Lecture Week 5: Internal Controls and Fraud Protection: Board and Management Responsibilities


Agenda

Part I: Overview of
- Board and Management Responsibilities
- Auditor Responsibilities
- Framework of Internal Controls

Part II: Overview of
- An Organization-Wide Model of Internal Control
- Best Practices Pertaining to Board and Management Oversight

Elements of an Organizational System of Internal Control

1. Financial Controls
   a. Preventive controls
   b. Detective controls
2. Non-Financial Systems
3. Management Oversight and Behavior

II. Non-Financial Systems

Several Non-Financial Systems Are Important to Internal Controls and Fraud Protection

Among the Most Important:
- Human Resources Systems
- Information Technology Systems
- Communications Systems
- Insurance Protection

Human Resources Systems

- Hiring Policies and Practices
- New Employee Orientation
- Code of Ethics and Related Policies
- Performance Evaluation Systems
- Compensation Adjustment Practices
- Grievance Policies
- Counseling of Troubled Employees
- Exit Interviews

Communications

- Organization Chart: clear understanding of lines of communication
- Access to Audit Committee, or equivalent board-level representatives
- Hotlines: anonymous reporting of suspected fraud and abuse, or any other misconduct, by employees
- External Crisis Management

Methods of Detection:

Method               NPOs     Overall
Tips                 34.4%    34.2%
By Accident          28.7%    25.4%
Internal Controls    19.7%    19.2%
Internal Audit       16.4%    20.2%
External Audit       14.8%    12.0%
Notified by Police    4.9%     3.8%

Source: 2006 ACFE Report to the Nation on Occupational Fraud and Abuse

Tips Came From:

- Employee: 64.1%
- Anonymous: 18.1%
- Customer: 10.7%
- Vendor: 7.1%

III. Management Oversight

- Day-to-Day Management Activities
- Board of Directors
- Financial Oversight and Monitoring
  - Board and management level
  - Department/program level

Day-to-Day Management

- Understanding Responsibilities and Risks
- Setting an Example: Follow All Policies
  - "Tone at the top"
  - Communicate seriousness of internal control
- All Supervisors and Managers Have Responsibilities
  - Awareness of red flags of problems
  - Enforcement of policies, and reward ethical behavior
- Responding to Fraud and Deficiencies in Internal Control
- Open-Door Policies: Receive Communications Regarding Allegations of Wrongdoing
- Corrective Actions

Board of Directors

- Oversight Responsibilities in Many Areas
- Establishment of Committees so That a Committee Can Address Issues in Greater Detail Than the Full Board
  - Separate Audit Committee
  - Committee Charters Outline Responsibilities and Authority
  - Committees Deal With Issues in Detail, Bringing Summaries and Recommendations to the Full Board
  - Audit Committee Should Be Independent of Finance Committee

So, what’s it all mean for me as a board member?

Best Practices for Board Members

1. Codes of Ethics
2. Hotlines and Whistleblower Protection
3. Functioning Audit Committee
4. Fraud Risk Assessment Process
5. Model Oversight and Policies After U.S. Sentencing Commission Guidelines
6. Make Inquiries Regarding the NPC's Financial and Non-Financial Controls

1. Codes of Ethics

1. Draft or edit to make sure it is comprehensive and accurate
2. Draft or edit related written policies and procedures
3. Reinforce awareness and importance
4. Staff training and certification

Codes of Ethics

Two Approaches to Drafting:
- Detailed: identifying specific acts
- Broad: conduct in general terms

If Broad, Cross-Reference Other Written Policies, Such as the Personnel Manual, etc.

Codes of Ethics

Borrowing from SOX, Codes Should Deter Wrongdoing and Promote:
- Honest, ethical conduct, including handling of conflicts of interest
- Full, fair, timely disclosures
- Compliance with applicable laws and regulations
- Prompt internal reporting of violations
- Description of what constitutes fraudulent behavior
- Accountability for adherence to the code and sanctions for those who breach it

Codes of Ethics

- Communicate the Code Effectively, Through Policy Manuals, etc.
- Have Employees Sign, Acknowledging They Understand It and Agree to Comply With It
- Emphasize It at Orientation for New Employees
- Training and Periodic Re-certification
- Monitoring of the Code Is the Responsibility of:
  - Management
  - Audit committee

Ethics Training Topics

- Code of Ethics
- Conflicts of Interest
- Ethical Issues
- Kickbacks
- Hotline Usage and Other Methods of Reporting
- Protection from Retaliation
- Each Person's Role in Maintaining an Ethical Workplace

The Value of Ethics Training

With Fraud Awareness or Ethics Training:
- Median Loss = $100,000
- Median Months to Detection = 15

Without:
- Median Loss = $200,000
- Median Months to Detection = 24

Policy on Suspected Misconduct

- Functions in Conjunction With the Code of Ethics
- Identifies How to Report Suspected Activities
- Incorporates Whistleblower Protection Provisions
- States Employer's Rights, including the right to inspect and search employee files, lockers, desks, etc. that are provided as an employee convenience by the employer
- Explains Disciplinary Actions That May Result, Including Termination

2. Hotlines

- Allow for Anonymous Reporting of Suspected Wrongdoing
- Utilize Third-Party Services (EthicsLine of the Association of CFEs; The Network; Pinkerton Security; other services)
- FraudNet, a Service of GAO to Report Wrongdoing Involving Federal Funds: fraudnet@gao.gov or (202) 512-3086

Hotlines

Consider Method of Reporting:
- Telephone interview
- Voicemail service
- Web-based format

Consider Protocol for Dissemination of Information:
- Direct to audit committee
- Compliance officer
- Human resources
- Internal audit

Promote the Hotline:
- Personnel Manual and Other Policy Manuals
- Staff Meetings
- Memos/Newsletters
- Postings in Break Rooms
- Intranet

The Value of Hotlines

With Hotlines:
- Median Loss = $100,000
- Months Prior to Detection = 15

Without Hotlines:
- Median Loss = $200,000
- Months Prior to Detection = 24

Whistleblower Protection

- Key to Encouraging Proper Use of a Hotline Is Protection of the Whistleblower
- Does Not Protect Trouble-Makers
- Protects Employees Who Report Possible Misconduct Based on Information They Believe to Be Truthful
- Protects Against Retaliation Against the Whistleblower in Any Form

3. Audit Committee Functions

- Oversee All Audit Functions: Selection, Planning, etc.
- Review and Approve Audit Reports
- Oversee Corrective Actions in Response to Auditor Findings
- Monitor Adequacy of Internal Controls
- Receive Communications
- Investigate Allegations of Fraud

Audit Committee Functions (2)

- Monitor Compliance With Code of Conduct
- Manage Conflicts of Interest
- Monitor Adequacy of Insurance Protection
- Assess Financial Risks Due to Current Operating Environment

Audit Committee Charter

- Clearly Describe Responsibilities
- Provide Committee With Proper Authority
  - Access to records
  - Authority to hire investigators, if deemed necessary
- Describe Member and Meeting Requirements

4. Fraud Risk Assessments

Active, ongoing discussion involving each of the following:
- Identification of potential fraud risks
- Evaluation of current internal controls in response to those risks
- Consideration of changes necessary to properly respond to the risks
- Design and implementation of changes in internal controls
- Monitoring of the performance of internal controls
- Receiving input regarding control breakdowns

Who Is Involved?

The Board's role is to oversee and make sure this process is taking place; direct involvement depends on the individual circumstances (size and structure of the NPC).

Others with roles:
- Senior management
- Chief financial and operations officers
- Program personnel (research and education)
- Auditors
- Others as deemed necessary

5. Model Practices After USSC

- Directly applicable only in certain federal cases; includes guidelines for assessing penalties against corporations
- A similar approach is often taken to penalizing corporations in non-federal, non-criminal cases
- An excellent source of best practices regarding establishment of an ethical culture by boards and senior management

Sentencing Guidelines Due Diligence

1. Establish standards and procedures (internal controls) to prevent and detect criminal conduct

2. Assign high-level personnel responsibility for compliance and ethics program, and specific individuals for day-to-day operational responsibility for the program

3. Reasonable efforts not to include within substantial authority any person the organization knew, or should have known through due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program


4. Communicate standards and procedures of the compliance and ethics program periodically and in a practical manner by conducting training and otherwise disseminating information

5. Take reasonable steps to ensure the program is followed (monitoring and auditing), including having a publicized system for employees and agents to report problems or seek guidance

6. When criminal conduct is detected, take steps to prevent further similar criminal conduct


7. Periodically assess risk of criminal conduct and design, implement, or modify the preceding requirements to reduce the risk of criminal conduct

8. Large organizations should encourage small organizations (such as subcontractors and vendors) to implement effective compliance and ethics programs

6. Make Inquiries

- As stated earlier, the role of the NPC board is not necessarily to be internal control experts or to directly carry out each of the steps described in this presentation
- Direct involvement in development of policies or practices that are the responsibility of the board
- Make inquiries of management and staff regarding how each of the other areas is being addressed
- Make inquiries regarding fraud risks and the existence of internal controls in response to specific fraud risks that we'll explain in the second part of this series
