Title: Evaluating A Government
1Evaluating A Government's Internal Controls and a
Review of How Fraud Relates to Internal Controls
- Presented By
- Paul E. Glick
- Glick Consulting Group
- Email pglick_at_mindspring.com
2THE AGENDA
- Introduction and Overview
- What Are Internal Controls
- Management's Objectives and Responsibilities
- Who Is Responsible for Internal Controls?
- What Types of Public Sector Fraud Exist?
3The Agenda
- Where is the Independent Auditor?
- Internal Control Environment
- Risk Assessment
- Control Activities
- Information and Communication (Step 4)
- Monitoring
4The Agenda
- Evaluation Controls Over Accounting And Financial Reporting
- Other Internal Control Pitfalls
5Seminar Objectives
- Review The Framework And Concepts Of Internal Controls
- Relate These Concepts To Financial Cycles (I.E., The Real World)
- Understand Who Might Be Ripping Us Off
6Factors Affecting our Current Environment
7Factors Affecting our Current Environment
- Global financial crisis
- Uncertainty in unexpected places (Municipal Bond Ratings)
- Increased regulation and oversight (Tax Reform, ARRA) leading to diminished control over revenues
- Smaller staff due to budget cuts
8Factors Affecting our Current Environment
- Trends in the Audit Community
- SAS 115 (documentation of internal controls and communication with those in governance)
- Risk Assessments
- Fraud Risks
- Oversight at the Federal Level
- Transparency
- COSO
9Factors Affecting our Current Environment
- Governments are being asked to do more with less
- Money and human resources
10The Nature of Fraud Industry
- Fraud Can Be Explained By Three Key Factors
- A Supply Of Motivated Offenders
- The Availability Of Suitable Targets
- The Absence Of Capable Guardians Or A Control
System To Mind The Store
11The Nature of Fraud Industry
- The Opportunity To Commit And Conceal Fraud Is The Only Element Over Which You Have Significant Control.
- What Are Some Of The Warning Signs?
- What Can We Do About It?
12A Survey Of Folks Regarding Fraud
- 31 of All Americans are Dishonest
- Another 40 are Situationally Honest (i.e., they will be honest if it pays to be honest and dishonest if it pays to be dishonest)
- 200 Billion Employee Fraud Cost per Year Compared to 11 Billion from Violent Crime
- In Banks, 95 of Losses are from Employees and 5 are Caused by Bank Robberies
- In Retail, 70 of Losses are from Employees and 5 are Caused by Shoplifters and Customers
13Fraud and Abuse in The U.S.
- U.S. Cost About 990 Billion A Year
- Government And Public Administration Have A Median Loss Of 93,000 Per Fraud Scheme
- Average Organization Loses 7 Of Revenue
- 12 Of Cases In A Study Were Frauds That Occurred In Government
- Street Crime Only Costs The U.S. 4 Billion Annually
14The Facts
- Fraud Schemes Frequently Continue For Years Before They Are Detected
- The Typical Fraud In The Study Lasted 2 Years From The Time It Began Until It Was Discovered
- Frauds Are Much More Likely To Be Detected By A Tip Than By Audits, Controls Or Any Other Means
- Lack Of Adequate Internal Controls Was Most Commonly Cited As The Factor That Allowed Fraud To Occur
- Occupational Fraudsters Are Generally First-time Offenders
15What Is Fraud?
- It's When Folks Are Ripping Off The Government In Lots Of Different Ways
- Fraud Is Like A Four Letter Word
- Just Ignore It And It Will Go Away
- It Will Never Happen To Us
16Common Myths About Fraud
- Most Folks Will Not Commit Fraud
- Fraud Is Not Material
- Most Fraud Goes Undetected
- Fraud Is Well Concealed
- Prosecuting Will Deter Others
17Potential Cost Of Fraud
- Lose The Confidence In The Government
- Loss To The Reputation Of Innocent Third Parties (I.E., The Remaining Staff)
- Cost To The Perpetrator
- The Public Loss
18Potential Cost Of Fraud
- Diversion Of Public Resources From Intended Purpose
- Loss Of Money, Assets And Time
- Embarrassment, Guilt, Humiliation And Shame
- Subsequent Management Decisions Are Reviewed Under A Microscope
- Any Investigation Turns The Government Or Agency Inside Out
19Personal Rip Offs For Glick
- Send Banking Information
- Bank of America
- Wachovia Bank
- TCF Bank
- HSBC Bank
- Catawba Valley Bank
- Regions Bank
- Bank of the West
- Washington Mutual
- Bank Financial
- Huntington Bank
- Smith Barney
20Personal Rip Offs For Glick
- Frank Senger - 20.5 Million
- Chief Adeniran Aderogba - 10 Million
- Dr Sikas Usman - 30 of 45.8 Million
- Dr. Ahmed Kassim - 10.5 Million
- Miss Caroline Williams 30 Of 16.5 Million
- Mr Jack Chow No Amount
- Jim Mcconville - 20 Million British Pounds
21Personal Rip Offs For Glick
- Richard H Mason 10 On All Payments Made
- Mr. Brendon Hopkins 30 Of 26.5 Million British Pounds (Twice)
- Mr. Mark Johnson Lottery - 2.5 Million British Pounds
- Mr. Carlos Moreno 50 Of 34.5 Million
- Miss Joyce Awuse - 5.5 Million
- IRS - 109.30
- Dr Dansuki Dan - 25.5 Million
22Session 2
- What Are Internal Controls
23What Are Internal Controls?
- To put it simply, internal controls are an exercise of common sense. You are practicing good internal controls when you?
- Balance your checkbook
- Keep your ATM/debit card pin number separate from your card
- Keep copies of your tax return
- Compare your monthly credit card statement to the credit card receipts
- Lock your car doors
24What Are Internal Controls?
- Internal Control Is A Process, Effected By Management And Other Personnel, Designed To Provide Reasonable Assurance Regarding The Achievement Of Objectives In The Following Categories
- Effectiveness And Efficiency Of Operations
- Reliability Of Financial Reporting
- Compliance With Laws And Regulations
25What Are Internal Controls?
- Internal Control Consists Of Five Interrelated
Components That Affect Each Of The Three
Categories
26What Are Internal Controls?
- Internal control is a process. It is a means to an end, not an end itself.
- Internal control is effected by people.
- It's not merely policy manuals and forms, but people functioning at every level of the institution.
27Limitations on Internal Controls
- Considerations Of Costs Will Prevent Management From Ever Installing A Perfect System
- Controls Are Potentially Subject To Management Override
- Risk Of Collusion
28Applying the COSO Framework
- Committee of Sponsoring Organizations of the Treadway Commission
- www.coso.org
29Who Are The Organizations
- American Accounting Association
- American Institute of Certified Public Accountants
- Financial Executives International
- Institute of Management Accountants
- The Institute of Internal Auditors
30COSO Internal Control Integrated Framework
- Established A Common Definition Of Internal Control
- Provides A Standard Against Which A Government Can Assess Their Control Systems And Determine How To Make Improvements
31Internal Control Components
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
32Internal Control Components
- Internal Control Components Interact With
- Operations
- Financial Reporting
- Compliance
33Evaluating Internal Controls
- Often, Evaluations Are Piecemeal Approaches To The Task
- Internal Controls Are Not Isolated And Are Related To One Another
34Internal Controls Are Actually
- A Coordinated Set Of Policies And Procedures That Reflect A Comprehensive Strategy For Achieving Management's Objectives
35Assessing The Internal Control Framework
- Provides A Favorable Control Environment.
- Continually Assesses Risk.
- Establishes And Maintains Effective Control-Related Policies And Procedures.
- Effectively Communicates Information.
- Monitors The Effectiveness Of Control Policies And Procedures And The Resolution Of Potential Problems Identified By Controls.
36A Basic Rule
- More Is Not Better
- The Cost Of Excessive Or Redundant Controls Could Exceed The Benefits
- Employees May View Controls As Unnecessary Red Tape
37Why Are Internal Controls So Important?
- Because The Prevention Of Fraud Is Critical And
Costs Are High
38Session 3
- MANAGEMENT'S OBJECTIVES AND RESPONSIBILITIES
39MANAGEMENT'S RESPONSIBILITIES AND THE INTERNAL
CONTROL FRAMEWORK
- EFFECTIVENESS
- EFFICIENCY
- COMPLIANCE
- FINANCIAL REPORTING
40EFFECTIVENESS
- DETERMINES WHETHER THE GOVERNMENT AND ITS DEPARTMENTS ARE MEETING THEIR OBJECTIVES
- GOALS AND OBJECTIVES IDENTIFIED IN BUDGETARY PROCESS
- FOCUSES ON RESULTS RATHER THAN EFFORTS
- INCLUDE OUTPUTS - HOW MUCH OF GOODS AND SERVICES ARE PROVIDED
- INCLUDE OUTCOMES - WHAT IS THE QUALITY OF GOODS OR SERVICES TO BE PROVIDED
41EFFICIENCY
- MAKING OPTIMAL USE OF THE RESOURCES MADE AVAILABLE
- OBTAINING DESIRED RESULTS WITH THE LEAST EXPENDITURE OF RESOURCES
- MEASURES COSTS (I.E., EFFORT) TO RESULTS (I.E., EFFECTIVENESS)
42COMPLIANCE
- ANNUAL APPROPRIATED BUDGET
- GRANTOR REQUIREMENTS
- STATE OVERSIGHT REQUIREMENTS
- IRS REQUIREMENTS
- BOND COVENANTS
- LOCAL LAWS AND REGULATIONS
43FINANCIAL REPORTING
- INTERNAL FINANCIAL REPORTING
- EXTERNAL FINANCIAL REPORTING
- - SPECIAL PURPOSE
- - GENERAL PURPOSE
- - CAFR
44Session 4
- Who Is Responsible For Internal Controls?
45Who is Responsible for Internal Controls?
- Everyone has a part in the internal control system.
- The roles vary depending upon what level of responsibility and the nature of involvement by the individual.
46Who is Responsible for Internal Controls?
- Managers and supervisors are responsible for ensuring that internal controls are established and functioning to achieve the mission and objectives of their unit.
- Each employee within an area should be made aware of proper internal control procedures associated with their specific job function.
47Is This Just A Problem For The Finance Office?
- Most Folks Think This Is Finance's Problem
- But Not Really
- However, We Are Emphasizing the Finance
Department In This Seminar
48Management's Responsibilities And The Internal
Control Framework
- Any Entity, Be It A Government, A Business Or A Nonprofit Organization, Exists To Achieve Some Purpose
- It Is The Role Of Management To Provide The Leadership Needed For An Entity To Realize That Purpose
49Management's Responsibilities And The Internal
Control Framework
- Furthermore, Management Is Not Free Simply To Act In Any Way It Might Choose To Achieve The Entity's Goals
- Management's Options And Actions Are Circumscribed By Constraints And Expectations, Both Implicit And Explicit.
50Responsibility For Internal Controls
- Management Is Primarily Responsible For The Effectiveness Of Internal Controls, Like Any Other Aspects of Performance
- A Side Note - Authority And Responsibility Should Not Be Separated
51Responsibility For Internal Controls
- Management Is Subject To Oversight By The Government's Elected Officials
- The Governing Body Is Ultimately Responsible
- Internal And External Auditors Can Assist Management
52Responsibility For Internal Controls
- This Stuff Is Not Something Different From
- Your Basic Responsibilities As Leaders And As
Fiduciaries
53Basic Management Responsibilities
- Achieving The Government's Purpose (Effectiveness)
- Making Optimal Use Of Scarce Resources (Efficiency)
- Observing Restrictions On The Use Of Resources (Compliance)
- Periodically Demonstrating Accountability For Stewardship Of Resources Placed In Their Care (Reporting)
54Session 5
- What Types of Public Sector Fraud Exist
55Profile of Fraud Perpetrator
- Male Or Female (White Males Over 60?)
- No Prior Criminal History (<8)
- Well Liked By Co-workers
- Likes To Give Gifts/Compulsive Shopper
- Gambling Problems Not Unusual
- Long-term Employee
- Rationalizes Starts Small Or Borrows
- Lifestyle Clues
56General Observations Of A Fraudster
- Male
- Intelligent (Bored With The Job Routine)
- Egotistical (Scornful Of Obvious Control Flaws)
- Inquisitive (E.G., Tempted By The Discovery Of A Computer Vulnerability)
- A Risk Taker
- A Rule Breaker
- A Hard Worker
- Under Stress
- Disgruntled At Work
57The Fraud Triangle
Exacerbated in Economic Downturn
- Perceived Opportunity To Commit Fraud
- Perceived Pressure Facing Individual
- Person's Rationalization Or Integrity
58Conditions Present When Fraud Occurs
- Incentive/Pressure
- Opportunity
- Attitude and Rationalization
59Causes Of Fraud
- Character And Personality
- Financial Stress
- -- Addiction
- -- Disaffection
- -- Pathologies
- Perceived Opportunity
- - Permits Fraud
- - Promotes Fraud
60Why Folks Commit Fraud
- Grumpy Gus
- Stressed Sally
- Pill poppin Paula
- Never goes home Ned
61Why Folks Commit Fraud
- Extravagant Ellen
- Over-spent Ollie
- Lotto Larry
- Compulsive Connie
62Who Commits Fraud?
- Fraud Losses Caused By Managers And Executives Were 16 Times Greater Than Those Caused By Non-managerial Employees.
- Losses Caused By Men Were Four Times More Than Those Caused By Women.
- Losses Caused By Those 60 And Older Were 28 Times Those Caused By Perpetrators 25 Or Younger.
63Generally, What is the Goal of A Fraudster?
64Types Of Public Sector Fraud
- Receipts Fraud
- Disbursements Fraud
- Assets Fraud
65Cash Schemes
- Stealing Cash Funds Processed Or On Hand
- Not Recording Stealing The Cash Receipts
- Under Ringing Stealing The Difference In Cash Receipts
- Altering Bank Deposits
66 Receipts Fraud
- Lapping Too Much Work!
- Kiting Bank Deposit Schemes
- Granting Bogus Credit Memos
- Forging Check Received
67 Receipts Fraud
- Duplicate Payments
- Charge Off Fraud Bogus Write-offs
- Disposal Fraud
- Credit Card Manipulation
68Disbursements Fraud
- Personal Bills
- Bid Rigging
- False Claims (Fictitious Suppliers, Kickbacks)
- Conflict of Interest
69Disbursements Fraud
- Travel Claim Fraud
- Procurement and Credit Cards
70Payroll and Benefits Fraud
- Ghost Employees
- Unclaimed Payroll Checks
- Excess Payroll Payments (Falsifying Time Cards)
- Withholdings and W-2s
- Vacation and Sick Pay
71Theft Of Assets Fraud
- Petty Cash Fraud
- Cash Register Theft
- Consumable Inventory Theft
- Capital Asset Theft
- Using Assets For Personal Use
72Red Flags
- A Red Flag Is
- A Set Of Circumstances That Are Unusual In Nature Or Vary From The Normal Activity.
- A Signal That Something Is Out Of The Ordinary And May Need To Be Investigated Further.
- Not About Guilt Or Innocence But Merely Provides Possible Warning Signs Of Fraud.
73Red Flags
- Do Not Ignore A Red Flag. Studies Of Fraud Cases Consistently Show That Red Flags Were Present, But Were Either Not Recognized Or Were Recognized But Not Acted Upon By Anyone.
- Sometimes An Error Is Just An Error. Red Flags Should Lead To Some Kind Of Appropriate Action, I.E. An Investigation By A Measured Responsible Person, But Sometimes An Error Is Just An Error And No Fraud Exists
74Employee Red Flags
- Employee Lifestyle Changes
- High Employee Turnover
- Significant Personal Debt And Credit Problems
- Refusal To Take Vacation Or Sick Leave
- Behavioral Changes
- Lack Of Segregation Of Duties In A High-risk (Vulnerable) Area
75Employee Red Flags
- Reluctance To Provide Information To Auditors
- Photocopied Or Missing Documents
- Weak Internal Control Environment
- Unexpected Overdrafts Or Declines In Cash Balances
- Decisions Dominated By An Individual Or Small Group
76Employee Red Flags
- Excessive Number Of Year-end Transactions
- Management Displays Significant Disrespect For Regulatory Bodies
- Excessive Number Of Or Frequent Changes In Checking Accounts
- Accounting Personnel Are Lax Or Inexperienced
77Employee Red Flags
- High Employee Turnover Rate
- Compensation Is Out Of Proportion
- Decentralization Without Adequate Monitoring
- Frequent Changes In External Auditors
78Red Flags in Cash
- Excessive Number Of Voids
- Presence Of Personal Checks In Petty Cash
- Unauthorized Bank Accounts
- Excessive Or Unjustified Cash Transactions
- Large Number Of Account Write-offs
- Sudden Activity In A Dormant Account
79Red Flags in Payroll
- Inconsistent Overtime Hours For A Cost Center / Department
- Overtime Charged During A Slack Period
- Overtime Charges For Employees Who Normally Would Not Have Overtime Wages
- Budget Variations For Payroll By Cost Center / Department
- Employees With Duplicate Social Security Numbers, Names, And Addresses
- Employees With Few Or No Payroll Deductions
80Red Flags in Procurement
- Increasing Number Of Complaints About Services
- Vendors Without Physical Address
- Lack Of Physical Security Over Assets / Inventory
- Payments To Vendors Not Included On An Approved Vendor List
- Vendor Address Matching Employee Address
81Red Flags in Procurement
- Purchases That Bypass Normal Procedures
- Charges Without Shipping Documents
- Vendor Payments Picked Up Rather Than Having It Mailed
- High Volume Of Purchases From New Vendors
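The payroll and procurement red flags above (duplicate Social Security numbers, employees with no deductions, vendors without a physical address or off the approved list, vendor addresses matching employee addresses) and the duplicate payments named earlier can be screened for in payroll and vendor master data. The Python below is an added example, not part of the original presentation; the record layout, field names and every sample record are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records: every name, SSN, address and amount is fictitious,
# and the field names are assumptions made for this example.
EMPLOYEES = [
    {"id": "E001", "name": "Ann Reyes", "ssn": "900-11-0001",
     "address": "12 Oak St., Apt 4, Springfield", "deductions": 412.50},
    {"id": "E002", "name": "Bob Hale", "ssn": "900-11-0002",
     "address": "77 Elm Avenue, Springfield", "deductions": 388.10},
    {"id": "E003", "name": "B. Hale", "ssn": "900-11-0002",
     "address": "PO Box 19, Springfield", "deductions": 0.0},
]
VENDORS = [
    {"id": "V100", "name": "Acme Paving", "address": "400 Industrial Rd, Springfield", "approved": True},
    {"id": "V200", "name": "Reyes Supply", "address": "12 OAK STREET APT 4 SPRINGFIELD", "approved": True},
    {"id": "V300", "name": "QuickFix LLC", "address": "P.O. Box 552, Springfield", "approved": False},
]
PAYMENTS = [
    {"vendor": "V100", "invoice": "INV-881", "amount": 1500.00},
    {"vendor": "V100", "invoice": "INV-881", "amount": 1500.00},
    {"vendor": "V300", "invoice": "Q-17", "amount": 9800.00},
]

_ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "APARTMENT": "APT", "SUITE": "STE"}


def normalize_address(addr):
    """Upper-case, drop punctuation and fold common abbreviations so that
    '12 Oak St., Apt 4' and '12 OAK STREET APT 4' compare equal."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", addr.upper()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def is_po_box(addr):
    return re.match(r"P ?O BOX\b", normalize_address(addr)) is not None


def duplicate_ssns(employees):
    """Employees With Duplicate Social Security Numbers."""
    by_ssn = defaultdict(list)
    for e in employees:
        by_ssn[e["ssn"]].append(e["id"])
    return {ssn: sorted(ids) for ssn, ids in by_ssn.items() if len(ids) > 1}


def no_deductions(employees):
    """Employees With Few Or No Payroll Deductions (here: none at all)."""
    return [e["id"] for e in employees if not e["deductions"]]


def vendors_without_physical_address(vendors):
    """Vendors whose address is blank or only a post office box."""
    return [v["id"] for v in vendors
            if not v["address"].strip() or is_po_box(v["address"])]


def vendor_employee_address_matches(vendors, employees):
    """Vendor Address Matching Employee Address, after normalization."""
    emp_by_addr = defaultdict(list)
    for e in employees:
        emp_by_addr[normalize_address(e["address"])].append(e["id"])
    hits = []
    for v in vendors:
        key = normalize_address(v["address"])
        if key:  # never match two blank addresses to each other
            hits.extend((v["id"], eid) for eid in emp_by_addr.get(key, []))
    return hits


def unapproved_vendor_payments(payments, vendors):
    """Payments To Vendors Not Included On An Approved Vendor List."""
    approved = {v["id"] for v in vendors if v["approved"]}
    return [(p["vendor"], p["invoice"]) for p in payments if p["vendor"] not in approved]


def duplicate_payments(payments):
    """Same vendor, invoice and amount paid more than once."""
    counts = Counter((p["vendor"], p["invoice"], p["amount"]) for p in payments)
    return sorted(key[:2] for key, n in counts.items() if n > 1)


def screen(employees, vendors, payments):
    return {
        "duplicate_ssns": duplicate_ssns(employees),
        "no_deductions": no_deductions(employees),
        "vendor_no_physical_address": vendors_without_physical_address(vendors),
        "vendor_matches_employee_address": vendor_employee_address_matches(vendors, employees),
        "payment_to_unapproved_vendor": unapproved_vendor_payments(payments, vendors),
        "duplicate_payments": duplicate_payments(payments),
    }


if __name__ == "__main__":
    for flag, hits in screen(EMPLOYEES, VENDORS, PAYMENTS).items():
        print(f"{flag}: {hits}")
```

Each hit is a lead for review by a responsible person, in line with the point above that a red flag is not about guilt or innocence.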
82Profiles of a Government At Risk
- Less Than 100 Employees.
- Management Ignores Irregularities.
- High Turnover With Low Morale.
- Staff Lacks Training
83Session 6
- Where Is The Independent Auditor?
84The Independent Auditor
- Once The Independent Auditor Is Finished With The Annual Audit, Can Everyone Relax And Assume That No One Got Us This Year?
- Of Discovered Fraud, the Independent Auditor Only Finds about 9
85Why Do Auditors Fail To Detect Fraud?
- Lack of Training
- Accept any Reasonable Explanations
- Going Through the Process of Ticking and Tying Numbers
- They May Not Want to Find Fraud, It Causes Problems
- They May Be Embarrassed
- Not Enough Time Budgeted for the Audit
86Types of Audits
- Financial Audits
- Performance Audits
87The Independent Auditor
- The Auditor Reports On The Adequacy Of Existing Controls Within The Government
- The Auditor Must Carefully Evaluate The Internal Control System As A Basis To Determine The Degree Of Audit Procedures Necessary In The Circumstances
88New Statements on Auditing Standards
- A Few Years Ago, The Rules For Auditors Were
Changed And Expanded Substantially
89What Created The Need?
- Corporate Fraud In The Roaring 90s Which Became Known In The Early 2000s
- Sarbanes-Oxley Act Of 2002 (Private Sector)
- Required Additional Internal Controls By Management
- Created A New Agency (PCAOB) To Closely Scrutinize Public Company Audits
- Removed The AICPA From Any Authority For Public Company Audit Standards And Peer Review
90A New Audit Approach
- A Risk Based Audit
- The Government Must Identify Key Internal Controls That Relate To High Risk Areas
- Some of the Areas Might Include
- Cash
- Investments
- Budget
- Revenue Receipts
- Expenditures
- Payroll
- Consumable Inventories
- Capital Assets
- Grants
91Do the Auditors Look At Everything?
- Auditors Obtain Reasonable Assurance, Not Absolute Assurance
- Materiality
- The Single Audit
- The Auditor May Report on Compliance and Internal Controls
- Major Federal Awards
92Internal Audit Function
- Management Can Improve The Quality Of The Environment By Establishing An Internal Audit Function
- Report Directly To Top Management (Or The Elected Officials?)
- Monitoring The Effectiveness Of Control Related Policies And Procedures
93Internal Audit Function
- Internal Auditors Can Be Of Great Value To State And Local Governments In A Variety Of Ways.
- In Particular, They Commonly Assist Management In Monitoring The Design And Proper Functioning Of Internal Control Policies And Procedures.
94Internal Audit Function
- In This Capacity, Internal Auditors Themselves Function As An Additional Level Of Control And So Help To Improve The Government's Overall Control Environment.
- Internal Auditors Also Can Play A Valuable Role Conducting Performance Audits, As Well As Special Investigations And Studies
95Internal Audit Considerations
- Don't Let The Audit Function Become A Political Football
- Don't Promise The Moon
- Don't Let The Auditors Become Free Roaming Chickens.
- Don't Fly By The Seats Of Your Pants
96Internal Audit Considerations
- Don't Use The Shotgun Approach To Scoping An Audit
- Never Leave A White Elephant In The Auditee's Office.
- Don't Count Your Chickens Before They Hatch. Never Assume The Auditee Fixed The Problem.
97GFOA Recommendations
- Every Government Should Consider The Feasibility Of Establishing A Formal Internal Audit Function Because Such A Function Can Play An Important Role In Helping Management To Maintain A Comprehensive Framework Of Internal Controls.
- As A Rule, A Formal Internal Audit Function Is Particularly Valuable For Those Activities Involving A High Degree Of Risk (E.G., Complex Accounting Systems, Contracts With Outside Parties, A Rapidly Changing Environment).
98GFOA Recommendations
- If It Is Not Feasible To Establish A Separate Internal Audit Function, A Government Is Encouraged To Consider Either
- 1) Assigning Internal Audit Responsibilities To Its Regular Employees Or
- 2) Obtaining The Services Of An Accounting Firm (Other Than The Independent Auditor) For This Purpose
99GFOA Recommendations
- The Internal Audit Function Should Be Established Formally By Charter, Enabling Resolution, Or Other Appropriate Legal Means
- It Is Recommended That Internal Auditors Of State And Local Governments Conduct Their Work In Accordance With The Professional Standards Relevant To Internal Auditing Contained In The U.S. General Accounting Office's Publication Government Auditing Standards, Including Those Applicable To The Independence Of Internal Auditors
100GFOA Recommendations
- At A Minimum, The Head Of The Internal Audit Function Should Possess A College Degree And Appropriate Relevant Experience.
- It Also Is Highly Desirable That The Head Of The Internal Audit Function Hold Some Appropriate Form Of Professional Certification (E.G., Certified Internal Auditor, Certified Public Accountant, Certified Information Systems Auditor) And
- All Reports Of Internal Auditors, As Well As The Annual Internal Audit Work Plan, Should Be Made Available To The Government's Audit Committee Or Its Equivalent.
101Goals Of Audit Committee
- Ensure That Management Is Maintaining A Comprehensive Framework Of Internal Control
- Ensure That Management's Financial-reporting Practices Are Assessed Objectively
- Determine That The Financial Statements Are Properly Audited And That Any Problems Disclosed In The Course Of The Audit Are Satisfactorily Resolved
102Key Benefits
- Practical Tool For Focusing Board Attention
- Direct Communications Link Between The Independent Auditors And The Governing Body
- Forum In Which The Independent Auditors Can Candidly Discuss Audit-related Matters With Members Of The Governing Board Apart From Management
103Applicability to Small Governments
- Smaller Governments Have The Same Basic Responsibility As Larger Governments
- An Audit Committee Is Just As Necessary For Both
104Level Of Expertise Needed Of Members
- Sufficient Understanding To Perform Duties With Expert Assistance (I.E., Financial Expert)
- New Or Prospective Members Typically Should Receive Some Brief Formal Training
- Role Of The Audit Committee
- Their Personal Responsibility As Audit Committee Members
- Training Should Underscore Professional Skepticism In Dealing With Management
105Relationship With Independent Auditors
- Auditors Report Directly To Audit Committee
- Provision To Meet Privately
- Amend Sunshine And Open Meetings Laws
Accordingly
106Relationship With Independent Auditors
- Two Views
- Traditional
- Internal Auditors/Management As Audit Committee/Governing Body
- Emerging
- Completely Independent Of Management
- Trade-off
- Management Involvement And Cooperation V.
Independence
107Basic Tasks
- Determining The Scope Of The Audit
- Determining The Scope Of Nonaudit Services
- Managing The Audit Procurement Process
- Selecting The Independent Auditors
- Reviewing The Financial Statements
108Basic Tasks
- Reviewing The Auditor's Report
- Reviewing The Comprehensive Framework Of Internal Control
- Assessing The Performance Of The Independent Auditors
- Providing An Independent Forum For Findings Of Fraud, Abuse, Or Control Override
109Session 7
- The Internal Control Environment
110The Control Environment
- Sets The Tone For The Government
- Influences Control Consciousness
- Foundation For All Other Control Components
- Includes Integrity, Ethical Values, Competency, Management's Philosophy, And The Way Authority And Responsibility Is Assigned
111The Control Environment
- Corporate Culture (Enron) (A 60 Page Code of Ethics)
- Does Management Believe That Internal Controls Are Important To Achieving Its Goals And Objectives?
- Does Management View Internal Controls As An Obstacle To Achieving Its Goals And Objectives?
112The Control Environment
- Who Knew Who They Were? There Was No Place For Me To Voice My Concerns, Either To The Internal Audit Function Or The Audit Committee. Remember, I Was Not In The Accounting Department. But Even If I Were, I Think I Would Have Known It Would Have Been Fruitless, Because I Would Have Had Access To Junior Auditors Who Were Simply Not In The Position To Raise The Flags That Would Have Hurt Their Senior Auditors And Account Executives.
- Sherron Watkins
- Enron Corporation
113The Control Environment
- The Way We Do Things Around Here
- Sets The Tone Of The Government, Influencing The
Control Consciousness Of Its Staff
114Management's Attitude
- What Is The Tone At The Top?
- - Management
- - Elected Officials
- Will Management Allocate Resources To Internal Controls?
- Are There High Ethical And Professional Standards?
- Does Management Cut Corners?
115The Typical Environment in Which Fraud Occurs
- Trust Is Placed In Employees
- Employees Have Detailed Knowledge Of The Accounting Systems And Their Weaknesses
- Management Domination Subverts Normal Internal Controls
116The Typical Environment in which Fraud Occurs
- Management Adds Pressure To Make The Numbers
- Expected Moral Behavior Is Not Communicated To Employees
- Unduly Liberal Accounting Practices
117The Typical Environment in which Fraud Occurs
- Ineffective Or Nonexistent Internal Auditing Staff.
- Lack Of Effective Internal Controls.
- Poor Accounting Records.
- Related Party Transactions.
- Incomplete And Out Of Date Procedural Documentation.
- Management Sets A Bad Example.
118Practical Application - Control Environment
- Establish Current Policies With Regard To Ethical Behavior (Code Of Conduct), Conflict Of Interest, Nepotism
- Enforce Appropriate Discipline For Failure To Comply With These Policies
- Ensure Personal Adherence To Strong Moral Code
- Reward Competency
119Practical Application - Control Environment
- Place High Degree Of Importance On Maintaining Strong Internal Control
- Provide For A Whistle Blower Policy That Allows Employees And Others To Report Fraud Or False Statements By The Management Team
120Impact of the Control Environment
- Don't Underestimate The Importance Of This Part Of The Control System.
- All The Great Control Activities In The World Will Not Be Effective If Employees Know That Management Is Not Concerned With Strong Internal Control, Lacks Integrity Or Does Not Value Their Employees
121Control Environment Pitfalls
- Ignoring The Tone That Management Sets Or Thinking That The Control Environment Is Not Important.
- Inconsistency In Treatment Of Lapses In Ethical Conduct.
- Allowing Employees To Feel Devalued.
122Maintaining A Qualified Staff
- Competent And Honest Staff
- Up To Date Job Descriptions
- Follow Appropriate Hiring Policies (E.G., Not Hiring A Relative Or A Buddy)
- Assign Authority And Responsibility
- Ensure That Employees Are Trained
- Review And Document Performance
- Set Appropriate Performance Goals For Promotion
123Session 8
124What Is Risk Monitoring And Assessment?
- The Government's Identification And Analysis Of Relevant Risks To Achieve Its Objectives, Forming A Basis On How They Should Manage The Risks
125Risk Assessment
- Risks Result From Both External And Internal Sources
- These Change Over Time Based On Economic, Regulatory, And Operating Conditions
- Risk Assessment Must Link Identified Policy Objectives To Specific Risk Factors
126Risk Assessment
- Example: A Policy Of Receiving The Highest Rate Of Return On Investments Must Be Linked To Interest Rate Risk
- Example: A Policy Of Allowing Payment From Vendor Statements Rather Than Original Invoices Only Must Be Linked To The Risk Of Duplicate Payments
127Risk Assessment
- Example: A Policy Of Decentralized Cash Receipts Must Be Linked To The Risk Of Untimely Deposit And Recording To The General Ledger.
128Risk Assessment
- Risk Assessment Must Also Link Identified Control Objectives To Specific Risk Factors
- All Transactions Are Properly Authorized
- Transactions Are Recorded In The Correct Period For The Correct Amount
- All Revenues Are Received And Recorded Timely
- Assets Are Not Stolen Or Lost
129Risk Assessment
- Risk Factors Are Created By
- The Nature Of Particular Accounts Or Transactions
- Turnover In Key Employee Positions
- Changes In The Financial Markets
- The Expertise Of The Personnel Handling Transactions
- Ineffective Or Poorly Designed Control Activities
130Practical Application - Risk Assessment
- Be Realistic About The True Risk With Regard To A Particular Account Or Cycle Of Transactions
- Consider All Types Of Applicable Risk: Inherent, Control Risk, Fraud Risk, Credit Risk, Etc
- Make Sure To Address IT Risk
- Identify What Could Go Wrong?
131Risk Detection
- It Is Like A Physician
- It Is Like An Attorney
- Prevention And Quick Corrective Action
132Inherent Risk
133Inherent Risk
- Complexity
- Cash Receipts
- Direct Third Party Beneficiaries
- Degree Of Centralization
- Prior Problems
- Prior Unresponsiveness To Identify Control
Weaknesses
134Effect Of Change On Risk Management
- Changes In The Environment
- Changes In Personnel
- Changes In Technology
- Rapid Growth
- New Programs And Services
- Changes In Structure
135What Could Go Wrong? Example: Cash Disbursements
- Payments Could Be Made To Fictitious Vendors
- Disbursements Could Be Made For The Wrong Amount
- Duplicate Payments Could Be Made On An Invoice
- Disbursements Could Be Recorded In The Wrong
Period
136What Could Go Wrong? Example: Investments
- Excessive Transaction Fees Could Be Charged To The Government.
- Investments Held By The Government Could Be Stolen (Certificates Of Deposit).
- Investments Outside The Government's Risk Tolerance Could Be Purchased And Result In Loss Of Principal.
137What Could Go Wrong? Example: Cash Receipts
- Funds Received Could Be Credited To The Wrong Customer Account
- Cash Could Be Stolen By An Employee
- Amounts Received Could Be Recorded Net Rather Than Gross
- Amounts Receivable May Never Be Collected Due To Failure To Follow On Past Due Amounts
138Risk Matrix Cash Receipts
139Practical Application - Risk Assessments
- Risk Assessments Can Be Documented Via Narrative, Checklist Or Matrix
- Tools Available Include
- COSO Documents Available Via AICPA
- PPC Checklists Or Other Auditor Utilized Templates
- Local Government Websites (Perform Google Search For Government Internal Control)
140Practical Application - Risk Assessments
- Remember That Use Of A Third Party Does Not Eliminate Management's Responsibility For Assessing Risks.
- Structure Of Agreement Is Important
- Obtain SAS 70
- Reconcile Reports To General Ledger (As Applicable)
141Practical Application - Risk Assessments
- Remember That IT Controls Can Affect Risk For All Cycles Of Transactions. Well Designed Internal Controls Can Be Made Ineffective By Poor Controls Over IT.
- System Log-in Should Mirror Job Responsibilities
- Passwords
- Remove Temporary Access Granted Once No Longer Appropriate
142Risk Assessment Pitfalls
- Trying To Identify A Control For Every Risk Factor.
- Ignoring The Possibility Of Existing Compensating Controls.
- Not Performing A Risk Assessment Annually Or At Least When Key Factors Have Changed (Regulatory, Employee Turnover, Etc.)
- Ignoring IT Controls.
143Session 9
144Control Activities
- The Policies And Procedures That Ensure Management's Directives Are Followed
- These Occur At All Levels Throughout The Organization
- Include Approvals, Authorizations, Verifications, Reconciliations, Security Of Assets, Segregation Of Duties And Review Of Operating Performance
145Practical Application - Control Activities
- Address Control Objectives: Existence Or Occurrence, Completeness, Valuation Or Allocation, Rights And Obligations, Accuracy Or Classification, Cutoff And Presentation And Disclosure
- Tie Control Activities To Risks Previously Identified And Address What Could Go Wrong Scenarios
- Balance Cost And Benefit
146Practical Application - Control Activities
- Identify Control Objectives And The Risks Of What Could Happen
- For Each Risk Factor Identified, Evaluate The Potential Impact And Probability Of Occurrence
- Design Control Activities To Address High Impact, High Probability Concerns
- Evaluate Annually
147Risk Matrix
148Risk Matrix
- Cash Disbursements Example
149Practical Application - Control Activities
- It Is Not Necessary To Address Every Risk Factor With A Specific Control Activity. Focus On Key Areas
- Utilize Compensating Controls Where Textbook Approach Is Not Practical
- Evaluate The Benefit Of Existing Monitoring Controls
150Risk Matrix
- Cash Disbursements Example
151Key Control Activities
- Address Unusual Transactions Or Variance From Expected Benchmarks In Timely Fashion
- Reconcile Accounts Per General Ledger To Subsidiary Ledgers Or Statements From Trustee/Custodian (As Applicable)
- Separate Initiation And Authorization From Recording Of Transactions
152Key Control Activities
- Provide For Oversight By Interested Party Such As Investment Committee (Include Trustee Activities), Audit Committee Or Citizens Group
- Utilize Disclosure Checklist To Ensure Presentation And Disclosure Requirements Are Met
153Control Activities Pitfalls
- Remember That For Small Governments Key Objectives Must Be Identified
- Reducing The Risk Of Theft Or Fraud
- Providing For Accountability
- Ensuring Compliance With Regulations
- Focus On True Effectiveness Not Just Cookie Cutter Approaches
- Ensure Benefit Justifies The Cost
154Session 10
- Information and Communications
155Information and Communication
- Includes Both Internal And External Interaction
- Requires Pertinent Information To Be Identified, Captured And Communicated In A Form And Timeframe For Employees To Carry Out Their Responsibilities
- Reports Must Contain Relevant Operational, Financial And Compliance Information
156Practical Application - Information and
Communication
- System Generated Reports Must Include Relevant Information
- Statements From Outside Third Parties (Broker/Dealers, Bank Statements, Grantor Agency) Must Be Channeled To Correct Personnel And Provided Timely
157Information And Communication Example: Investments
- Communication With Investment Committee Or Other Oversight Body Should Include
- Types Of Investments Held
- Average Rate Of Return For Period And YTD Compared With Benchmarks
- Average Maturity Of Portfolio
- Compliance With Investment Policy Provisions
158 Information and Communication Example: Investments
- Communication With Investment Committee Or Other Oversight Body Should Also Include
- Changes In Investment Strategy (If Any)
- Interest Rate Environment Changes
- Discussion Of Any Unusual Transaction Or Particularly Risky Investment
159 Information and Communication Example: Cash Disbursements
- Communication With Departments
- Budget To Actual Report By Budgeted Line
- Request To Explain Certain Variances
- Detail Of Capital Assets Added To Subledger
- Communication With Council
- Budget To Actual Comparison By Department
- Explanations For Variances Over A Certain
Threshold
160 Information and Communication Example: Cash Receipts
- Daily Cash Reports Should Show Revenue By Major Categories Such That Reconciliation To The General Ledger Is Facilitated.
- The Date Of Receipt And Date Of Deposit Should Be Included Along With The General Ledger And Bank Account Information.
161 Information And Communication Pitfalls
- Generating Reports That Provide Inaccurate, Untimely Or Unnecessary Information
- Providing Inappropriate Information Outside The Organization (SS , Employee Evaluations)
- Failure To Verify Accuracy Of Externally Provided Reports
162Session 11
163Monitoring
- Assessing The Quality Of The Internal Control System And Making Modifications As Needed
- This Process Is Ongoing Through The Normal Course Of Operations And At Separate Specific Evaluations Of A Particular Process
164Monitoring
- COSO Framework States That Monitoring Ensures That Internal Control Continues To Operate Effectively.
- The COSO Framework Recognizes That Risks Change Over Time And That Management Needs To Determine Whether The Internal Control System Continues To Be Relevant And Able To Address New Risks.
165Monitoring
- The Original COSO Report On Internal Controls Was Issued In 1992.
- In 2009, COSO Issued Guidance On Monitoring Internal Control Systems
- Emphasized Importance Of Monitoring Controls As Part Of Even Small Government Environments.
166Monitoring
- Monitoring Is Both An On-going Process And Can Be Annual In Nature (Testing Of Key Controls)
- Process Can Be Done Annually By The Internal Audit Department (As Applicable) Or As An Internal Review By Finance Personnel.
167Practical Application Examples of Monitoring
- Cash Receipts
- Performing A Review Of Bank Reconciliations On A Monthly Basis And Signing Off As Having Reviewed These.
- Monthly Comparison Of Actual Receipts To Budgeted Receipts And Investigation Of Significant Discrepancies.
- Annually Selecting A Few Transactions To Ensure Proper Recording.
168Practical Application Examples Of Monitoring
- Cash Disbursements
- Performing A Review Of Bank Reconciliations On A Monthly Basis And Signing Off As Having Reviewed These.
- Monthly Comparison Of Cash Disbursements To Budgeted Expenditures/Expenses And Investigation Of Significant Discrepancies.
169Practical Application Examples Of Monitoring
- Cash Disbursements
- Reconciliation Of P-card Purchases By Someone Other Than The Card Holder
- Annual Test Of A Selection Of Transactions For Proper Recording.
170Practical Application Examples of Monitoring
- Investments
- Performing Investment Portfolio Review (Including Evaluation Of Concentration And Type Of Investments) Quarterly By Person Independent Of Investment Portfolio Management
- Disclosure Of Conflict Of Interest Statement Annually By Portfolio Manager
- Obtaining A SAS 70 Report From Custodian Annually
171Practical Application - Monitoring
- Controls Will Change As The Makeup Of An Account Changes
- Controls Should Be Evaluated When There Are Changes In Key Personnel Or Software Applications
- Be Responsive To Information Requests Of Key Management Personnel
- Review Policies And Procedures Annually
172Monitoring Pitfalls
- Failure To Perform Any Monitoring Control Activities.
- Overkill For The Organization's Size. One Or Two Key Data Cycles Or Areas Can Be Selected Each Year For Testing Of Controls.
- No Attempt To Actually Test Key Controls In Some Fashion.
- Failure To Evaluate Controls When Personnel Or Software Changes.
173Session 12
- Evaluation Controls Over Accounting And Financial
Reporting
174Know Where To Start
- Identify Control Cycles
- Basic Control Cycles
- - Obtaining Resources
- - Applying Resources
175Identify Control Cycles
- It Is Easy For Management To Be Daunted By The Sheer Volume And Complexity Of Controls Over Accounting And Financial Reporting.
- Accordingly, The First Step In Evaluating These Controls Is To Know Where To Start.
- The Best Place To Begin Is By "Breaking Down" What A Government Does Into Manageable Groupings Of Similar Or Related Activities, Commonly Known As "Control Cycles."
176Obtaining Resources
- The Resources Inflows Control Cycle
- - Obtaining Legal Claim (Levy The Tax, Provide The Service)
- - Demanding Payment (From Taxpayers, Customers And Grantors)
- - Converting To Cash (Collect)
177Applying Resources
- The Resources Outflows Control Cycle
- Applying Resources (Issue Purchase Orders,
Approve Contracts, Hire Employees, Award Grants)
178Applying Resources
- The Resources Outflows Control Cycle
- - Ensuring Conditions Met (Receipt Of Goods Or Services, Compliance With Grant Requirements)
- - Making Cash Payments
179Applying Resources
- The Resources Outflows Control Cycle
- - Making Cash Payments
180Interim Management
- Governments Are Not Able To Apply Immediately All Of The Resources They Obtain.
- Rather, There Will Be A Greater Or Lesser Interval Between When Resources Are First Obtained And When Those Resources Are Finally Converted Into Goods And Services
- During This Interval, A Government Must Carefully Manage The Resources Entrusted To Its Care.
181Interim Management
- First, Liquid Resources (E.G., Cash) Must Be Properly Protected And Used To Best Advantage Until Needed (I.E., Invested Or Placed On Deposit).
- Second, Non Liquid Assets Used In The Provision Of Services (E.G., Equipment, Inventories Of Supplies) Must Be Properly Protected And Maintained.
- When Both Of These Processes Are Combined Together, The Result Is A Third Control Cycle For "Resource Management."
182Seven Important Steps
- Vulnerability Assessment
- Documenting Transactions
- Identifying Specific Risks
- Identifying Compensating Controls
183Seven Important Steps
- Evaluating The Design Of Compensating Controls
- Testing Compensating Controls
- Assessing The Results Of Testing
184Session 13
- Control Cycles
- A Final Review
185Cash Controls
- Collection Controls
- Disbursement Controls
- Custody Controls
- Accounting Controls
- Reconciliation Controls
186Investments Controls
- Segregation of Duties
- Procedural Controls
- Custody Controls
- Accounting Controls
187Capital Asset Controls
- Segregation of Duties
- Procedural Controls
- Authorization Controls
- Asset Accountability Controls
- General Ledger Controls
188Inventory Controls
- Segregation of Duties
- Authorization Controls
- Receipt/Issues Controls
- Physical Inventory Controls
189Procurement Controls
- Segregation of Duties
- Procedural Controls
- Requisition Controls
- Procurement Controls
- Receiving Controls
- Invoice Processing Controls
190Personnel and Payroll Controls
- Segregation of Duties
- Procedural Controls
- Personnel Controls
- Payroll Processing Controls
191IT Controls
- Segregation of Duties
- Procedural Controls
- Documentation Controls
- Data Controls
- Security Controls
- Inventory Controls
192Session 14
- Other Internal Control Pitfalls
193A Final Reminder About I/C Pitfalls
- Don't Focus On Areas Where Risk Is Low
- Don't Ignore Risk Factors You Become Aware Of Throughout The Year
- Talk To Your Auditors About Areas Of Concern They May Have And New Auditing Standards That Will Affect Your Audit.
- Make Sure To Tailor Any Borrowed P&P To Your Organization.
194A Final Reminder About I/C Pitfalls
- Remember That The Cost Of Implementing The Control Structure Should Not Outweigh The Benefit.
- Remember To Address Budget, Grant And IT Controls.
195Summary
- The Control Environment Establishes The Importance Of Internal Control.
- Risk Assessments Must Be Realistic And Performed When Changes To Objectives Or Policies Occur, There Is Turnover In Key Employees Or Significant Changes In The Financial Markets.
196Summary
- Control Activities Should Be Focused On Areas Of Highest Risk. Monitoring Controls Are Effective Stopgap For Smaller Entities.
- Information And Communication Must Provide Relevant Information For Managing The Assets And Liabilities Of The Entity.
- Monitoring Of The Internal Control System Is An Ongoing Process.
197Session 15
198How to Catch a Fraudster
- Independent Auditor
- Internal Audit
- Getting Ratted Out
- Oops Method
199How to Catch a Fraudster
- Rotate those Job Duties
- The Spot Check
- And, the Surprise Attack
200Eliminate Fraudster Potential
- Background Check
- Criminal
- Credit
- References
- Verify the Social
201Eliminate Fraudster Potential
- Background Check
- Driving Record
- The Education
- Professional Credentials
- Drug Testing
202Tips Employee Changes
- Attendance
- Tardiness
- Avoiding Others
- Bathroom Breaks
203Tips Employee Changes
- Listen
- Look
- Smell
- Observe
- Ask
204Top Ten Reasons Fraud Beats Internal Controls And
What Management Can Do About It?
205Fighting the Last War
- Accountants Too Often Allow Themselves To Focus
Almost Exclusively On Past Weaknesses Rather Than
On Current And Future Exposures (Like Putting Up
Traffic Signals Only After An Accident Occurs)
206Establish A System Of Proactive Fraud Policies
Don't Wait For Something To Pop Up!
- Use Of The Analytical Review
- Watch For Increasing Expenses, Increasing Receivables/Decreasing Cash, Increasing Revenue/Decreasing Cash
- Use Fraud Assessment Questions With Each Employee
207Establish A System Of Proactive Fraud Policies
Don't Wait For Something To Pop Up!
- Enforce A Mandatory Vacation Policy With A Senior Person Filling The Position For Several Days
- Enforce A Mandatory Job Rotation Policy
- Periodically, Stage A Surprise Audit Of Each Position
208Detection of Fraud Schemes
- Tip (46.2)
- By Accident (20)
- Internal Audit (19.4)
- Internal Controls (23.3)
- External Audit (9.1)
- Notified by Police (3.2)
209Control Related Policies
- Authorization
- Properly Designed Records
- Security Of Assets And Records
- Segregation Of Duties
- Periodic Reconciliations
- Periodic Verifications
- Analytical Review
210 1. Goin' Through the Motions
- Process Mentality
- Just Doing The Steps In The Process
- Not Thinking About What One Is Doing
- Example: Two Signatures Required On Checks. Both Check Signers Fail To Notice The Check Has No Payee And Still Sign The Check
- Remedy: Reinforce The Need To Pay Attention And The Consequences For Failure
211 2. See No Evil, Hear No Evil
- Blind Trust
- Failure To Acknowledge Warning Signals
- Example: Failure To Follow Up On A Customer Complaint Of An Incorrect Bill For Service And Relying On The Experienced And Valued Billing Clerk's Response That It Was Just An Error.
- Remedy: Realize That Anyone Can Commit Fraud. Assume Discrepancies Are Fraud And Prove To Yourself It Is Only An Error.
212 3. It's Good to be The King
- Positional Immunity
- Rationalizing That Controls Don't Apply To Me Because I Am In Upper Management.
- Often Referred To As Management Override.
- Example: Executive Director Doesn't Report Leave Used, But Still Gets Paid For Unused Leave Annually.
- Remedy: Identify Someone Within Or Outside The Entity That You Can Report These Circumstances To And Not Jeopardize Your Job.
213 4. New Kid on the Block
- Situational Incompetence
- New Employee Not In A Position To Question Why
- Example: New Accounts Payable Clerk Questions Why Purchases From A Certain Vendor Do Not Require Bids, And Is Told That Such Purchases Are Exempt.
- Remedy: If You Are The Supervisor, Don't Assume New Employee Just Doesn't Understand. Take Their Questions Seriously And Ask Yourself Why. If You Are The Employee, Ask More Than One Person.
214 5. Where's All the Time Gone?
- Workload Overload
- Not Enough Time To Perform Control Procedures
- Example: Knowing That The Supervisor Is Too Busy To Reconcile Accounts Receivable, A Billing Clerk Steals Cash And Posts Unauthorized Adjustments.
- Remedy: Reevaluate Assignment Of Duties, And When Needed, Demand More Resources By Focusing On The Consequences Of Fraud.
215 6. Can't We All Be Happy?
- Conflict Avoidance
- Responsible Employees Not Comfortable In Confronting Other Employees
- Example: A Supervisor Recognizes That The Cash Drawer Is Always Short At The End Of The Day, But Is Uncomfortable In Confronting The Employee.
- Remedy: Reinforce Supervisory Responsibilities. Provide Employee Management Training. Don't Tolerate Poor Performance.
216 7. Where's the Beef?
- Informational Restraint
- Responsible Employees Lack The Information They Need To Identify An Improper Transaction
- Example: An Accounts Payable Clerk Is Not Provided A Contract That Includes A Not-to-exceed Price Limit And Vendor Takes Advantage By Over-billing.
- Remedy: Reinforce With Employees The Openness And Availability Of Records And Information.
217 8. It's None of My Business
- Behavioral Ignorance
- Respo