A REPORT TO THE ARIZONA LEGISLATURE Financial Audit Division Report on Internal Control and Compliance Arizona State University Year Ended June 30, 2010 Debra K. Davenport Auditor General The Auditor General is appointed by the Joint Legislative Audit Committee, a bipartisan committee composed of five senators and five representatives. Her mission is to provide independent and impartial information and specific recommendations to improve the operations of state and local government entities. To this end, she provides financial audits and accounting services to the State and political subdivisions, investigates possible misuse of public monies, and conducts performance audits of school districts, state agencies, and the programs they administer. Copies of the Auditor General’s reports are free. You may request them by contacting us at: Office of the Auditor General 2910 N. 44th Street, Suite 410 • Phoenix, AZ 85018 • (602) 553-0333 Additionally, many of our reports can be found in electronic format at: www.azauditor.gov Arizona State University Report on Internal Control and Compliance Year Ended June 30, 2010 Table of Contents Page Report on Internal Control over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance with Government Auditing Standards 1 Schedule of Findings and Recommendations 3 University Response Report Issued Separately 2010 Financial Report Independent Auditors’ Report on Internal Control over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance with Government Auditing Standards Members of the Arizona State Legislature The Arizona Board of Regents We have audited the financial statements of the business-type activities and aggregate discretely presented component units of Arizona State University as of and for the year ended June 30, 2010, which collectively comprise the University’s financial statements, and have issued our report thereon dated October 20, 2010. Our report was modified to include a reference to our reliance on other auditors and as to consistency because of the implementation of Governmental Accounting Standards Board Statement No. 53. We conducted our audit in accordance with U.S. generally accepted auditing standards and the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States. Other auditors audited the financial statements of the aggregate discretely presented component units consisting of the Arizona State University Foundation; the Arizona Capital Facilities Finance Corporation; the Arizona State University Alumni Association; the Arizona State University Research Park, Inc.; the Collegiate Golf Foundation; the Downtown Phoenix Student Housing, LLC; the Mesa Student Housing, LLC; the Sun Angel Endowment; the Sun Angel Foundation; and the University Public Schools, Inc.; as described in our report on the University’s financial statements. The financial statements of the aggregate discretely presented component units were not audited by the other auditors in accordance with Government Auditing Standards. This report includes our consideration of the results of the other auditors’ testing of internal control over financial reporting that are reported on separately by those other auditors. However, this report, insofar as it relates to the results of the other auditors, is based solely on the reports of the other auditors. Internal Control over Financial Reporting In planning and performing our audit, we considered the University’s internal control over financial reporting as a basis for designing our auditing procedures for the purpose of expressing our opinions on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the University’s internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of the University’s internal control over financial reporting. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the University’s financial statements will not be prevented, or detected and corrected, on a timely basis. Our consideration of internal control over financial reporting was for the limited purpose described in the first paragraph of this section and was not designed to identify all deficiencies in internal control over financial reporting that might be deficiencies, significant deficiencies, or material weaknesses. We and the other auditors did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses, as defined above. However, we identified certain deficiencies in internal control over financial reporting, as discussed in the accompanying Schedule of Findings and Recommendations that we consider to be a significant deficiency in internal control over financial reporting. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. Compliance and Other Matters As part of obtaining reasonable assurance about whether the University’s financial statements are free of material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of financial statement amounts. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests disclosed no instances of noncompliance or other matters that are required to be reported under Government Auditing Standards. The University’s response to the finding identified in our audit is included herein. We did not audit the University’s response and, accordingly, we express no opinion on it. This report is intended solely for the information and use of the members of the Arizona State Legislature, the Arizona Board of Regents, university management, and others within the University and is not intended to be and should not be used by anyone other than these specified parties. However, this report is a matter of public record, and its distribution is not limited. Debbie Davenport Auditor General October 20, 2010 2 Arizona State University Schedule of Findings and Recommendations Year Ended June 30, 2010 10-01 The University should strengthen controls over payroll expenses Criteria: The University needs to have strong internal controls over payroll expenses to help ensure employees are accurately paid and to accurately record and report payroll expenses. Further, since payroll processing functions are decentralized at the University, the internal controls should include adequate monitoring and training to ensure compliance with established policies and procedures. Condition and context: The University’s payroll and related expenses comprise over $881 million, or approximately 58 percent, of its total expenses. Payroll processing at the University is decentralized since some key internal control functions are performed by university departments. During fiscal year 2010, the University improved existing policies and procedures for processing, monitoring, and verifying payroll expenses. However, when obtaining an understanding of the University’s internal control over payroll expenses and testing those controls, auditors noted the following deficiencies:  For 8 of 71 university departments where employees were selected for test work, the departments either did not prepare a monthly detailed reconciliation of payroll expenses for each employee or did not correctly prepare the reconciliation in accordance with the University’s policies. In addition, four of these departments did not ensure that amounts paid to employees agreed to the employment contracts.  For 5 of 92 employees selected for test work, the employee was paid or reimbursed for employmentrelated expenses in excess of the amount specified in the employment contract, offer letter, or other official documentation maintained in the personnel file. Further, these overpayments were not identified by the University and were not included in the listing used to monitor overpayments.  Leave requests for employees were not always reviewed and monitored at the department level. In addition, the leave requests were not always retained to support vacation and sick leave taken on time sheets.  For 2 of 71 departments where employees were selected for test work, time sheets for hourly employees were approved by employees who did not have firsthand knowledge of the actual time worked.  Payroll overpayments identified by departments or reported by the employees themselves were not consolidated in a timely manner and monitored centrally. As a result, the University was unable to determine recurring reasons for overpayments and identify potential internal control deficiencies. Effect: The lack of effective internal controls over payroll expenses may result in misstating the financial statements or paying employees wrong amounts. In addition, it also increases the risk of fraudulent payroll transactions occurring and not being detected. This finding is a significant deficiency in internal control over financial reporting. 3 Arizona State University Schedule of Findings and Recommendations Year Ended June 30, 2010 Cause: Since the payroll processing function is decentralized, individual departments did not always follow payroll policies, and the University did not effectively monitor the decentralized payroll functions. Recommendation: To help ensure employees are accurately paid and that payroll expenses are accurately recorded and reported, the University should:  Ensure that all departments prepare detailed monthly reconciliations of each employee’s payroll expenses in accordance with the University’s policies.  Improve controls over payroll to ensure that payroll data reflected in the payroll system is supported by the contract, offer letter, or other official documentation maintained in the personnel files.  Require departments to follow established policies and procedures to ensure that leave requests for employees are reviewed, monitored, and retained to support hours worked.  Ensure that departments are aware of and follow guidelines for verifying and approving time recorded by employees.  Monitor the overpayment listing centrally to help ensure accuracy, completeness, and timely collection of overpayments as well as to identify potential internal control weaknesses.  Ensure all departmental personnel responsible for payroll functions are instructed as to the University’s current policies and procedures. This finding is similar to a prior-year finding. 4 UNIVERSITY RESPONSE UNIVERSITY RESPONSE All recommendations have been implemented and, as noted by the auditors, the University has made significant progress in resolving payroll-related issues. Improving overall compliance by individual university departments is ongoing and the University will continue with education and monitoring efforts. The University agrees departments should review and reconcile payroll expenses in compliance with University policy to identify and rectify issues relating to employee pay, including pay adjustments, leave reporting, and timesheet approvals. During fiscal year 2010 most departments instituted processes to comply with the University’s policy, as evidenced by the auditor’s findings and University reviews performed by Financial Services. Additionally, in fiscal year 2010, a central website containing payroll and human resources-related policies and procedures was established and made available to University departments. Responsibility for the payroll function, including management of overpayments, was transferred to the accounting area of Financial Services at the beginning of fiscal year 2011. A single comprehensive overpayment list is maintained and updated to ensure timely collection of overpayments and to identify potential control weaknesses in either University or departmental processes. Arizona State University Report on Internal Control and Compliance Year Ended June 30, 2010 State of Arizona Office of the Auditor General