Overview
- Control Tracker is a web-based tool developed by UCOP and IBM in partnership with UC San Diego
- The main purpose of this tool is to satisfy SAS 115 audit requirements, which include the documentation of key financial controls
- Control Tracker replaced a paper process and served as a centralized record of certification that financial operations controls were done
Critical Concepts
- Users log into Control Tracker to attest that controls were performed; certifiers then go in to certify that they were reviewed and completed
- Control Tracker will be turned off at the end of September 2020
- Users are required to perform and certify controls through the end of the fiscal year, June 30, 2020
- Some control activities have different deadlines to complete control certifications; therefore, users are allowed to go in until the end of September 2020
General
Q: What is replacing Control Tracker and Ledger Reviewer Applications?
A:
- The replacement is a combination of in-suite reporting and workflow that requires certain controls like transaction approvals within Oracle and Concur
- In addition, we anticipate that new Oracle Governance, Risk, and Compliance modules will be launched by December 2020
- These modules will provide new ways to monitor unusual transactions and help analyze controls
- Note: FinancialLink and QueryLink will still be available for viewing legacy data
Q: What is SAS 115?
A:
- SAS 115 is a Statement on Auditing Standards, which replaced the older SAS 112
- In summary, it is the standard for auditors that outlines how they should communicate internal control findings
- It even defines the proper terminology for describing audit findings, such as control deficiency, material weakness and significant deficiency, in terms of internal controls
- In general, entities are expected to document their controls, follow the COSO Integrated Control Framework and retain evidence for control activities
- In publicly traded for-profit companies and public entities like ours, the focus areas include internal controls over financial reporting (integrity of financial statements), data security, and loss/fraud prevention
- SAS 115 is specific to how auditors communicate the issues they find, describe the nature of each finding, and indicate whether the finding or risk is coming from a segregation conflict, access control, control gaps, fraud, etc.
Q: As a public institution, are we subject to Sarbanes-Oxley Compliance (SOX)?
A:
- No, we are not required to submit formal certification for the Sarbanes-Oxley Act, but there is a growing expectation to comply with best/leading practices developed under SOX
- It is strongly recommended by our sponsors, agencies, UCOP and auditors to follow the best practices outlined by SOX
- Many organizations, public and private, governmental and nonprofit, have adopted best practices and controls under SOX, particularly because SOX regulates the independent audit/accounting firms that perform audits for companies required to certify compliance with SOX
- Since SOX became federal law, there has been a growing push for greater accountability and enterprise risk management
- States and federal entities are starting to put into place regulations that are very much like SOX, and we know that the GAO has made serious moves towards SOX-like requirements for recipients of federal funding, including SOX-like governance
- NACUBO has also issued advisory reports urging universities to use SOX as a framework to evaluate and mitigate overall financial risks
- We may eventually be subject to SOX-like regulations
- There are several proposals under different labels or laws
- Federally sponsored funding, programs and nonprofit regulations have proposed new rules very similar to SOX
- These standards are applied by our auditors, both internal and external, from our agencies, sponsors and regulators, during our routine and special audits
Q: Now that we have Oracle Financials, what is the replacement for Control Tracker?
A:
- There is no replacement tool for Control Tracker
- However, financial controls and reviews of your transactions, expenses and finances are expected to continue, even though the Control Tracker certification piece is no longer required
- Policy and Records has posted the draft policies which are in the final stages of formal approval
- The policies have been internally approved, including review by AMAS and FIS Governance, and are currently with campus counsel for initial legal sufficiency review before formal approval and publication
- The draft policies and Interim Guidelines have been posted online here, including the draft Internal Controls Policy
- It is important to note that performing financial operation controls continues to be a requirement in our financial units and continues to be the responsibility of our departments
- The main change is that units are no longer required to log into Control Tracker to check the box to certify performance of key controls
- There is no tool in Oracle that replaces Control Tracker
Q: Email notifications continue to pop up as reminders to complete control activities and certifications in Control Tracker. Do we ignore the notifications?
A:
- Users are required to complete Control Tracker activities for the full fiscal year ending June 30, 2020
- Please note that some of the control certification cut-offs are 2-3 months past the period covered, so auto-notices are still going out until Control Tracker is fully deprecated at the end of September 2020
- This gives time for unit administrators to complete all certifications for the fiscal year ended June 30, 2020
- For example, some monthly control activities for June are not due until August, so reminder emails (gentle nagging notices) will continue past June 30 until control performers and certifiers complete their actions in Control Tracker
- If you are receiving automatic emails for July and August monthly controls, yes, you can ignore them
- You do not need to certify in Control Tracker for controls starting July 2020
- However, please note that performing financial operation controls continues to be a requirement in our financial units and continues to be the responsibility of our departments
- The main change is that units are no longer required to log into Control Tracker to check the box to certify performance of key controls
Q: How can I get this completed if I missed the certification deadline or forgot to certify past periods and Control Tracker locks me out past the deadline?
A: Please submit a Service & Support ticket > About: Financial Accounting > Related to: Internal Controls > More Specifically: Key Controls/Control Tracker
Q: I heard Transaction Sampling is going away. How do we perform the review of transactions? What do we use in Oracle?
A:
- Transaction Sampling was intended as a helper tool for making audit selections in reviewing expenses and transactions in unit-level financial controls
- In a nutshell, Transaction Sampling was a home-grown tool designed several years ago to assist our financial managers in making selections of transactions/expenses out of a large volume of transactions
- It functions like a picker to help units decide which transactions to pull for audit and documentation during routine ledger review
- Now that we are on Oracle, there is no replacement for Transaction Sampling in the new financial system
- Selections are decided by the unit and should be risk-based and driven by the compliance requirements of your agencies and existing policies
- Unit financial managers will not need to rely on an algorithmic picker tool to help them decide what to review and document
- If a sponsor requires a unit to have documentation for all travel expenses or all equipment purchases, then the unit will need to ensure they are properly authorized, approved, accounted for, and retained for audit
Q: What do the built-in monitoring controls in Oracle do, how do they work, and do we need to use them?
A:
- In the next few weeks and into 2021, 3 modules in Oracle Risk Management will be installed and integrated with our Oracle Financial system:
  - Advanced Access Controls, to monitor segregation of duties and ensure proper review of potential role/privilege conflicts
    - It is used by audit to perform user access reviews, which are a required attestation and data security certification
    - We have a future initiative for identity management and user access management, which is in the works with our partners in ITS
    - This will help automate user access provisioning
  - Oracle Risk Management, used by controls/audit folks, is for financial transaction controls and audit management
    - This tool is used by a restricted user group to monitor transactions in Oracle
    - Within each module, audit tables keep data on user actions and transactions within process flows
    - This includes inputs, activations, changes, deletions, approvals, and other processes within the system
    - Transactions are monitored in the background for fraud prevention and mitigation, security and analysis of exceptions
    - Our audit and control folks will use these tools for fraud investigations and analysis of system transactions down to the user level
  - Financial reporting controls and consolidation, related to the work we do for monthly close procedures, quarterly financial reports and period reporting up to our executive management and UCOP for institutional reporting