Evaluating A Government

About This Presentation

Title:

Evaluating A Government

Description:

Evaluating A Government s Internal Controls and a Review of How Fraud Relates to Internal Controls Presented By Paul E. Glick Glick Consulting Group – PowerPoint PPT presentation

Number of Views:485

Avg rating:3.0/5.0

Slides: 222

Provided by: PaulE94

Learn more at: https://www.gasbo.org

Category:

more less

Transcript and Presenter's Notes

Title: Evaluating A Government

1
Evaluating A Governments Internal Controls and a
Review of How Fraud Relates to Internal Controls

Presented By
Paul E. Glick
Glick Consulting Group
Email pglick_at_mindspring.com

2
THE AGENDA

Introduction and Overview
What Are Internal Controls
Managements Objectives and Responsibilities
Who Is Responsible for Internal Controls?
What Types of Public Sector Fraud Exists?

3
The Agenda

Where is the Independent Auditor?
Internal Control Environment
Risk Assessment
Control Activities
Information and Communication (Step 4)
Monitoring

4
The Agenda

Evaluation Controls Over Accounting And Financial
Reporting
Other Internal Control Pitfalls

5
Seminar Objectives

Review The Framework And Concepts Of Internal
Controls
Relate These Concepts To Financial Cycles
(I.E., The Real World)
Understand Who Might Be Ripping Us Off

6
Factors Affecting our Current Environment
7
Factors Affecting our Current Environment

Global financial crisis
Uncertainty in unexpected places (Municipal Bond
Ratings)
Increased regulation and oversight (Tax Reform,
ARRA) leading to diminished control over revenues
Smaller staff due to budget cuts

8
Factors Affecting our Current Environment

Trends in the Audit Community
SAS 115 (documentation of internal controls and
communication with those in governance)
Risk Assessments
Fraud Risks
Oversight at the Federal Level
Transparency
COSO

9
Factors Affecting our Current Environment

Governments are being asked to do more with less
Money and human resources

10
The Nature of Fraud Industry

Fraud Can Be Explained By Three Key Factors
A Supply Of Motivated Offenders
The Availability Of Suitable Targets
The Absence Of Capable Guardians Or A Control
System To Mind The Store

11
The Nature of Fraud Industry

The Opportunity To Commit Conceal Fraud Is The
Only Element Over Which You Have Significant
Control.
What Are Some Of The Warning Signs?
What Can We Do About It?

12
A Survey Of Folks Regarding Fraud

31 of All Americans are Dishonest
Another 40 are Situationally Honest (i.e., they
will be honest if it pays to be honest and
dishonest if it pays to be dishonest)
200 Billion Employee Fraud Cost per Year
Compared to 11 Billion from Violent Crime
In Banks, 95 of Losses are from Employees and
5 are Caused by Bank Robberies
In Retail, 70 of Losses are from Employees and
5 are Caused by Shoplifters and Customers

13
Fraud and Abuse in The U.S.

U.S. Cost About 990 Billion A Year
Government And Public Administration Have A
Median Loss Of 93,000 Per Fraud Scheme
Average Organization Loses 7 Of Revenue
12 Of Cases In A Study Were Frauds That Occurred
In Government
Street Crime Only Costs The U.S. 4 Billion
Annually

14
The Facts

Fraud Schemes Frequently Continue For Years
Before They Are Detected
The Typical Fraud In The Study Lasted 2 Years
From The Time It Began Until It Was Discovered
Frauds Are Much More Likely To Be Detected By A
Tip Than By Audits, Controls Or Any Other Means
Lack Of Adequate Internal Controls Was Most
Commonly Cited As The Factor That Allowed Fraud
To Occur
Occupational Fraudsters Are Generally First-time
Offenders

15
What Is Fraud?

Its When Folks Are Ripping Off The Government In
Lots Of Different Ways
Fraud Is Like A Four Letter Word
Just Ignore It And It Will Go Away
It Will Never Happen To Us

16
Common Myths About Fraud

Most Folks Will Not Commit Fraud
Fraud Is Not Material
Most Fraud Goes Undetected
Fraud Is Well Concealed
Prosecuting Will Deter Others

17
Potential Cost Of Fraud

Lose The Confidence In The Government
Loss To The Reputation Of Innocent Third
Parties (I.E., The Remaining Staff)
Cost To The Perpetrator
The Public Loss

18
Potential Cost Of Fraud

Diversion Of Public Resources From Intended
Purpose
Loss Of Money, Assets And Time
Embarrassment, Guilt, Humiliation And Shame
Subsequent Management Decisions Are Reviewed
Under A Microscope
Any Investigation Turns The Government Or Agency
Inside Out

19
Personal Rip Offs For Glick

Send Banking Information
Bank of America
Wachovia Bank
TCF Bank
HSBC Bank
Catawba Valley Bank
Regions Bank
Bank of the West
Washington Mutual
Bank Financial
Huntington Bank
Smith Barney

20
Personal Rip Offs For Glick

Frank Senger - 20.5 Million
Chief Adeniran Aderogba - 10 Million
Dr Sikas Usman - 30 of 45.8 Million
Dr.Ahmed Kassim - 10.5 Million
Miss Caroline Williams 30 Of 16.5 Million
Mr Jack Chow No Amount
Jim Mcconville - 20 Million British Pounds

21
Personal Rip Offs For Glick

Richard H Mason 10 On All Payments Made
Mr. Brendon Hopkins 30 Of 26.5 Million
British Pounds (Twice)
Mr. Mark Johnson Lottery - 2.5 Million British
Pounds
Mr.Carlos Moreno 50 Of 34.5 Million
Miss Joyce Awuse - 5.5 Million
Irs - 109.30
Dr Dansuki Dan - 25.5 Million

22
Session 2

What Are Internal Controls

23
What Are Internal Controls?

To put it simply, internal controls are an
exercise of common sense. You are practicing good
internal controls when you?
Balance your checkbook
Keep your ATM/debit card pin number separate from
your card
Keep copies of your tax return
Compare your monthly credit card statement to the
credit card receipts
Lock your car doors

24
What Are Internal Controls?

Internal Control Is A Process, Affected By
Management And Other Personnel, Designed To
Provide Reasonable Assurance Regarding The
Achievement Of Objectives In The Following
Categories
Effectiveness And Efficiency Of Operations
Reliability Of Financial Reporting
Compliance With Laws And Regulations

25
What Are Internal Controls?

Internal Control Consists Of Five Interrelated
Components That Affect Each Of The Three
Categories

26
What Are Internal Controls?

Internal control is a process. It is a means to
an end, not an end itself.
Internal control is effected by people.
Its not merely policy manuals and forms, but
people functioning at every level of the
institution.

27
Limitations on Internal Controls

Considerations Of Costs Will Prevent Management
From Ever Installing A Perfect System
Controls Are Potentially Subject To Management
Override
Risk Of Collusion

28
Applying the COSOFramework

Committee of Sponsoring Organizations of the
Treadway Commission
www.coso.org

29
Who Are The Organizations

American Accounting Association
American Institute of Certified Public
Accountants
Financial Executives International
Institute of Management Accountants
The Institute of Internal Auditors

30
COSO Internal Control Integrated Framework

Established A Common Definition Of Internal
Control
Provides A Standard Against Which A Government
Can Assess Their Control Systems And Determine
How To Make Improvements

31
Internal Control Components

Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

32
Internal Control Components

Internal Control Components Interact With
Operations
Financial Reporting
Compliance

33
Evaluating Internal Controls

Often, Evaluations Are Piecemeal Approaches To
The Task
Internal Controls Are Not Isolated And Are
Related To One Another

34
Internal Controls Are Actually

A Coordinated Set Of Policies And Procedures That
Reflect A Comprehensive Strategy For Achieving
Managements Objectives

35
Assessing The Internal Control Framework

Provides A Favorable Control Environment.
Continually Assesses Risk.
Establishes And Maintains Effective Control-
Related Policies And Procedures.
Effectively Communicates Information.
Monitors The Effectiveness Of Control Policies
And Procedures And The Resolution Of Potential
Problems Identified By Controls.

36
A Basic Rule

More Is Not Better
The Cost Of Excessive Or Redundant Controls Could
Exceed The Benefits
Employees May View Controls As Unnecessary Red
Tape

37
Why Are Internal Controls So Important?

Because The Prevention Of Fraud Is Critical And
Costs Are High

38
Session 3

MANAGEMENTS OBJECTIVES AND RESPONSIBILITIES

39
MANAGEMENTS RESPONSIBILITIES AND THE INTERNAL
CONTROL FRAMEWORK

EFFECTIVENESS
EFFICIENCY
COMPLIANCE
FINANCIAL REPORTING

40
EFFECTIVENESS

DETERMINES WHETHER THE GOVERNMENT AND ITS
DEPARTMENTS ARE MEETING THEIR OBJECTIVES
GOALS AND OBJECTIVES IDENTIFIED IN BUDGETARY
PROCESS
FOCUSES ON RESULTS RATHER THAN EFFORTS
INCLUDE OUTPUTS - HOW MUCH OF GOODS AND
SERVICES ARE PROVIDED
INCLUDE OUTCOMES - WHAT IS THE QUALITY OF GOODS
OR SERVICES TO BE PROVIDED

41
EFFICIENCY

MAKING OPTIMAL USE OF THE RESOURCES MADE
AVAILABLE
OBTAINING DESIRED RESULTS WITH THE LEAST
EXPENDITURE OF RESOURCES
MEASURES COSTS (I.E., EFFORT) TO RESULTS (I.E.,
EFFECTIVENESS)

42
COMPLIANCE

ANNUAL APPROPRIATED BUDGET
GRANTOR REQUIREMENTS
STATE OVERSIGHT REQUIREMENTS
IRS REQUIREMENTS
BOND COVENANTS
LOCAL LAWS AND REGULATIONS

43
FINANCIAL REPORTING

INTERNAL FINANCIAL REPORTING
EXTERNAL FINANCIAL REPORTING
- SPECIAL PURPOSE
- GENERAL PURPOSE
- CAFR

44
Session 4

Who Is Responsible For Internal Controls?

45
Who is Responsible for Internal Controls?

Everyone has a part in the internal control
system.
The roles vary depending upon what level of
responsibility and the nature of involvement by
the individual.

46
Who is Responsible for Internal Controls?

Managers and supervisors are responsible for
ensuring that internal controls are established
and functioning to achieve the mission and
objectives of their unit.
Each employee within an area should be made aware
of proper internal control procedures associated
with their specific job function.

47
Is This Just A Problem For The Finance Office?

Most Folks Think This Is Finances Problem
But Not Really
However, We Are Emphasizing the Finance
Department In This Seminar

48
Managements Responsibilities And The Internal
Control Framework

Any Entity, Be It A Government, A Business Or A
Nonprofit Organization, Exists To Achieve Some
Purpose
It Is The Role Of Management To Provide The
Leadership Needed For An Entity To Realize That
Purpose

49
Managements Responsibilities And The Internal
Control Framework

Furthermore, Management Is Not Free Simply To Act
In Any Way It Might Choose To Achieve The
Entity's Goals
Management's Options And Actions Are
Circumscribed By Constraints And Expectations,
Both Implicit And Explicit.

50
Responsibility For Internal Controls

Management Is Primarily Responsible For The
Effectiveness Of Internal Controls, Like Any
Other Aspects of Performance
A Side Note - Authority And Responsibility Should
Not Be Separated

51
Responsibility For Internal Controls

Management Is Subject To Oversight By The
Governments Elected Officials
The Governing Body Is Ultimately Responsible
Internal And External Auditors Can Assist
Management

52
Responsibility For Internal Controls

This Stuff Is Not Something Different From
Your Basic Responsibilities As Leaders And As
Fiduciaries

53
Basic Management Responsibilities

Achieving The Governments Purpose
(Effectiveness)
Making Optional Use Of Scarce Resources
(Efficiency)
Observing Restrictions On The Use Of Resources
(Compliance)
Periodically Demonstrating Accountability For
Stewardship Of Resources Place In The Care
(Reporting)

54
Session 5

What Types of Public Sector Fraud Exists

55
Profile of Fraud Perpetrator

Male Or Female (White Males Over 60?)
No Prior Criminal History (lt8)
Well Liked By Co-workers
Likes To Give Gifts/Compulsive Shopper
Gambling Problems Not Unusual
Long-term Employee
Rationalizes Starts Small Or Borrows
Lifestyle Clues

56
General Observations Of A Fraudster

Male
Intelligent (Bored With The Job Routine)
Egotistical (Scornful Of Obvious Control Flaws)
Inquisitive (E.G., Tempted By The Discovery Of
A Computer Vulnerability)
A Risk Taker
A Rule Breaker
A Hard Worker
Under Stress
Disgruntled At Work

57
The Fraud Triangle
Exacerbated in Economic Downturn

Perceived Opportunity
To Commit Fraud

Perceived Pressure
Facing Individual

Persons Rationalization Or Integrity
58
Conditions Present When Fraud Occurs

Incentive/Pressure
Opportunity
Attitude and Rationalization

59
Causes Of Fraud

Character And Personality
Financial Stress
-- Addiction
-- Disaffection
-- Pathologies
Perceived Opportunity
- Permits Fraud
- Promotes Fraud

60
Why Folks Commit Fraud

Grumpy Gus
Stressed Sally
Pill poppin Paula
Never goes home Ned

61
Why Folks Commit Fraud

Extravagant Ellen
Over-spent Ollie
Lotto Larry
Compulsive Connie

62
Who Commits Fraud?

Fraud Losses Caused By Managers And Executives
Were 16 Times Greater Than Those Caused By
Non-managerial Employees.
Losses Caused By Men Were Four Times More Those
Caused By Women.
Those 60 And Older Were 28 Times Those Caused By
Perpetrators 25 Or Younger.

63
Generally, What is the Goal of A Fraudster?

Cash, Cash, Cash

64
Types Of Public Sector Fraud

Receipts Fraud
Disbursements Fraud
Assets Fraud

65
Cash Schemes

Stealing Cash Funds Processed Or On Hand
Not Recording Stealing The Cash Receipts
Under Ringing Stealing The Difference In Cash
Receipts
Altering Bank Deposits

66
Receipts Fraud

Lapping Too Much Work!
Kiting Bank Deposit Schemes
Granting Bogus Credit Memos
Forging Check Received

67
Receipts Fraud

Duplicate Payments
Charge Off Fraud Bogus Write-offs
Disposal Fraud
Credit Card Manipulation

68
Disbursements Fraud

Personal Bills
Bid Rigging
False Claims (Fictitious Suppliers, Kickbacks)
Conflict of Interest

69
Disbursements Fraud

Travel Claim Fraud
Procurement and Credit Cards

70
Payroll and Benefits Fraud

Ghost Employees
Unclaimed Payroll Checks
Excess Payroll Payments (Falsifying Time Cards)
Withholdings and W-2s
Vacation and Sick Pay

71
Theft Of Assets Fraud

Petty Cash Fraud
Cash Register Theft
Consumable Inventory Theft
Capital Asset Theft
Using Assets For Personal Use

72
Red Flags

A Red Flag Is
A Set Of Circumstances That Are Unusual In Nature
Or Vary From The Normal Activity.
A Signal That Something Is Out Of The Ordinary
And May Need To Be Investigated Further.
Not About Guilt Or Innocence But Merely Provides
Possible Warning Signs Of Fraud.

73
Red Flags

Do Not Ignore A Red Flagstudies Of Fraud Cases
Consistently Show That Red Flags Were Present,
But Were Either Not Recognized Or Were Recognized
But Not Acted Upon By Anyone.
Sometimes An Error Is Just An Errorred Flags
Should Lead To Some Kind Of Appropriate Action,
I.E. An Investigation By A Measured Responsible
Person, But Sometimes An Error Is Just An Error
And No Fraud Exists

74
Employee Red Flags

Employee Lifestyle Changes
High Employee Turnover
Significant Personal Debt And Credit Problems
Refusal To Take Vacation Or Sick Leave
Behavioral Changes
Lack Of Segregation Of Duties In A High-risk
(Vulnerable) Area

75
Employee Red Flags

Reluctance To Provide Information To Auditors
Photocopied Or Missing Documents
Weak Internal Control Environment
Unexpected Overdrafts Or Declines In Cash
Balances
Decisions Dominated By An Individual Or Small
Group

76
Employee Red Flags

Excessive Number Of Year-end Transactions
Management Displays Significant Disrespect For
Regulatory Bodies
Excessive Number Of Or Frequent Changes In
Checking Accounts
Accounting Personnel Are Lax Or Inexperienced

77
Employee Red Flags

High Employee Turnover Rate
Compensation Is Out Of Proportion
Decentralization Without Adequate Monitoring
Frequent Changes In External Auditors

78
Red Flags in Cash

Excessive Number Of Voids
Presence Of Personal Checks In Petty Cash
Unauthorized Bank Accounts
Excessive Or Unjustified Cash Transactions
Large Number Of Account Write-offs
Sudden Activity In A Dormant Account

79
Red Flags in Payroll

Inconsistent Overtime Hours For A Cost Center /
Department
Overtime Charged During A Slack Period
Overtime Charges For Employees Who Normally Would
Not Have Overtime Wages
Budget Variations For Payroll By Cost Center /
Department
Employees With Duplicate Social Security Numbers,
Names, And Addresses
Employees With Few Or No Payroll Deductions

80
Red Flags in Procurement

Increasing Number Of Complaints About Services
Vendors Without Physical Address
Lack Of Physical Security Over Assets / Inventory
Payments To Vendors Not Included On An Approved
Vendor List
Vendor Address Matching Employee Address

81
Red Flags in Procurement

Purchases That Bypass Normal Procedures
Charges Without Shipping Documents
Vendor Payments Picked Up Rather Than Having It
Mailed
High Volume Of Purchases From New Vendors

82
Profiles of an Government At Risk

Less Than 100 Employees.
Management Ignores Irregularities.
High Turnover With Low Morale.
Staff Lacks Training

83
Session 6

Where Is The Independent Auditor?

84
The Independent Auditor

Once The Independent Auditor Is Finished With The
Annual Audit, Can Everyone Relax And Assume That
No One Got Us This Year?
Of Discovered Fraud, the Independent Auditor Only
Finds about 9

85
Why Do Auditors Fail To Detect Fraud?

Lack of Training
Accept any Reasonable Explanations
Going Through the Process of Ticking and Tying
Numbers
They May Not Want to Find Fraud, It Causes
Problems
They May Be Embarrassed
Not Enough Time Budgeted for the Audit

86
Types of Audits

Financial Audits
Performance Audits

87
The Independent Auditor

The Auditor Reports On The Adequacy Of Existing
Controls Within The Government
The Auditor Must Carefully Evaluate The Internal
Control System As A Basis To Determine The Degree
Of Audit Procedures Necessary In The Circumstances

88
New Statements on Auditing Standards

A Few Years Ago, The Rules For Auditors Were
Changed And Expanded Substantially

89
What Created The Need?

Corporate Fraud In The Roaring 90s Which
Became Known In The Early 2000s
Sarbanes Oxley Act Of 2002 (Private Sector)
Required Additional Internal Controls By
Management
Created A New Agency (PCAOB) To Closely
Scrutinize Public Company Audits
Removed The AICPA From Any Authority For Public
Company Audit Standards And Peer Review

90
A New Audit Approach

A Risk Based Audit
The Government Must Identify Key Internal
Controls That Relate To High Risk Areas
Some of the Areas Might Include
Cash
Investments
Budget
Revenue Receipts
Expenditures
Payroll
Consumable Inventories
Capital Assets
Grants

91
Do the Auditors Look At Everything?

Auditors Obtain Reasonable Assurance, Not
Absolute Assurance
Materiality
The Single Audit
The Auditor May Report on Compliance and Internal
Controls
Major Federal Awards

92
Internal Audit Function

Management Can Improve The Quality Of The
Environment By Establishing An Internal Audit
Function
Report Directly To Top Management (Or The
Elected Officials?)
Monitoring The Effectiveness Of Control Related
Policies And Procedures

93
Internal Audit Function

Internal Auditors Can Be Of Great Value To State
And Local Governments In A Variety Of Ways.
In Particular, They Commonly Assist Management In
Monitoring The Design And Proper Functioning Of
Internal Control Policies And Procedures.

94
Internal Audit Function

In This Capacity, Internal Auditors Themselves
Function As An Additional Level Of Control And So
Help To Improve The Governments Overall Control
Environment.
Internal Auditors Also Can Play A Valuable Role
Conducting Performance Audits, As Well As Special
Investigations And Studies

95
Internal Audit Considerations

Dont Let The Audit Function Become A Political
Football
Dont Promise The Moon
Dont Let The Auditors Become Free Roaming
Chickens.
Dont Fly By The Seats Of Your Pants

96
Internal Audit Considerations

Dont Use The Shotgun Approach To Scoping An
Audit
Never Leave A White Elephant In The Auditees
Office.
Dont Count Your Chickens Before They Hatch.
Never Assume The Auditee Fixed The Problem.

97
GFOA Recommendations

Every Government Should Consider The Feasibility
Of Establishing A Formal Internal Audit Function
Because Such A Function Can Play An Important
Role In Helping Management To Maintain A
Comprehensive Framework Of Internal Controls.
As A Rule, A Formal Internal Audit Function Is
Particularly Valuable For Those Activities
Involving A High Degree Of Risk (E.G., Complex
Accounting Systems, Contracts With Outside
Parties, A Rapidly Changing Environment).

98
GFOA Recommendations

If It Is Not Feasible To Establish A Separate
Internal Audit Function, A Government Is
Encouraged To Consider Either
1) Assigning Internal Audit Responsibilities To
Its Regular Employees Or
2) Obtaining The Services Of An Accounting Firm
(Other Than The Independent Auditor) For This
Purpose

99
GFOA Recommendations

The Internal Audit Function Should Be Established
Formally By Charter, Enabling Resolution, Or
Other Appropriate Legal Means
It Is Recommended That Internal Auditors Of State
And Local Governments Conduct Their Work In
Accordance With The Professional Standards
Relevant To Internal Auditing Contained In The
U.S. General Accounting Offices Publication
Government Auditing Standards, Including Those
Applicable To The Independence Of Internal
Auditors

100
GFOA Recommendations

At A Minimum, The Head Of The Internal Audit
Function Should Possess A College Degree And
Appropriate Relevant Experience.
It Also Is Highly Desirable That The Head Of The
Internal Audit Function Hold Some Appropriate
Form Of Professional Certification (E.G.,
Certified Internal Auditor, Certified Public
Accountant, Certified Information Systems
Auditor) And
All Reports Of Internal Auditors, As Well As The
Annual Internal Audit Work Plan, Should Be Made
Available To The Governments Audit Committee Or
Its Equivalent.

101
Goals Of Audit Committee

Ensure That Management Is Maintaining A
Comprehensive Framework Of Internal Control
Ensure That Managements Financial-reporting
Practices Are Assessed Objectively
Determine That The Financial Statements Are
Properly Audited And That Any Problems Disclosed
In The Course Of The Audit Are Satisfactorily
Resolved

102
Key Benefits

Practical Tool For Focusing Board Attention
Direct Communications Link Between The
Independent Auditors And The Governing Body
Forum In Which The Independent Auditors Can
Candidly Discuss Audit-related Matters With
Members Of The Governing Board Apart From
Management

103
Applicability to Small Governments

Smaller Governments Have The Same Basic
Responsibility As Larger Governments
An Audit Committee Is Just As Necessary For Both

104
Level Of Expertise Needed OfMembers

Sufficient Understanding To Perform Duties With
Expert Assistance (I.E., Financial Expert)
New Or Prospective Members Typically Should
Receive Some Brief Formal Training
Role Of The Audit Committee
Their Personal Responsibility As Audit Committee
Members
Training Should Underscore Professional
Skepticism In Dealing With Management

105
Relationship With Independent Auditors

Auditors Report Directly To Audit Committee
Provision To Meet Privately
Amend Sunshine And Open Meetings Laws
Accordingly

106
Relationship With Independent Auditors

Two Views
Traditional
Internal Auditors/Management As Audit
Committee/Governing Body
Emerging
Completely Independent Of Management
Trade-off
Management Involvement And Cooperation V.
Independence

107
Basic Tasks

Determining The Scope Of The Audit
Determining The Scope Of Nonaudit Services
Managing The Audit Procurement Process
Selecting The Independent Auditors
Reviewing The Financial Statements

108
Basic Tasks

Reviewing The Auditors Report
Reviewing The Comprehensive Framework Of Internal
Control
Assessing The Performance Of The Independent
Auditors
Providing An Independent Forum For Findings Of
Fraud, Abuse, Or Control Override

109
Session 7

The Internal Control Environment

110
The Control Environment

Sets The Tone For The Government
Influences Control Consciousness
Foundation For All Other Control Components
Includes Integrity, Ethical Values, Competency,
Managements Philosophy, And The Way Authority
And Responsibility Is Assigned

111
The Control Environment

Corporate Culture (Enron) (A 60 Page Code of
Ethics)
Does Management Believe That Internal Controls
Are Important To Achieving Its Goals And
Objectives?
Does Management View Internal Controls As An
Obstacle To Achieving Its Goals And Objectives?

112
The Control Environment

Who Knew Who They Were? There Was No Place For
Me To Voice My Concerns, Either To The Internal
Audit Function Or The Audit Committee. Remember,
I Was Not In The Accounting Department. But Even
If I Were, I Think I Would Have Known It Would
Have Been Fruitless, Because I Would Have Had
Access To Junior Auditors Who Were Simply Not In
The Position To Raise The Flags That Would Have
Hurt Their Senior Auditors And Account
Executives.
Sherron Watkins
Enron Corporation

113
The Control Environment

The Way We Do Things Around Here
Sets The Tone Of The Government, Influencing The
Control Consciousness Of Its Staff

114
Managements Attitude

What Is The Tone At The Top?
- Management
- Elected Officials
Will Management Allocate Resources To Internal
Controls?
Are There High Ethical And Professional
Standards?
Does Management Cut Corners?

115
The Typical Environment in Which Fraud Occurs

Trust Is Placed In Employees
Employees Have Detailed Knowledge Of The
Accounting Systems And Their Weaknesses
Management Domination Subverts Normal Internal
Controls

116
The Typical Environment in which Fraud Occurs

Management Adds Pressure To Make The Numbers
Expected Moral Behavior Is Not Communicated To
Employees
Unduly Liberal Accounting Practices

117
The Typical Environment in which Fraud Occurs

Ineffective Or Nonexistent Internal Auditing
Staff.
Lack Of Effective Internal Controls.
Poor Accounting Records.
Related Party Transactions.
Incomplete And Out Of Date Procedural
Documentation.
Management Sets A Bad Example.

118
Practical Application - Control Environment

Establish Current Policies With Regard To Ethical
Behavior (Code Of Conduct), Conflict Of Interest,
Nepotism
Enforce Appropriate Discipline For Failure To
Comply With These Policies
Ensure Personal Adherence To Strong Moral Code
Reward Competency

119
Practical Application - Control Environment

Place High Degree Of Importance On Maintaining
Strong Internal Control
Provide For A Whistle Blower Policy That Allows
Employees And Others To Report Fraud Or False
Statements By The Management Team

120
Impact of the Control Environment

Dont Underestimate The Importance Of This Part
Of The Control System.
All The Great Control Activities In The World
Will Not Be Effective If Employees Know That
Management Is Not Concerned With Strong Internal
Control, Lacks Integrity Or Does Not Value Their
Employees

121
Control Environment Pitfalls

Ignoring The Tone That Management Sets Or
Thinking That The Control Environment Is Not
Important.
Inconsistency In Treatment Of Lapses In Ethical
Conduct.
Allowing Employees To Feel Devalued.

122
Maintaining A Qualified Staff

Competent And Honest Staff
Up To Date Job Descriptions
Follow Appropriate Hiring Policies (E.G., Not
Hiring A Relative Or A Buddy)
Assign Authority And Responsibility
Ensure That Employees Are Trained
Review And Document Performance
Set Appropriate Performance Goals For Promotion

123
Session 8

Risk Assessment

124
What Is Risk Monitoring And Assessment?

The Governments Identification And Analysis Of
Relevant Risks To Achieve It Objectives, Forming
A Basis On How They Should Manage The Risks

125
Risk Assessment

Risks Result From Both External And Internal
Sources
These Change Over Time Based On Economic,
Regulatory, And Operating Conditions
Risk Assessment Must Link Identified Policy
Objectives To Specific Risk Factors

126
Risk Assessment

Example A Policy Of Receiving The Highest Rate
Of Return On Investments Must Be Linked To
Interest Rate Risk
Example A Policy Of Allowing Payment From
Vendor Statements Rather Than Original Invoices
Only Must Be Linked To The Risk Of Duplicate
Payments

127
Risk Assessment

Example A Policy Of Decentralized Cash Receipts
Must Be Linked To The Risk Of Untimely Deposit
And Recording To The General Ledger.

128
Risk Assessment

Risk Assessment Must Also Link Identified Control
Objectives To Specific Risk Factors
All Transactions Are Properly Authorized
Transactions Are Recorded In The Correct Period
For The Correct Amount
All Revenues Are Received And Recorded Timely
Assets Are Not Stolen Or Lost

129
Risk Assessment

Risk Factors Are Created By
The Nature Of Particular Accounts Or Transactions
Turnover In Key Employee Positions
Changes In The Financial Markets
The Expertise Of The Personnel Handling
Transactions
Ineffective Or Poorly Designed Control Activities

130
Practical Application - Risk Assessment

Be Realistic About The True Risk With Regard To A
Particular Account Or Cycle Of Transactions
Consider All Types Of Applicable Risk Inherent,
Control Risk, Fraud Risk, Credit Risk, Etc
Make Sure To Address IT Risk
Identify What Could Go Wrong?

131
Risk Detection

It Is Like A Physician
It Is Like An Attorney
Prevention And Quick Corrective Action

132
Inherent Risk

It Is Life!

133
Inherent Risk

Complexity
Cash Receipts
Direct Third Party Beneficiaries
Degree Of Centralization
Prior Problems
Prior Unresponsiveness To Identify Control
Weaknesses

134
Effect Of Change On Risk Management

Changes In The Environment
Changes In Personnel
Changes In Technology
Rapid Growth
New Programs And Services
Changes In Structure

135
What Could Go Wrong?Example Cash Disbursements

Payments Could Be Made To Fictitious Vendors
Disbursements Could Be Made For The Wrong Amount
Duplicate Payments Could Be Made On An Invoice
Disbursements Could Be Recorded In The Wrong
Period

136
What Could Go Wrong?Example Investments

Excessive Transaction Fees Could Be Charged To
The Government.
Investments Held By The Government Could Be
Stolen (Certificates Of Deposit).
Investments Outside The Governments Risk
Tolerance Could Be Purchased And Result In Loss
Of Principal.

137
What Could Go Wrong?Example Cash Receipts

Funds Received Could Be Credited To The Wrong
Customer Account
Cash Could Be Stolen By An Employee
Amounts Received Could Be Recorded Net Rather
Than Gross
Amounts Receivable May Never Be Collected Due To
Failure To Follow On Past Due Amounts

138
Risk Matrix Cash Receipts
139
Practical Application - Risk Assessments

Risk Assessments Can Be Documented Via Narrative,
Checklist Or Matrix
Tools Available Include
COSO Documents Available Via AICPA
PPC Checklists Or Other Auditor Utilized
Templates
Local Government Websites (Perform Google Search
For Government Internal Control)

140
Practical Application - Risk Assessments

Remember That Use Of A Third Party Does Not
Eliminate Managements Responsibility For
Assessing Risks.
Structure Of Agreement Is Important
Obtain SAS 70
Reconcile Reports To General Ledger (As
Applicable)

141
Practical Application - Risk Assessments

Remember That IT Controls Can Affect Risk For All
Cycles Of Transactions. Well Designed Internal
Controls Can Be Made Ineffective By Poor Controls
Over IT.
System Log-in Should Mirror Job Responsibilities
Passwords
Remove Temporary Access Granted Once No Longer
Appropriate

142
Risk Assessment Pitfalls

Trying To Identify A Control For Every Risk
Factor.
Ignoring The Possibility Of Existing Compensating
Controls.
Not Performing A Risk Assessment Annually Or At
Least When Key Factors Have Changed (Regulatory,
Employee Turnover, Etc.)
Ignoring It Controls.

143
Session 9

Control Activities

144
Control Activities

The Policies And Procedures That Ensure
Managements Directives Are Followed
These Occur At All Levels Throughout The
Organization
Include Approvals, Authorizations,
Verifications, Reconciliations, Security Of
Assets, Segregation Of Duties And Review Of
Operating Performance

145
Practical Application - Control Activities

Address Control Objectives Existence Or
Occurrence, Completeness, Valuation Or
Allocation, Rights And Obligations, Accuracy Or
Classification, Cutoff And Presentation And
Disclosure
Tie Control Activities To Risks Previously
Identified And Address What Could Go Wrong
Scenarios
Balance Cost And Benefit

146
Practical Application - Control Activities

Identify Control Objectives And The Risks Of What
Could Happen
For Each Risk Factor Identified, Evaluate The
Potential Impact And Probability Of Occurrence
Design Control Activities To Address High Impact,
High Probability Concerns
Evaluate Annually

147
Risk Matrix

Cash Receipt Example

148
Risk Matrix

Cash Disbursements Example

149
Practical Application - Control Activities

It Is Not Necessary To Address Every Risk Factor
With A Specific Control Activity Focus On Key
Areas
Utilize Compensating Controls Where Textbook
Approach Is Not Practical
Evaluate The Benefit Of Existing Monitoring
Controls

150
Risk Matrix

Cash Disbursements Example

151
Key Control Activities

Address Unusual Transactions Or Variance From
Expected Benchmarks In Timely Fashion
Reconcile Accounts Per General Ledger To
Subsidiary Ledgers Or Statements From
Trustee/Custodian (As Applicable)
Separate Initiation And Authorization From
Recording Of Transactions

152
Key Control Activities

Provide For Oversight By Interested Party Such As
Investment Committee (Include Trustee Activities)
, Audit Committee Or Citizens Group
Utilize Disclosure Checklist To Ensure
Presentation And Disclosure Requirements Are Met

153
Control Activities Pitfalls

Remember That For Small Governments Key
Objectives Must Be Identified
Reducing The Risk Of Theft Or Fraud
Providing For Accountability
Ensuring Compliance With Regulations
Focus On True Effectiveness Not Just Cookie
Cutter Approaches
Ensure Benefit Justifies The Cost

154
Session 10

Information and Communications

155
Information and Communication

Includes Both Internal And External Interaction
Requires Pertinent Information To Be Identified,
Captured And Communicated In A Form And Timeframe
For Employees To Carry Out Their Responsibilities
Reports Must Contain Relevant Operational,
Financial And Compliance Information

156
Practical Application - Information and
Communication

System Generated Reports Must Include Relevant
Information
Statements From Outside Third Parties
(Broker/Dealers, Bank Statements, Grantor Agency)
Must Be Channeled To Correct Personnel And
Provided Timely

157
Information And CommunicationExample Investments

Communication With Investment Committee Or Other
Oversight Body Should Include
Types Of Investments Held
Average Rate Of Return For Period And YTD
Compared With Benchmarks
Average Maturity Of Portfolio
Compliance With Investment Policy Provisions

158
Information and CommunicationExample
Investments

Communication With Investment Committee Or Other
Oversight Body Should Also Include
Changes In Investment Strategy (If Any)
Interest Rate Environment Changes
Discussion Of Any Unusual Transaction Or
Particularly Risky Investment

159
Information and CommunicationExample Cash
Disbursements

Communication With Departments
Budget To Actual Report By Budgeted Line
Request To Explain Certain Variances
Detail Of Capital Assets Added To Subledger
Communication With Council
Budget To Actual Comparison By Department
Explanations For Variances Over A Certain
Threshold

160
Information and CommunicationExample Cash
Receipts

Daily Cash Reports Should Show Revenue By Major
Categories Such That Reconciliation To The
General Ledger Is Facilitated.
The Date Of Receipt And Date Of Deposit Should Be
Included Along With The General Ledger And Bank
Account Information.

161
Information And Communication Pitfalls

Generating Reports That Provide Inaccurate,
Untimely Or Unnecessary Information
Providing Inappropriate Information Outside The
Organization (SS , Employee Evaluations)
Failure To Verify Accuracy Of Externally Provided
Reports

162
Session 11

Monitoring

163
Monitoring

Assessing The Quality Of The Internal Control
System And Making Modifications As Needed
This Process Is Ongoing Through The Normal Course
Of Operations And At Separate Specific
Evaluations Of A Particular Process

164
Monitoring

COSO Framework States That Monitoring Ensures
That Internal Control Continues To Operate
Effectively.
The COSO Framework Recognizes That Risks Change
Over Time And That Management Needs To Determine
Whether The Internal Control System Continues To
Be Relevant And Able To Address New Risks.

165
Monitoring

The Original COSO Report On Internal Controls Was
Issued In 1992.
In 2009, COSO Issued Guidance On Monitoring
Internal Control Systems
Emphasized Importance Of Monitoring Controls As
Part Of Even Small Government Environments.

166
Monitoring

Monitoring Is Both An On-going Process And Can Be
Annual In Nature (Testing Of Key Controls)
Process Can Be Done Annually By The Internal
Audit Department (As Applicable) Or As An
Internal Review By Finance Personnel.

167
Practical Application Examples of Monitoring

Cash Receipts
Performing A Review Of Bank Reconciliations On A
Monthly Basis And Signing Off As Having Reviewed
These.
Monthly Comparison Of Actual Receipts To Budgeted
Receipts And Investigation Of Significant
Discrepancies.
Annually Selecting A Few Transactions To Ensure
Proper Recording.

168
Practical Application Examples Of Monitoring

Cash Disbursements
Performing A Review Of Bank Reconciliations On A
Monthly Basis And Signing Off As Having Reviewed
These.
Monthly Comparison Of Cash Disbursements To
Budgeted Expenditures/Expenses And Investigation
Of Significant Discrepancies.

169
Practical Application Examples Of Monitoring

Cash Disbursements
Reconciliation Of P-card Purchases By Someone
Other Than The Card Holder
Annual Test Of A Selection Of Transactions For
Proper Recording.

170
Practical Application Examples of Monitoring

Investments
Performing Investment Portfolio Review (Including
Evaluation Of Concentration And Type Of
Investments) Quarterly By Person Independent Of
Investment Portfolio Management
Disclosure Of Conflict Of Interest Statement
Annually By Portfolio Manager
Obtaining A SAS 70 Report From Custodian Annually

171
Practical Application - Monitoring

Controls Will Change As The Makeup Of An Account
Changes
Controls Should Be Evaluated When There Are
Changes In Key Personnel Or Software Applications
Be Responsive To Information Requests Of Key
Management Personnel
Review Polices And Procedures Annually

172
Monitoring Pitfalls

Failure To Perform Any Monitoring Control
Activities.
Overkill For The Organizations Size. One Or Two
Key Data Cycles Or Areas Can Be Selected Each
Year For Testing Of Controls.
No Attempt To Actually Test Key Controls In Some
Fashion.
Failure To Evaluate Controls When Personnel Or
Software Changes.

173
Session 12

Evaluation Controls Over Accounting And Financial
Reporting

174
Know Where To Start

Identify Control Cycles
Basic Control Cycles
- Obtaining Resources
- Applying Resources

175
Identify Control Cycles

It Is Easy For Management To Be Daunted By The
Sheer Volume And Complexity Of Controls Over
Accounting And Financial Reporting.
Accordingly, The First Step In Evaluating These
Controls Is To Know Where To Start.
The Best Place To Begin Is By "Breaking Down"
What A Government Does Into Manageable Groupings
Of Similar Or Related Activities, Commonly Known
As "Control Cycles."

176
Obtaining Resources

The Resources Inflows Control Cycle
- Obtaining Legal Claim (Levy The Tax, Provide
The Service)
- Demanding Payment (From Taxpayers, Customers
And Grantors)
- Converting To Cash (Collect)

177
Applying Resources

The Resources Outflows Control Cycle
Applying Resources (Issue Purchase Orders,
Approve Contracts, Hire Employees, Award Grants)

178
Applying Resources

The Resources Outflows Control Cycle
- Ensuring Conditions Met (Receipt Of Goods Or
Services, Compliance With Grant Requirements)
- Making Cash Payments

179
Applying Resources

The Resources Outflows Control Cycle
- Making Cash Payments

180
Interim Management

Governments Are Not Able To Apply Immediately All
Of The Resources They Obtain.
Rather, There Will Be A Greater Or Lesser
Interval Between When Resources Are First
Obtained And When Those Resources Are Finally
Converted Into Goods And Services
During This Interval, A Government Must
Carefully Manage The Resources Entrusted To Its
Care.

181
Interim Management

First, Liquid Resources (E.G., Cash) Must Be
Properly Protected And Used To Best Advantage
Until Needed (I.E., Invested Or Placed On
Deposit).
Second, Non Liquid Assets Used In The Provision
Of Services (E.G., Equipment, Inventories Of
Supplies) Must Be Properly Protected And
Maintained.
When Both Of These Processes Are Combined
Together, The Result Is A Third Control Cycle For
"Resource Management."

182
Seven Important Steps

Vulnerability Assessment
Documenting Transactions
Identifying Specific Risks
Identifying Compensating Controls

183
Seven Important Steps

Evaluating The Design Of Comensating Controls
Testing Compensating Controls
Assessing The Results Of Testing

184
Session 13

Control Cycles
A Final Review

185
Cash Controls

Collection Controls
Disbursement Controls
Custody Controls
Accounting Controls
Reconciliation Controls

186
Investments Controls

Segregation of Duties
Procedural Controls
Custody Controls
Accounting Controls

187
Capital Asset Controls

Segregation of Duties
Procedural Controls
Authorization Controls
Asset Accountability Controls
General Ledger Controls

188
Inventory Controls

Segregation of Duties
Authorization Controls
Receipt/Issues Controls
Physical Inventory Controls

189
Procurement Controls

Segregation of Duties
Procedural Controls
Requisition Controls
Procurement Controls
Receiving Controls
Invoice Processing Controls

190
Personnel and Payroll Controls

Segregation of Duties
Procedural Controls
Personnel Controls
Payroll Processing Controls

191
IT Controls

Segregation of Duties
Procedural Controls
Documentation Controls
Data Controls
Security Controls
Inventory Controls

192
Session 14

Other Internal Control Pitfalls

193
A Final Reminder About I/C Pitfalls

Dont Focus On Areas Where Risk Is Low
Dont Ignore Risk Factors You Become Aware Of
Throughout The Year
Talk To Your Auditors About Areas Of Concern They
May Have And New Auditing Standards That Will
Affect Your Audit.
Make Sure To Tailor Any Borrowed PP To Your
Organization.

194
A Final Reminder About I/C Pitfalls

Remember That The Cost Of Implementing The
Control Structure Should Not Outweigh The
Benefit.
Remember To Address Budget, Grant And It
Controls.

195
Summary

The Control Environment Establishes The
Importance Of Internal Control.
Risk Assessments Must Be Realistic And Performed
When Changes To Objectives Or Policies Occur,
There Is Turn Over In Key Employees Or
Significant Changes In The Financial Markets.

196
Summary

Control Activities Should Be Focused On Areas Of
Highest Risk. Monitoring Controls Are Effective
Stopgap For Smaller Entities.
Information And Communication Must Provide
Relevant Information For Managing The Assets And
Liabilities Of The Entity.
Monitoring Of The Internal Control System Is An
Ongoing Process.

197
Session 15

Red Flags and Fraud

198
How to Catch a Fraudster

Independent Auditor
Internal Audit
Getting Ratted Out
Oops Method

199
How to Catch a Fraudster

Rotate those Job Duties
The Spot Check
And, the Surprise Attack

200
Eliminate Fraudster Potential

Background Check
Criminal
Credit
References
Verify the Social

201
Eliminate Fraudster Potential

Background Check
Driving Record
The Education
Professional Credentials
Drug Testing

202
Tips Employee Changes

Attendance
Tardiness
Avoiding Others
Bathroom Breaks

203
Tips Employee Changes

Listen
Look
Smell
Observe
Ask

204
Top Ten ReasonsFraud Beats InternalControlsAnd
What Management Can Do About It?
205
Fighting the Last War

Accountants Too Often Allow Themselves To Focus
Almost Exclusively On Past Weaknesses Rather Than
On Current And Future Exposures (Like Putting Up
Traffic Signals Only After An Accident Occurs)

206
Establish A System Of Proactive FraudPolicies
Dont Wait For Something To PopUp!

Use Of The Analytical Review
Watch For Increasing Expenses, Increasing
Receivables/Decreasing Cash, Increasing
Revenue/Decreasing Cash
Use Fraud Assessment Questions With Each Employee

207
Establish A System Of Proactive FraudPolicies
Dont Wait For Something To PopUp!

Enforce A Mandatory Vacation Policy With A Senior
Person Filling The Position For Several Days
Enforce A Mandatory Job Rotation Policy
Periodically, Stage A Surprise Audit Of Each
Position

208
Detection of Fraud Schemes

Tip (46.2)
By Accident (20)
Internal Audit (19.4)
Internal Controls (23.3)
External Audit (9.1)
Notified by Police (3.2)

209
Control Related Policies

Authorization
Properly Designed Records
Security Of Assets And Records
Segregation Of Duties
Periodic Reconciliations
Periodic Verifications
Analytical Review

210
1. Goin Through the Motions

Process Mentality
Just Doing The Steps In The Process
Not Thinking About What One Is Doing
Example Two Signatures Required On Checks. Both
Check Signers Fail To Notice The Check Has No
Payee And Still Sign The Check
Remedy Reinforce The Need To Pay Attention And
The Consequences For Failure

211
2. See No Evil, Hear No Evil

Blind Trust
Failure To Acknowledge Warning Signals
Example Failure To Follow Up On A Customer
Complaint Of An Incorrect Bill For Service And
Relying On The Experienced And Valued Billing
Clerks Response That It Was Just An Error.
Remedy Realize That Anyone Can Commit Fraud.
Assume Discrepancies Are Fraud And Prove To
Yourself It Is Only An Error.

212
3. Its Good to be The King

Positional Immunity
Rationalizing That Controls Dont Apply To Me
Because I Am In Upper Management.
Often Referred To As Management Override.
Example Executive Director Doesnt Report Leave
Used, But Still Gets Paid For Unused Leave
Annually.
Remedy Identify Someone Within Or Outside The
Entity That You Can Report These Circumstances To
And Not Jeopardize Your Job.

213
4. New Kid on the Block

Situational Incompetence
New Employee Not In A Position To Question Why
Example New Accounts Payable Clerk Questions Why
Purchases From A Certain Vendor Do Not Require
Bids, And Is Told That Such Purchases Are Exempt.
Remedy If You Are The Supervisor, Dont Assume
New Employee Just Doesnt Understand. Take Their
Questions Seriously And Ask Your Self Why. If You
Are The Employee, Ask More Than One Person.

214
5. Wheres All the Time Gone?

Workload Overload
Not Enough Time To Perform Control Procedures
Example Knowing That The Supervisor Is Too Busy
To Reconcile Accounts Receivable, A Billing Clerk
Steals Cash And Posts Unauthorized Adjustments.
Remedy Reevaluate Assignment Of Duties, And
When Needed, Demand More Resources By Focusing On
The Consequences Of Fraud.

215
6. Cant We All Be Happy?

Conflict Avoidance
Responsible Employees Not Comfortable In
Confronting Other Employees
Example A Supervisor Recognizes That The Cash
Drawer Is Always Short At The End Of The Day, But
Is Uncomfortable In Confronting The Employee.
Remedy Reinforce Supervisory Responsibilities.
Provide Employee Management Training. Dont
Tolerate Poor Performance.

216
7. Wheres the Beef?

Informational Restraint
Responsible Employees Lack The Information They
Need To Identify An Improper Transaction
Example An Accounts Payable Clerk Is Not
Provided A Contract That Includes A Not-to-exceed
Price Limit And Vendor Takes Advantage By
Over-billing.
Remedy Reinforce With Employees The Openness And
Availability Of Records And Information.