Developments in High Risk Tiffany R. Winters, Esquire [email protected] Brustein & Manasevit, PLLC...
-
Upload
berenice-welch -
Category
Documents
-
view
217 -
download
0
Transcript of Developments in High Risk Tiffany R. Winters, Esquire [email protected] Brustein & Manasevit, PLLC...
Developments in High Risk
Tiffany R. Winters, [email protected] Brustein & Manasevit, PLLCFall Forum 2011
Risk Management:What Does it Mean
Primarily financial (protecting the integrity of federal funds)
But can also be programmatic (what is ED’s return on investment)
Risk = any barrier that prevents grantees and subgrantees from: (1) complying with federal law; and (2) meeting program objectives.
2
Risk Management:Why Does it Matter?
Federal laws require ED to monitor risk levels at state/local level
Internal problems at ED have led to increased awareness of the impact of state/local activities
Significant audit/monitoring findings (including fraud, waste & abuse)
These issues have led to a major ED restructuring to focus on risk issues
3
Risk Management Services
RMS Group Part of the Office of the
Secretary 4 Primary Responsibilities:
1. Grant policy
2. Training/Customer service
3. Oversight of “high-risk” entities
4. Risk based monitoring
4
According to RMS…
Successful Risk Mitigation Application review identifies who can best
implement the program Risk analysis identifies issues that can
impede program implementation Early risk mitigation actions can improve
grant administration
5
Improved Decisions by ED
6
Components of Internal Controls
Risk Assessment
ControlActivities
Information and
CommunicationsMonitoring
ControlEnvironment
7
Internal Controls – Control Environment
Maintaining a level of competence that allows personnel to accomplish their assigned duties
Clearly defined organizational structure Proper amounts of supervision Maintaining a good relationship with
oversight agencies (like ED and OIG for example!)
8
Internal Controls – Risk Assessment
What could go wrong?
What assets do we need to protect?
How could someone steal or disrupt operations?
What information do we rely on?
Risk
High
Low
JudgmentRequired
Low HighImpact
9
Internal Controls – Control Activities
Examples: Segregating Key Responsibilities Among Different People Restricting Access to Systems and Records
Authorizations / Passwords Implementing Clear Written Policies in Key Areas Performance Reviews Maintaining Physical Control Over Valuable Assets
Maintenance of Security Data System Checks Accurate and Timely Recording of Information
10
Risk / Internal Control Examples
Scheme
Fake Expense Reports Diversion to personal
use Payroll / No work Rigged RFP – kickbacks Fictitious Vendors Fictitious Invoices District cards / personal
use
Control Lacking
Preapproved vendor list Supervisory oversight /
invoice review Supervisory payroll approval Tight RFP procedure /
insulated Lack of RFP process Separation of duties Reconciliation of statements
11
DocumentationIssues to Consider
Record retention State law Federal law = 3 years Statute of limitations = 5 years
Records to facilitate an effective audit (comprehensive)
Consistency of documentation Source documentation
12
RMS
Want SEAs and LEAs to self-analyze and recognize risk What are strategies for minimizing
risk (i.e., succession planning, internal audit function, monitoring, self assessment, control environment)
Where are the entity’s greatest risks
How can ED help13
Possible factors in risk matrix Amount of money received Single audit findings (especially
repeat findings or findings in multiple districts)
Federal program monitoring findings SEA monitoring of LEAs
(Sub-recipient monitoring) Lapsed funds Program performance Compliance with laws/regulations Media reports!
14
Tips for Avoiding Risks
Keep in mind federal cost principles and basic threshold compliance standards
Have a well developed system of internal controls
Document, document, document!
15
Top Single Audit Findings
Unallowable Costs Reporting Property and Procurement Cash Management Subrecipient Monitoring
16
Single Audit Findings
A-133 Audit NOT necessarily reliable regarding compliance Not all programs are covered Depth of Review Problems with Quality
Hold Firms Accountable Be Proactive
Internal Controls!!17
RISKY Consequences
How to Trigger High Risk Status
Puerto Rico: PRDE Secretary sentenced to 12.7 years – bribes and kickbacks
New Orleans August 2005 OIG Audit $69.3 million not properly accounted for OIG recommendation: Designate New Orleans High Risk and impose
special conditions
Detroit, August 2008 OIG Audit $53.6 million not adequately documented OIG recommendation: Designate Detroit High Risk and impose special
conditions
Philadelphia, January 2010 OIG Audit $138.4 million unallowable or not adequately documented OIG recommendation: Designate Philadelphia high risk and impose special
conditions19
You suspect an audit or some other trigger for high risk is here – or coming–
What do you do?
20
High Risk Preemptive Strike
a) Do nothing – the U.S. Department of Education will take over the high risk designation and process;
b) May review overall State supervision of LEA’s in State administered programs
21
High Risk Preemptive Strike
States/Districts prefer to manage the process at the state level – USDOE will generally not manage day to day – may require hiring outside third party fiduciary
22
High Risk Preemptive Strike
States can take more active role Cooperative SEA-LEA relationships
generally in place Closer to local conditions Can move faster more flexibility
23
High Risk Preemptive Strike
State high risk processa) Notify RMS that state is acting
preemptively and will stay in close touch with RMS
b) State designates LEA as high risk
24
State Designation to LEA as High Risk
Formal letter Imposes conditions
25
State Designation to LEA as High Risk
Conditions Can be varied to fit circumstances Include at minimum
Risk assessment Corrective action plan Audit resolution process Review and revision if necessary of policies and
procedures
26
May include Restrictions on advance payment Contracting with third party to review internal
controls Outsourcing some or all
LEA admin activities Requirements to deliver manuals
Personnel Procurement Payroll
Any other actions the SEA deems appropriate
27
Next Steps
RMS, SEA, LEA Meeting Discussion includes steps taken
Timelines Deliverables Further Communication
28
Finally
The LEA wants to know when this is over: Rome wasn’t built in a day a.k.a. the
conditions at issue did not develop in 6 months or a year
Be patient.
29
Firm Disclaimer (Yet Again)
This presentation is intended solely to provide general information and does not constitute legal advice or a
legal service. This presentation does not create a client-lawyer relationship with Brustein & Manasevit and, therefore, carries none of the protections under
the D.C. Rules of Professional Conduct. Attendance at this presentation, a later review of any printed or
electronic materials, or any follow-up questions or communications arising out of this presentation with any attorney at Brustein & Manasevit does not create
an attorney-client relationship with Brustein & Manasevit. You should not take any action based
upon any information in this presentation without first consulting legal counsel familiar with your particular
circumstances.30