E)
Control description: Monthly retiree payroll is initiated jointly by Member Services, IT, Finance, and Administrative Services. A certificate is signed by managers of the four divisions.
Business objective: Monthly payroll is appropriately authorized.
Risk: Payments are made without proper authorization.
Risk score: 4. Frequency: Monthly. Effective date: 01/01/10. S/M: M. P/D: P. Who performs: Finance Manager. Fraud risk: N. Control category: Authorization.

PR-3.2 (Assertions: E)
Control description: Manual checks and payments for other benefits (withdrawal, refund, death, etc.) must be authorized in writing by a Member Services Supervisor or Manager. The payment requests are saved in LibertyNet.
Business objective: Manual payroll check is appropriately authorized.
Risk: Payments are made without proper authorization.
Risk score: 4. Frequency: As needed. Effective date: 01/01/10. S/M: M. P/D: P. Who performs: Finance Manager and Director of Member Services. Fraud risk: Y. Control category: not stated in source.

2014 Finance RACM-Retiree Payroll.xlsx [C Matrix] 1 of 2


OCERS - Finance Division
3. RETIREE PAYROLL & OTHER BENEFITS ACCOUNTING PROCESS (continued)
Risk Analysis and Control Matrix, as of 01/14/04

Related Accounts: Cash, Accrued Liabilities, Reserves, …

Control objective 3 (continued): Payroll and related transactions are properly authorized.

PR-3.3 (Assertions: E, V)
Control description: Payments to payroll vendors such as insurance companies, associations, and tax authorities must be supported by payroll reports generated by the PAS and approved by the Finance Manager.
Business objective: Payroll-related payments are appropriately authorized.
Risk: Payments are made without proper authorization.
Risk score: 4. Frequency: Monthly. Effective date: 01/01/10. S/M: M. P/D: P. Who performs: Finance Manager. Fraud risk: N. Control category: Authorization.

Control objective 4: Transactions are accurately recorded in the general ledger in the correct period and charged to the correct accounts and sub-accounts.

PR-4.1 (Assertions: C, V, P)
Control description: The Accounting Technician prepares the JV to record monthly payroll activities. JVs are reviewed and approved by an Accountant/Auditor.
Business objective: Transactions are posted accurately to the correct accounting period.
Risk: Transactions posted to the G/L may be inaccurate or in the wrong accounting period.
Risk score: 4. Frequency: Monthly. Effective date: 01/01/10. S/M: M. P/D: D. Who performs: Finance Manager. Fraud risk: N. Control category: Authorization.

PR-4.2 (Assertions: C, V, P)
Control description: The Accounting Technician analyzes the payroll liability accounts. An Accountant/Auditor reviews the analysis and investigates any unusual amount.
Business objective: G/L account balances are accurate and supported by analysis or reconciliation.
Risk: G/L account balances are inaccurate or unsupported.
Risk score: 4. Frequency: Monthly. Effective date: 01/01/10. S/M: M. P/D: D. Who performs: Finance Manager. Fraud risk: N. Control category: Control.

Control objective 5: Regulatory reports are prepared timely and accurately.

PR-5.1 (Assertions: P)
Control description: Tax withholding reports to the IRS and California Tax Authority (no legal requirement for OCERS to withhold for other states) are reviewed by the Finance Manager for accuracy and completeness.
Business objective: Reports to federal and state tax authorities are complete, timely, and accurate.
Risk: Untimely or inaccurate reporting to tax authorities may result in penalties.
Risk score: 3. Frequency: Monthly. Effective date: 01/01/10. S/M: M. P/D: D. Who performs: Finance Manager. Fraud risk: N. Control category: Control.

Control objective 6: Segregation of duties.

PR-6.1 (Assertions: E, C, V, R)
Control description: Considerations:
a) Member Services maintains the retiree data including the pension rates.
b) IT executes the monthly payroll.
c) Accounting Technician prepares the JV to record payroll to the G/L.
d) Auditor/Accountant reviews and approves the JV.
(Management will begin the transition of printing payroll from IT to Finance during 2014.)
Business objective: Duties are segregated to prevent errors and collusion to commit fraud.
Risk: Staff create and/or record transactions erroneously or fraudulently without being prevented or detected.
Risk score: 4. Frequency: Monthly. Effective date: 01/01/10. S/M: M. P/D: P. Who performs: Assistant CEO. Fraud risk: Y. Control category: Control.

Legend
Assertions: E = Existence (of an asset or liability; occurrence of an event or recorded transaction). C = Completeness (no unrecorded transactions, assets or liabilities; transactions recorded in the proper period and proper accounts, totals correct). V = Valuation (asset, liability or transaction recorded at the appropriate amount). R = Rights & Obligations (contractual right or obligation exists). P = Presentation (properly classified, described and disclosed in the financial statements).
Control attributes: A = Accuracy; C = Completeness. Type: S, M = System or Manual; P, D = Preventive or Detective.
Control category: Authorization of transaction; Custody or safeguarding of assets; Recording; Control activity.
** If effective date cannot be determined, use 1/1/2010.

2014 Finance RACM-Retiree Payroll.xlsx [C Matrix] 2 of 2


OCERS - Finance Division
4. ACCOUNTS PAYABLE
Risk Analysis and Control Matrix, as of 01/14/14

Columns of the matrix (reconstructed from the flattened table): Control Objective | Assertions | Control # | Control Description | Business Objective | Risk | Risk Score | Frequency | Effective Date ** | S or M | P or D | Who Performs | Fraud Risk | Control Category

Related Accounts: Cash, Accounts Payable, Accrued Liabilities, Expenses.

Control objective 1: Access to the A/P functions of the accounting system is appropriately restricted. (System access)
Business objective: Access to system should be restricted to responsible personnel to protect against fraudulent uses.
Risk: Unauthorized personnel can access system to commit fraud or obtain confidential information.
Risk score: 4.0

AP-1.1 (Assertions: -)
Control description: User ID and password are not required for access to Dynamics. Control is at the network level.
Frequency: As needed. Effective date: 01/01/10. S/M: S. P/D: P. Who performs: IT. Fraud risk: Y. Control category: Control.

AP-1.2 (Assertions: -)
Control description: Finance personnel are assigned access privileges on Dynamics based on their job function by the Finance Manager and approval by Director of Finance.
Frequency: As needed. Effective date: 01/01/10. S/M: S. P/D: P. Who performs: Finance Manager, Director of Finance. Fraud risk: Y. Control category: Control.

Control objective 2: Additions, terminations, and changes of vendor information are properly authorized and recorded accurately. (Master files maintenance)

AP-2.1 (Assertions: E, R)
Control description: Vendor form is completed by A/P Accountant and approved by Finance Manager. Entry of new vendor is made by Accounting Technician.
Business objective: Vendor master file should be accurate and contain only legitimate or authorized vendors.
Risk: Without approval from a supervisor, the A/P Accountant has the ability to set up fictitious vendors or make unauthorized changes to existing vendors.
Risk score: 3.0. Frequency: As needed. Effective date: 01/01/14. S/M: M. P/D: P. Who performs: Finance Manager. Fraud risk: Y. Control category: Authorization.

AP-2.2 (Assertions: E, R)
Control description: Vendor Master files will be reviewed on a quarterly basis to verify that any changes or additions were properly authorized.
Business objective: Changes to master file(s) should be reviewed to detect errors or fraudulent transactions.
Risk: Unauthorized changes are made to the vendor file. Errors may not be detected timely.
Risk score: 3.0. Frequency: Quarterly. Effective date: 02/06/13. S/M: M. P/D: D. Who performs: Finance Manager. Fraud risk: Y. Control category: Control.

Control objective 3: Invoices are properly approved.
Risk: Unauthorized or fraudulent expenses are processed for payment.
Risk score: 3.5

AP-3.1 (Assertions: E, V, R)
Control description: All invoices are approved by the department head. A/P Accountant enters only approved invoices into the A/P system.
Business objective: Only invoices approved by authorized managers are entered into the A/P system for payment.
Frequency: Daily. Effective date: 01/09/04. S/M: M. P/D: P. Who performs: A/P Accountant. Fraud risk: Y. Control category: Control.

AP-3.2 (Assertions: E, V, R)
Control description: Travel expense reports or American Express card statements must have supporting receipts or invoices attached. They must be approved by the department head. The Board Chair approves expense claims for Board members and the CEO. The Vice Chair approves expense claims for the Chair. The CEO approves expense claims for management.
Business objective: Only expense reports that are approved by authorized managers are entered into the A/P system for payment.
Frequency: Daily. Effective date: 01/09/04. S/M: M. P/D: P. Who performs: A/P Accountant. Fraud risk: Y. Control category: Control.

2014 Finance RACM-Accounts Payable.xlsx [C Matrix] 1 of 3


OCERS - Finance Division
4. ACCOUNTS PAYABLE (continued)
Risk Analysis and Control Matrix, as of 01/14/14

Related Accounts: Cash, Accounts Payable, Accrued Liabilities, Expenses.

Control objective 3 (continued): Invoices are properly approved.
Business objective: The entity establishes clear authority and limits of approval and authorization for each level of management. The authority should be reviewed annually to ensure it is relevant to the current business environment.
Risk: Clear and up-to-date levels of authority are not available to guide the A/P function in the processing of invoices and payments.
Risk score: 3.5

AP-3.3 (Assertions: E, R)
Control description: CEO must approve all contracts over $100K. All contracts $50K or greater must go through the RFP process. All invoices require a transmittal with approval by the appropriate manager/director or Asst CEO.
Frequency: Daily. Effective date: 01/01/14. S/M: M. P/D: P. Who performs: Assistant CEO, Director of Finance. Fraud risk: N. Control category: Authorization.

AP-3.4 (Assertions: E, V, R)
Control description: A list of individuals authorized to initiate and confirm capital call fund transfers is available to Finance and Investment staff.
Frequency: Daily. Effective date: 12/01/13. S/M: M. P/D: P. Who performs: Assistant CEO. Fraud risk: Y. Control category: Authorization.

Control objective 4: Transactions are correctly coded to the appropriate accounts in the proper period. (Process transactions)

AP-4.1 (Assertions: E, C, P)
Control description: All invoices require a transmittal cover sheet that includes the period the invoice is to be posted in and the account number, which is then signed/approved by the division manager prior to processing and then by two finance managers prior to checks being signed.
Business objective: Expenses are accurately reported in the proper categories of the financial statements.
Risk: Expenses can be coded and entered into the wrong accounts, which will affect the accuracy of the financial statements.
Risk score: 3.5. Frequency: Daily. Effective date: 05/01/12. S/M: M. P/D: P. Who performs: Division Manager, Finance Manager (Director of Finance acts as backup). Fraud risk: N. Control category: Authorization.

AP-4.2 (Assertions: C)
Control description: All vendors have been instructed to send invoices directly to AP. When invoices are routed for approval, the AP Accountant creates a log to keep track of which invoices have not been returned by business managers with approval and need to be followed up.
Business objective: Expenses are accurately reported in the proper accounting period. Invoices should be processed and paid timely.
Risk: Transactions may be recorded in the wrong accounting period. Invoices may not be paid timely.
Risk score: 3.0. Frequency: Daily. Effective date: 05/01/12. S/M: M. P/D: P. Who performs: A/P Accountant. Fraud risk: N. Control category: Control.

AP-4.3 (Assertions: V)
Control description: Dynamics will notify when a previously paid invoice is entered in the system.
Business objective: Expenses are accurately reported in the proper accounting period. Invoices should be processed and paid timely.
Risk: Duplicate invoice.
Risk score: 3.0. Frequency: Daily. Effective date: 01/01/14. S/M: S. P/D: P. Who performs: A/P Accountant. Fraud risk: Y. Control category: Control.

Control objective 5: Check run and electronic fund transfer are properly authorized. (Authorize transactions)

AP-5.1 (Assertions: E, C, V)
Control description: Electronic Fund Transfer is initiated by the Accounting Technician and released by the Financial Manager or another Finance Manager as backup.
Business objective: Funds are transferred in the correct amount to the proper vendors.
Risk: Funds can be transferred to the wrong vendor or fictitious accounts.
Risk score: 3.5. Frequency: Daily. Effective date: 01/01/10. S/M: M. P/D: P. Who performs: Finance Manager. Fraud risk: Y. Control category: Control.

AP-5.2 (Assertions: E, C, V)
Control description: The check run batch is reviewed and approved by the Finance Manager prior to the check run. A second Finance Manager performs a review subsequent to the check run.
Business objective: Accounts are paid timely, but cash should not be disbursed prematurely.
Risk: Accounts are not paid timely. Cash is not managed efficiently if accounts are paid long before the due date.
Risk score: 3.0. Frequency: Semi-weekly. Effective date: 05/01/12. S/M: M. P/D: D. Who performs: Finance Manager. Fraud risk: N. Control category: Control.

AP-5.3 (Assertions: E, C, V)
Control description: Blank checks are locked in a file cabinet; check numbers are tracked in a log sheet, which is reviewed and signed off by the Accounting Technician after each check run.
Business objective: Checks are safeguarded against unauthorized uses.
Risk: Checks are stolen and used for unauthorized purposes.
Risk score: 3.0. Frequency: Semi-weekly. Effective date: 01/01/10. S/M: M. P/D: D. Who performs: Accounting Technician, separate from the Sr. Accounting Assistant who performs A/P. Fraud risk: N. Control category: Custody or safeguarding of assets.

2014 Finance RACM-Accounts Payable.xlsx [C Matrix] 2 of 3


OCERS - Finance Division
4. ACCOUNTS PAYABLE (continued)
Risk Analysis and Control Matrix, as of 01/14/14

Related Accounts: Cash, Accounts Payable, Accrued Liabilities, Expenses.

Control objective 6: Transactions are accurately recorded in the correct period and charged to the correct accounts and sub-accounts.

AP-6.1 (Assertions: E, C, V)
Control description: All A/P journal entries are reviewed and approved by the Finance Manager prior to posting in the General Ledger.
Business objective: Transactions are accurately reported in the proper categories of the financial statements.
Risk: Transactions can be posted into the wrong accounts, which will affect the accuracy of the financial statements.
Risk score: 4.0. Frequency: Monthly. Effective date: 05/01/12. S/M: M. P/D: D. Who performs: Finance Manager. Fraud risk: N. Control category: Authorization.

AP-6.2 (Assertions: E, C, V)
Control description: Quarterly reconciliation of A/P is included as part of our quarterly close; however, the majority of invoices are processed and paid within a week, so the A/P balance is minimal.
Business objective: G/L account should be supported by details to ensure accuracy.
Risk: The G/L account balance does not accurately reflect the total unpaid invoices.
Risk score: 4. Frequency: Quarterly. Effective date: 01/01/13. S/M: M. P/D: D. Who performs: Finance Manager. Fraud risk: N. Control category: Control.

Control objective 7: Reports are prepared accurately.

AP-7.1 (Assertions: E, C, V)
Control description: The Finance Director and Finance Manager review the quarterly travel and training expense report before sending it to the executive division.
Business objective: Report should be reviewed for accuracy before disseminating to users.
Risk: An inaccurate report does not provide value to users.
Risk score: 3.5. Frequency: Quarterly. Effective date: 01/01/10. S/M: M. P/D: D. Who performs: Finance Manager. Fraud risk: N. Control category: Control.

Control objective 8: Segregation of duties

AP-8.1 (Assertions: E, C, V, R)
Control description:
a) The AP Accountant prints the checks, the Accounting Technician verifies the check numbers log, and two Finance Managers sign the checks.
b) HR Office Clerk mails checks, not Finance.
c) Finance Manager reviews changes to the Vendor Master file on a quarterly basis.
d) Coding of invoices is reviewed by the Division Manager and two Finance Managers.
e) Check runs are authorized by the Finance Manager and reviewed by a second Finance Manager once checks have been processed.
f) Journal voucher is reviewed by the Finance Manager, not by the AP Accountant.
Business objective: Adequate segregation of duties can prevent and detect error or fraud.
Risk: Staff create and/or record transactions erroneously or fraudulently without being prevented or detected.
Risk score: 3.0. Frequency: Annual. Effective date: 05/01/12. S/M: M. P/D: P. Who performs: Assistant CEO & Director of Finance. Fraud risk: Y. Control category: Control.

Legend
Assertions: E = Existence (of an asset or liability; occurrence of an event or recorded transaction). C = Completeness (no unrecorded transactions, assets or liabilities; transactions recorded in the proper period and proper accounts, totals correct). V = Valuation (asset, liability or transaction recorded at the appropriate amount). R = Rights & Obligations (contractual right or obligation exists). P = Presentation (properly classified, described and disclosed in the financial statements).
Control attributes: A = Accuracy; C = Completeness. Type: S, M = System or Manual; P, D = Preventive or Detective.
Control category: Authorization of transaction; Custody or safeguarding of assets; Recording; Control activity.
** If effective date cannot be determined, use 1/1/2010.

2014 Finance RACM-Accounts Payable.xlsx [C Matrix] 3 of 3

OCERS - Finance Division
5. GENERAL LEDGER CLOSE & FINANCIAL REPORTING PROCESS
Risk Analysis and Control Matrix, as of 01/14/14
Columns: Control Objective | Assertions | Control # | Control Description | Business Objective | Risk | Risk Score | Frequency | Effective Date | S or M | P or D | Who Performs | Fraud Risk | Control Category
Related Accounts: All balance sheet, income, and expense accounts

1. Access to the G/L functions of the accounting system is appropriately restricted. (Risk Score: 4.0)

GL-1.1 (Assertions: -) Access to the G/L system is controlled at the network level, which requires a user ID and password. Passwords must be changed every 90 days.
Business Objective: Access to the system should be restricted to responsible personnel according to job function to protect against errors and fraud.
Risk: Unauthorized personnel can access the system to commit fraud, obtain confidential information, or make errors.
Frequency: Quarterly | Effective Date: 01/01/10 | S/M: S | P/D: P | Who Performs: IT | Fraud Risk: Y | Control Category: Control

GL-1.2 (Assertions: -) The Director of Finance authorizes access to the accounting system. Terminated employees cannot access the network and therefore have no access to the Dynamics system. Finance personnel are assigned access privileges to Dynamics based on their job function by the Finance Manager, with approval by the Director of Finance.
Business Objective: Access to the system should be restricted to responsible personnel according to job function to protect against errors and fraud.
Risk: Unauthorized personnel can access the system to commit fraud, obtain confidential information, or make errors.
Frequency: As Needed | Effective Date: 01/01/10 | S/M: M | P/D: P | Who Performs: Finance Manager, Director of Finance | Fraud Risk: Y | Control Category: Authorization

GL-1.3 (Assertions: -) The financial reporting process utilizes a large number of spreadsheets. Because the numerous spreadsheets would each require password protection, the folder containing the spreadsheets has been assigned restricted access.
Business Objective: Access to the system should be restricted to responsible personnel according to job function to protect against errors and fraud.
Risk: Unauthorized personnel can access the system to commit fraud, obtain confidential information, or make errors.
Risk Score: 4.0 | Frequency: Annual | Effective Date: N/A | S/M: M | P/D: P | Who Performs: Director of Finance | Fraud Risk: Y | Control Category: Control

2014 Finance RACM-GL & Financial Reporting.xlsx [C Matrix] 1 of 4

2. Changes to the chart of accounts and master files are properly authorized.

GL-2.1 (Assertions: E, C, V, R) Finance personnel are assigned access privileges on Dynamics based on their job function by the Finance Manager, with approval by the Director of Finance.
Business Objective: Master files should be protected from unauthorized changes to maintain the integrity of the account structures and financial information.
Risk: Unauthorized changes to the master files can cause errors in the account balances and financial reports.
Risk Score: 4.0 | Frequency: As Needed | Effective Date: N/A | S/M: M | P/D: P | Who Performs: Assistant CEO and Director of Finance | Fraud Risk: Y | Control Category: Control

3. Journal entries are properly authorized.

GL-3.1 (Assertions: E, C, V, R) All journal entries are reviewed by the Finance Manager or Director of Finance.
Business Objective: Data entered into the G/L system should be properly authorized to ensure accuracy and appropriateness.
Risk: Unauthorized entries can cause data to be posted in the wrong accounts or the wrong accounting period.
Risk Score: 4.0 | Frequency: Monthly | Effective Date: 01/01/10 | S/M: M | P/D: P | Who Performs: Financial Reporting Manager and Director of Finance | Fraud Risk: N | Control Category: Authorization

4. Transactions are processed completely and posted to the correct accounting period. Major account balances and disclosures are properly supported.

GL-4.1 (Assertions: C, V, P) Management has created monthly, quarterly and year-end checklists to facilitate the accounting close process.
Business Objective: Use of a checklist helps to identify all tasks and the timing of their completion, to ensure all necessary tasks are completed in the proper sequence. It also helps to manage the close process more efficiently.
Risk: Without a clear schedule or checklist, tasks may be performed out of sequence or late, which causes errors in the account balances and delays the close process.
Risk Score: 3.5 | Frequency: Monthly | Effective Date: 01/01/14 | S/M: M | P/D: P | Who Performs: Financial Reporting Manager | Fraud Risk: N | Control Category: Control

GL-4.2 (Assertions: C, V, P) The Director of Finance and Finance Manager review all account balances as part of the preparation of the quarterly financials and confirm that all significant accounts are properly reconciled.
Business Objective: Significant account balances are accurate and properly supported.
Risk: Significant account balances are inaccurate or unsubstantiated.
Risk Score: 3.5 | Frequency: Quarterly | Effective Date: 01/01/10 | S/M: M | P/D: D | Who Performs: Financial Reporting Managers and Director of Finance | Fraud Risk: N | Control Category: Control

GL-4.3 (Assertions: C, V, P) Financial statement disclosure amounts are supported by worksheets prepared by the Finance Managers and Accountant/Auditors. Those worksheets are reviewed by the Director of Finance.
Business Objective: All disclosure amounts are accurate and supported by analysis or reconciliation.
Risk: Incorrect disclosure amounts may render the financial statements misleading.
Risk Score: 4 | Frequency: Annually | Effective Date: 01/01/10 | S/M: M | P/D: D | Who Performs: Director of Finance | Fraud Risk: N | Control Category: Control

5. Periodic financial statements and the CAFR are prepared in accordance with financial standards and are reasonably accurate.

GL-5.1 (Assertions: C, V, P) All Finance staff are required to pursue continuing education opportunities.
Business Objective: Financial executives should be knowledgeable of new accounting standards to ensure the financial reports are prepared in accordance with all requirements.
Risk: The financial reports may not comply with newly approved standards.
Risk Score: 2 | Frequency: As Needed | Effective Date: 01/01/13 | S/M: M | P/D: P | Who Performs: Assistant CEO | Fraud Risk: N | Control Category: Control

GL-5.2 (Assertions: C, P) The Director of Finance and Finance Manager prepare a disclosure checklist as part of the year-end CAFR preparation.
Business Objective: All required disclosures should be included in the financial reports.
Risk: Required disclosures may be missing, so the reporting entity may be subject to fine or sanction.
Risk Score: 3.5 | Frequency: Annual | Effective Date: 05/01/12 | S/M: M | P/D: P | Who Performs: Assistant CEO and Director of Finance | Fraud Risk: N | Control Category: Control

GL-5.3 (Assertions: C, V, P) The Finance Manager and Finance Director compare the periodic financial statements to the budget and prior-period financial statements to ensure the amounts reported are reasonable.
Business Objective: Financial statements should be compared to the budget and prior period to ensure they are reasonable.
Risk: Unusual or large changes in the financial statements are not detected and explained.
Risk Score: 3.5 | Frequency: Quarterly, Annual | Effective Date: 01/01/10 | S/M: M | P/D: D | Who Performs: Financial Reporting Manager | Fraud Risk: N | Control Category: Control

GL-5.4 (Assertions: C, V, P) The quarterly and annual financial statements, along with disclosures, are reviewed by the CEO, Assistant CEO of Internal Operations, and Audit Committee.
Business Objective: Financial reports are reviewed for accuracy and appropriateness by executives and the Audit Committee.
Risk: Financial disclosures may not completely reflect new developments in the organization.
Risk Score: 4 | Frequency: Quarterly, Annual | Effective Date: 01/01/10 | S/M: M | P/D: D | Who Performs: Assistant CEO, CEO, and Audit Committee | Fraud Risk: N | Control Category: Control

GL-5.5 (Assertions: C, V, P) The quarterly financial statements and CAFR are reviewed by the Board of Retirement.
Business Objective: Financial reports are reviewed by Board members to detect any unusual items that have not been explained.
Risk: Unusual or large changes in the financial statements are not detected and explained.
Risk Score: 4 | Frequency: Quarterly, Annual | Effective Date: 01/01/10 | S/M: M | P/D: D | Who Performs: Board of Trustees | Fraud Risk: N | Control Category: Control

6. Segregation of duties.

GL-6.1 (Assertions: E, C, V, R) Considerations:
- Retiree payroll, accounts payable, and cash management are handled by three different individuals whose work is reviewed by the Finance Manager.
- Contribution accounting is handled by one accountant, and investment accounting is handled by two accountants. The work of those three accountants is reviewed by the Financial Reporting Manager.
- The Director of Finance is responsible for the operations of the division and the preparation of the financial statements.
- The monthly and quarterly financial statements, and the CAFR, are reviewed by the Assistant CEO of Internal Operations, the CEO, and the Audit Committee.
Business Objective: Duties are segregated to protect against errors, collusion, and fraud.
Risk: Staff create and/or record transactions erroneously or fraudulently without being prevented or detected.
Risk Score: 4.0 | Frequency: Annually | Effective Date: 01/01/10 | S/M: M | P/D: P | Who Performs: Assistant CEO | Fraud Risk: Y | Control Category: Control

OCERS - Finance Division
6. CASH MANAGEMENT PROCESS
Risk Analysis and Control Matrix, as of 01/14/14
Columns: Control Objective | Assertions | Control # | Control Description | Business Objective | Risk | Risk Score | Frequency | Effective Date | S or M | P or D | Who Performs | Fraud Risk | Control Category
Related Accounts: Cash, Accounts Receivable, Reserves.

1. Access to the banking applications and accounting system is appropriately restricted. (System access)
Business Objective (CA-1.1 to CA-1.3): Access to the system should be restricted to responsible personnel to protect against fraudulent uses.
Risk (CA-1.1 to CA-1.3): Unauthorized personnel can access the system to commit fraud or obtain confidential information.

CA-1.1 (Assertions: -) Access to the G/L system is controlled at the network level. Users are required to change their password every 90 days.
Risk Score: 4.0 | Frequency: Quarterly | Effective Date: 01/01/10 | S/M: S | P/D: P | Who Performs: IT | Fraud Risk: Y | Control Category: Control

CA-1.2 (Assertions: -) Finance personnel are assigned access privileges on Dynamics based on their job function by the Finance Manager, with concurrence by the Director of Finance.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | S/M: M | P/D: P | Who Performs: Director of Finance | Fraud Risk: N | Control Category: Authorization

CA-1.3 (Assertions: -) Access to the Wells Fargo online banking system requires a user ID, password, and token key. Access is restricted to Finance personnel with differing user roles: Accountant/Auditors can initiate; the Finance Manager and Director of Finance can approve/update/edit.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | S/M: M | P/D: P | Who Performs: Finance Managers (Dual Control), Director of Finance, Assistant CEO | Fraud Risk: Y | Control Category: Control

2. Cash receipts are timely deposited and recorded.

CA-2.1 (Assertions: C)
a) An Accounting Technician picks up checks from the mail or reception desk, posts cash receipts to the G/L, and prints a Dynamics edit report. A second Accounting Technician makes the bank deposit online and verifies the deposited amounts against the edit report provided by the first Technician.
b) The Finance Manager verifies daily cash deposits against the bank statement to ensure all cash deposits are recorded accurately by the bank.
Business Objective: a) Cash receipts are deposited promptly to prevent loss, and to improve cash flows and interest earnings. b) Cash receipts are recorded accurately and timely.
Risk: Cash or checks held in the office may be lost or stolen. There is an opportunity cost to holding cash outside of the bank account.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | S/M: M | P/D: D | Who Performs: Finance Manager | Fraud Risk: Y | Control Category: Recording

2014 Finance RACM-Cash Management.xlsx [C Matrix] 1 of 3

3. Cash payments are properly authorized.
Business Objective (CA-3.1 and CA-3.2): Disbursements must be properly authorized and supported.
Risk (CA-3.1 and CA-3.2): Cash may be disbursed without proper authorization and support.

CA-3.1 (Assertions: E, C, V) Electronic fund transfers (EFT) must be released by a different individual than the one who initiates the transaction. The Payroll Accountant and Accounting Technicians are authorized to initiate EFTs, with approval by two Finance Managers.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | S/M: M | P/D: P | Who Performs: Assistant CEO | Fraud Risk: Y | Control Category: Control

CA-3.2 (Assertions: E, C, V) The Finance Manager reviews each check to verify it is supported by invoices and the batch control report. Checks require two "live" signatures from the Finance Managers, Director of Finance or Asst CEO Finance.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | S/M: M | P/D: D | Who Performs: Finance Manager | Fraud Risk: Y | Control Category: Control

4. Cash transactions are accurately recorded in the general ledger in the correct period and charged to the correct accounts and sub-accounts.

CA-4.1 (Assertions: C, V, P)
a) Journal entries to record operating cash transactions are reviewed and approved by the Finance Manager.
b) Journal entries to record investing cash transactions are reviewed and approved by the Financial Manager.
c) Cash receipts from plan sponsors are verified against transmittal data by the Accounting Technician to ensure accuracy and completeness.
Business Objective: Cash-related transactions are recorded accurately in the general ledger.
Risk: Cash-related transactions are not accurately recorded in the general ledger.
Risk Score: 4.0 | Frequency: Monthly | Effective Date: 01/01/10 | S/M: M | P/D: D | Who Performs: Finance Manager, Financial Manager | Fraud Risk: N | Control Category: Authorization

4. Cash transactions are accurately recorded in the general ledger in the correct period and charged to the correct accounts and sub-accounts. (continued)

CA-4.2 (Assertions: C, V, P) The Wells Fargo bank account is reconciled monthly by the Finance Manager. Bank reconciliations are reviewed by one of three Finance Managers not responsible for preparing the reconciliation. In 2014, an Accountant/Auditor will be responsible for preparing the bank reconciliation, and it will be reviewed by the Finance Manager.
Business Objective: The bank account is reconciled periodically to ensure accuracy and completeness.
Risk: Cash-related transactions are not accurately recorded in the general ledger.
Risk Score: 4.0 | Frequency: Monthly | Effective Date: 01/01/14 | S/M: M | P/D: D | Who Performs: Finance Manager | Fraud Risk: N | Control Category: Control

CA-4.3 (Assertions: R, V)
a) Monthly, the Finance Manager runs a payroll stale check report and sends it to Member Services for investigating and resolving any check that has not been cashed for six months.
b) After the monthly WFB account is reconciled, the A/P Accountant investigates all stale vendor checks.
Business Objective: Stale checks are investigated to detect outdated records, errors, or potential wrongdoing.
Risk: Stale checks may be indications of error or wrongdoing.
Risk Score: 3.5 | Frequency: Monthly | Effective Date: 01/01/10 | S/M: M | P/D: D | Who Performs: Finance Manager | Fraud Risk: Y | Control Category: Control

5. Segregation of duties

CA-5.1 (Assertions: E, C, V, R)
a) Cash receipts are deposited by one Accounting Technician and recorded by another Technician.
b) All bank reconciliations are reviewed by a Finance Manager not responsible for preparing the reconciliation. In 2014, preparation of the bank reconciliation will be the responsibility of an Accountant/Auditor.
c) EFTs (wire transfers) must be initiated and released by two different authorized individuals.
Business Objective: Duties are properly segregated to prevent error or collusion to commit fraud.
Risk: Staff create and/or record transactions erroneously or fraudulently without being prevented or detected.
Risk Score: 4.0 | Frequency: Annual | Effective Date: 01/01/10 | S/M: M | P/D: P | Who Performs: Assistant CEO | Fraud Risk: Y | Control Category: Control

OCERS - Investment Division
Investment Operations
Risk Analysis and Control Matrix, as of 01/24/14
Columns: Control Objective | Assertions | Control # | Control Description | Business Objective | Risk | Risk Score | Frequency | Effective Date** | S or M | P or D | Who Performs | Fraud Risk | Control Category
Related Accounts: Cash & Equivalents, Investment, Income Receivable, Income from investment, Investment Consulting fees.

1. Data and System Access
Risk (applies to the controls under this objective): Unauthorized personnel may access the system to illegally obtain confidential information or fraudulently alter data.

INV-1.1 (Assertions: -) Access to the network and e-mail system requires a user ID and password. The password must be changed every 90 days.
Business Objective: The computer network and applications should be protected against unauthorized access and use.
Risk Score: 4 | Frequency: As Needed | Effective Date: 01/01/10 | S/M: S | P/D: P | Who Performs: IT Operations Manager | Fraud Risk: Y | Control Category: Control

INV-1.2 (Assertions: -) Access to the network and e-mail system must be authorized in writing by the division head and submitted to the IT Operations Manager. IT annually reviews user network access rights to ensure that all access for terminated employees has been removed.
Business Objective: Access to the computer network and applications should be granted only to employees who need the tools to fulfill their responsibilities.
Risk Score: 4 | Frequency: As Needed | Effective Date: 01/01/10 | S/M: M | P/D: P | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: Y | Control Category: Authorization

INV-1.3 (Assertions: -) The spreadsheets and reports are saved in a password-protected folder, which is accessible only by Investments staff. The Investment Team's secondary review process highlights any accidental changes, deletions, or fraudulent changes to spreadsheets and reports.
Business Objective: Spreadsheets must be protected against accidental errors or intentional wrongdoing.
Risk: Excel spreadsheets are prone to errors. There is no audit trail to track unauthorized access or modification.
Risk Score: 4 | Frequency: As Needed | Effective Date: 01/01/10 | S/M: S | P/D: P | Who Performs: CIO | Fraud Risk: Y | Control Category: Control

2014 Investments RACM.xlsx [C Matrix] 1 of 6

2. Charter, Policy, and Procedures

INV-2.1 (Assertions: R) The Chief Investment Officer (CIO) Charter was adopted by the Board on August 20, 2012. It lists the specific responsibilities and authority of the CIO.
Business Objective: The CIO Charter is reviewed and updated every 3 years to ensure the CIO's responsibilities and authority are clearly defined and relevant to current operations.
Risk: Without a current charter that clearly defines responsibilities and authority, the Board and management may not be able to accurately assess the performance of the CIO.
Risk Score: 4 | Frequency: As Needed | Effective Date: 08/20/11 | S/M: M | P/D: P | Who Performs: Board, Investment Committee, CIO | Fraud Risk: Y | Control Category: Authorization

INV-2.2 (Assertions: R) The Investment Committee Charter was revised and accepted by the Board on May 21, 2012.
Business Objective: The Investment Committee's responsibilities and authority are clearly defined and relevant to current operations.
Risk: Without a current Charter to guide its activities, the Investment Committee may not be able to perform its duties effectively.
Risk Score: 4 | Frequency: As Needed | Effective Date: 11/01/02 | S/M: M | P/D: P | Who Performs: Board, Investment Committee, CIO | Fraud Risk: N | Control Category: Authorization

INV-2.3 (Assertions: R) The Board adopted an Investment Policy to assist the Board, Investments division, and consultants in managing OCERS' investments. The policy sets forth the asset class allocation and risk tolerance policy. The policy is reviewed and updated every 3 years and as needed. The current investment policy was amended on August 28, 2013.
Business Objective: There should be an investment policy to guide the Investment Committee and management in handling investment activities. The policy should clearly define the investment objectives, risk tolerance, decision-making process, and asset class allocation. The policy must be reviewed and updated periodically to ensure it meets the organization's objectives and financial market conditions.
Risk: Without a current investment policy, management and investment consultants may not be able to formulate an investment strategy to achieve the intended objectives.
Risk Score: 4 | Frequency: As Needed | Effective Date: 11/23/09 | S/M: M | P/D: P | Who Performs: Board, Investment Committee, CIO | Fraud Risk: Y | Control Category: Authorization

INV-2.4 (Assertions: C, E, R, P) Major procedures over invoice processing, account opening, manager contracts, capital calls, and fund transfers have been updated as of January 2013.
Business Objective: Processes governing invoice processing, account opening, manager contracts, capital calls, and fund transfers include proper review and approval procedures.
Risk: Staff may not be able to perform their duties effectively or efficiently if there are no clear and current procedures for them to follow.
Risk Score: 4 | Frequency: As Needed | Effective Date: 11/30/07 | S/M: M | P/D: D | Who Performs: CIO | Fraud Risk: Y | Control Category: Control

3. Due Diligence and Service Provider Selection

INV-3.1 (Assertions: V) The Board has adopted a Due Diligence policy, which specifies the time frame and the responsibilities of Board members and Investments staff related to the due diligence process. However, OCERS has not established specific guidelines or procedures to ensure that relevant information is collected and evaluated on a consistent basis.
Last Updated: March 22, 2010
Recommendation: Investments to review with CEO Steve Delaney regarding revising the Due Diligence policy.
Business Objective: Investment is more of an art than an exact science. Therefore, it is critical that the Board and management clearly document the decision-making process to demonstrate that they perform their duties with fairness, prudence, and professionalism.
Risk: If Board members and executives do not clearly document their decision-making process, they may be subject to litigation when the fund suffers losses to fraud or poor performance.
Risk Score: 4 | Frequency: Daily | Effective Date: 01/01/10 | S/M: M | P/D: P | Who Performs: Board and CIO | Fraud Risk: Y | Control Category: Control

INV-3.2 (Assertions: V) Services are acquired according to the "Procurement and Contracting Policy" adopted by the Board in May 2013 and the "Investment Fee Policy" adopted by the Board in April 2013, to ensure contracts are awarded to the parties who can provide the best service at a reasonable price. The Investments Division relies on investment consultants to provide information on service provider searches.
Business Objective: An effective policy enables Board members and Investments executives to select the fund managers who can provide the services that meet the requirements of the Investment Policy at reasonable cost.
Risk: Board members and executives may not be able to select the consultant and fund managers who can efficiently assist them with investment activities.
Risk Score: 4 | Frequency: Daily | Effective Date: 01/01/10 | S/M: M | P/D: P | Who Performs: CIO | Fraud Risk: Y | Control Category: Control

INV-3.3 (Assertions: R) Contracts with fund managers are reviewed and signed by the Chief Investment Officer with assistance from investment counsel. The CEO also reviews and signs these contracts. A contract completion form is also used to evidence proper approval of the contract.
Business Objective: Management obtains contract terms that provide the optimum level of services and costs.
Risk: The organization may commit to unfavorable contract terms that prevent it from achieving its investment objectives.
Risk Score: 4 | Frequency: Daily | Effective Date: 01/01/10 | S/M: M | P/D: P | Who Performs: CIO | Fraud Risk: Y | Control Category: Authorization

INV-3.4 (Assertions: R) The Investment Management Monitoring Subcommittee was formed by the Governance Committee on January 30, 2013 to begin providing, at minimum, a biennial (every two years) review of Investment Managers for any potential due diligence issues.
Business Objective: The Investment Committee is informed of any key due diligence issues related to OCERS' investment managers.
Risk: The Investment Committee is not duly informed of key due diligence items for OCERS' investment managers.
Risk Score: 4 | Frequency: Monthly | Effective Date: 01/30/13 | S/M: M | P/D: P | Who Performs: Investment Analyst Officer | Fraud Risk: Y | Control Category: Control

4. Authorization and approval of transactions

INV-4.1 (Assertions: E, C, R) Invoices for management fees are recalculated by investment staff to ensure they accurately reflect the contract terms. The Director of Investments then reviews and approves those invoices before sending them to Finance for payment. Discrepancies in management fee calculations are logged by the Investment Analyst.
Business Objective: Fees are paid according to contract terms and properly authorized.
Risk: Fees may be calculated inaccurately or paid without proper review and authorization.
Risk Score: 4 | Frequency: Quarterly | Effective Date: 11/01/07 | S/M: M | P/D: P | Who Performs: Director of Investments Operations | Fraud Risk: Y | Control Category: Authorization

INV-4.2 (Assertions: E, C, R) The Investments Division relies on SSAE-16 reports (if provided) and audited financial statements from commingled funds and alternative managers to determine that fees paid at source are calculated accurately and equitably.
Business Objective: Fees are calculated according to contract terms.
Risk: Fees may be calculated and/or recorded erroneously.
Risk Score: 4 | Frequency: Quarterly | Effective Date: 11/01/07 | S/M: M | P/D: P | Who Performs: Director of Investments Operations | Fraud Risk: Y | Control Category: Control

INV-4.3 (Assertions: E, C, R) Capital calls from private equity and real estate commingled funds must be approved by the Director of Investments or Investment Officer before they are executed by Finance.
Business Objective: Capital payments are properly authorized, according to investment policy.
Risk: Unauthorized payments cause loss or inappropriate allocation of assets.
Risk Score: 4 | Frequency: As Needed | Effective Date: 05/14/09 | S/M: M | P/D: P | Who Performs: Director of Investments Operations | Fraud Risk: Y | Control Category: Authorization

INV-4.4 (Assertions: E, C, R) All fund transfers, such as funding, rebalancing, and withdrawals, must be reviewed and approved by the Chief Investment Officer in writing before being forwarded to the custodian bank for execution. Finance and the respective fund managers are notified of these transactions.
Business Objective: Fund movements are properly authorized according to investment policy to achieve the predefined asset allocation model.
Risk: Unauthorized movement of funds can prevent the organization from achieving its asset allocation model or cause loss.
Risk Score: 4 | Frequency: As Needed | Effective Date: 05/14/09 | S/M: M | P/D: P | Who Performs: CIO | Fraud Risk: Y | Control Category: Authorization

INV-4.5 (Assertions: C, V) On a monthly basis, the Chief Investment Officer reviews asset allocations and authorizes rebalancing as needed according to the Investment Policy.
Business Objective: The investment portfolio should adhere to the asset class allocation model approved in the investment policy.
Risk: Values of asset classes do not match the approved asset class allocation model, which may prevent the portfolio from achieving the expected rate of return.
Risk Score: 4 | Frequency: Monthly | Effective Date: 04/28/09 | S/M: M | P/D: D | Who Performs: CIO | Fraud Risk: N | Control Category: Control

Page 22: DATE: TO: Members of the Audit  · PDF fileAudit Committee Meeting ... Presentation - Properly classified, ... Custody or safeguarding of assets P, D Preventive or Detective

OCERS - Investment DivisionInvestment OperationsRisk Analysis and Control Matrix As of 01/24/14

Con

trol

O

bjec

t.

AssertionsControl

# Control Description Business Objective Risk Ris

k Sc

ore

Freq

uenc

y

Effe

ctiv

e D

ate

** S or M

P or D Who Performs

Fraud Risk

Control Category

Related Accounts: Cash & Equivalents, Investment, Income Receivable, Income from investment, Investment Consulting fees.

INV-5.1 (Assertions: E, C, V): State Street (custodian bank) and many fund managers provide SSAE 16 (formerly SAS 70) reports to OCERS. The Finance Division logs the reports.
Recommendation: The Investments Division should send a blanket form to each fund manager asking the manager to highlight important items from the SSAE 16 report.
Business Objective: Custodian bank and investment funds safeguard OCERS' investments and report activities and results accurately.
Risk: Custodian bank or funds do not have adequate internal controls to safeguard investments and report results accurately.
Risk Score: 4 | Frequency: Annual | Effective Date: N/A | Manual | Detective | Who Performs: Investments staff | Fraud Risk: Y | Control Category: Safeguarding

INV-5.2 (Assertions: C, V, P): Investment team members review all monthly and quarterly reports before they are submitted to the Board. All recommendations to the Board are cross-checked by another Investments staff member. Reports include:
- Derivatives exposure report
- Manager compliance report
- CIO report
- Portfolio activity report
- Manager performance report
Business Objective: Investment activities and results are reported accurately and completely to the Investment Committee and Board of Retirement.
Risk: Investment activities and results reported to the Investment Committee and Board do not accurately reflect the actual investment amounts.
Risk Score: 4 | Frequency: Monthly | Effective Date: 04/28/09 | Manual | Detective | Who Performs: Director of Investments Operations | Fraud Risk: N | Control Category: Control

INV-5.3 (Assertions: C, V, P): The Investment Analyst and Investment Officer compile information to be published in the CAFR. The Director of Investments Operations reviews the information for accuracy before it is sent to Finance.
Business Objective: Investment activities and results are reported accurately and completely in the CAFR.
Risk: Investment activities and results reported in the CAFR do not accurately reflect the actual amounts.
Risk Score: 4 | Frequency: Annual | Effective Date: 04/28/09 | Manual | Detective | Who Performs: Director of Investments Operations | Fraud Risk: N | Control Category: Control

INV-5.4 (Assertions: V): OCERS has contracted with BlackRock Solutions to create an investment risk management/monitoring solution, the "Green Package". The project's ultimate goal is to provide a systematic approach to managing risk in order to make a measurable difference in the outcomes experienced within the OCERS portfolio. The first "Green Package" was released in October 2013 with September 2013 data and will be refreshed quarterly for the Investment Committee.
Business Objective: To improve the decision-making process of the Investment Committee and its understanding of the portfolio's components.
Risk: The Investment Committee's decision-making process deteriorates and lacks an understanding of the portfolio's components.
Risk Score: 4 | Frequency: Quarterly | Effective Date: 09/30/13 | System | Preventive | Who Performs: Investment Analyst | Fraud Risk: N | Control Category: Control

Control objective 5 (INV-5.1 to INV-5.4): Monitoring and reporting of investment activities

2014 Investments RACM.xlsx [C Matrix] 5 of 6


INV-6.1 (Assertions: E, C, V, R): Considerations:
- Transactions such as cash/securities transfers are initiated by staff, approved by the CEO or CIO, and executed by Finance.
- Transactions such as capital calls are initiated by staff, approved by the CIO or Director of Investments Operations, and executed by Finance.
- Transactions are analyzed and recorded by Finance.
- The Investment Committee selects consultants and fund managers.
- The Investment Committee approves the asset class allocation.
- The Investments division serves as a conduit to facilitate the flow of information among the consultants, investment managers, and the Board.
Business Objective: Duties are segregated to prevent errors, collusion, and fraud.
Risk: Employees create and/or record transactions erroneously or fraudulently without being detected.
Risk Score: 4 | Frequency: As needed | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: Investments Staff, CEO, CIO, Finance, Investment Committee | Fraud Risk: Y | Control Category: Control

Legend
Assertions: E Existence (of an asset or liability; occurrence of an event or recorded transaction). C Completeness (no unrecorded transactions, assets or liabilities; transactions recorded in the proper period and proper accounts, totals correct). V Valuation (asset, liability or transaction recorded at the appropriate amount). R Rights & Obligations (contractual right or obligation exists). P Presentation (properly classified, described and disclosed in the financial statements).
Control Attributes: A Accuracy; C Completeness.
Type: S or M = System or Manual; P or D = Preventive or Detective.
Control Category: Authorization of transaction; Custody or safeguarding of assets; Recording; Control activity.
** If the effective date cannot be determined, 1/1/2010 is used.

Control objective 6 (INV-6.1): Segregation of duties

2014 Investments RACM.xlsx [C Matrix] 6 of 6


OCERS - IT Department | IT Environment | Risk Analysis and Control Matrix | As of 01/24/2014

Related Accounts: All General Ledger Accounts

IT-1 (Assertions: -): Backup: Data is backed up daily and stored both on-site and off-site.
Risk: System malfunction, accident or natural disaster can cause data to be corrupted and unusable.
Risk Score: 5.0 | Frequency: Daily | Effective Date: 01/01/10 | System | Preventive | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: N | Control Category: Control

IT-2 (Assertions: -): Restore: On a quarterly basis, the IT division restores data from backups to test the integrity of the backup data and the effectiveness of the restore procedures.
Risk: Data cannot be restored from backup media.
Risk Score: 5.0 | Frequency: Quarterly | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: N | Control Category: Control

IT-3 (Assertions: -): IT Disaster Recovery: IT has put together a disaster recovery plan, which needs to be complemented with Business Continuity Plans from the different departments.
Recommendation: Executive Management must provide Business Continuity Plans for the various divisions (i.e., Member Services, Finance, Investments, Administrative Services) to IT so that an enterprise-wide Business Continuity Plan can be put into place.
Business Objective: Ensure that the IT function can restore its operations and provide support to the organization after an accident or natural disaster.
Risk: The IT function cannot operate or provide support to the organization after experiencing an accident or natural disaster.
Risk Score: 5.0 | Frequency: As needed | Effective Date: 01/01/10 | Manual | Detective | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: N | Control Category: Control

IT-4 (Assertions: -):
a) Licensing: IT only purchases software from authorized vendors, and IT Managers renew licenses on a timely basis.
b) Prevention: IT has installed the Windows 7 operating system to facilitate user controls and lockdown of systems, preventing OS changes, installations, or other behaviors not authorized by OCERS. An additional monitoring tool, System Center, is now in place to control asset management and supervisor rights.
Business Objective: a) Ensure the entity has legal rights to use software. b) Prevent users from installing unauthorized software.
Risk: a) Unlawful use of software can expose the entity to legal actions and substantial penalties. b) Unauthorized installation of software can cause system malfunction or damage applications and databases.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | Manual | Detective | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: Y | Control Category: Control

IT-5 (Assertions: -):
a) Policy & Procedures: IT has established policies and procedures related to asset acquisition, asset disposal and asset management.
b) Orientation & Training: During 2014, IT will be rolling out education classes or educational presentations to OCERS staff regarding IT policies related to security, confidentiality, and use of OCERS software/hardware.
Business Objective: Policies and procedures are accurately and completely captured in written documentation, approved by management, and communicated to line staff.
Risk: Personnel not adhering to proper policies and procedures can cause errors in applications or damage to hardware.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | Manual | Detective | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: Y | Control Category: Control

IT-6 (Assertions: -): Network security: Firewalls (both physical and virtual) have been installed and are monitored on a daily basis.
Business Objective: Protect data & applications from unauthorized access and malicious acts by employees or outsiders. Ensure that system access is proactively monitored.
Risk: The network can be modified or damaged by unauthorized personnel or hackers.
Risk Score: 4.0 | Frequency: Daily | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: Y | Control Category: Control

Control objectives covered on this page: 1. General Operations; 2. Security.
Business Objective for IT-1 and IT-2 (a merged cell in the source): Protect data & applications from damage caused by system malfunction, accident, or natural disaster.
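The quarterly restore in IT-2 only proves something if the restored data is compared against what was originally backed up, not merely that the restore job finishes. The following is an added example, not OCERS' own procedure or tooling: it writes a SHA-256 manifest at backup time, restores into a scratch directory, and reports files that are missing, altered or unexpected. The backup layout (a plain directory copy plus manifest.json) and the sample files are assumptions constructed for this example.

```python
"""Added example (not OCERS' procedure): restore test with SHA-256 manifest
verification. Backup layout (directory copy + manifest.json) is an assumption."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_dir: Path) -> Path:
    """Copy the source tree to backup_dir/data and record relative path -> digest."""
    shutil.copytree(source, backup_dir / "data")
    manifest = {
        str(p.relative_to(source)): sha256_of(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    manifest_path = backup_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def restore_and_verify(backup_dir: Path, restore_dir: Path) -> dict:
    """Restore to restore_dir and compare every restored file with the manifest."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    shutil.copytree(backup_dir / "data", restore_dir)
    restored = {
        str(p.relative_to(restore_dir)): sha256_of(p)
        for p in restore_dir.rglob("*") if p.is_file()
    }
    missing = sorted(k for k in manifest if k not in restored)
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    unexpected = sorted(k for k in restored if k not in manifest)
    return {
        "ok": not (missing or corrupted or unexpected),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
    }


def run_restore_test(corrupt: bool = False) -> dict:
    """End-to-end drill on constructed sample data inside a temp directory.
    corrupt=True flips one byte on the backup copy to show damaged media being caught."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "live"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "gl.csv").write_text("acct,amt\n1000,12.50\n")   # constructed
        (src / "members.db").write_bytes(os.urandom(4096))                   # constructed
        make_backup(src, root / "backup")
        if corrupt:
            target = root / "backup" / "data" / "members.db"
            data = bytearray(target.read_bytes())
            data[0] ^= 0xFF
            target.write_bytes(bytes(data))
        return restore_and_verify(root / "backup", root / "restore")


if __name__ == "__main__":
    print(run_restore_test())               # clean drill: ok=True
    print(run_restore_test(corrupt=True))   # damaged media: members.db reported as corrupted
```

The manifest must be stored with the backup and, ideally, a second copy kept off-site with the off-site media: a restore that silently returns altered files is worse than one that fails outright, because it is the one nobody notices.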

2014 IT RACM.xlsx [C Matrix] 1 of 5


IT-7 (Assertions: -): Desktop security: Users are required to have an Active Directory (AD) account to log onto their desktop PC. AD accounts follow password complexity rules. USB ports for data storage are disabled, and all desktops and servers have anti-virus and anti-spam protection that is regularly updated.
Business Objective: Protect data & applications from unauthorized access and malicious acts by employees or outsiders.
Risk: An unauthorized individual can access computers to commit fraud.
Risk Score: 4.0 | Frequency: Daily | Effective Date: 01/01/10 | System | Preventive | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: Y | Control Category: Control

IT-8 (Assertions: -): Portable device security: AD accounts are required to log onto laptops and iPads (remaining Blackberry devices will be terminated during 2014). Additional security is enabled on servers to prevent unauthorized users from logging on directly to a server. Users are strictly prohibited from bringing personal devices to work and connecting them to the OCERS network and/or any OCERS device. Data on portable hardware devices (i.e., USB drives) is also encrypted.
Business Objective: Protect data & applications from unauthorized access and malicious acts by employees or outsiders.
Risk: An unauthorized individual can access computers to commit fraud.
Risk Score: 4.0 | Frequency: Daily | Effective Date: 01/01/10 | System | Preventive | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: Y | Control Category: Control

IT-9 (Assertions: -): Access to Applications: Application access is determined in writing by the division manager. Changes in access must be requested by division managers. All terminated employees' application access rights are terminated upon written notice of termination by HR.
The main applications in use at OCERS (PensionGold and LibertyNet) require separate logins and passwords, and user access and permissions are determined by group/user profiles within each application.
The financial system (Dynamics) requires both IT and Finance to provide a user with access to the system via Windows user ID and password authentication.
Annually, IT reviews user access rights to both PensionGold and Dynamics for appropriateness with the Asst. CEO of Internal Operations.
Business Objective: Protect data & applications from unauthorized access and malicious acts by employees or outsiders.
Risk: An unauthorized individual can access applications to alter data or commit fraud.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: Y | Control Category: Control

2014 IT RACM.xlsx [C Matrix] 2 of 5


IT-10 (Assertions: -): Access to data / shared drives: Access is limited to individuals who need the information to carry out their responsibilities. Access must be authorized in writing by the employee's division head to the IT division. IT annually reviews user network access rights to ensure that all access for terminated employees has been removed.
Business Objective: Protect data & applications from unauthorized access and malicious acts by employees or outsiders.
Risk: An unauthorized individual can access applications to alter data or commit fraud.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: Y | Control Category: Control

IT-11 (Assertions: -): Remote access (via VPN software) is permitted only to designated employees and Vitech staff according to business needs. User IDs and passwords provide security for the VPN software.
Business Objective: Protect data & applications from unauthorized access and malicious acts by employees or outsiders.
Risk: An unauthorized individual can access applications to alter data or commit fraud.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | System | Preventive | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: Y | Control Category: Control

IT-12 (Assertions: -): Physical facilities: Servers are locked in a designated server room. The room is equipped with supplemental UPS power and A/C protection. Access to the room is controlled by HR and only granted to IT Operations staff, the IT Programming Supervisor, the Asst. CEO Internal Operations, and the HR Manager. Additional access controls have been put in place to monitor access by V3 implementation consultants.
Business Objective: Protect hardware from being damaged by vandalism, accident, and natural disaster.
Risk: Damaged hardware can interrupt operations and workflows.
Risk Score: 4.0 | Frequency: Daily | Effective Date: 01/01/10 | System | Preventive | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: Y | Control Category: Custody or safeguarding of assets

IT-13 (Assertions: -): Software acquisition controls: Policies require approved purchase orders and bidding from multiple sources before acquisition, as stated in the "Procurement and Contracting Policy" adopted by the Board in May 2013.
Business Objective: Ensure the IT organization has adequate software that is appropriate for its operations.
Risk: Unsuitable software may not provide accurate and timely information to management.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: Y | Control Category: Control
Control objective 3 (IT-13 to IT-15): Asset and Inventory Management

2014 IT RACM.xlsx [C Matrix] 3 of 5


IT-14 (Assertions: -): Hardware acquisition controls: Policies require approved purchase orders and bidding from multiple sources before acquisition, as stated in the "Procurement and Contracting Policy" adopted by the Board in May 2013. Inventory controls are implemented to track the receipt and disposal of assets.
Business Objective: Ensure the IT organization has adequate hardware that is appropriate for its operations.
Risk: Inadequate or unsuitable hardware may not be able to support operations.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: Y | Control Category: Custody or safeguarding of assets

IT-15 (Assertions: -): Software Upgrade/Implementation: All vendor-specific software updates are tested and verified by all parties before implementation.
Business Objective: Ensure software updates are executed properly to protect existing databases and applications from being corrupted.
Risk: An obsolete version of the software may no longer be supported by the vendor. Improperly upgraded software can cause errors and interrupt the operations of the organization.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: N | Control Category: Control

2014 IT RACM.xlsx [C Matrix] 4 of 5


IT-16 (Assertions: -): System Development Lifecycle Controls (SDLC): Programming follows standard SDLC controls over the development of new software reports before they are put into production (i.e., requirements definition, design, prototyping, coding, testing, rollout, and documentation).
Business Objective: Requirements are identified and documented to assist IT with designing suitable software for the end users.
Risk: Requirements are not completely identified or understood.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 06/30/13 | Manual | Preventive | Who Performs: IT Programming Supervisor, IT Manager | Fraud Risk: N | Control Category: Control


Control objective 4 (IT-16): Software Development

2014 IT RACM.xlsx [C Matrix] 5 of 5


OCERS - Member Services Division | 1. System & Data Security | Risk Analysis and Control Matrix | As of 01/15/2014

Related Accounts: Employer contribution, employee contribution, retiree payroll, post retirement other benefits, third-party benefit provider liability.

DS-1.1 (Assertions: -): Access to the network requires a user ID and password; the password must be changed every 90 days.
Risk Score: 4 | Frequency: Every 90 days | Effective Date: 01/01/10 | System | Preventive | Who Performs: IT Manager, Users | Fraud Risk: Y | Control Category: Control

DS-1.2 (Assertions: -): Access to the Pension Gold pension administration system (PG) requires a user ID and password; the password must be changed every 90 days.
Risk Score: 4 | Frequency: Every 90 days | Effective Date: 01/01/10 | System | Preventive | Who Performs: IT Manager, Users | Fraud Risk: Y | Control Category: Control

DS-1.3 (Assertions: -): Access to the LibertyNet document depository system requires a user ID and password; the password must be changed every 90 days.
Risk Score: 4 | Frequency: Every 90 days | Effective Date: 01/01/10 | System | Preventive | Who Performs: IT Manager, Users | Fraud Risk: Y | Control Category: Control

DS-1.4 (Assertions: -): Member access to the MIC (Member Information Center) application requires a user ID and password. Members must be established in the PG database and obtain a PIN from OCERS to set up a user ID and password. Changes made in MIC are captured by the system and automatically routed in LibertyNET to designated Member Services staff, who enter the changes in PG. Changes in MIC are entered into LibertyNET and stamped as completed by Member Services staff.
Risk Score: 4 | Frequency: Daily | Effective Date: 01/23/09 | System | Preventive | Who Performs: Member Services, Users | Fraud Risk: Y | Control Category: Control

DS-1.5 (Assertions: -): The Disability Application database in the Operations\Disabilities folder on the F: drive is controlled at the network level. Only members of the disability processing group and managers have access to that folder.
Risk Score: 4 | Frequency: Daily | Effective Date: 02/17/09 | System | Preventive | Who Performs: IT Manager | Fraud Risk: Y | Control Category: Control

DS-1.6 (Assertions: -): Annually, IT reviews user access rights to PensionGold for appropriateness with the Asst. CEO of Internal Operations.
Risk Score: 4 | Frequency: Annual | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: IT Operations Supervisor, IT Programming Supervisor, IT Manager | Fraud Risk: Y | Control Category: Authorization

Business Objective (shared by DS-1.1 to DS-1.6): Access to systems should be restricted to responsible personnel to protect confidentiality and guard against fraudulent use. Management should periodically review the list of authorized users to ensure that only current personnel have access to the systems.
Risk (shared by DS-1.1 to DS-1.6): Unauthorized personnel can access systems to commit fraud or obtain confidential information.
Control objective 1 (DS-1.1 to DS-1.6): Access to computer applications is appropriately restricted. (System access)
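IT-9, IT-10 and DS-1.6 all rest on the same periodic comparison: who has an account versus who should. The following is an added example, not OCERS' review procedure or tooling; the HR roster, the account export and their column names are constructed for illustration. It reconciles the two lists and reports the exceptions such a review exists to surface: accounts with no HR record (orphaned or service accounts), terminated employees whose accounts are still enabled, and enabled accounts whose password is older than the 90-day limit stated in DS-1.1 to DS-1.3. A disabled account for a terminated employee is the expected state and is deliberately not reported.

```python
"""Added example (not OCERS' procedure): reconcile an HR roster with an account
export to produce access-review exceptions. All data and column names below are
constructed assumptions, not real OCERS records."""
import csv
import io
from datetime import date, datetime

# Constructed HR roster: current employment status per employee.
HR_ROSTER = """employee_id,name,status,termination_date
1001,A. Nguyen,active,
1002,B. Ortiz,terminated,2013-11-15
1003,C. Patel,active,
1004,D. Kim,terminated,2014-01-03
"""

# Constructed account export from the applications under review.
ACCOUNT_EXPORT = """username,employee_id,system,enabled,last_password_set
anguyen,1001,PensionGold,true,2013-12-20
bortiz,1002,PensionGold,true,2013-06-01
cpatel,1003,Dynamics,true,2013-11-20
dkim,1004,Dynamics,false,2013-10-02
svc_report,,PensionGold,true,2012-01-01
"""

PASSWORD_MAX_AGE_DAYS = 90        # DS-1.1 to DS-1.3: password changed every 90 days
REVIEW_DATE = date(2014, 1, 24)   # "as of" date of the matrices (assumed review date)


def load_csv(text):
    """Parse embedded CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(hr_text=HR_ROSTER, accounts_text=ACCOUNT_EXPORT, as_of=REVIEW_DATE):
    """Return sorted (finding, username, system) tuples for the reviewer.

    orphan_account           - account has no matching HR record
    terminated_still_enabled - HR says terminated, account is still enabled
    password_expired         - enabled account whose password exceeds the age limit
    """
    hr = {row["employee_id"]: row for row in load_csv(hr_text)}
    findings = []
    for acct in load_csv(accounts_text):
        enabled = acct["enabled"].strip().lower() == "true"
        emp = hr.get(acct["employee_id"])
        if emp is None:
            findings.append(("orphan_account", acct["username"], acct["system"]))
        elif emp["status"] == "terminated" and enabled:
            findings.append(("terminated_still_enabled", acct["username"], acct["system"]))
        if enabled:
            # Only enabled accounts are held to the rotation rule; a disabled account
            # cannot be logged into, so its password age is not an exposure.
            pw_set = datetime.strptime(acct["last_password_set"], "%Y-%m-%d").date()
            if (as_of - pw_set).days > PASSWORD_MAX_AGE_DAYS:
                findings.append(("password_expired", acct["username"], acct["system"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access():
        print(*finding)
```

The value of running this from the HR roster rather than from the application's own user list is that it catches the failure mode IT-9 and IT-10 describe: a termination notice that never reached IT. Each exception still needs a human decision (the service account may be legitimate), so the output is a worklist for the reviewer, not an automatic disable.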

2014 Member Services RACM-System & Data Security.xlsx [C Matrix] 1 of 3


DS-2.1 (Assertions: E): Changes to members' information must be submitted in writing and are entered by the Member Services staff responsible for the respective member's account. Requests for change are retained in LibertyNet. Also refer to DS-1.4.
Business Objective: Changes to members' information must be properly authorized or requested.
Risk: Staff may fraudulently change members' or retirees' information.
Risk Score: 4 | Frequency: As needed | Effective Date: 07/15/09 | Manual | Preventive | Who Performs: Member Services staff | Fraud Risk: Y | Control Category: Authorization

DS-2.2 (Assertions: E): Documents that affect benefits, such as a divorce judgment, tax levy, or support order, are routed to the Legal division for review and interpretation before changes are entered into the PAS. The Legal division provides instructions in a memo.
Business Objective: Complicated matters that affect members' benefits are reviewed by the Legal division to ensure the issues are understood and accurately entered into the PAS.
Risk: Misunderstanding of the legal implications can result in inaccurate benefits being paid to participants and their beneficiaries.
Risk Score: 4 | Frequency: As needed | Effective Date: 07/15/09 | Manual | Preventive | Who Performs: Legal Department | Fraud Risk: N | Control Category: Control

DS-2.3 (Assertions: E): For retirees: if mail is returned, Member Services staff notes it in PG (bad address flag). If a payroll check is returned, it is retained by Finance and the Director and Manager of MS are informed. Staff searches the Small World database for an address and sends out the address change form. When the signed form is received, staff updates the information in PG. The signed form is saved in LibertyNet. No response to Member Services' inquiry results in suspension of benefit payments.
Business Objective: Returned mail should be investigated to ascertain that participants are still alive and that their information is updated.
Risk: Returned mail indicates a wrong address or that the participant may no longer be alive.
Risk Score: 4 | Frequency: As needed | Effective Date: 07/15/09 | Manual | Detective | Who Performs: Member Services staff | Fraud Risk: Y | Control Category: Control

DS-2.4 (Assertions: E): Member Services staff reviews monthly and quarterly change reports to ensure that changes to members' information are legitimate:
1. The Transmittal Report, for any members not properly reported on the employer transmittals since the prior quarter.
2. The Payroll Report, for any changes in net benefit payments greater than 3% from the prior month.
Business Objective: Periodically (monthly or more often due to large volume) a manager should review the change report to ensure that all changes to member data are properly authorized and accurate.
Risk: Member data can be changed inaccurately or fraudulently without being detected.
Risk Score: 4 | Frequency: Monthly & Quarterly | Effective Date: 02/01/12 | Manual | Detective | Who Performs: Member Services staff | Fraud Risk: Y | Control Category: Control

Control objective 2 (DS-2.1 to DS-2.4): Additions and changes of member or retiree information are properly authorized and recorded accurately. (Master file maintenance)
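The Payroll Report check in DS-2.4 (net benefit payments that moved more than 3% from the prior month) is a simple detective rule, but the cases the percentage alone does not cover are where fraud or error hides: a payee who appears or disappears between months, and a prior-month amount of zero that makes the percentage undefined. The following is an added example, not OCERS' report logic; the payee IDs and amounts are constructed. It implements the rule with those cases reported explicitly and flags decreases as well as increases.

```python
"""Added example (not OCERS' report): month-over-month net benefit exception
report per DS-2.4. Payees and amounts are constructed sample data."""
from decimal import Decimal

THRESHOLD = Decimal("0.03")   # 3% change from the prior month, per DS-2.4

# Constructed prior-month and current-month net payments keyed by payee ID.
PRIOR_MONTH = {
    "R-100": Decimal("2500.00"),
    "R-101": Decimal("1800.00"),
    "R-102": Decimal("3100.00"),
    "R-103": Decimal("900.00"),
    "R-105": Decimal("1000.00"),
}
CURRENT_MONTH = {
    "R-100": Decimal("2520.00"),   # +0.8%: within tolerance
    "R-101": Decimal("1950.00"),   # +8.3%: over threshold
    "R-102": Decimal("3100.00"),   # unchanged
    "R-104": Decimal("1200.00"),   # new payee this month; R-103 has no payment
    "R-105": Decimal("950.00"),    # -5.0%: decreases are flagged too
}


def payroll_exceptions(prior, current, threshold=THRESHOLD):
    """Return (payee, reason, pct_change) for every payee needing review.

    reason is one of: new_payee, payment_stopped, from_zero, change_over_threshold.
    pct_change is None except for change_over_threshold, where it is a Decimal
    fraction (0.05 == 5%), signed.
    """
    exceptions = []
    for payee in sorted(set(prior) | set(current)):
        p, c = prior.get(payee), current.get(payee)
        if p is None:
            exceptions.append((payee, "new_payee", None))
        elif c is None:
            exceptions.append((payee, "payment_stopped", None))
        elif p == 0:
            # Percentage is undefined against a zero base; any payment is reportable.
            if c != 0:
                exceptions.append((payee, "from_zero", None))
        else:
            change = (c - p) / p
            if abs(change) > threshold:
                exceptions.append((payee, "change_over_threshold", change))
    return exceptions


if __name__ == "__main__":
    for payee, reason, change in payroll_exceptions(PRIOR_MONTH, CURRENT_MONTH):
        pct = "" if change is None else f" ({change * 100:.1f}%)"
        print(f"{payee}: {reason}{pct}")
```

Decimal rather than float keeps the comparison exact at the threshold boundary, which matters when a reviewer is asked why a 2.99% change was not listed. A new payee is reported without a percentage because there is nothing to compare against; that row is the one to reconcile with the enrollment records in MB-1.1.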

2014 Member Services RACM-System & Data Security.xlsx [C Matrix] 2 of 3


DS-3.1 (Assertions: E): Copies of documents such as birth and marriage certificates are compared to the original by a specialist and stamped "VERIFIED" before being scanned into the LibertyNet document depository. Paper copies are retained in a locked storage room for 90 days and then shredded. The Director of MS has the key to the locked storage room.
Business Objective: Photocopies of legal documents are verified against the original to ensure they are authentic replicas of the original.
Risk: Members may fraudulently submit counterfeit photocopies of legal documents.
Risk Score: 4 | Frequency: Daily | Effective Date: 01/11/08 | Manual | Preventive | Who Performs: Member Services management | Fraud Risk: Y | Control Category: Control

DS-4.1 (Assertions: E, R): Considerations:
- MS enrolls members and processes benefit applications, while Finance and IT process benefit payments and retiree payroll.
- Benefit calculations performed by a CSR are reviewed by the MS Supervisor or a Sr. Benefit Specialist.
- Disability staff recommends the disposition of the application, the Board approves, and an MS CSR sets up the benefit.
- Annual COLA and STAR COLA adjustments are authorized by the Board of Retirement and entered into PG by IT. Manual adjustments are entered by Member Services staff and reviewed by Member Services management.
Business Objective: Duties should be segregated to prevent error and fraud.
Risk: Personnel create and/or record transactions erroneously or fraudulently without being prevented or detected.
Risk Score: 4 | Frequency: Daily | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: Member Services staff, Disability staff, Finance staff, IT staff | Fraud Risk: Y | Control Category: Control


Control objective 3 (DS-3.1): Confidentiality and Data Protection
Control objective 4 (DS-4.1): Segregation of duties

2014 Member Services RACM-System & Data Security.xlsx [C Matrix] 3 of 3


OCERS - Member Services Division | 2. Member & Benefit Set Up | Risk Analysis and Control Matrix | As of 01/15/2014

Related Accounts:

MB-1.1 (Assertions: E, R): The new member affidavit is matched to the respective employer payroll transmittal to ensure the data submitted are accurate after the member is posted in Pension Gold (PG). Member Services (MS) staff contacts the employer to resolve any discrepancy between the affidavit and the transmittal file.
Business Objective: Member information is recorded accurately and completely in the pension administration system (PAS) to ensure that data provided to the actuary and pension contributions are accurate.
Risk: Inaccurate or incomplete member information will cause the actuary to calculate inaccurate contribution rates. It will also cause benefits to be calculated incorrectly.
Risk Score: 4.0 | Frequency: Daily | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: Transmittal Specialist | Fraud Risk: Y | Control Category: Control

MB-2.1 (Assertions: E, C, V): A pension benefit application must be supported by original legal documents, including birth certificate and Domestic Relations Order (DRO). The documents are inspected by the Benefit Specialist and scanned to LibertyNet. Evidenced by stamped receipt of legal documents.
Business Objective: Pension calculations are based on authentic and accurate information.
Risk: Pension amounts may be based on inaccurate or falsified information.
Risk Score: 4.0 | Frequency: Daily | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: Member Services staff | Fraud Risk: Y | Control Category: Control

MB-2.2 (Assertions: E, C, V): The Benefit Specialist uses a checklist to ensure all information affecting the pension benefit calculation is obtained and taken into consideration. Evidenced by sign-off of the LibertyNET e-form.
Business Objective: Benefit calculations take into account all relevant information.
Risk: Relevant information may be omitted, which causes benefit amounts to be inaccurate.
Risk Score: 4.0 | Frequency: Daily | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: Member Services staff | Fraud Risk: N | Control Category: Control

MB-2.3 (Assertions: E, C, V): The pension benefit calculation is reviewed by the MS Manager, MS Supervisor or a Senior Benefit Specialist before the benefit is posted in PG. A peer review is also performed before the MS Manager or Senior Benefit Specialist performs the review.
Business Objective: Pension calculations are performed accurately.
Risk: The benefit calculation may be performed inaccurately.
Risk Score: 4.0 | Frequency: Daily | Effective Date: 01/01/10 | Manual | Detective | Who Performs: MS Manager, Senior Benefit Specialist | Fraud Risk: Y | Control Category: Authorization

MB-2.4 (Assertions: E, C, V): The termination date is compared to external sources such as CAPS reports from Orange County, payroll records, and the termination notice to ensure accuracy before the benefit is paid.
Business Objective: Pension calculations are based on accurate information.
Risk: Benefit amounts may be based on inaccurate information.
Risk Score: 3.5 | Frequency: Daily | Effective Date: 01/01/10 | Manual | Detective | Who Performs: Member Services staff | Fraud Risk: N | Control Category: Control

MB-2.5 (Assertions: E, C, V): An Option 4 election (benefit divided into multiple continuances, voluntarily or by DRO) must be approved by the Board of Retirement, as evidenced in the Board of Retirement meeting minutes.
Business Objective: Unusual transactions must be properly reviewed and authorized.
Risk: Transactions outside ordinary practice may be executed without proper authorization.
Risk Score: 3.0 | Frequency: Monthly | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: Board of Retirement | Fraud Risk: N | Control Category: Authorization

Control objective 1 (MB-1.1): Member Enrollment
Control objective 2 (MB-2.1 to MB-2.5): Pension calculation
Control objective 3 (MB-3.1 to MB-3.3, continued on the next page): Survivor Claims, Death, and Other Benefits

2014 Member Services RACM-Enrollment.xlsx [C Matrix] 1 of 2


MB-3.1 (Assertions: E, R): Applications for survivor, death, and other benefits must be supported by original legal documents, including marriage license, identification, court order, etc. The documents are inspected by the Benefit Specialist or the Legal Division and scanned into LibertyNet. Evidenced by stamped receipt of legal documents.
Business Objective: Benefit calculations are based on authentic and accurate information.
Risk: Benefit amounts may be based on inaccurate or falsified information.
Risk Score: 4.0 | Frequency: Daily | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: Member Services staff | Fraud Risk: Y | Control Category: Control

MB-3.2 (Assertions: E, R): Survivor and other benefit calculations must be reviewed by the MS Manager or a Senior Benefit Specialist before being posted in PG.
Business Objective: Benefit calculations are performed accurately.
Risk: The benefit calculation may be performed inaccurately.
Risk Score: 3.5 | Frequency: Daily | Effective Date: 01/01/10 | Manual | Detective | Who Performs: MS Manager, Senior Benefit Specialist | Fraud Risk: Y | Control Category: Control

MB-3.3 (Assertions: E, R): Any payment or change of benefit resulting from litigation must be reviewed and approved by the Legal division before being processed by MS and Finance. Evidenced by a memo produced by Legal.
Business Objective: Unusual and complicated transactions must be properly reviewed and authorized by knowledgeable staff.
Risk: Complicated or unusual transactions may be misunderstood and executed incorrectly by staff.
Risk Score: 4.0 | Frequency: As needed | Effective Date: 01/01/10 | Manual | Preventive | Who Performs: Legal staff, MS staff | Fraud Risk: N | Control Category: Control

E, R MB-4.1 All disability retirement applications must be supported by medical records or professional evaluation. The application package must be reviewed by a committee comprised of Legal and Member Services and approved by the Board of Retirement as evidenced in Board of Retirement meeting minutes.

Benefit awarded must be based on valid and accurate information.

The award must be authorized as required by policy.

Benefit awarded may be based on invalid or fraudulent information.

4.0

Daily 01/01/10 M D Committee of Legal/Member,

ServicesBoard of Retirement

Y Control

E, R MB-4.2 If the Court awards the disability retirement to an applicant whose application was previously rejected by the normal venues, the Court order must be reviewed by Legal division, and the benefit must be set up in according to Legal's interpretation. The award is evidenced by a memo by Legal with instructions to MS. MS only performs when written instructions are received from Legal.

Unusual and complicated transactions must be properly reviewed and authorized by knowledgeable personnel.

Complicated or unusual transactions may be misunderstood and executed incorrectly by staff

4.0

As Needed 01/01/10 M P Legal StaffMS staff

N Control

Assertions: Completeness - No unrecorded trans, asset or liability. Transactions recorded in the proper period, proper accts, totals correct Control Attributes:Existence - Of an Asset or Liability. Occurrence of an event or recorded transaction A AccuracyValuation - Asset, liability or transaction recorded at appropriate amount C CompletenessRights & Obligations - Contractual right or obligation existsPresentation - Properly classified, described & disclosed in the financial statements

Type:Control Category: Authorization of transaction S, M System or Manual

Custody or safeguarding of assets P, D Preventive or DetectiveRecordingControl activity ** If effective date cannot be determined use 1/1/2010.

4. Disability Retirement Application Review

2014 Member Services RACM-Enrollment.xlsx [C Matrix] 2 of 2


OCERS - Member Services Division: 3. TRANSACTION PROCESSING. Risk Analysis and Control Matrix as of 01/15/2014

Columns: Control Objective; Assertions; Control #; Control Description; Business Objective; Risk; Risk Score; Frequency; Effective Date**; S or M; P or D; Who Performs; Fraud Risk; Control Category. Related Accounts: (none listed)

Control Objective 1. Contributions to pension fund

TP-1.1 (Assertions: E, V)
  Control: PG compares each payroll transmittal batch against the expected values in PG and provides an exception report. Transmittal desk specialists investigate and resolve all exceptions before the employee record is posted to PG. Employee records with no variance in $ amounts are posted automatically to PG.
  Contributions include: employee contribution, reverse pick-up, and service credit purchase (employer contribution variances are tracked outside of PG and researched by Finance, not MS).
  Business Objective: Member information and contributions must be recorded completely and accurately in the pension administration system (PAS) to ensure:
    - Data provided to the actuary are complete and accurate.
    - Benefit calculations are accurate and relevant to each member's plan.
  Risk: Inaccurate or incomplete information causes the contribution rates and benefit amounts to be incorrect.
  Risk Score: 4.0 | Frequency: Bi-weekly | Effective Date: 01/01/10 | S or M: S | P or D: P | Who Performs: Transmittal Specialists | Fraud Risk: Y | Control Category: Control

Control Objective 2. Retiree Payroll

TP-2.1 and TP-2.2 share one business objective and risk (a merged cell in the source matrix):
  Business Objective: Benefits are paid only to annuitants who are still alive.
  Risk: Benefits may be paid to deceased annuitants.

TP-2.1 (Assertions: E, R)
  Control: IT uploads a PG file, which contains all annuitants, to Small World Solutions. Small World Solutions compares the PG file against reported deaths (Social Security database, etc.) and emails a report to designated MS staff on a weekly basis, who check all names reported as deceased. The 2 MS staff who process death benefits terminate benefits for deceased members in Pension Gold and add them as deletes to each month's current payroll log.
  Risk Score: 3.5 | Frequency: Weekly | Effective Date: 01/01/10 | S or M: M | P or D: D | Who Performs: Member Services staff | Fraud Risk: Y | Control Category: Control

TP-2.2 (Assertions: E, R)
  Control: Each January MS sends an "Annual Certification" form to retirees who reside abroad. The retirees must complete the form and send it back to Member Services within 60 days; otherwise the benefit payment is suspended until the matter is resolved.
  Risk Score: 3.5 | Frequency: Annual | Effective Date: 01/01/12 | S or M: M | P or D: D | Who Performs: MS Manager | Fraud Risk: Y | Control Category: Control

TP-2.3 (Assertions: E, V)
  Control: Monthly, Member Services, IT, and Finance sign a certificate to initiate payroll jointly after each division verifies the data in Business Objects InfoView and makes the necessary corrections. There are separate certificate forms for non-bi-weekly payments such as manual checks or void-and-reissue requests.
  Business Objective: Retiree payroll should be initiated by authorized personnel after they have reviewed the trial runs for accuracy and completeness. There is adequate segregation of duties to prevent fraud.
  Risk: Retiree payroll may be inaccurate or incomplete, and executed without proper authorization.
  Risk Score: 4.0 | Frequency: Monthly | Effective Date: 01/01/10 | S or M: M | P or D: P | Who Performs: Managers of Finance, IT, and MS | Fraud Risk: N | Control Category: Authorization

2014 Member Services RACM-Transaction Processing.xlsx [C Matrix] 1 of 2
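The batch comparison described in TP-1.1 (any dollar variance becomes an exception for a transmittal specialist; only zero-variance records post automatically), written out as an added Python example. This is not OCERS or Pension Gold code; the record shapes, category names, employee IDs and amounts are constructed assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal
# Contribution categories the TP-1.1 control reconciles inside PG; employer
# contribution variances are tracked outside PG by Finance, so not included.
CATEGORIES = ("employee_contribution", "reverse_pickup", "service_credit_purchase")
@dataclass
class Reconciliation:
    auto_post: list = field(default_factory=list)   # zero-variance records, posted automatically
    exceptions: list = field(default_factory=list)  # (employee_id, reason, detail) held for review
def reconcile_batch(expected, batch):
    """Compare one transmittal batch against PG's expected values.

    expected: {employee_id: {category: Decimal}}; batch: list of row dicts
    with "employee_id" plus category amounts (both shapes are hypothetical).
    """
    result, seen, zero = Reconciliation(), set(), Decimal("0.00")
    for row in batch:
        emp = row["employee_id"]
        if emp in seen:                 # same employee transmitted twice in one batch
            result.exceptions.append((emp, "duplicate", None))
            continue
        seen.add(emp)
        if emp not in expected:         # employer sent someone PG does not expect
            result.exceptions.append((emp, "not_expected", None))
            continue
        diffs = [(cat, row.get(cat, zero) - expected[emp].get(cat, zero)) for cat in CATEGORIES]
        diffs = [(cat, v) for cat, v in diffs if v != 0]
        if diffs:                       # any dollar variance blocks automatic posting
            result.exceptions.append((emp, "variance", diffs))
        else:
            result.auto_post.append(emp)
    for emp in sorted(expected.keys() - seen):  # expected but absent from the batch
        result.exceptions.append((emp, "missing_from_batch", None))
    return result
# Constructed sample: E001 matches, E002 underpays a service credit purchase by
# $5.00, E009 is not on file in PG, and E003 was expected but never transmitted.
EXPECTED = {
    "E001": {"employee_contribution": Decimal("312.50")},
    "E002": {"employee_contribution": Decimal("285.00"), "service_credit_purchase": Decimal("50.00")},
    "E003": {"employee_contribution": Decimal("410.25")},
}
BATCH = [
    {"employee_id": "E001", "employee_contribution": Decimal("312.50")},
    {"employee_id": "E002", "employee_contribution": Decimal("285.00"), "service_credit_purchase": Decimal("45.00")},
    {"employee_id": "E009", "employee_contribution": Decimal("100.00")},
]
```

Running `reconcile_batch(EXPECTED, BATCH)` auto-posts only E001 and reports three exceptions, one of each remaining kind.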


OCERS - Member Services Division: 3. TRANSACTION PROCESSING. Risk Analysis and Control Matrix as of 01/15/2014 (continued)

Columns: Control Objective; Assertions; Control #; Control Description; Business Objective; Risk; Risk Score; Frequency; Effective Date**; S or M; P or D; Who Performs; Fraud Risk; Control Category. Related Accounts: (none listed)

Control Objective 2. Retiree Payroll (continued from page 1 of 2)

TP-2.4 (Assertions: E)
  Control: Monthly the Finance Manager runs a report of outstanding payroll checks and sends it to the Member Services Manager, who investigates any check that has been outstanding for more than 180 days.
  Business Objective: Payments should be sent only to the correct retirees with a valid address.
  Risk: A stale check is an indication of outdated or inaccurate retiree information in the PAS.
  Risk Score: 4.0 | Frequency: Monthly | Effective Date: 01/01/10 | S or M: M | P or D: D | Who Performs: Finance Manager, MS Manager | Fraud Risk: N | Control Category: Control

Control Objective 3. Lump-sum payments (death benefit, cash out, etc.)

TP-3.1 (Assertions: E, V)
  Control: Lump-sum payments (e.g. withdrawals, death payments, return of contributions) are set up in PG by Member Services staff. The Member Services Manager executes the trial check run, and the Member Services Supervisor reviews the trial run for accuracy. IT does the actual check run.
  Business Objective: Benefit payments are accurate. There is adequate segregation of duties to prevent fraud.
  Risk: Benefit payments may be inaccurate or incomplete, and executed without proper authorization.
  Risk Score: 3.5 | Frequency: As needed | Effective Date: 01/01/10 | S or M: M | P or D: D | Who Performs: Member Services staff | Fraud Risk: N | Control Category: Control

Assertions:
  Existence - Of an asset or liability. Occurrence of an event or recorded transaction.
  Completeness - No unrecorded transactions, assets or liabilities. Transactions recorded in the proper period and proper accounts, totals correct.
  Valuation - Asset, liability or transaction recorded at the appropriate amount.
  Rights & Obligations - Contractual right or obligation exists.
  Presentation - Properly classified, described and disclosed in the financial statements.
Control Attributes: A Accuracy; C Completeness.
Type: S, M System or Manual; P, D Preventive or Detective.
Control Category: Authorization of transaction; Custody or safeguarding of assets; Recording; Control activity.
** If the effective date cannot be determined, use 1/1/2010.

2014 Member Services RACM-Transaction Processing.xlsx [C Matrix] 2 of 2