Insert PresentationTitle Here

Developing Ironclad Internal Controls

MPPOA Annual Fall ConferenceOctober 26, 2015

Presented By:Joshua Sullivan, CPA &

Chad Biggar, CPA

Learning Objectives

• At the end of the presentation you will be able to:– Understand Internal Controls– Identify common areas of internal control

weakness– Determine high risk areas– Have a better understanding of fraud

Fraud by Industry

Governments have the second highest percentage of fraud, second only to banking and financial services.• Governments are extremely susceptible to fraud

because of its sheer size and number of employees. They have fallen victim to nearly every type of fraud that exists, including billing fraud, the purchase of substandard/low quality products, asset misappropriation and payroll expense reimbursement fraud.

Clues/Triggers Someone May Be Embezzeling • Employees who appear to live beyond their means• Employees who don’t go on vacation• Employees who aren’t team players. Want to

solve all their problems on their own. Don’t need anyone else’s help.

• Family going through financial distress• Changes in lifestyle• Employees who request for salary advances• Missing petty cash, past-due bills, or late vendor

payments

These are a few triggers that you might have an issue.

The “Fraud Triangle...or Diamond”

SO HOW DO WE STOP FRAUD FROM OCCURRING OR AT

LEAST MITIGATE SOME OF THE

RISK???

STRONG INTERNAL CONTROLS

Internal Control Background

• The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

• Issued first report in 1985 stressing importance of internal control, the control environment, codes of conduct, audit committees and internal audit functions.

• COSO defines internal control as:A process, effected by an entity’s board of directors, management and other

personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of

operations, reliability of financial reporting, and compliance with applicable laws and regulations.

Internal Control Background

• Key concepts of the COSO framework– Internal control is a process. It is a means to an

end, not an end by itself.– Internal control is affected by people. It’s not

merely policy, manuals, and forms, but people at every level of an organization.

– Internal control can only provide reasonable assurance, not absolute assurance to an entity’s management and board

– Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Primary Objectives of Internal Control

• Orderly and efficient conduct of business, including adherence to internal control policies

• Safeguarding of assets• Prevention and detection of fraud and error• Accuracy and completeness of the accounting

records• Timely preparation of financial information

Benefits of Sound Internal Control

• Fraud detection and/or prevention• Effectiveness and efficiency of operations• Reliability of financial reporting• Compliance with applicable laws and

regulations

The Five Components of Internal Controls

1. Control Environment2. Risk Assessment3. Control Activities4. Information and Communication5. Monitoring

The Five Components of Internal Controls

1. Control Environment– Attitude of management (Tone at the top)

2. Risk Assessment– Management’s responsibility to identify the

riskiest areas.

3. Control Activities– Policies and procedures to ensure

management’s directives are carried out.

The Five Components of Internal Controls

4. Information and communication– Understand your information technology,

accounting and communication systems and processes.

5. Monitoring– To ensure management assess the design and

operating effectiveness of the entity’s system of internal control on a short and long-term basis.

Designing Proper Internal Controls

• Oversight by a manager– In-depth knowledge of business and

accounting operations and daily oversight of company personnel, are key controls in the entity’s environment

• Overcoming lack of segregation of duties– Reviewing reports– Selecting transaction for review of supporting

docs– Overseeing counts of inventory or assets and

agreeing them to accounting records– Reviewing reconciliations of account balances

Designing Proper Internal Controls

• Limit risks associated with the IT system– Standardized reports and reporting formats– Password and other application control

• Continuous Monitoring– Management’s responsibility to perform “walk-

arounds” of controls and provide feedback on the effectiveness of accounting, internal control, and operational systems.

Accounts Receivable and Cash Receipts(Any system in place should be in writing and adhered to)

1. Reconcile the collections (per your practice management / billing system) to the amounts deposited in the bank. Such reconciliations should be done daily, weekly and monthly. Randomly audit cash drawer or petty cash for honesty.

2. Segregate duties within the organization (i.e., make certain that the employee who posts payments to the system is not the person who also opens the mail). This isn’t always possible in a small organization. At a minimum be sure everyone in the office is “cross trained”. This can help keep everyone honest.

3. Review and maintain effective access controls to the A/R system. (Approval for write offs), reconciliations, etc. Follow through on your requirement that these policies be followed.

4. Be sure the accounting and billing system can provide an “audit trail” for deleted items.

Accounts Receivable and Cash Receipts5. Require that bank deposits be made daily. Make a copy

of the bank deposit ticket before the employee takes deposit to the bank. Be sure you receive receipt and compare to copy and what was recorded in check register.

6. Require that all funds received be posted the same day.7. Be sure bank statements are only opened by a specified

individual(s).8. Great protection is the use of a bank Lock Box for

organization cash receipts coming in. Might be a little costly, but will completely protect against theft on the majority of your collections. Save employee time on opening mail, preparing deposit ticket, etc.

Cash Disbursement Controls

1. Review cash disbursement listings to assess if any possible false vendors have been paid. If possible review the actual cancelled check. Some accounting systems will allow you to change the vendor after the check is printed. You have to look at the cancelled check. If they don’t come in the mail you can always randomly review them on line. Be sure your employee knows you or your CPA is doing this. The fear that someone may check on them can often deter a staff from embezzlement.

2. Review invoices when signing checks to confirm that you are paying for goods and or services that have actually been received.

Cash Disbursement Controls

3. Review payroll register periodically.4. Limit use of a signature stamp for checks.5. Keep checks locked up. Limit paying for items using

an “electronic” check.6. Assess your accounts payable and cash disbursement

system to ensure that the related approvals are obtained prior to any payment being made.

7. Limit the use of the organization’s credit card. Don’t authorize an employee to make payments using a credit card. Review all charges and be sure you have a receipt for each charge on the card. If you don’t you might miss a pair of movie tickets, shoes, etc.

General

1. Require that vacation time be taken by purchasing and accounting employees.

2. Cross-train and rotate job responsibilities among employees.

3. Do comprehensive background checks on employment applicants (inclusive of criminal background and employee credit check). Both a financial and a criminal check. If someone has just gone through a bankruptcy you can still hire, you just might want to be a little cautious. 1/3 of embezzlers have financial problems AND 7 % of all embezzlers have been convicted of a previous crime. You do need permission to run a credit check. If a perspective employee refuses or responds defensively you have already spotted a red flag.

General

4. Consider the development and implementation of a ‘Practice Code of Ethics’. Update your employee

handbook on how embezzlement or fraud will be handled.5. Compensate employees fairly, and attempt to help

employees in financial trouble.6. Perform annual employee reviews.7. Be mindful of personal issues impacting your

employees. These personal issues may provide a warning sign of fraud risk.

8. Be appropriately (but not excessively) suspicious.9. Avoid keeping excessive cash and checks on hand. As

necessary, use a safe or strong box. Consider a bank Lock Box.

General

10.INSPECT WHAT YOU EXPECT! Perform periodic ‘audits’ of work to make sure it is being performed as you expect and require according to your written procedures.

11.Consider hiring a professional to review, assess and aid in the strengthening of your practice’s internal control systems. Staff knowing the CPA will be coming in periodically to “check” the system may provide a deterrent.

Fraud Examples in Local Governments

• Village of Port Henry – Country Clerk-Treasurer admitted to stealing

almost $153,000 over a 5 year period.– Sentenced to 7-22 years in prison– Most of the fraud came from cash payments

made for trash-disposal stickers, campground space rentals and water and sewer rents.

What went wrong

• No segregation of duties (no review of ledgers or sub-ledgers)

• No management oversight. • Inactive board (no financials presented or

discussed at meetings)• Bank deposits were never done on a set

schedule• Money paid by residents was not recorded

daily

Fraud Example in other industry

• Nathan Mueller’s $8 million fraud scheme.– Company bought by ING – erroneously given access– Authority to approve checks to $250,000– Access to log on as associate– Pick up checks from bank – Also had access to request checks– Started by paying off credit cards about $1,000 at a

time– Put expense to various accounts with lot of

transactions– Set up false vendors with names similar to approved

vendors

Fraud Example in other industry

– $88,000 in 2003, $1 million in 2004, $2 million in 2005, $4 million in 2006, and $1 million in 2007

– Living extravagant life style and got divorced– Caught when wife and co-worker had lunch and

questioned his story– Ended up getting 5 years in prison and has

paid back about $860,000

What went wrong

• Set up in the ERP system – to much access• Having other associates passwords• Approving vendors

WHO HAS THE FIRST QUESTION???

THANK YOU