MRO Internal Controls Accounting and Financial Management March 28, - PowerPoint PPT Presentation

MRO Internal Controls Accounting and Financial Management March 28, 2019 1

The purpose of this presentation is to update the MRO Board of Directors on MRO’s internal control environment, documentation, and compliance oversight. It is meant to provide information to assist the board in fulfilling its mandate to review the adequacy and integrity of the organization’s accounting and financial controls. 2

MRO’s internal controls are a component of MRO’s broader compliance and ethics program. MRO’s compliance and ethics program ensures all facets of internal compliance are managed and includes guidelines that make for a comprehensive control environment. 3

Who: Tone at the Top MRO’s What: Corporate Programs Corporate and Policies Compliance Why: Laws and Regulations and Ethics How: Prevent, Detect, Program Correct 4

Who? Tone at the Top The Who: MRO is governed by its bylaws and under its bylaws, the business and affairs of the company are managed by or under the direction of the MRO Board of Directors. The board has established three board committees to help it carry out its work, including the: • Finance and Audit Committee (FAC) • Governance and Personnel Committee (GPC) • Organizational Group Oversight Committee (OGOC) The FAC has primary responsibility for oversight of the implementation and operation of MRO’s Internal Program for Corporate Compliance and Ethics. The GPC has responsibility for particular aspects of the program. The OGOC is responsible for oversight of MRO’s organizational groups and the representatives serving on industry groups established by NERC. 5

Compliance and Ethics Oversight The FAC is responsible for: • Monitoring the integrity of the company’s financial reporting • Ensuring that the company has adopted an internal control structure, including the adoption of appropriate policies and procedures, consistent with the company’s size and complexity • Monitoring the external auditor’s independence to ensure the external auditor is ultimately accountable to the board • Monitoring compliance with the Sarbanes-Oxley Act of 2002 as appropriate for a nonprofit organization that does not issue stock • Monitoring compliance with any debt covenants • Reviewing the company’s procedures related to finance to ensure compliance with applicable laws and regulations 6

Compliance and Ethics Oversight The Chief Compliance Officer is responsible for: • Developing and implementing compliance policies and procedures • Providing guidance to employees regarding policies and procedures • Providing guidance, with the assistance of General Counsel, regarding compliance with laws, rules, and regulations • Coordinating, developing, and participating in communications, education, and training • Ensuring contractors (vendors, billing services, etc.) are aware of the requirements of MRO’s Program for Corporate Compliance and Ethics • Maintaining an anonymous reporting system (hotline) and responding to concerns, complaints, and questions related to the Program for Corporate Compliance and Ethics • Coordinating internal investigations and implementing corrective action 7

What? Corporate Programs and Policies The What: Corporate compliance is the process of making sure that our organization and its staff follow the laws, regulations, standards, and ethical practices that apply to our organization. MRO also has to conform to certain obligations governed by the Federal Energy and Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC). 8

Corporate Compliance and Ethics Program Compliance is a prevalent business concern, partly because of an ever-increasing number of regulations that require companies to be vigilant about their regulatory compliance requirements. Sarbanes-Oxley Act (SOX) Health Insurance Portability and Accountability Act (HIPAA) Dodd-Frank Act Federal Information Security Management Act (FISMA) 9

Corporate Compliance and Ethics Program MRO has modeled its compliance and ethics program after the Federal Sentencing Guidelines for Organizations’ seven elements for an effective compliance and ethics program. Those elements are: Establish policies, procedures and controls to prevent and detect criminal conduct Exercise effective compliance and ethics oversight Exercise due diligence to avoid delegation of authority to unethical individuals Communicate and educate employees on compliance and ethics programs Monitor, audit and evaluate the compliance and ethics programs for effectiveness Promote and enforce the program through appropriate incentives and disciplinary measures Respond appropriately to criminal conduct that is detected and take steps to prevent further similar conduct - U.S. Sentencing Commission, Guidelines Manual , Ch. 8, Pt. B2 (2008), at 1. 10

Internal Controls MRO has established policies and procedures in order to ensure that (1) officers understand their fiduciary responsibilities and (2) MRO funds and assets are managed properly Given that MRO operates under statutory authorities from government, MRO and its board are responsible for ensuring that operations and the activities within programs meet the regulatory requirements MRO maintains internal controls to provide direction on protecting MRO assets and financial accountability MRO engages in financial risk management to understand, identify, and gain knowledge on what risks are surrounding MRO 11

Why? Laws and Regulations The Why: • To help prevent and detect violations of laws and regulations • To recognize and report illegal or unethical activity • To avoid waste, fraud, abuse, discrimination, and other practices that disrupt operations • To prevent major disasters and failures AND • To safeguard our assets including staff • To create reliable financial reporting • To promote compliance with laws and regulations • To achieve effective and efficient operations 12

Internal Control Objectives MRO’s controls are based upon the following objectives: • Authorization: All transactions are pre-approved by responsible personnel • Completeness: All valid transactions are included in the accounting records • Accuracy: All valid transactions are accurate, consistent with the originating transaction data, and information is recorded in a timely manner • Validity: All recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management’s general authorization • Physical Safeguards and Security: Access to physical assets and information systems is controlled and properly restricted to authorized personnel • Error Handling: Errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management • Segregation of Duties: Duties are assigned to individuals in a manner to ensure that no one individual can control both the recording function and the procedures relative to processing a transaction 13

How? Prevent, Detect, Correct Corrective - mitigates damage Detective - once an intended to find irregularity, error, problems within a or risk has company's materialized and processes prevents future occurrences 14

Preventative Controls: MRO Management will oversee the following controls: Background Password Segregation of Trained and Vendor/Contractor Checks Protected Access Duties Certified Staff Validation Staff that are All staff submit to Having a checks and sufficiently trained and Staff are granted Vendors are background testing. balances system certified in protecting necessary access authenticated for doing Those with financial reduces liability and company assets and based on role and work at MRO and on oversight submit to risk from fraud or monitoring activities responsibilities MRO’s systems annual testing. financial misconduct ensures the prevention of asset loss 15

Detective Controls MRO has several controls related to its financial activities to mitigate the potential for fraud or financial misconduct • MRO utilizes a fraud monitoring system with its financial institution to ensure that pre-authorized transactions are identified and unauthorized activities are caught before clearing the bank Bank Reconciliations • Banking transactions are reviewed by staff who do not perform banking functions such as check printing or Fixed Asset List Review ACH requests • MRO maintains a fixed asset list that catalogs all valuable physical assets; these items are tracked and General Ledger Review audited annually • MRO maintains a review of its financial records, which corresponds to its financial reports to ensure accuracy 16

Detective Controls, cont. MRO has additional controls related to its compliance activities to mitigate the potential for fraud or misconduct • MRO performs various reviews of systems and Annual Reviews processes to check for errors and/or adjust for newly identified risks • An anonymous hotline is available to bring attention to any wrongdoing • External audits are performed independent of staff to External Anonymous reaffirm that proper controls are in place and to Audits Hotline address any potential risk exposure 17