Evaluating A Government’s Internal Controls and a Review of How Fraud Relates to Internal Controls
Presented By Paul E. Glick
Glick Consulting Group
Email [email protected]

THE AGENDA
- Introduction and Overview
- What Are Internal Controls
- Management’s Objectives and Responsibilities
- Who Is Responsible for Internal Controls?
- What Types of Public Sector Fraud Exist?

The Agenda
- Where is the Independent Auditor?
- Internal Control Environment
- Risk Assessment
- Control Activities
- Information and Communication (Step 4)
- Monitoring

The Agenda
- Evaluating Controls Over Accounting And Financial Reporting
- Other Internal Control Pitfalls

Seminar Objectives
- Review The Framework And Concepts Of Internal Controls
- Relate These Concepts To Financial Cycles (I.E., The Real World)
- Understand Who Might Be “Ripping Us Off”

Factors Affecting our Current Environment
- Global financial crisis
- Uncertainty in unexpected places (Municipal Bond Ratings)
- Increased regulation and oversight (Tax Reform, ARRA) leading to diminished control over revenues
- Smaller staff due to budget cuts

Factors Affecting our Current Environment
- Trends in the Audit Community
- SAS 115 (documentation of internal controls and communication with those in governance)
- Risk Assessments
- Fraud Risks
- Oversight at the Federal Level
- Transparency
- COSO

Factors Affecting our Current Environment
- Governments are being asked to do more with less
- Money and human resources

The Nature of Fraud Industry
Fraud Can Be Explained By Three Key Factors:
- A Supply Of Motivated Offenders
- The Availability Of Suitable Targets
- The Absence Of Capable Guardians Or A Control System To “Mind The Store”

The Nature of Fraud Industry
- The Opportunity To Commit & Conceal Fraud Is The Only Element Over Which You Have Significant Control.
- What Are Some Of The Warning Signs?
- What Can We Do About It?

A Survey Of Folks Regarding Fraud
- 31% of All Americans are Dishonest
- Another 40% are Situationally Honest (i.e., they will be honest if it pays to be honest and dishonest if it pays to be dishonest)
- $200 Billion Employee Fraud Cost per Year Compared to $11 Billion from Violent Crime
- In Banks, 95% of Losses are from Employees and 5% are Caused by Bank Robberies
- In Retail, 70% of Losses are from Employees and 5% are Caused by Shoplifters and Customers

Fraud and Abuse in The U.S.
- U.S. Cost About $990 Billion A Year
- Government And Public Administration Have A Median Loss Of $93,000 Per Fraud Scheme
- Average Organization Loses 7% Of Revenue
- 12% Of Cases In A Study Were Frauds That Occurred In Government
- Street Crime Only Costs The U.S. $4 Billion Annually

The Facts
- Fraud Schemes Frequently Continue For Years Before They Are Detected
- The Typical Fraud In The Study Lasted 2 Years From The Time It Began Until It Was Discovered
- Frauds Are Much More Likely To Be Detected By A Tip Than By Audits, Controls Or Any Other Means
- Lack Of Adequate Internal Controls Was Most Commonly Cited As The Factor That Allowed Fraud To Occur
- Occupational Fraudsters Are Generally First-time Offenders

What Is Fraud?
- It’s When Folks Are Ripping Off The Government In Lots Of Different Ways
- Fraud Is Like A Four Letter Word
- Just Ignore It And It Will Go Away
- It Will Never Happen To Us

Common Myths About Fraud
- Most Folks Will Not Commit Fraud
- Fraud Is Not Material
- Most Fraud Goes Undetected
- Fraud Is Well Concealed
- Prosecuting Will Deter Others

Potential Cost Of Fraud
- Loss Of Confidence In The Government
- Loss To The Reputation Of Innocent Third Parties (I.E., The Remaining Staff)
- Cost To The Perpetrator
- The Public Loss

Potential Cost Of Fraud
- Diversion Of Public Resources From Intended Purpose
- Loss Of Money, Assets And Time
- Embarrassment, Guilt, Humiliation And Shame
- Subsequent Management Decisions Are Reviewed Under A Microscope
- Any Investigation Turns The Government Or Agency Inside Out

Personal Rip Offs For Glick
Send Banking Information
- Bank of America
- Wachovia Bank
- TCF Bank
- HSBC Bank
- Catawba Valley Bank
- Regions Bank
- Bank of the West
- Washington Mutual
- Bank Financial
- Huntington Bank
- Smith Barney

Personal Rip Offs For Glick
- Frank Senger - $20.5 Million
- Chief Adeniran Aderogba - $10 Million
- Dr Sikas Usman - 30% of $45.8 Million
- Dr. Ahmed Kassim - $10.5 Million
- Miss Caroline Williams – 30% Of $16.5 Million
- Mr Jack Chow – No Amount
- Jim Mcconville - $20 Million British Pounds

Personal Rip Offs For Glick
- Richard H Mason – 10% On All Payments Made
- Mr. Brendon Hopkins – 30% Of $26.5 Million British Pounds (Twice)
- Mr. Mark Johnson – Lottery - $2.5 Million British Pounds
- Mr. Carlos Moreno – 50% Of $34.5 Million
- Miss Joyce Awuse - $5.5 Million
- IRS - $109.30
- Dr Dansuki Dan - $25.5 Million

Session 2
What Are Internal Controls

What Are Internal Controls?
To put it simply, internal controls are an exercise of common sense. You are practicing good internal controls when you:
- Balance your checkbook
- Keep your ATM/debit card PIN number separate from your card
- Keep copies of your tax return
- Compare your monthly credit card statement to the credit card receipts
- Lock your car doors

What Are Internal Controls?
Internal Control Is A Process, Effected By Management And Other Personnel, Designed To Provide Reasonable Assurance Regarding The Achievement Of Objectives In The Following Categories:
- Effectiveness And Efficiency Of Operations
- Reliability Of Financial Reporting
- Compliance With Laws And Regulations

What Are Internal Controls?
- Internal Control Consists Of Five Interrelated Components That Affect Each Of The Three Categories

What Are Internal Controls?
- Internal control is a process. It is a means to an end, not an end itself.
- Internal control is effected by people.
- It’s not merely policy manuals and forms, but people functioning at every level of the institution.

Limitations on Internal Controls
- Considerations Of Costs Will Prevent Management From Ever Installing A “Perfect System”
- Controls Are Potentially Subject To “Management Override”
- Risk Of Collusion

Applying the COSO Framework
- Committee of Sponsoring Organizations of the Treadway Commission
- www.coso.org

Who Are The Organizations
- American Accounting Association
- American Institute of Certified Public Accountants
- Financial Executives International
- Institute of Management Accountants
- The Institute of Internal Auditors

COSO Internal Control – Integrated Framework
- Established A Common Definition Of Internal Control
- Provides A Standard Against Which A Government Can Assess Their Control Systems And Determine How To Make Improvements

Internal Control Components
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

Internal Control Components
Internal Control Components Interact With:
- Operations
- Financial Reporting
- Compliance

Evaluating Internal Controls
- Often, Evaluations Are Piecemeal Approaches To The Task
- Internal Controls Are Not Isolated And Are Related To One Another

Internal Controls Are Actually:
- A Coordinated Set Of Policies And Procedures That Reflect A Comprehensive Strategy For Achieving Management’s Objectives

Assessing The Internal Control Framework
- Provides A Favorable Control Environment.
- Continually Assesses Risk.
- Establishes And Maintains Effective Control-Related Policies And Procedures.
- Effectively Communicates Information.
- Monitors The Effectiveness Of Control Policies And Procedures And The Resolution Of Potential Problems Identified By Controls.

A Basic Rule
- More Is Not Better
- The Cost Of Excessive Or Redundant Controls Could Exceed The Benefits
- Employees May View Controls As Unnecessary “Red Tape”

Why Are Internal Controls So Important?
- Because The Prevention Of Fraud Is Critical And Costs Are High

Session 3
MANAGEMENT’S OBJECTIVES AND RESPONSIBILITIES

MANAGEMENT’S RESPONSIBILITIES AND THE INTERNAL CONTROL FRAMEWORK
- EFFECTIVENESS
- EFFICIENCY
- COMPLIANCE
- FINANCIAL REPORTING

EFFECTIVENESS
- DETERMINES WHETHER THE GOVERNMENT AND ITS DEPARTMENTS ARE MEETING THEIR OBJECTIVES
- GOALS AND OBJECTIVES IDENTIFIED IN BUDGETARY PROCESS
- FOCUSES ON RESULTS RATHER THAN EFFORTS
- INCLUDE OUTPUTS - HOW MUCH OF GOODS AND SERVICES ARE PROVIDED
- INCLUDE OUTCOMES - WHAT IS THE QUALITY OF GOODS OR SERVICES TO BE PROVIDED

EFFICIENCY
- MAKING OPTIMAL USE OF THE RESOURCES MADE AVAILABLE
- OBTAINING DESIRED RESULTS WITH THE LEAST EXPENDITURE OF RESOURCES
- MEASURES COSTS (I.E., EFFORT) TO RESULTS (I.E., EFFECTIVENESS)

COMPLIANCE
- ANNUAL APPROPRIATED BUDGET
- GRANTOR REQUIREMENTS
- STATE OVERSIGHT REQUIREMENTS
- IRS REQUIREMENTS
- BOND COVENANTS
- LOCAL LAWS AND REGULATIONS

FINANCIAL REPORTING
- INTERNAL FINANCIAL REPORTING
- EXTERNAL FINANCIAL REPORTING
  - SPECIAL PURPOSE
  - GENERAL PURPOSE
  - CAFR

Session 4
Who Is Responsible For Internal Controls?

Who is Responsible for Internal Controls?
- Everyone has a part in the internal control system.
- The roles vary depending upon what level of responsibility and the nature of involvement by the individual.

Who is Responsible for Internal Controls?
- Managers and supervisors are responsible for ensuring that internal controls are established and functioning to achieve the mission and objectives of their unit.
- Each employee within an area should be made aware of proper internal control procedures associated with their specific job function.

Is This Just A Problem For The Finance Office?
- Most Folks Think This Is Finance’s Problem
- But Not Really
- However, We Are Emphasizing the Finance Department In This Seminar

Management’s Responsibilities And The Internal Control Framework
- Any Entity, Be It A Government, A Business Or A Nonprofit Organization, Exists To Achieve Some Purpose
- It Is The Role Of Management To Provide The Leadership Needed For An Entity To Realize That Purpose

Management’s Responsibilities And The Internal Control Framework
- Furthermore, Management Is Not Free Simply To Act In Any Way It Might Choose To Achieve The Entity's Goals
- Management's Options And Actions Are Circumscribed By Constraints And Expectations, Both Implicit And Explicit.

Responsibility For Internal Controls
- Management Is Primarily Responsible For The Effectiveness Of Internal Controls, Like Any Other Aspects of Performance
- A Side Note - Authority And Responsibility Should Not Be Separated

Responsibility For Internal Controls
- Management Is Subject To Oversight By The Government’s Elected Officials
- The Governing Body Is Ultimately Responsible
- Internal And External Auditors Can Assist Management

Responsibility For Internal Controls
- This Stuff Is Not Something Different From Your Basic Responsibilities As Leaders And As Fiduciaries

Basic Management Responsibilities
- Achieving The Government’s Purpose (Effectiveness)
- Making Optimal Use Of Scarce Resources (Efficiency)
- Observing Restrictions On The Use Of Resources (Compliance)
- Periodically Demonstrating Accountability For Stewardship Of Resources Placed In Their Care (Reporting)

Session 5
What Types of Public Sector Fraud Exist

Profile of Fraud Perpetrator
- Male Or Female (White Males Over 60?)
- No Prior Criminal History (<8%)
- Well Liked By Co-workers
- Likes To Give Gifts/Compulsive Shopper
- Gambling Problems Not Unusual
- Long-term Employee
- Rationalizes: Starts Small Or “Borrows”
- Lifestyle Clues

General Observations Of A Fraudster
- Male
- Intelligent (Bored With The Job Routine)
- Egotistical (Scornful Of Obvious Control Flaws)
- Inquisitive (E.G., Tempted By The Discovery Of A Computer Vulnerability)
- A Risk Taker
- A Rule Breaker
- A Hard Worker
- Under Stress
- Disgruntled At Work

The Fraud Triangle
- Perceived Pressure Facing Individual
- Perceived Opportunity To Commit Fraud
- Exacerbated in Economic Downturn
- Person’s Rationalization Or Integrity

Conditions Present When Fraud Occurs
- Incentive/Pressure
- Opportunity
- Attitude and Rationalization

Causes Of Fraud
- Character And Personality
  - Financial Stress
  - Addiction
  - Disaffection
  - Pathologies
- Perceived Opportunity
  - Permits Fraud
  - Promotes Fraud

Why Folks Commit Fraud
- Grumpy Gus
- Stressed Sally
- Pill poppin’ Paula
- Never goes home Ned

Why Folks Commit Fraud
- Extravagant Ellen
- Over-spent Ollie
- Lotto Larry
- Compulsive Connie

Who Commits Fraud?
- Fraud Losses Caused By Managers And Executives Were 16 Times Greater Than Those Caused By Non-managerial Employees.
- Losses Caused By Men Were Four Times More Than Those Caused By Women.
- Losses Caused By Those 60 And Older Were 28 Times Those Caused By Perpetrators 25 Or Younger.

Generally, What is the Goal of A Fraudster?
- Cash, Cash, Cash

Types Of Public Sector Fraud
- Receipts Fraud
- Disbursements Fraud
- Assets Fraud

Cash Schemes
- Stealing Cash Funds Processed Or On Hand
- Not Recording & Stealing The Cash Receipts
- Under-Ringing & Stealing The Difference In Cash Receipts
- Altering Bank Deposits

Receipts Fraud
- Lapping – Too Much Work!
- Kiting – Bank Deposit Schemes
- Granting Bogus Credit Memos
- Forging Checks Received

Receipts Fraud
- Duplicate Payments
- Charge Off Fraud – Bogus Write-offs
- Disposal Fraud
- Credit Card Manipulation

Disbursements Fraud
- Personal Bills
- Bid Rigging
- False Claims (Fictitious Suppliers, Kickbacks)
- Conflict of Interest

Disbursements Fraud
- Travel Claim Fraud
- Procurement and Credit Cards

Payroll and Benefits Fraud
- Ghost Employees
- Unclaimed Payroll Checks
- Excess Payroll Payments (Falsifying Time Cards)
- Withholdings and W-2’s
- Vacation and Sick Pay

Theft Of Assets Fraud
- Petty Cash Fraud
- Cash Register Theft
- Consumable Inventory Theft
- Capital Asset Theft
- Using Assets For Personal Use

Red Flags
A Red Flag Is:
- A Set Of Circumstances That Are Unusual In Nature Or Vary From The Normal Activity.
- A Signal That Something Is Out Of The Ordinary And May Need To Be Investigated Further.
- Not About Guilt Or Innocence But Merely Provides Possible Warning Signs Of Fraud.

Red Flags
- Do Not Ignore A Red Flag – Studies Of Fraud Cases Consistently Show That Red Flags Were Present, But Were Either Not Recognized Or Were Recognized But Not Acted Upon By Anyone.
- Sometimes An Error Is Just An Error – Red Flags Should Lead To Some Kind Of Appropriate Action, I.E., An Investigation By A Measured & Responsible Person, But Sometimes An Error Is Just An Error And No Fraud Exists

Employee Red Flags
- Employee Lifestyle Changes
- High Employee Turnover
- Significant Personal Debt And Credit Problems
- Refusal To Take Vacation Or Sick Leave
- Behavioral Changes
- Lack Of Segregation Of Duties In A High-risk (Vulnerable) Area

Employee Red Flags
- Reluctance To Provide Information To Auditors
- Photocopied Or Missing Documents
- Weak Internal Control Environment
- Unexpected Overdrafts Or Declines In Cash Balances
- Decisions Dominated By An Individual Or Small Group

Employee Red Flags
- Excessive Number Of Year-end Transactions
- Management Displays Significant Disrespect For Regulatory Bodies
- Excessive Number Of Or Frequent Changes In Checking Accounts
- Accounting Personnel Are Lax Or Inexperienced

Employee Red Flags
- High Employee Turnover Rate
- Compensation Is Out Of Proportion
- Decentralization Without Adequate Monitoring
- Frequent Changes In External Auditors

Red Flags in Cash
- Excessive Number Of Voids
- Presence Of Personal Checks In Petty Cash
- Unauthorized Bank Accounts
- Excessive Or Unjustified Cash Transactions
- Large Number Of Account Write-offs
- Sudden Activity In A Dormant Account

Red Flags in Payroll
- Inconsistent Overtime Hours For A Cost Center / Department
- Overtime Charged During A Slack Period
- Overtime Charges For Employees Who Normally Would Not Have Overtime Wages
- Budget Variations For Payroll By Cost Center / Department
- Employees With Duplicate Social Security Numbers, Names, And Addresses
- Employees With Few Or No Payroll Deductions

Red Flags in Procurement
- Increasing Number Of Complaints About Services
- Vendors Without Physical Address
- Lack Of Physical Security Over Assets / Inventory
- Payments To Vendors Not Included On An Approved Vendor List
- Vendor Address Matching Employee Address

Red Flags in Procurement
- Purchases That Bypass Normal Procedures
- Charges Without Shipping Documents
- Vendor Payments Picked Up Rather Than Having Them Mailed
- High Volume Of Purchases From New Vendors

Profile of a Government At Risk
- Less Than 100 Employees.
- Management Ignores Irregularities.
- High Turnover With Low Morale.
- Staff Lacks Training


Session 6
Where Is The Independent Auditor?

The Independent Auditor
● Once The Independent Auditor Is Finished With The Annual Audit, Can Everyone Relax And Assume That “No One Got Us This Year?”
● Of Discovered Fraud, the Independent Auditor Only Finds about 9%

Why Do Auditors Fail To Detect Fraud?
● Lack of Training
● Accept any Reasonable Explanations
● Going Through the Process of Ticking and Tying Numbers
● They May Not Want to Find Fraud, It Causes Problems
● They May Be Embarrassed
● Not Enough Time Budgeted for the Audit

Types of Audits
● Financial Audits
● Performance Audits

The Independent Auditor
● The Auditor Reports On The Adequacy Of Existing Controls Within The Government
● The Auditor Must Carefully Evaluate The Internal Control System As A Basis To Determine The Degree Of Audit Procedures Necessary In The Circumstances

New Statements on Auditing Standards
● A Few Years Ago, The Rules For Auditors Were Changed And Expanded Substantially

What Created The Need?
● Corporate Fraud In The “Roaring 90’s” Which Became Known In The Early 2000’s
● Sarbanes Oxley Act Of 2002 (Private Sector)
  ● Required Additional Internal Controls By Management
  ● Created A New Agency (PCAOB) To Closely Scrutinize Public Company Audits
  ● Removed The AICPA From Any Authority For Public Company Audit Standards And Peer Review

A New Audit Approach
● A Risk Based Audit
● The Government Must Identify Key Internal Controls That Relate To High Risk Areas
● Some of the Areas Might Include:
  ● Cash
  ● Investments
  ● Budget
  ● Revenue Receipts
  ● Expenditures
  ● Payroll
  ● Consumable Inventories
  ● Capital Assets
  ● Grants

Do the Auditors Look At Everything?
● Auditors Obtain Reasonable Assurance, Not Absolute Assurance
● Materiality
● The Single Audit
  ● The Auditor May Report on Compliance and Internal Controls
  ● Major Federal Awards

Internal Audit Function
● Management Can Improve The Quality Of The Environment By Establishing An Internal Audit Function
● Report Directly To Top Management (Or The Elected Officials?)
● Monitoring The Effectiveness Of Control Related Policies And Procedures
● Internal Auditors Can Be Of Great Value To State And Local Governments In A Variety Of Ways.
● In Particular, They Commonly Assist Management In Monitoring The Design And Proper Functioning Of Internal Control Policies And Procedures.
● In This Capacity, Internal Auditors Themselves Function As An Additional Level Of Control And So Help To Improve The Government’s Overall Control Environment.
● Internal Auditors Also Can Play A Valuable Role Conducting Performance Audits, As Well As Special Investigations And Studies

Internal Audit Considerations
● Don’t Let The Audit Function Become A Political Football
● Don’t Promise The Moon
● Don’t Let The Auditors Become Free Roaming Chickens.
● Don’t Fly By The Seats Of Your Pants
● Don’t Use The Shotgun Approach To Scoping An Audit
● Never Leave A White Elephant In The Auditee’s Office.
● Don’t Count Your Chickens Before They Hatch. Never Assume The Auditee Fixed The Problem.

GFOA Recommendations
● Every Government Should Consider The Feasibility Of Establishing A Formal Internal Audit Function Because Such A Function Can Play An Important Role In Helping Management To Maintain A Comprehensive Framework Of Internal Controls.
● As A Rule, A Formal Internal Audit Function Is Particularly Valuable For Those Activities Involving A High Degree Of Risk (E.G., Complex Accounting Systems, Contracts With Outside Parties, A Rapidly Changing Environment).
● If It Is Not Feasible To Establish A Separate Internal Audit Function, A Government Is Encouraged To Consider Either
  1) Assigning Internal Audit Responsibilities To Its Regular Employees Or
  2) Obtaining The Services Of An Accounting Firm (Other Than The Independent Auditor) For This Purpose
● The Internal Audit Function Should Be Established Formally By Charter, Enabling Resolution, Or Other Appropriate Legal Means;
● It Is Recommended That Internal Auditors Of State And Local Governments Conduct Their Work In Accordance With The Professional Standards Relevant To Internal Auditing Contained In The U.S. General Accounting Office’s Publication Government Auditing Standards, Including Those Applicable To The Independence Of Internal Auditors;
● At A Minimum, The Head Of The Internal Audit Function Should Possess A College Degree And Appropriate Relevant Experience.
● It Also Is Highly Desirable That The Head Of The Internal Audit Function Hold Some Appropriate Form Of Professional Certification (E.G., Certified Internal Auditor, Certified Public Accountant, Certified Information Systems Auditor); And
● All Reports Of Internal Auditors, As Well As The Annual Internal Audit Work Plan, Should Be Made Available To The Government’s Audit Committee Or Its Equivalent.

Goals Of Audit Committee
● Ensure That Management Is Maintaining A Comprehensive Framework Of Internal Control
● Ensure That Management’s Financial-reporting Practices Are Assessed Objectively
● Determine That The Financial Statements Are Properly Audited And That Any Problems Disclosed In The Course Of The Audit Are Satisfactorily Resolved

Key Benefits
● Practical Tool For Focusing Board Attention
● Direct Communications Link Between The Independent Auditors And The Governing Body
● Forum In Which The Independent Auditors Can Candidly Discuss Audit-related Matters With Members Of The Governing Board Apart From Management

Applicability to Small Governments
● Smaller Governments Have The Same Basic Responsibility As Larger Governments
● An Audit Committee Is Just As Necessary For Both

Level Of Expertise Needed Of Members
● Sufficient Understanding To Perform Duties With Expert Assistance (I.E., Financial Expert)
● New Or Prospective Members Typically Should Receive Some Brief Formal Training
  ● Role Of The Audit Committee
  ● Their Personal Responsibility As Audit Committee Members
● Training Should Underscore Professional Skepticism In Dealing With Management

Relationship With Independent Auditors
● Auditors Report Directly To Audit Committee
● Provision To Meet Privately
  ● Amend “Sunshine” And “Open Meetings” Laws Accordingly
● Two Views
  ● Traditional: Internal Auditors/Management As Audit Committee/Governing Body
  ● Emerging: Completely Independent Of Management
● Trade-off
  ● Management Involvement And Cooperation V. Independence

Basic Tasks
● Determining The Scope Of The Audit
● Determining The Scope Of “Nonaudit” Services
● Managing The Audit Procurement Process
● Selecting The Independent Auditors
● Reviewing The Financial Statements
● Reviewing The Auditor’s Report
● Reviewing The Comprehensive Framework Of Internal Control
● Assessing The Performance Of The Independent Auditors
● Providing An Independent Forum For Findings Of Fraud, Abuse, Or Control Override

Session 7
The Internal Control Environment

The Control Environment
● Sets The Tone For The Government
● Influences Control Consciousness
● Foundation For All Other Control Components
● Includes: Integrity, Ethical Values, Competency, Management’s Philosophy, And The Way Authority And Responsibility Are Assigned
● Corporate Culture (Enron) (A 60 Page Code of Ethics)
● Does Management Believe That Internal Controls Are Important To Achieving Its Goals And Objectives?
● Does Management View Internal Controls As An Obstacle To Achieving Its Goals And Objectives?

“Who Knew Who They Were? There Was No Place For Me To Voice My Concerns, Either To The Internal Audit Function Or The Audit Committee. Remember, I Was Not In The Accounting Department. But Even If I Were, I Think I Would Have Known It Would Have Been Fruitless, Because I Would Have Had Access To Junior Auditors Who Were Simply Not In The Position To Raise The Flags That Would Have Hurt Their Senior Auditors And Account Executives.”
Sherron Watkins, Enron Corporation

The Control Environment
● The “Way We Do Things Around Here”
● Sets The Tone Of The Government, Influencing The Control Consciousness Of Its Staff

Management’s Attitude
● What Is The Tone At The Top?
  - Management
  - Elected Officials
● Will Management Allocate Resources To Internal Controls?
● Are There High Ethical And Professional Standards?
● Does Management Cut Corners?

The Typical Environment in Which Fraud Occurs
● Trust Is Placed In Employees
● Employees Have Detailed Knowledge Of The Accounting Systems And Their Weaknesses
● Management Domination Subverts Normal Internal Controls
● Management Adds Pressure To “Make The Numbers”
● Expected Moral Behavior Is Not Communicated To Employees
● Unduly Liberal Accounting Practices
● Ineffective Or Nonexistent Internal Auditing Staff.
● Lack Of Effective Internal Controls.
● Poor Accounting Records.
● Related Party Transactions.
● Incomplete And Out Of Date Procedural Documentation.
● Management Sets A Bad Example.

Practical Application - Control Environment
● Establish Current Policies With Regard To Ethical Behavior (Code Of Conduct), Conflict Of Interest, Nepotism
● Enforce Appropriate Discipline For Failure To Comply With These Policies
● Ensure Personal Adherence To Strong Moral Code
● Reward Competency
● Place High Degree Of Importance On Maintaining Strong Internal Control
● Provide For A “Whistle Blower” Policy That Allows Employees And Others To Report Fraud Or False Statements By The Management Team

Impact of the Control Environment
● Don’t Underestimate The Importance Of This Part Of The Control System.
● All The Great Control Activities In The World Will Not Be Effective If Employees Know That Management Is Not Concerned With Strong Internal Control, Lacks Integrity Or Does Not Value Their Employees

Control Environment Pitfalls
● Ignoring The Tone That Management Sets Or Thinking That The Control Environment Is Not Important.
● Inconsistency In Treatment Of Lapses In Ethical Conduct.
● Allowing Employees To Feel Devalued.

Maintaining A Qualified Staff
● Competent And Honest Staff
● Up To Date Job Descriptions
● Follow Appropriate Hiring Policies (E.G., Not Hiring A Relative Or A Buddy)
● Assign Authority And Responsibility
● Ensure That Employees Are Trained
● Review And Document Performance
● Set Appropriate Performance Goals For Promotion

Session 8
Risk Assessment

What Is Risk Monitoring And Assessment?
● The Government’s Identification And Analysis Of Relevant Risks To Achieve Its Objectives, Forming A Basis On How They Should Manage The Risks

Risk Assessment
● Risks Result From Both External And Internal Sources
● These Change Over Time Based On Economic, Regulatory, And Operating Conditions
● Risk Assessment Must Link Identified Policy Objectives To Specific Risk Factors
  ● Example: A Policy Of Receiving The Highest Rate Of Return On Investments Must Be Linked To Interest Rate Risk
  ● Example: A Policy Of Allowing Payment From Vendor Statements Rather Than Original Invoices Only Must Be Linked To The Risk Of Duplicate Payments
  ● Example: A Policy Of Decentralized Cash Receipts Must Be Linked To The Risk Of Untimely Deposit And Recording To The General Ledger.
● Risk Assessment Must Also Link Identified Control Objectives To Specific Risk Factors
  ● All Transactions Are Properly Authorized
  ● Transactions Are Recorded In The Correct Period For The Correct Amount
  ● All Revenues Are Received And Recorded Timely
  ● Assets Are Not Stolen Or Lost
● Risk Factors Are Created By:
  ● The Nature Of Particular Accounts Or Transactions
  ● Turnover In Key Employee Positions
  ● Changes In The Financial Markets
  ● The Expertise Of The Personnel Handling Transactions
  ● Ineffective Or Poorly Designed Control Activities

Practical Application - Risk Assessment
● Be Realistic About The True Risk With Regard To A Particular Account Or Cycle Of Transactions
● Consider All Types Of Applicable Risk: Inherent, Control Risk, Fraud Risk, Credit Risk, Etc
● Make Sure To Address IT Risk
● Identify “What Could Go Wrong?”

Risk Detection
● It Is Like A Physician
● It Is Like An Attorney
● Prevention And Quick Corrective Action

Inherent Risk
● It Is Life!
● Complexity
● Cash Receipts
● Direct Third Party Beneficiaries
● Degree Of Centralization
● Prior Problems
● Prior Unresponsiveness To Identified Control Weaknesses

Effect Of Change On Risk Management
● Changes In The Environment
● Changes In Personnel
● Changes In Technology
● Rapid Growth
● New Programs And Services
● Changes In Structure

What Could Go Wrong? Example: Cash Disbursements
● Payments Could Be Made To Fictitious Vendors
● Disbursements Could Be Made For The Wrong Amount
● Duplicate Payments Could Be Made On An Invoice
● Disbursements Could Be Recorded In The Wrong Period

What Could Go Wrong? Example: Investments
● Excessive Transaction Fees Could Be Charged To The Government.
● Investments Held By The Government Could Be Stolen (Certificates Of Deposit).
● Investments Outside The Government’s Risk Tolerance Could Be Purchased And Result In Loss Of Principal.

What Could Go Wrong? Example: Cash Receipts
● Funds Received Could Be Credited To The Wrong Customer Account
● Cash Could Be Stolen By An Employee
● Amounts Received Could Be Recorded Net Rather Than Gross
● Amounts Receivable May Never Be Collected Due To Failure To Follow Up On Past Due Amounts

Risk Matrix – Cash Receipts

| Objective | Risk Factors | Impact Ranking | Probability Ranking |
|---|---|---|---|
| All collections are properly identified, control totals developed, and collections promptly deposited intact. | Failure to record cash receipts, withholding or delaying the recording of cash receipts. | 5 | 4 |
| All bank accounts and cash on hand are subject to effective custodial accountability procedures and physical safeguards. | Misappropriated cash or petty cash funds, diverted cash receipts, unauthorized cash disbursements, loss of funds. | 5 | 3 |
| All transactions are properly accumulated, correctly classified and summarized in the general ledger; balances are properly and timely reconciled with bank statement balances. | Misstating cash balances, covering unauthorized transactions by falsifying bank reconciliation. | 4 | 3 |
| All transactions are promptly and accurately recorded in adequate detail records and appropriate reports are issued. | Covering unauthorized transactions by substituting unsupported credits or fictitious expenditures to cover misappropriated collections, under or overestimating cash or receivables. | 3 | 4 |

Practical Application - Risk Assessments
● Risk Assessments Can Be Documented Via Narrative, Checklist Or Matrix
● Tools Available Include:
  ● COSO Documents Available Via AICPA
  ● PPC Checklists Or Other Auditor Utilized Templates
  ● Local Government Websites (Perform Google Search For “Government Internal Control”)
● Remember That Use Of A Third Party Does Not Eliminate Management’s Responsibility For Assessing Risks.
  ● Structure Of Agreement Is Important
  ● Obtain SAS 70
  ● Reconcile Reports To General Ledger (As Applicable)
● Remember That IT Controls Can Affect Risk For All Cycles Of Transactions. Well Designed Internal Controls Can Be Made Ineffective By Poor Controls Over IT.
  ● System Log-in Should Mirror Job Responsibilities
  ● Passwords
  ● Remove Temporary Access Granted Once No Longer Appropriate
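
The two IT points above (log-in rights that mirror job responsibilities, and temporary access removed once it is no longer appropriate) lend themselves to a periodic access review. The Python below is an added example, not part of the original presentation; the role names, permission names, conflict pairs and grant records are hypothetical, constructed sample data.

```python
from datetime import date

# Hypothetical baseline: what each job role is supposed to be able to do.
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice.enter", "vendor.view"},
    "finance_manager": {"invoice.approve", "bank_rec.review", "vendor.view"},
    "accountant": {"bank_rec.prepare", "gl.post", "vendor.view"},
}

# Hypothetical pairs of permissions one person should not hold together,
# because holding both lets the same user prepare and approve a transaction.
CONFLICTS = [
    ("invoice.enter", "invoice.approve"),
    ("bank_rec.prepare", "bank_rec.review"),
]

# Constructed sample data: user -> job role.
USERS = {"jdoe": "ap_clerk", "msmith": "finance_manager", "tlee": "accountant"}

# Constructed sample data: (user, permission, temporary_until or None).
GRANTS = [
    ("jdoe", "invoice.enter", None),
    ("jdoe", "vendor.view", None),
    ("jdoe", "invoice.approve", date(2024, 3, 31)),  # cover for a manager on leave
    ("msmith", "invoice.approve", None),
    ("msmith", "bank_rec.review", None),
    ("tlee", "bank_rec.prepare", None),
    ("tlee", "gl.post", None),
    ("tlee", "bank_rec.review", None),  # permanent grant outside the job role
]


def review_access(users, grants, role_permissions, conflicts, today):
    """Return sorted (user, permission, finding) tuples for an access review."""
    findings = []
    held = {}
    for user, perm, until in grants:
        # Everything still present in the system counts as held, including
        # temporary grants whose end date has passed but were never removed.
        held.setdefault(user, set()).add(perm)
        baseline = role_permissions.get(users.get(user), set())
        if until is not None and until < today:
            findings.append((user, perm, "temporary_access_expired"))
        elif until is None and perm not in baseline:
            findings.append((user, perm, "outside_job_role"))
    for user, perms in held.items():
        for first, second in conflicts:
            if first in perms and second in perms:
                findings.append(
                    (user, first + "+" + second, "segregation_of_duties_conflict"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(USERS, GRANTS, ROLE_PERMISSIONS, CONFLICTS,
                                 today=date(2024, 6, 30)):
        print(finding)
```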

Risk Assessment Pitfalls
● Trying To Identify A Control For Every Risk Factor.
● Ignoring The Possibility Of Existing Compensating Controls.
● Not Performing A Risk Assessment Annually Or At Least When Key Factors Have Changed (Regulatory, Employee Turnover, Etc.)
● Ignoring IT Controls.

Session 9
Control Activities

Control Activities
● The Policies And Procedures That Ensure Management’s Directives Are Followed
● These Occur At All Levels Throughout The Organization
● Include: Approvals, Authorizations, Verifications, Reconciliations, Security Of Assets, Segregation Of Duties And Review Of Operating Performance

Practical Application - Control Activities
● Address Control Objectives: Existence Or Occurrence, Completeness, Valuation Or Allocation, Rights And Obligations, Accuracy Or Classification, Cutoff And Presentation And Disclosure
● Tie Control Activities To Risks Previously Identified And Address “What Could Go Wrong” Scenarios
● Balance Cost And Benefit
● Identify Control Objectives And The Risks Of What Could Happen
● For Each Risk Factor Identified, Evaluate The Potential Impact And Probability Of Occurrence
● Design Control Activities To Address High Impact, High Probability Concerns
● Evaluate Annually

Practical Application - Control Activities

Risk Matrix: Cash Receipt Example

| Objective | Risk Factors | Impact Ranking | Probability Ranking | Control Procedure |
|---|---|---|---|---|
| All collections are properly identified, control totals developed, and collections promptly deposited intact. | Failure to record cash receipts, withholding or delaying the recording of cash receipts. | 5 | 4 | Cash receipts are posted daily to the accounts receivable. The cash receipts are reconciled to daily bank deposits. Bank reconciliations are performed timely to reconcile all bank deposits. |
| All bank accounts and cash on hand are subject to effective custodial accountability procedures and physical safeguards. | Misappropriated cash or petty cash funds, diverted cash receipts, unauthorized cash disbursements, loss of funds. | 5 | 3 | Bank reconciliations are performed timely to reconcile all bank deposits and disbursements to the general ledger. Petty cash funds and cash receipts deposits are securely maintained in a safety bag, lockbox, or safe depending on their location. Bank deposits are delivered to the bank daily in secure bank bags. |
| All transactions are properly accumulated, correctly classified and summarized in the general ledger; balances are properly and timely reconciled with bank statement balances. | Misstating cash balances, covering unauthorized transactions by falsifying bank reconciliation. | 4 | 3 | Bank reconciliations are reviewed by management independent of the individual that prepares them. |
| All transactions are promptly and accurately recorded in adequate detail records and appropriate reports are issued. | Covering unauthorized transactions by substituting unsupported credits or fictitious expenditures to cover misappropriated collections, under or overestimating cash or receivables. | 3 | 4 | Cash receipts are posted daily to the accounts receivable. The cash receipts are reconciled to daily bank deposits. Bank reconciliations are performed timely to reconcile all bank deposits. |
Risk Matrix
Cash Disbursements Example

Objective: All checks are prepared on the basis of adequate and approved documentation, compared with supporting data and properly approved, signed and mailed.
Risk Factors: Incorrect or duplicate payments, alteration of checks, disbursement for materials or services not properly documented or approved.
Impact Ranking: 5
Probability Ranking: 5
Control Procedure: Cash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the Finance Manager before being processed for printing and sent out.

Objective: All requests for goods and services are initiated and approved by authorized individuals, and are in accordance with budget and appropriation guidelines.
Risk Factors: Purchases from unauthorized vendors, purchases in violation of a conflict of interest policy, purchases that demonstrate unfair bidding practices, purchases are not made timely, purchases not in accordance with budget provisions.
Impact Ranking: 5
Probability Ranking: 4
Control Procedure: Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City budget officer reviews for budget restrictions on purchase orders.

Objective: All invoices processed for payment represent goods and services received and are accurate as to terms, quantities, prices and extensions; account distributions are accurate and agree with established account classifications.
Risk Factors: Payment based on improper price or terms, accounting distribution of cost is inaccurate.
Impact Ranking: 5
Probability Ranking: 3
Control Procedure: The City only processes payment from invoices and costs are allocated based on the expenditure accounts on the initiating purchase order.
Practical Application - Control Activities
- It Is Not Necessary To Address Every Risk Factor With A Specific Control Activity – Focus On Key Areas
- Utilize Compensating Controls Where “Textbook Approach” Is Not Practical
- Evaluate The Benefit Of Existing Monitoring Controls
Risk Matrix
Cash Disbursements Example

Control Procedure
- Cash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the Finance Manager before being processed for printing and sent out.
- Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City budget officer reviews for budget restrictions on purchase orders.

Compensating Control
- Cash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the City Clerk (City Manager) before being processed for printing and sent out.
- Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City Clerk reviews for budget restrictions on purchase orders.
Key Control Activities
- Address Unusual Transactions Or Variance From Expected Benchmarks In Timely Fashion
- Reconcile Accounts Per General Ledger To Subsidiary Ledgers Or Statements From Trustee/Custodian (As Applicable)
- Separate Initiation And Authorization From Recording Of Transactions
Key Control Activities
- Provide For Oversight By Interested Party Such As Investment Committee (Include Trustee Activities), Audit Committee Or Citizens’ Group
- Utilize Disclosure Checklist To Ensure Presentation And Disclosure Requirements Are Met
Control Activities Pitfalls
- Remember That For Small Governments Key Objectives Must Be Identified
  - Reducing The Risk Of Theft Or Fraud
  - Providing For Accountability
  - Ensuring Compliance With Regulations
- Focus On True Effectiveness – Not Just Cookie Cutter Approaches
- Ensure Benefit Justifies The Cost
Session 10
Information and Communications
Information and Communication
- Includes Both Internal And External Interaction
- Requires Pertinent Information To Be Identified, Captured And Communicated In A Form And Timeframe For Employees To Carry Out Their Responsibilities
- Reports Must Contain Relevant Operational, Financial And Compliance Information
Practical Application - Information and Communication
- System Generated Reports Must Include Relevant Information
- Statements From Outside Third Parties (Broker/Dealers, Bank Statements, Grantor Agency) Must Be Channeled To Correct Personnel And Provided Timely
Information And Communication
Example: Investments
- Communication With Investment Committee Or Other Oversight Body Should Include:
  - Types Of Investments Held
  - Average Rate Of Return For Period And YTD Compared With Benchmarks
  - Average Maturity Of Portfolio
  - Compliance With Investment Policy Provisions
Information and Communication
Example: Investments
- Communication With Investment Committee Or Other Oversight Body Should Also Include:
  - Changes In Investment Strategy (If Any)
  - Interest Rate Environment Changes
  - Discussion Of Any Unusual Transaction Or Particularly Risky Investment
Information and Communication
Example: Cash Disbursements
- Communication With Departments
  - Budget To Actual Report By Budgeted Line
  - Request To Explain Certain Variances
  - Detail Of Capital Assets Added To Subledger
- Communication With Council
  - Budget To Actual Comparison By Department
  - Explanations For Variances Over A Certain Threshold
Information and Communication
Example: Cash Receipts
- Daily Cash Reports Should Show Revenue By Major Categories Such That Reconciliation To The General Ledger Is Facilitated.
- The Date Of Receipt And Date Of Deposit Should Be Included Along With The General Ledger And Bank Account Information.
Information And Communication Pitfalls
- Generating Reports That Provide Inaccurate, Untimely Or Unnecessary Information
- Providing Inappropriate Information Outside The Organization (SS #, Employee Evaluations)
- Failure To Verify Accuracy Of Externally Provided Reports
Session 11
Monitoring
Monitoring
- Assessing The Quality Of The Internal Control System And Making Modifications As Needed
- This Process Is Ongoing Through The Normal Course Of Operations And At Separate Specific Evaluations Of A Particular Process
Monitoring
- COSO Framework States That “Monitoring Ensures That Internal Control Continues To Operate Effectively.”
- The COSO Framework Recognizes That Risks Change Over Time And That Management Needs To “Determine Whether The Internal Control System Continues To Be Relevant And Able To Address New Risks.”
Monitoring
- The Original COSO Report On Internal Controls Was Issued In 1992.
- In 2009, COSO Issued “Guidance On Monitoring Internal Control Systems”
- Emphasized Importance Of Monitoring Controls As Part Of Even Small Government Environments.
Monitoring
- Monitoring Is Both An On-going Process And Can Be Annual In Nature (Testing Of Key Controls)
- Process Can Be Done Annually By The Internal Audit Department (As Applicable) Or As An Internal Review By Finance Personnel.
Practical Application – Examples of Monitoring
Cash Receipts
- Performing A Review Of Bank Reconciliations On A Monthly Basis And Signing Off As Having Reviewed These.
- Monthly Comparison Of Actual Receipts To Budgeted Receipts And Investigation Of Significant Discrepancies.
- Annually Selecting A Few Transactions To Ensure Proper Recording.
Practical Application – Examples Of Monitoring
Cash Disbursements
- Performing A Review Of Bank Reconciliations On A Monthly Basis And Signing Off As Having Reviewed These.
- Monthly Comparison Of Cash Disbursements To Budgeted Expenditures/Expenses And Investigation Of Significant Discrepancies.
Practical Application – Examples Of Monitoring
Cash Disbursements
- Reconciliation Of P-card Purchases By Someone Other Than The Card Holder
- Annual Test Of A Selection Of Transactions For Proper Recording.
Practical Application – Examples of Monitoring
Investments
- Performing Investment Portfolio Review (Including Evaluation Of Concentration And Type Of Investments) Quarterly By Person Independent Of Investment Portfolio Management
- Disclosure Of Conflict Of Interest Statement Annually By Portfolio Manager
- Obtaining A SAS 70 Report From Custodian Annually
Practical Application - Monitoring
- Controls Will Change As The Makeup Of An Account Changes
- Controls Should Be Evaluated When There Are Changes In Key Personnel Or Software Applications
- Be Responsive To Information Requests Of Key Management Personnel
- Review Policies And Procedures Annually
Monitoring Pitfalls
- Failure To Perform Any Monitoring Control Activities.
- Overkill For The Organization's Size. One Or Two Key Data Cycles Or Areas Can Be Selected Each Year For Testing Of Controls.
- No Attempt To Actually Test Key Controls In Some Fashion.
- Failure To Evaluate Controls When Personnel Or Software Changes.
Session 12
Evaluation Controls Over Accounting And Financial Reporting
Know Where To Start
Identify Control Cycles
Basic Control Cycles
- Obtaining Resources
- Applying Resources
Identify Control Cycles
- It Is Easy For Management To Be Daunted By The Sheer Volume And Complexity Of Controls Over Accounting And Financial Reporting.
- Accordingly, The First Step In Evaluating These Controls Is To Know Where To Start.
- The Best Place To Begin Is By "Breaking Down" What A Government Does Into Manageable Groupings Of Similar Or Related Activities, Commonly Known As "Control Cycles."
Obtaining Resources
The Resources Inflows Control Cycle
- Obtaining Legal Claim (Levy The Tax, Provide The Service)
- Demanding Payment (From Taxpayers, Customers And Grantors)
- Converting To Cash (Collect)
Applying Resources
The Resources Outflows Control Cycle
- Applying Resources (Issue Purchase Orders, Approve Contracts, Hire Employees, Award Grants)
Applying Resources
The Resources Outflows Control Cycle
- Ensuring Conditions Met (Receipt Of Goods Or Services, Compliance With Grant Requirements)
- Making Cash Payments
Interim Management
- Governments Are Not Able To Apply Immediately All Of The Resources They Obtain.
- Rather, There Will Be A Greater Or Lesser Interval Between When Resources Are First Obtained And When Those Resources Are Finally Converted Into Goods And Services
- During This Interval, A Government Must Carefully Manage The Resources Entrusted To Its Care.
Interim Management
- First, Liquid Resources (E.G., Cash) Must Be Properly Protected And Used To Best Advantage Until Needed (I.E., Invested Or Placed On Deposit).
- Second, Non Liquid Assets Used In The Provision Of Services (E.G., Equipment, Inventories Of Supplies) Must Be Properly Protected And Maintained.
- When Both Of These Processes Are Combined Together, The Result Is A Third Control Cycle For "Resource Management."
Seven Important Steps
- Vulnerability Assessment
- Documenting Transactions
- Identifying Specific Risks
- Identifying Compensating Controls
Seven Important Steps
- Evaluating The Design Of Compensating Controls
- Testing Compensating Controls
- Assessing The Results Of Testing
Session 13
Control Cycles
A Final Review
Cash Controls
- Collection Controls
- Disbursement Controls
- Custody Controls
- Accounting Controls
- Reconciliation Controls
Investments Controls
- Segregation of Duties
- Procedural Controls
- Custody Controls
- Accounting Controls
Capital Asset Controls
- Segregation of Duties
- Procedural Controls
- Authorization Controls
- Asset Accountability Controls
- General Ledger Controls
Inventory Controls
- Segregation of Duties
- Authorization Controls
- Receipt/Issues Controls
- Physical Inventory Controls
Procurement Controls
- Segregation of Duties
- Procedural Controls
- Requisition Controls
- Procurement Controls
- Receiving Controls
- Invoice Processing Controls
Personnel and Payroll Controls
- Segregation of Duties
- Procedural Controls
- Personnel Controls
- Payroll Processing Controls
IT Controls
- Segregation of Duties
- Procedural Controls
- Documentation Controls
- Data Controls
- Security Controls
- Inventory Controls
Session 14
Other Internal Control Pitfalls
A Final Reminder About I/C Pitfalls
- Don’t Focus On Areas Where Risk Is Low
- Don’t Ignore Risk Factors You Become Aware Of Throughout The Year
- Talk To Your Auditors About Areas Of Concern They May Have And New Auditing Standards That Will Affect Your Audit.
- Make Sure To Tailor Any “Borrowed” P&P To Your Organization.
A Final Reminder About I/C Pitfalls
- Remember That The Cost Of Implementing The Control Structure Should Not Outweigh The Benefit.
- Remember To Address Budget, Grant And IT Controls.
Summary
- The Control Environment Establishes The Importance Of Internal Control.
- Risk Assessments Must Be Realistic And Performed When Changes To Objectives Or Policies Occur, There Is Turnover In Key Employees Or Significant Changes In The Financial Markets.
Summary
- Control Activities Should Be Focused On Areas Of Highest Risk. Monitoring Controls Are An Effective Stopgap For Smaller Entities.
- Information And Communication Must Provide Relevant Information For Managing The Assets And Liabilities Of The Entity.
- Monitoring Of The Internal Control System Is An Ongoing Process.
Session 15
Red Flags and Fraud
How to Catch a Fraudster
- Independent Auditor
- Internal Audit
- Getting Ratted Out
- Oops Method
How to Catch a Fraudster
- Rotate those Job Duties
- The Spot Check
- And, the Surprise Attack
Eliminate Fraudster Potential
- Background Check
  - Criminal
  - Credit
  - References
  - Verify the Social
Eliminate Fraudster Potential
- Background Check
  - Driving Record
  - The Education
  - Professional Credentials
  - Drug Testing
Tips – Employee Changes
- Attendance
- Tardiness
- Avoiding Others
- Bathroom Breaks
Tips – Employee Changes
- Listen
- Look
- Smell
- Observe
- Ask
Top Ten Reasons Fraud Beats Internal Controls
And What Management Can Do About It?
“Fighting the Last War”
- Accountants Too Often Allow Themselves To Focus Almost Exclusively On Past Weaknesses Rather Than On Current And Future Exposures (Like Putting Up Traffic Signals Only After An Accident Occurs)
Establish A System Of Proactive Fraud Policies – Don’t Wait For Something To Pop Up!
- Use Of The Analytical Review
- Watch For Increasing Expenses, Increasing Receivables/Decreasing Cash, Increasing Revenue/Decreasing Cash
- Use Fraud Assessment Questions With Each Employee
Establish A System Of Proactive Fraud Policies – Don’t Wait For Something To Pop Up!
- Enforce A Mandatory Vacation Policy With A Senior Person Filling The Position For Several Days
- Enforce A Mandatory Job Rotation Policy
- Periodically, Stage A Surprise Audit Of Each Position
Detection of Fraud Schemes
- Tip (46.2%)
- By Accident (20%)
- Internal Audit (19.4%)
- Internal Controls (23.3%)
- External Audit (9.1%)
- Notified by Police (3.2%)
Control Related Policies
- Authorization
- Properly Designed Records
- Security Of Assets And Records
- Segregation Of Duties
- Periodic Reconciliations
- Periodic Verifications
- Analytical Review
1. Goin’ Through the Motions
- Process Mentality
  - Just Doing The Steps In The Process
  - Not Thinking About What One Is Doing
- Example: Two Signatures Required On Checks. Both Check Signers Fail To Notice The Check Has No Payee And Still Sign The Check
- Remedy: Reinforce The Need To Pay Attention And The Consequences For Failure
2. See No Evil, Hear No Evil
- Blind Trust
  - Failure To Acknowledge Warning Signals
- Example: Failure To Follow Up On A Customer Complaint Of An Incorrect Bill For Service And Relying On The Experienced And Valued Billing Clerk’s Response That It Was Just An Error.
- Remedy: Realize That Anyone Can Commit Fraud. Assume Discrepancies Are Fraud And Prove To Yourself It Is Only An Error.
3. It’s Good to be The King
- Positional Immunity
  - Rationalizing That Controls Don’t Apply To Me Because I Am In Upper Management.
  - Often Referred To As Management Override.
- Example: Executive Director Doesn’t Report Leave Used, But Still Gets Paid For Unused Leave Annually.
- Remedy: Identify Someone Within Or Outside The Entity That You Can Report These Circumstances To And Not Jeopardize Your Job.
4. New Kid on the Block
- Situational Incompetence
  - New Employee Not In A Position To Question Why
- Example: New Accounts Payable Clerk Questions Why Purchases From A Certain Vendor Do Not Require Bids, And Is Told That Such Purchases Are Exempt.
- Remedy: If You Are The Supervisor, Don’t Assume New Employee Just Doesn’t Understand. Take Their Questions Seriously And Ask Yourself Why. If You Are The Employee, Ask More Than One Person.
5. Where’s All the Time 5. Where’s All the Time Gone?Gone?
Workload OverloadWorkload Overload Not Enough Time To Perform Control Not Enough Time To Perform Control
ProceduresProcedures
Example: Knowing That The Supervisor Is Too Example: Knowing That The Supervisor Is Too Busy To Reconcile Accounts Receivable, A Busy To Reconcile Accounts Receivable, A Billing Clerk Steals Cash And Posts Billing Clerk Steals Cash And Posts Unauthorized Adjustments.Unauthorized Adjustments.
Remedy: Reevaluate Assignment Of Duties, Remedy: Reevaluate Assignment Of Duties, And When Needed, Demand More Resources By And When Needed, Demand More Resources By Focusing On The Consequences Of Fraud.Focusing On The Consequences Of Fraud.
6. Can’t We All Be Happy?6. Can’t We All Be Happy? Conflict AvoidanceConflict Avoidance Responsible Employees Not Comfortable In Responsible Employees Not Comfortable In
Confronting Other EmployeesConfronting Other Employees
Example: A Supervisor Recognizes That The Example: A Supervisor Recognizes That The Cash Drawer Is Always Short At The End Of The Cash Drawer Is Always Short At The End Of The Day, But Is Uncomfortable In Confronting The Day, But Is Uncomfortable In Confronting The Employee.Employee.
Remedy: Reinforce Supervisory Responsibilities. Remedy: Reinforce Supervisory Responsibilities. Provide Employee Management Training. Don’t Provide Employee Management Training. Don’t Tolerate Poor Performance.Tolerate Poor Performance.
7. Where’s the Beef?
Informational Restraint
Responsible Employees Lack The Information They Need To Identify An Improper Transaction
Example: An Accounts Payable Clerk Is Not Provided A Contract That Includes A Not-to-exceed Price Limit And Vendor Takes Advantage By Over-billing.
Remedy: Reinforce With Employees The Openness And Availability Of Records And Information.
8. It’s None of My Business
Behavioral Ignorance
Responsible Employees Ignore Behavioral Signs Or Indicators Of Possible Fraud
Example: Management And Other Employees Fail To Investigate Or Question An Employee That Is Living Well Above Their Means Or Salary Level.
Remedy: Create An Environment Within The Government That Fosters Ethical And Responsible Behavior. Create An Anonymous Hotline.
9. It’s Over My Head
Informational Ignorance
Officials Ignore Fraud Warning Signs In Reports Because They Don’t Understand The Reports
Example: Highway Patrol Fine Revenue Was Embezzled And Monthly Budget Report Shows A Potential Problem, But The Report Is Too Complicated For Management And Governing Board To Understand.
Remedy: When It Comes To Reports, Use The KISS Principle And Train The Users.
10. A Bad Apple in the Bunch
Ethically Challenged
Employees Responsible For Controls Are Just Not Ethical And Morally Responsible Individuals
Example: Purchasing Supervisor Is Dishonest And Convinces An Accounts Payable Employee To Process Fake Invoices For Payment And Split The Money Between Them.
Remedy: Don’t Hire Crooks.
To Summarize Internal Controls:
Provide A Favorable Control Environment
Provide For The Continuing Assessment Of Risk
Provide For The Design, Implementation And Maintenance Of Effective Control Related Policies And Procedures
Provide For The Effective Communication Of Information (We Kind Of Skipped This Topic)
Provide For The Ongoing Monitoring Of The Effectiveness Of Control Related Policies And Procedures
We Are Finished
Please “Don’t Steal”
Contact Paul @
[email protected]@mindspring.com