Finding Text
Finding No. 2023-002: Financial Reporting (Material Weakness)
Statement of condition
Reporting
The lack of appropriate policies, procedures, and internal processes led to untimely year-end close and recording procedures, late filing of required reporting, and incomplete submissions of required data collection forms.
Certain information technology controls and procedures were not documented, properly designed, or followed appropriately, including, but not limited to: segregation of administrative user roles from the accounting function, user access review, removal of terminated users, physical access, complementary user entity controls assessment, backup restoration testing, penetration testing, and cybersecurity awareness training.
Criteria
The Organization is required to have internal controls and procedures in place in order to timely and accurately report the results of its operations, close its books, and timely file its reports with the applicable federal agencies. These procedures include documenting levels of review, reconciling accounting records at month-end and year-end close and maintaining a well-documented, designed, and applied information technology environment.
Cause
Management did not have sufficient internal controls in place to accurately and timely report the results of the Organization's operations and maintain the information technology environment.
Effect
Insufficient controls, late closing and reconciliation of accounting records, and an insufficiently maintained information technology environment could result in accounting errors and theft. A lack of controls over financial reporting can result in untimely filing of required reports or incomplete filings with the regulatory and oversight entities.
Recommendation
We recommend that management re-evaluate its internal controls, policies and procedures to ensure an appropriate member of management is in place to review the year-end and month-end close processes, as well as journal entries, reconciliations, and other accounting records. Management should appoint an individual to be responsible for the Organization's financial statements and reporting obligations. Management should evaluate its controls and procedures over the information technology environment to ensure they are properly documented, designed, and followed, including but not limited to: ensuring segregation of administrative user roles from the accounting function, performing a regular review of user access, ensuring terminated users are removed from all systems and software, ensuring restriction of physical access to the system, performing an assessment of complementary user entity controls for relevant software vendors, performing backup restoration tests and penetration tests, and providing cybersecurity awareness training.
Identification of repeat finding
The finding is a repeat of Finding No. 2022-002 and Finding No. 2022-003.
Auditor non-compliance code
S - Internal control deficiencies
Questioned costs
None
Finding resolution status
In process