Internal Control: Identifying and Minimizing Risks

For Governmental Entities

1

2

Comptroller Justin Wilson likens Memphis to a recovering alcoholic

State Comptroller Justin Wilson has penned an op-ed piece in the Commercial Appeal that compares governments to alcoholics – and pronounces Memphis on the road to recovery. An excerpt:

The individual knows he is drinking too much and the government recognizes that its finances are precarious, but hey, it’s not that serious, I’ll change tomorrow or next year. Besides, getting drunk makes me happy and providing services and benefits we don’t pay for today keeps the voters happy.

3

The downward spiral progresses until the individual or the government hits bottom. That happens with the realization that the pain caused by the substance abuse or the financial irresponsibility outweighs the pleasure derived from the behavior.

4

…Most alcoholics still struggle with temptation, and there is always the danger of falling off the wagon. But if Memphis continues on its road to recovery, and continues to make good financial decisions, there is no reason to compare it to Detroit. Rather, Memphis will find its rightful place among the world’s most vibrant cities.

5

State of TennesseeJustin P. Wilson, State Comptroller

For Immediate Release: June 19, 2014Three Quarters of a Million Dollars’ Worth of Stolen Public Money Remains

Uncollected

Although county officials across Tennessee have made strides in recovering money stolen from public coffers, $775,221.12 remained uncollected at the end of the last fiscal year. That was one of the key findings of the 2013 Report of Cash Shortages, which was released today by the state Comptroller’s office.Each year, the Comptroller’s office prepares the report detailing the status of money stolen from county governments in Tennessee. The report includes information compiled from annual financial reports for the 89 counties audited by the Comptroller’s office and six counties audited by private accounting firms, as well as investigations and special reports issued by the Comptroller’s office. The new report provides a snapshot of each county’s cash shortages as of June 30, 2013. There is information in the report not only about money stolen during the year, but also in previous fiscal years that remains unrecovered.

The state’s 95 counties began the last fiscal year with $563,372.50 in cash shortages

that had not been recovered. During the year, $449,624.04 worth of new shortages was detected. Counties were able to recover $237,775.42 through restitution payments, insurance claims or other means. That left a net unrecovered shortage of $775,221.12 at the end of the fiscal year. “While it’s encouraging that county officials have been able to recover substantial amounts of the money that has been taken from them, it’s discouraging that the amount of new thefts discovered in the fiscal year outpaces the recovered amounts,”

Comptroller Justin P. Wilson said. “I hope people will read through this report and realize how widespread the theft of public funds is in our state. I urge local government officials to follow the steps recommended by our auditors to safeguard against the fraud, waste and abuse of public money.” Blake Fontenay, Communications Director, (615) 253-2668 or blake.fontenay@tn.gov

A Personal Decision

What is it worth to you?Would you throw away your integrity?Give up your good reputation?Lose the good name you have worked your entire life to build?

How much would it take????

Dennis Dycus once said…

“If you think theft or fraud is not happening where you work, you are probably wrong”.

Video – Dixon, ILVideo - Columbus

9

10

11

Reference Text:

Committee of Sponsoring Organizations of the Treadway Commission

Internal Control – Integrated Framework

Framework and Appendices

May 2013

COSO Model

12

13

The Committee of Sponsoring Organizations (COSO)

• Sponsored and funded by:– American Institute of Certified Public Accountants

(AICPA)– American Accounting Association (AAA)– Financial Executives Institute (FEI)– The Institute of Internal Auditors (IIA)– The Institute of Management Accountants (IMA)

• Publishes The Internal Control Integrated Framework, a standard for establishing internal controls

Definition

COSO defines internal control as:

“…a process, affected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

1) Effectiveness and efficiency of operations2) Reliability of financial reporting3) Compliance with applicable laws and objectives”

14

Five Components of the COSO Model

1. The Control Environment2. Risk Assessment3. Control Activities4. Information and

Communication5. Monitoring Activities

15

1. The Control Environment

• Sets the tone for the entire organization• Management leads by example• Integrity and ethical values• Commitment to competence• Organizational structure• Adherence to policies and procedures

16

17

New Control Environment

Principles

Control Environment – 5 Principles

1. Organizational commitment to integrity and ethical values

2. Governing bodya. Demonstrates independence from managementb. Exercises oversight of internal control

18

Control Environment – 5 Principles

3. Management establishes reporting lines, authorities and responsibilities

4. Organizational commitment to attract, develop and retain competent individuals

5. Organization holds individuals accountable for internal control responsibilities

19

2. Risk Assessment

• Present at every level of an organization• Define organizational objectives • Identify risks that may adversely impact

organization’s achievement of goals• Minimize the likelihood of occurrence

20

Risk Analysis

• Assess the frequency of the risk occurring

• Estimate the potential impact if the risk were to occur

• Determine how the risk should be managed

• Prioritize and manage significant risks

21

Reasonable Assurance

• Effective control system provides reasonable but not absolute assurance

• Appropriate balance between risk of a certain practice and level of control to ensure objectives

• Cost of a control should not exceed the derived benefit

22

23

Controls Out of Balance

Excessive Risks• Loss of Assets or Grants• Poor business decisions• Noncompliance• Public scandals

Excessive Controls• Increased bureaucracy• Reduced productivity• Increased complexity• Increase of no-value

activities

24

New Risk Assessment

Principles

Risk Assessment – 4 Principles

1. Objectives are specified to enable the identification and assessment of related risks

2. Risks to the achievement of the entity’s objectives are identified and analyzed to manage those risks

3. The potential for fraud is considered in risk assessment

4. The organization identifies and assesses changes that could significantly impact internal control

25

26

3. Control Activities

• Policies and procedures to mitigate risks• Appropriate response• Implementation• Conscientious• Consistent

• Types of Controls• Preventive controls – proactive • Detective controls – reveal what has occurred

Types of Controls

Preventive• Deter undesirable events• Help prevent loss• Examples• Emphasize quality• Proactive

Detective• Detect undesirable events• Provide evidence of loss• Do not prevent loss• Provide evidence that

preventive controls are functioning

27

28

New Control Activities

Principles

Control Activities – 3 Principles

1. Activities that contribute to the mitigation of risks to acceptable levels are selected and developed by the organization

2. General control activities over technology are selected and developed to support objectives

3. Control activities are deployed through policies and procedures

29

4. Information and Communication

• Essential at every level of an organization

• Clear understanding of expectations• Minimizes assumptions

30

Communicating

• Standard operating procedures– Strengthen communication channels– Decrease chance that a new administration will

arbitrarily change policies• Information overload results in employees

ignoring communication attempts

31

32

New Information and Communication

Principles

Information and Communication –3 Principles

1. Relevant and quality information is used to support the functioning of internal control

2. Information, including objectives and responsibilities, are communicated internally

3. Matters affecting the functioning of internal control are communicated to external parties

33

5. Monitoring Activities

• Ongoing evaluation• Activities functioning properly• Controls must change over time• Technologies evolve• Priorities change• New deficiencies emerge

34

35

New Monitoring Activities

Principles

Monitoring Activities - 2 Principles

1. Evaluations are developed to ascertain internal control components are present and functioning

2. Internal control deficiencies are communicated to those responsible for taking corrective action

36

37

Basic InternalInternal Controls

Checklist

Checklist1. Make sure that the following policies and procedures are

available in your municipality, either by hard copy or electronically:a. Administrative proceduresb. Financial and accounting manual (including at a minimum the

Comptroller requirements)c. Employee handbookd. Purchasing manual

2. Make sure that departments have well written ‐departmental policies and procedures manuals which address significant activities and unique issues. Employee responsibilities, limits to authority, performance standards, control procedure disciplinary action for not complying and organizational relationships should be clear.

Checklist3. Make sure that employees are well acquainted with the

municipality’s policies and procedures that pertain to their job responsibilities.

4. Discuss ethical issues with employees. If employees need additional guidance, consider departmental standards of conduct.

5. Communicate state laws related to conflict of interest; make sure employees understand how to disclose potential conflicts of interest.

6. Develop job descriptions; clearly state responsibility for internal control, and correctly translate desired competence levels into required knowledge, skills, and experience.

Checklist

7. Make sure that each employee has an adequate training program.

8. Conduct employee performance evaluations periodically. Good performance should be valued highly and recognized in a positive manner.

9. Most importantly, make sure appropriate disciplinary action is taken when an employee does not comply with policies and procedures or behavioral standards.

QUESTIONS ?MTAS and CTAS now working on model I/C policies and training

programs (and perhaps others are as well)

41