Deltek Insight 2010: DCAA and Internal Controls Bringing it All Together

XT-302: DCAA and Internal Controls Bringing it All Together

Presented By: Susan Zimmermann

Upload: deltek

Post on 20-Aug-2015



Copyright © 2010 Deltek, Inc.

Agenda

• 10 Key DCAA Audits Performed

• Why Bring them Together?

• Control Matrix Elements

• Sample Internal Control Matrix

• Sample DCAA Control Matrix

• Mapping Controls and Assessing Gaps


10 Key DCAA Audits Performed

• Control Environment and Overall Accounting Systems Controls

• Labor and Accounting Controls

• Compensation System Controls

• Indirect and Other Direct Cost System Controls

• Billing System Controls

• Estimating System Controls

• IT General Systems Controls

• Budget and Planning Systems Controls

• Purchasing Controls

• Material Management and Accounting Systems Controls

• Internal Control Matrices for DCAA audits can be found at http://www.dcaa.mil/ under Audit Guidance > Standard Audit Programs


Why Bring them Together?

• Why make the correlation between DCAA control objectives and financial control objectives?

– Decreases costs of compliance and maintenance

– Allows for quick assessment of control gaps/deficiencies, their impact and remediation

– Clarifies what controls are unrelated to DCAA control objectives

– Decreases number of inconsistent or redundant controls.

– Prevents “knee jerk” controls from being put in place

– Intent of both is to provide assurance regarding the achievement of objectives in effectiveness, reliability, and compliance with laws and regulations.

– Both assess types of controls, i.e., Preventive versus Detective, Manual versus Automated.

– Consistent elements: Intent, frequency, performers


Control Matrix Elements

• Cycle

– The processing cycle to which a control relates

• Control Objective

– The overarching risk being mitigated by a control activity

• Control #

– Allows identification of the control number for reference purposes

• Control Activities

– Detailed description of the risk mitigation procedures applied to the control objective

• Primary Control Owner

– The individual responsible for performing the control and ensuring the stated control is in place and operating as intended

• Frequency

– Identifies how often the control is performed, to assist in determining sample sizes for testing (Daily, Weekly, Bi-Weekly, Monthly, Quarterly, Yearly)


Control Matrix Elements

• Control Assertions

– C = Completeness

– A = Accuracy

– V = Validity

– R = Restricted Access

• Financial Statement Assertions

– EO = Existence or Occurrence

– C = Completeness

– VA = Valuation or Allocation

– RO = Rights and Obligations

– PD = Presentation & Disclosure

• Control Types

– Preventative: prevents a misstatement from occurring in the first place

– Detective: identifies a misstatement after it has occurred.


Control Matrix Elements

• Manual/Automated

– Manual means a control activity depends on people to perform it

– Automated control activities serve to enforce controls, such as file-level controls, field-level edits/validations, and access authorization checks.

• Related Policies

– Identifies the corporate policy that provides guidelines for the control area.

• Related DCAA Audit Program Objectives

– Abbreviation identifying which of the 10 major DCAA audits a control applies to, and the number of the specific DCAA audit objective mitigated.


Sample Internal Control Matrix

Cycle: PAYROLL & PERSONNEL

ACCURATE LABOR JOB COSTING

Obj #: PP5-A

Control Objective: Time is recorded accurately and completely.

Control Assertion: C, A, V, RA. FS Assertion: EO, C, VA, RO, PD.

| Control # | Control Activities | Primary Control Owner | Frequency | Control Assertion | FS Assertion | Control Type | Manual/Automated |
|---|---|---|---|---|---|---|---|
| 115 | The Costpoint Work Force functionality is used to limit the charge numbers employees have access to charge. | Automated | Daily | RA | | Preventative | Automated |
| 116 | Employees must enter time on a daily basis and certify timesheets weekly in Deltek Time & Expense. Employees must record all time worked. | Employee | Weekly | C, A | C, VA | Preventative | Manual |
| 117 | Timesheets are approved and signed by designated supervisors. | Supervisor | Weekly | V | EO, VA | Preventative | Manual |
| 118 | Access to Deltek Time and Expense is password protected. | Automated | Daily | RA | | Preventative | Automated |
| 119 | Notifications to employees and supervisors are sent out periodically during the timesheet period to individuals with a non-compliant status in Deltek Time and Expense. | Automated | Weekly | C | | Preventative | Automated |
| 120 | Timesheets collected in Deltek Time and Expense are uploaded via an automated Costpoint process to the Timesheet Entry Screen. The Time Application Administrator confirms the batch totals to ensure no issues occurred. | Automated | Weekly | C, A | C, VA | Preventative | Automated |
| 121 | If a timesheet correction is deemed necessary, a revised timesheet must be completed and submitted via Deltek Time and Expense. | Employee | Weekly | C, A, V | | Detective | |


Sample Internal Control Matrix

Cycle: PAYROLL & PERSONNEL

ACCURATE LABOR JOB COSTING

Obj #: PP5-A

Control Objective: Time is recorded accurately and completely.

Related DCAA Audit Program Objectives columns: CE, IT, BP, PUR, MAT, COM, LAB, IND, BIL, EST.

| Control # | Control Activities | Related DCAA Audit Program Objectives | Related Policies |
|---|---|---|---|
| 115 | The Costpoint Work Force functionality is used to limit the charge numbers employees have access to charge. | 3 | QNA-PLCY-FA-03 Timekeeping Policy and Process |
| 116 | Employees must enter time on a daily basis and certify timesheets weekly in Deltek Time & Expense. Employees must record all time worked. | 4, 5 | QNA-PLCY-FA-03 Timekeeping Policy and Process |
| 117 | Timesheets are approved and signed by designated supervisors. | 4 | QNA-PLCY-FA-03 Timekeeping Policy and Process |
| 118 | Access to Deltek Time and Expense is password protected. | 4 | QNA-PLCY-FA-03 Timekeeping Policy and Process |
| 119 | Notifications to employees and supervisors are sent out periodically during the timesheet period to individuals with a non-compliant status in Deltek Time and Expense. | 1 | QNA-PLCY-FA-03 Timekeeping Policy and Process |
| 120 | Timesheets collected in Deltek Time and Expense are uploaded via an automated Costpoint process to the Timesheet Entry Screen. The Time Application Administrator confirms the batch totals to ensure no issues occurred. | 4, 5 | QNA-PLCY-FA-03 Timekeeping Policy and Process |
| 121 | If a timesheet correction is deemed necessary, a revised timesheet must be completed and submitted via Deltek Time and Expense. | 8 | QNA-PLCY-FA-03 Timekeeping Policy and Process |


Sample DCAA Control Matrix

Audit of Labor and Accounting Controls

Control Objectives

4. TIMEKEEPING

Assure that labor hours are accurately recorded and that any corrections to timekeeping records are documented, including appropriate authorizations and approvals.

Example Control Activities

Manual systems provide for the accurate and complete recording of labor hours, as well as appropriate controls to ensure corrections to labor records are accurate and authorized. Generally, they may be categorized as procedures which pertain to:

• Supervisory observation of employee arrival and departure to prevent improper clock-in/clock-out.

• Employee possession of timecard/time sheet.

• Employee preparation of their timecard in ink, and as work is performed.

Audit Procedures

a. Determine if the contractor’s policies and procedures are adequate to maintain the integrity of the timekeeping system.

b. In conjunction with step 5.e., select a random sample of employees for floor checks, verifying that the established timekeeping procedures are being followed. (Note: To the extent possible, the auditor should rely on work performed under MAAR 6.)


Sample DCAA Control Matrix

Control Objectives

4. TIMEKEEPING

Assure that labor hours are accurately recorded and that any corrections to timekeeping records are documented, including appropriate authorizations and approvals.

Example Control Activities

• Allowing only one card/sheet to be prepared per employee per period; cards/sheets are preprinted with employee name and identification number; and are turned in to the designated timekeeping office or collected by an authorized person.

• Precoded data being printed on the job cards for identification purposes so employees will know the job being charged and can relate it to the task being performed.

• Direct labor employees recording their time no less often than daily. Sufficient formal subsidiary records are maintained, if necessary, to assure accurate time recording and allocating to intermediate and final cost objectives when multiple jobs are worked in a day.

Audit Procedures

a. Determine if the contractor’s policies and procedures are adequate to maintain the integrity of the timekeeping system.

b. In conjunction with step 5.e., select a random sample of employees for floor checks, verifying that the established timekeeping procedures are being followed. (Note: To the extent possible, the auditor should rely on work performed under MAAR 6.)


Sample DCAA Control Matrix

Control Objectives

4. TIMEKEEPING

Assure that labor hours are accurately recorded and that any corrections to timekeeping records are documented, including appropriate authorizations and approvals.

Example Control Activities

• Corrections being made in ink, initialed by the employee, properly authorized, and sufficiently explained and documented.

• Employees and supervisors signing the timecards/timesheets in accordance with procedures, verifying the accuracy of the recorded effort.

Audit Procedures

a. Determine if the contractor’s policies and procedures are adequate to maintain the integrity of the timekeeping system.

b. In conjunction with step 5.e., select a random sample of employees for floor checks, verifying that the established timekeeping procedures are being followed. (Note: To the extent possible, the auditor should rely on work performed under MAAR 6.)


Mapping Controls and Assessing Gaps

• Identify similar control objectives

– Internal Matrix - Time is recorded accurately and completely.

– DCAA Matrix - Assure that labor hours are accurately recorded and that any corrections to timekeeping records are documented, including appropriate authorizations and approvals.

• Identify control activities that enforce the control objective.

• Identify control activities that are applicable to the DCAA objective.

• Denote which objective # of which DCAA audit applies in the DCAA section of the matrix.

• Complete initial mapping assessment.

• Filter internal controls by DCAA audit and compare to the DCAA Control Matrix applicable for the audit area.

• Identify gaps and review the internal matrix to ensure nothing was missed.

• Formulate remediation plan to assess gaps.


Internal Control Matrix

Questions?
