© Grant Thornton. All rights reserved. 1 Checks and Balances: Improving Accountability Through Internal Controls May 26, 2011 Dan Barrón, Partner Darla

© Grant Thornton. All rights reserved.1

© Grant Thornton. All rights reserved.

Checks and Balances:Improving Accountability Through Internal Controls

May 26, 2011

Dan Barrón, PartnerDarla Kerico, Senior Manager NPSGGrant Thornton LLP


Checks and Balances:Improving Accountability Through Internal Controls

Today's topics

• Internal Controls- What Are They?• Internal Controls- Why Do You Care?• Common Control Activities• Fraud


Internal Controls - What Are They?

• COSO definition – A process, effected by those charged with governance, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:– Effectiveness and efficiency of operations– Reliability of financial reporting– Compliance with applicable laws & regulations


Internal Controls - What Are They?

• Key COSO concepts:– Internal control is a process– Internal control is effected by people– Internal control can be expected to provide only

reasonable assurance, not absolute assurance– Internal control is geared to the achievement of

objectives in one or more separate but overlapping categories


Definition Of Internal Control - Simplified

Those processes that management relies on to make sure things don’t get goofed up


Internal Controls- Hitting the Target

Internal controls should provide reasonable assurance that:•Transactions are properly authorized•Assets are safeguarded•Transactions are properly recorded and reported •Competency prevails


Internal Controls - Why Do You Care?

• Fiduciary responsibility as a member of the executive management team

• How many of you in the audience sign the year-end representation letter to the external auditors?

• Key representations:– Responsible for internal control environment– No known significant deficiencies in the design of or

operation of internal controls– Acknowledge responsibility for the design and implementation of programs and controls to prevent and

detect fraud– No known material instances of fraud


Control Environment:The Foundation for Internal Controls

Four interrelated components: • Risk assessment - identification and analysis of relevant

risks to achievement of organizational objectives, which form the basis for management decisions regarding the best means of managing risk

• Control activities - policies and procedures that help ensure that management directives are carried out

• Information and communication - the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities

• Monitoring - the process by which the quality of internal control performance is assessed over time


Three basic types of internal controls

1. Operational controls pertain to the effectiveness and efficiency of an operation

2. Financial controls concentrate on the reliability and integrity of the financial information

3. Compliance controls apply to the ability of the organization to continue operations and the reputation of the entity in the marketplace


Control Activities

Policies and procedures that help ensure that management's directions are carried out, which include a range of activities such as:

– approvals– authorizations– verifications– reconciliations– reviews of operating performance– security of assets, and– segregation of duties


Common Control Activities

• Budgeting and Regular Financial Reporting• Safeguarding of Assets and Physical Controls• Effective Computer Security Measures• Segregation of Duties• Investment Policies and Procedures• Documented Accounting Procedures and Controls


Controls Over Specific Accounts And Transactions: Cash and Cash Equivalents

• All cash is received and deposited in a timely manner• All cash disbursements are for authorized transactions and

for the correct amounts• All cash accounts are reconciled to the general ledger in a

timely manner• All cash related transactions are recorded in the correct

account, in the correct amount, and in the proper accounting period

• Cash not required for operations is invested in a timely fashion.


Controls Over Specific Accounts And Transactions: Cash Receipts

• Incoming mail opened and a listing of cash and/or checks received should be made under the supervision of a responsible official. This listing should be compared to the actual deposit made to ensure the completeness of the deposit

• Checks immediately restrictively endorsed• Use of a bank lockbox• Prenumbered tickets or logs when processing cash receipts and

require each person processing a ticket or log to initial it• Deposit all cash receipts intact daily, if possible, and adequately

safeguard undeposited receipts• Prompt investigation of checks returned for insufficient funds


Controls Over Specific Accounts And Transactions: Cash Disbursements

• Physical access to cash and unissued checks restricted to authorized personnel• Checks and bank transfers prepared only for authorized and documented

transactions by authorized personnel• Supporting documentation such as invoices and check requests initialed by a

responsible individual indicating proper authorization• Policy stating specific dollar limits for checks that require two signatures or one

signature• Disbursement and bank transfers prepared by someone other than the person

who initiated the transaction• Mechanical check signers used sparingly• Payment made from an original invoice• Supporting documents should be stamped “posted” or “paid”• Prenumbered checks issued in numerical sequence• Use of postdated checks, checks payable to bearer or cash, and signatures of

blank checks prohibited• After signature, all checks forwarded directly to the payee


Controls Over Specific Accounts And Transactions: Other Cash Controls

• Petty cash funds kept to the minimum amount practical

• Individuals handling cash included in fidelity bond coverage

• Number of bank accounts limited to a reasonable number and unused accounts promptly closed

• Bank accounts reconciled as soon as possible after receiving the statements and necessary adjustments made to the general ledger

• Old outstanding checks investigated and resolved


Controls Over Specific Accounts And Transactions: Payroll

• Use of an outside payroll service such as ADP• Payroll and related benefits only paid to bona fide

employees at approved salary and benefit rates• Payroll transactions properly recorded in the general ledger

and properly allocated to functional areas based on time and effort reports

• Payroll taxes properly reported and remitted to federal and state taxing authorities

• Payroll records maintained in accordance with entity and government policies

• Employee benefit programs maintained in accordance with applicable laws and regulations


Controls Over Specific Accounts And Transactions: Payroll (Cont.)

• Hiring and personnel changes in accordance with entity policy• Payroll and personnel information kept confidential with access allowed

only to authorized personnel• Salary levels and salary changes approved by the executive director or

board in conformity with the organization's normal procedures• Payroll prepared based on properly documented timesheets or other

attendance records• Payments for overtime pay properly approved• Vacation, holiday, and sick pay accurately tracked• Employee names and pay rates verified with each payroll run• Individual who signs payroll checks different than the person who

prepares the payroll• Reconcile salary and benefit expenses recorded in the general ledger

with payroll information reported to the IRS


Controls Over Specific Accounts And Transactions: Grant or Contract Revenue

• Procedures for the proper review of all grant and contract proposals

• Accounting system properly designed to capture direct costs and revenues for each individual grant or contract

• Reasonable and rational method developed for allocating indirect costs to each award

• Grants and contracts properly supervised to ensure that expenditures are made only for the purposes stated in the grant and that compliance with grant requirements is met

• Appropriate revenue recognition criteria must be established


Controls Over Specific Accounts And Transactions: Fixed Assets

• Adequately budgeting for fixed asset acquisitions• Documented procedure for the sale or disposal of fixed

assets• Establishing a stated capitalization policy for recording fixed

assets• Properly accounting for and assigning responsibility for

portable fixed assets such as laptop computers• Periodically inspecting fixed assets and comparing the

inventory of fixed assets with amounts recorded on the general ledger and in insurance records


Three categories of control deficiencies

A control deficiency exists when the design/operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.


Three categories of control deficiencies (cont.)

A significant deficiency is a deficiency, or combination of deficiencies, in internal control, that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.


Three categories of control deficiencies (cont.)

A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.


Auditor Considerations

• Does a control deficiency – or a combination of deficiencies – constitute a significant deficiency or a material weakness?

• Would prudent officials with knowledge of the facts and circumstances agree with the auditor's assessment?

• Are effective compensating or complementary controls in place?

• What is "material" to the financial statements from a quantitative and qualitative perspective?

• What is the "potential" error vs. the "actual" error?


Auditor's Reporting Responsibilities

• Significant deficiencies and material weaknesses should be communicated, in writing, to management and those charged with governance

• Includes significant deficiencies and material weaknesses that were communicated in previous audits and have not yet been remediated

• Communication should be no later than 60 days following the report release date


Sarbanes-Oxley Act of 2002

• Public accounting firms have changed how they relate to all clients, whether required to do so or not

• Sarbanes-Oxley created a new public awareness of issues of accountability and independence that has "spilled over" into the not-for-profit sector

• NFP board members now model themselves on corporate governance "best practices" initiated by Sarbanes-Oxley


Implications for Not-for-Profit Board Governance- Best Practices

• The Board should take responsibility and assess the effectiveness of internal controls over financial reporting

• Internal controls should provide reasonable assurance that:– Transactions are properly authorized– Assets are safeguarded

– Transactions are properly recorded and reported


Implications for Not-for-Profit Board Governance- Best Practices (cont.)

• The CEO and CFO should establish and monitor effective systems of internal control

• Any known deficiencies in financial reporting and internal control should be reported to the Board

• Auditor should report to the Board its assessment of the organization's internal control structure and procedures


What is fraud?

• Any intentional or deliberate act to deprive another of property or money by guile, deception or other unfair means. The elements of fraud are:

– a false representation about a material fact – made intentionally– believed and acted upon by the perpetrator

– to the victim’s damage


Definition of Fraud

• Fraud is a type of illegal act involving the obtaining of something of value through willful misrepresentation. Whether an act is, in fact, fraud is a determination to be made through the judicial or other adjudicative system and is beyond auditors' professional responsibility. (GAO Yellow Book)

• For purposes of the section, fraud is an intentional act that results in a material misstatement in financial statements that are the subject of an audit. (AICPA – SAS No. 99)


Types of Fraud

• Types of fraud:– Asset misappropriations– Corruption– Fraudulent financial statements

• Asset misappropriation is most common of the three schemes – 90% plus

• Survey participants estimated that the typical organization loses 5% of its annual revenue to fraud.

Source- Association of Certified Fraud Examiners 2010 Report to the Nation Occupational Fraud and Abuse


Why and How Does Fraud Occur?

Opportunity is generally provided through weaknesses in the internal controls, such as inadequate or no:

• supervision and review • segregation of duties • system controls

Pressure can be imposed due to:

• personal financial problems • personal vices such as gambling, drugs,

extensive debt, etc. • unrealistic deadlines and performance goals

Rationalization occurs when the individual develops a justification for their fraudulent activities.

The Fraud Triangle


Common Causes of Fraud

• Weak internal control system• Lack of monitoring of internal controls• Poor or inadequate training• High management turnover• Collusion among employees• Transactions executed without proper authorization


The "Red Flags" of Fraud

• Not separating functional responsibilities of authorization, custodianship, and record keeping.

• Unrestricted and unmonitored access to assets or data

• Not recording transactions resulting in lack of accountability

• Not reconciling assets with the appropriate records

• Unauthorized transactions

• Unimplemented controls because of the lack of or unqualified personnel

• Employees over whom there is little to no supervision


Accounting "Red Flags"

• Fictitious/ altered/ photocopied receipts• Missing documents• Stale/ increasing reconciling items• Unusual bank statement items• Excessive voids/ credits• Second endorsements on checks• Duplicate payments• Things that don't make sense


Not-for-profit organizations are not immune to scandal and bad publicity

• Recent University ticket scandal $1.3 million• Veterans cheated for benefit of foundation executives• Former University President Indicted for Embezzling $1.5

Million• Former CEO of a not-for-profit was sentenced to 10 years

in prison and ordered to pay $65 million in restitution• In the same case, a board member was sentenced to 3

years in prison and ordered to pay $1.7 million in restitution


Measures That Are The Most Helpful in Preventing Fraud

• Strong internal controls• Background checks on new employees• Regular fraud audits• Established fraud policy• Willingness of entities to prosecute• Ethics training for employees• Anonymous fraud reporting mechanisms• Workplace surveillance Source- Association of Certified Fraud Examiners 2006 Report to the Nation Occupational Fraud and Abuse


The very best fraud prevention mechanism is to put forth the perception

that... if you do something wrong, you will be caught... and the punishment will be

swift and severe


Questions, answers, discussion


Contact information

Dan BarrónPartner, AuditT: 214-561-2440E: [email protected]

Darla Kerico Senior Manager, National Professional StandardsGroupT: 214-561-2457E: Darla. [email protected]

Documents

© Grant Thornton. All rights reserved. 1 Checks and Balances: Improving Accountability Through Internal Controls May 26, 2011 Dan Barrón, Partner Darla