Internal Controls

Definition of Internal Control Internal control is a process, effected by an

entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations.

Benefits of Internal Control Having controls in place minimizes embezzlement

and/or misappropriation of funds. The temptation to steal assets from the church is lessened once steps have been taken to put checks and balances in place. These controls would help to promote ethical behavior.

There is also a reduction in the need to accuse and confront employees. The internal controls would provide accurate information that would be used to detect illegal behavior and also to make reporting easier.

The internal controls minimize the embarrassment of the church because of negative publicity from the media should inappropriate behavior occurs. It is a good practice to try and prevent the image of the church from being damaged in any way. Fraud in the headlines is a strike against any organization.

External/regulatory oversight Unlike corporations which provide quarterly

financial statements to the SEC and hold quarterly conference calls with outside analysts, the church is subject to almost no recurring outside financial scrutiny

Since many churches and dioceses are not required by law to be transparent and accountable in their finances, they choose to keep their finances private.

Canon Law and Other Guidelines Canon law contains a number of provisions

directed at good management and financial practices. The primary diocesan institution to monitor

diocesan finances is the diocesan finance council (DFC). According to canon law, each diocese is required to establish a DFC, to be presided over by the bishop or his delegate.

In addition to canon law, the United States Conference of Catholic Bishops (USCCB) has established recommended guidelines for diocesan financial management. But they are just that - guidelines

5 Elements of the IC Process Control Environment Risk Assessment Control Activities Information and Communication Monitoring

Control Environment The core of any business is its people - their

individual attributes, including integrity, ethical values, and competence and the environment in which they operate. Clear lines of authority and accountability that

emphasize the importance of internal controls A documented code of conduct/ethical standards A formal budget process and prompt variance

analysis. A plan to attract and retain competent personnel. An effective audit committee and internal audit

functions. More on the Control Environment later

Risk Assessment The entity must be aware of and deal with the

risks it faces. It must set objectives, integrated with the sales, production, marketing, financial, and other activities so that the organization is operating in concert. It also must establish mechanisms to identify, analyze, and manage the related risks. Clear objectives regarding operating, financial

reporting, and law compliance functions. An entity-wide review to assess and evaluate risk

(discussed later)

Control Activities Control policies and procedures must be

established to ensure that management's responses to risks are effectively carried out. Segregation of duties: collections of cash

contributions counted by two or more people. Independent counting and/or confirmation of

investments. Controlled access to electronic data processing

operations and adequate back-up (disaster recovery) in place.

Information and Communication Information and communication systems

surround all of these activities. They enable people to capture and share the information needed to conduct, manage, and control operations. Management support for developing and

maintaining effective financial management information systems.

The sharing of information on emerging risk issues with other dioceses.

Channels of communication for employees and church workers to report suspected irregularities or illegal acts.

Monitoring. The entire process must be monitored, and

modifications must be made as necessary. In this way, the system can react dynamically, changing as conditions warrant. Regular receipt and prompt acting on reports of

problems in internal controls (from external/internal auditors, etc.).

Prompt follow-up on unusual variances from budget. Periodic comparison of physical inventories of saleable

items (textbooks, cemetery lots, etc.) and permanent assets (sacred vessels, historical treasures, office equipment) to accounting records and the reconciliation of differences.

Limitations of IC Mistakes and human errors in applying the

established policies and procedures. Circumvention of controls by collusion of two

or more people (e.g., an employee and a vendor).

Intentional disregard of controls (e.g., management override, falsifying documents, forgery, etc.).

Discussed in more detail later

People and IC Bishop Finance Officers Internal Auditors Other Diocesan Personnel Volunteers Committees Finance Council

Audit committee Financial/project review committee Properties committee Investments committee

External Auditors

Key Business Cycles Financial planning and control Cash management (includes the revenue

cycle) Payroll Purchasing

Elements of IC Honest Employees

Require vacations Bonding when appropriate Awareness of conflict of interest policies “know” your employees Background checks on all potential hires

Separation of duties Recordkeeping, custodianship, authorization

Appropriate policies and procedures over transactions

Suitable documents and accounting records Physical control over assets Independent verification of performance

Financial Planning and Control Cycle Monthly Comparative Financial

Statements Chart of Accounts Policy and Procedures Manuals.

Cash Management Cycle Proper Control over:

Bank accounts Cash disbursements Cash receipts Petty cash Marketable securities Receivables Payables Payroll

Payroll Cycle Personnel Administration and

Employment File Maintenance Timekeeping and Payroll Preparation Payment of Payroll Preparation of Payroll Tax Returns and

Payment of Taxes

Purchasing Cycle Authorization of Purchase Processing Purchase Orders Receiving Goods and Services Recognizing the Liability Processing and Recording Cash

Disbursements

Guidelines for an IC Review Risk Assessment and Evaluation Suggested Steps

A project committee should be established (perhaps a subcommittee of the diocese's finance council) composed of, at a minimum:

The committee should be charged with undertaking and documenting a study of the diocesan internal control process and making recommendations for improvement. Its chair should regularly report to the bishop on progress. (Items 3-8 refer to the study/review.)

The committee should assess the overall control environment The committee should divide the entity into natural business cycles The committee should review the flow of transactions through these cycles to

understand each processing system and its controls. The committee should determine whether control techniques in place in each cycle

achieve the defined internal control objectives Where objectives are not met, the committee should assess the resultant risks and

make specific recommendations to improve internal controls at a cost below the value of the related benefit to be attained.

The committee should draft a report summarizing the project and detailing the recommendations.

The implementation of the recommendations should be periodically reviewed to ensure the desired results are achieved and to promote the diocesan culture of appreciating and embracing the value of internal controls.

Ongoing Commitment

Fraud and Irregularities The fraud triangle

Opportunity, rationalization, pressure Types of fraud

Management override Collusion Lapping Theft Accounts Payable Fraud Payroll Ghosts and Unauthorized Pay Charges Kickbacks Supplies or Inventory Fraud

Detecting Fraud Changes in employee's lifestyle, spending habits,

or behavior

Inventory shortages

Ignoring of internal/external policies or audit recommendations

Unusual banking activities

Decline in employee morale/attendance

Exceedingly high expenses/purchases

Unexplained budget variances

Zech & West:Control environment The organizational structure of the firm (in the

Catholic Church, this involves questions such as is the diocese organized as a corporation sole?)

Oversight by the board (in the Catholic Church, this is the diocesan finance council, or DFC)

Management's philosophy and operating style Procedures for delegating responsibility and

authority Management's methods for evaluating

performance External influences (e.g., regulatory oversight)

Results of Zech and West Study: Part 1: Risk Factors (as cited by CFOs) CFO’s ranked the following risk factors in this

order (highest risk to lowest risk): Lack of expertise at the parish level Parish finances and controls Litigation Adequacy of insurance coverage Property management

Results of Zech and West Study: Part 2: Importance of DFC If the Diocesan Finance Council (or one of its

committees) is involved in reviewing the diocesan budget, there is less fraud detected (better prevention). The more frequently the DFC meets, the greater the amount of fraud detected (better detection)

Results of Zech and West Study: Part 3: Importance of CFO the tenure (years of the experience on the

job) of the CFO, whether the CFO had an accounting background, and if the CFO selects the auditors all seemed to imply better fraud prevention

However, in cases where the bishop or DFC feels capable of making the auditor selection, it seems appropriate that they do so, from at least an independence viewpoint

Results of Zech and West Study: Part 4: Internal Control Variables

Those dioceses with formal, written fraud policies experienced less embezzlement, presumably the result of better prevention.

A second variable that had a positive impact on fraud detection was the frequency with which parishes submit their

financial data. A third internal control variable that was significant is

difficult to interpret. Dioceses that presented comparative financial data in their monthly budget versus actual reports experienced more embezzlement. This control is really a financial reporting control. It is not a control that would typically be used to detect embezzlements. It is a control that would more likely be used to detect errors in financial reporting.

Results of Zech and West Study: Part 5: Audit Category the frequency of internal audits of parishes

was significant and positive, and, based on the value of the standardized coefficient, the most important factor in explaining the level of diocesan fraud. This seems logical in that more frequent internal audits result in more detected embezzlements. On the other hand, one could argue that more internal audits would be a deterrent to employees and less fraud and embezzlements should occur.

Recommended environment control policies (Zech and West) Implementation in every Catholic diocese of

the policies prescribed in the USCCB handbook Diocesan Financial Issues

The establishment of fraud policies in every diocese

Annual internal audits of parishes supplemented by external audits conducted at east every three years

Public disclosure of the names and professions of every member of the Diocesan Finance Council, along with their conflict of interest guidelines

Continued - Recommendations At a minimum, quarterly meetings of the DFC (or

one of its subcommittees) to monitor diocesan office, parish, and school financial reports

Selection of the diocesan auditor by someone (bishop or DFC) other than the diocesan CFO

At least annual (and preferably more frequent) submission of financial data by all parishes and high schools

Establishment of a uniform budgeting process and standardized software for all diocesan entities

Establishment of communication channels for church workers to report suspected irregularities or fraudulent activities while protecting their anonymity.

Recommendations from USCCB An annual letter from the parish to the bishop containing

The names and professional titles of the parish finance council members,

Dates when the council met in the preceding fiscal year and since the end of the fiscal year,

Date(s) when the approved (i.e. by the parish finance council) parish financial statements/budgets were made available to the parishioners during the preceding fiscal year and since the end of the fiscal year. A copy of the published financial statements/budgets should be provided to the bishop, it added.

A statement signed by the parish priest and the finance council members that they have met, developed, and discussed the financial statements and budget of the parish.

Thorough diocesan training for parish finance council members relative to their roles and responsibilities.

Establishment of diocesan policies to cover conflicts of interest, protection of whistleblowers, and a fraud policy which would include prosecution of all fraud cases in the diocese.

Completion of an annual internal control questionnaire by each parish with proper review and follow-up made by qualified diocesan personnel.

USCCB Recommendations - continued In longer-term recommendations, the

committee urged Development of a parish best practices manual,

similar to the Diocesan Financial Issues document, which has been developed for dioceses.

Integration of financial training into seminarian programs so students will be better prepared to handle parish financial matters.

Other General Recommendations A full audit

Expensive and time consuming, but very thorough “Agreed upon procedures” in which an outside firm will look at specific

areas of the church’s finances and then make a report with recommendations. firm can perform an internal control review or they can assist in the

compilation of the church’s financial statements Have a certified public accountant (CPA) review the church’s financial

procedures and issue a management letter noting weaknesses of the system and offering recommendations.

An “inside audit” done by a committee comprised by members of the church who have expertise in accounting and finance. These can be effective, but they do have limitations because they do not

have the independence of an outside auditor If churches have good financial policies and procedures in place, a full audit

may not be necessary. It is important to report the finances of a church on a regular basis in a

manner that can be understood easily; in a nutshell, be forthright about the church’s finances

Have a time for members to ask questions and to have someone on hand who can answer those questions

Use of an internal control checklist