Evaluating A Government’s Internal Controls and a Review of How Fraud Relates to Internal Controls...

Evaluating A Evaluating A Government’s Internal Government’s Internal Controls and a Review Controls and a Review

of How Fraud Relates to of How Fraud Relates to Internal Controls Internal Controls

Presented ByPresented By Paul E. GlickPaul E. Glick

Glick Consulting GroupGlick Consulting Group Email [email protected] [email protected]

THE AGENDATHE AGENDA

Introduction and OverviewIntroduction and Overview

What Are Internal ControlsWhat Are Internal Controls

Management’s Objectives and Management’s Objectives and ResponsibilitiesResponsibilities

Who Is Responsible for Internal Who Is Responsible for Internal Controls?Controls?

What Types of Public Sector Fraud What Types of Public Sector Fraud Exists?Exists?

The AgendaThe Agenda

Where is the Independent Auditor?Where is the Independent Auditor?

Internal Control EnvironmentInternal Control Environment

Risk AssessmentRisk Assessment

Control ActivitiesControl Activities

Information and Communication (Step 4)Information and Communication (Step 4)

MonitoringMonitoring

The AgendaThe Agenda

Evaluation Controls Over Accounting And Evaluation Controls Over Accounting And Financial ReportingFinancial Reporting

Other Internal Control PitfallsOther Internal Control Pitfalls

Seminar ObjectivesSeminar Objectives

Review The Framework And Concepts Review The Framework And Concepts Of Internal ControlsOf Internal Controls

Relate These Concepts To Financial Relate These Concepts To Financial Cycles (I.E., The Real World)Cycles (I.E., The Real World)

Understand Who Might Be “Ripping Understand Who Might Be “Ripping Us Off”Us Off”

Factors Affecting our Factors Affecting our Current EnvironmentCurrent Environment


Global financial crisisGlobal financial crisis Uncertainty in unexpected places Uncertainty in unexpected places

(Municipal Bond Ratings)(Municipal Bond Ratings) Increased regulation and oversight Increased regulation and oversight

(Tax Reform, ARRA) leading to (Tax Reform, ARRA) leading to diminished control over revenuesdiminished control over revenues

Smaller staff due to budget cutsSmaller staff due to budget cuts


Trends in the Audit CommunityTrends in the Audit CommunitySAS 115 (documentation of internal SAS 115 (documentation of internal

controls and communication with those in controls and communication with those in governance)governance)

Risk AssessmentsRisk AssessmentsFraud RisksFraud Risks

Oversight at the Federal LevelOversight at the Federal LevelTransparencyTransparency

COSOCOSO


Governments are being Governments are being asked to do more with asked to do more with lesslessMoney and human Money and human resourcesresources

The Nature of Fraud IndustryThe Nature of Fraud Industry

Fraud Can Be Explained By Three Key Fraud Can Be Explained By Three Key Factors:Factors:

A Supply Of Motivated OffendersA Supply Of Motivated Offenders The Availability Of Suitable TargetsThe Availability Of Suitable Targets The Absence Of Capable Guardians Or A The Absence Of Capable Guardians Or A

Control System To “Mind The Store”Control System To “Mind The Store”

The Nature of Fraud IndustryThe Nature of Fraud Industry

The Opportunity To Commit & Conceal The Opportunity To Commit & Conceal Fraud Is The Only Element Over Fraud Is The Only Element Over Which You Have Significant Control.Which You Have Significant Control.

What Are Some Of The Warning Signs?What Are Some Of The Warning Signs? What Can We Do About It?What Can We Do About It?

A Survey Of Folks Regarding A Survey Of Folks Regarding FraudFraud

31% of All Americans are Dishonest31% of All Americans are Dishonest

Another 40% are Situationally Honest (i.e., they will Another 40% are Situationally Honest (i.e., they will be honest if it pays to be honest and dishonest if it be honest if it pays to be honest and dishonest if it pays to be dishonest)pays to be dishonest)

$200 Billion Employee Fraud Cost per Year $200 Billion Employee Fraud Cost per Year Compared to $11 Billion from Violent CrimeCompared to $11 Billion from Violent Crime

In Banks, 95% of Losses are from Employees and 5% In Banks, 95% of Losses are from Employees and 5% are Caused by Bank Robberiesare Caused by Bank Robberies

In Retail, 70% of Losses are from Employees and 5% In Retail, 70% of Losses are from Employees and 5% are Caused by Shoplifters and Customersare Caused by Shoplifters and Customers

Fraud and Abuse in The U.S.Fraud and Abuse in The U.S.

U.S. Cost About $990 Billion A YearU.S. Cost About $990 Billion A Year

Government And Public Administration Have A Government And Public Administration Have A Median Loss Of $93,000 Per Fraud SchemeMedian Loss Of $93,000 Per Fraud Scheme

Average Organization Loses 7% Of Revenue Average Organization Loses 7% Of Revenue

12% Of Cases In A Study Were Frauds That Occurred 12% Of Cases In A Study Were Frauds That Occurred In GovernmentIn Government

Street Crime Only Costs The U.S. $4 Billion AnnuallyStreet Crime Only Costs The U.S. $4 Billion Annually

The FactsThe Facts

Fraud Schemes Frequently Continue For Years Before Fraud Schemes Frequently Continue For Years Before They Are DetectedThey Are Detected

The Typical Fraud In The Study Lasted 2 Years From The The Typical Fraud In The Study Lasted 2 Years From The Time It Began Until It Was DiscoveredTime It Began Until It Was Discovered

Frauds Are Much More Likely To Be Detected By A Tip Frauds Are Much More Likely To Be Detected By A Tip Than By Audits, Controls Or Any Other MeansThan By Audits, Controls Or Any Other Means

Lack Of Adequate Internal Controls Was Most Commonly Lack Of Adequate Internal Controls Was Most Commonly Cited As The Factor That Allowed Fraud To OccurCited As The Factor That Allowed Fraud To Occur

Occupational Fraudsters Are Generally First-time Occupational Fraudsters Are Generally First-time OffendersOffenders

What Is Fraud?What Is Fraud?

It’s When Folks Are Ripping Off The It’s When Folks Are Ripping Off The Government In Lots Of Different WaysGovernment In Lots Of Different Ways

Fraud Is Like A Four Letter WordFraud Is Like A Four Letter Word

Just Ignore It And It Will Go AwayJust Ignore It And It Will Go Away

It Will Never Happen To UsIt Will Never Happen To Us

Common Myths About FraudCommon Myths About Fraud

Most Folks Will Not Commit FraudMost Folks Will Not Commit Fraud

Fraud Is Not MaterialFraud Is Not Material

Most Fraud Goes UndetectedMost Fraud Goes Undetected

Fraud Is Well ConcealedFraud Is Well Concealed

Prosecuting Will Deter OthersProsecuting Will Deter Others

Potential Cost Of FraudPotential Cost Of Fraud

Lose The Confidence In The Lose The Confidence In The GovernmentGovernment

Loss To The Reputation Of Innocent Loss To The Reputation Of Innocent Third Parties (I.E., The Remaining Third Parties (I.E., The Remaining Staff)Staff)

Cost To The PerpetratorCost To The Perpetrator

The Public LossThe Public Loss

Potential Cost Of FraudPotential Cost Of Fraud

Diversion Of Public Resources From Diversion Of Public Resources From Intended PurposeIntended Purpose

Loss Of Money, Assets And TimeLoss Of Money, Assets And Time

Embarrassment, Guilt, Humiliation And Embarrassment, Guilt, Humiliation And ShameShame

Subsequent Management Decisions Are Subsequent Management Decisions Are Reviewed Under A MicroscopeReviewed Under A Microscope

Any Investigation Turns The Government Or Any Investigation Turns The Government Or Agency Inside OutAgency Inside Out

Personal Rip Offs For GlickPersonal Rip Offs For Glick Send Banking InformationSend Banking Information

Bank of AmericaBank of AmericaWachovia BankWachovia BankTCF BankTCF BankHSBC BankHSBC BankCatawba Valley BankCatawba Valley BankRegions BankRegions BankBank of the WestBank of the WestWashington MutualWashington MutualBank FinancialBank FinancialHuntington BankHuntington BankSmith BarneySmith Barney

Personal Rip Offs For GlickPersonal Rip Offs For Glick Frank Senger - $20.5 MillionFrank Senger - $20.5 Million

Chief Adeniran Aderogba - $10 MillionChief Adeniran Aderogba - $10 Million

Dr Sikas Usman - 30% of $45.8 Million

Dr.Ahmed Kassim - $10.5 Million- $10.5 Million

Miss Caroline Williams – 30% Of $16.5 MillionMiss Caroline Williams – 30% Of $16.5 Million

Mr Jack Chow – No AmountMr Jack Chow – No Amount

Jim Mcconville - $20 Million British PoundsJim Mcconville - $20 Million British Pounds

Personal Rip Offs For GlickPersonal Rip Offs For Glick

Richard H Mason – 10% On All Payments MadeRichard H Mason – 10% On All Payments Made

Mr. Brendon Hopkins – 30% Of $26.5 Million British Mr. Brendon Hopkins – 30% Of $26.5 Million British Pounds (Twice)Pounds (Twice)

Mr. Mark Johnson – Lottery - $2.5 Million British PoundsMr. Mark Johnson – Lottery - $2.5 Million British Pounds

Mr.Carlos Moreno – 50% Of $34.5 MillionMr.Carlos Moreno – 50% Of $34.5 Million

Miss Joyce Awuse - $5.5 MillionMiss Joyce Awuse - $5.5 Million

Irs - $109.30Irs - $109.30

Dr Dansuki Dan - $25.5 MillionDr Dansuki Dan - $25.5 Million

Session 2Session 2

What Are Internal What Are Internal ControlsControls

What Are Internal Controls?What Are Internal Controls? To put it simply, internal controls are an To put it simply, internal controls are an

exercise of common sense. You are exercise of common sense. You are practicing good internal controls when you?practicing good internal controls when you?

Balance your checkbookBalance your checkbook Keep your ATM/debit card pin number separate from Keep your ATM/debit card pin number separate from

your cardyour card Keep copies of your tax returnKeep copies of your tax return Compare your monthly credit card statement to the Compare your monthly credit card statement to the

credit card receiptscredit card receipts Lock your car doorsLock your car doors

What Are Internal Controls?What Are Internal Controls?

Internal Control Is A Process, Affected By Internal Control Is A Process, Affected By Management And Other Personnel, Management And Other Personnel, Designed To Provide Reasonable Assurance Designed To Provide Reasonable Assurance Regarding The Achievement Of Objectives Regarding The Achievement Of Objectives In The Following Categories:In The Following Categories:

Effectiveness And Efficiency Of Effectiveness And Efficiency Of OperationsOperations

Reliability Of Financial ReportingReliability Of Financial Reporting Compliance With Laws And RegulationsCompliance With Laws And Regulations


Internal Control Consists Of Five Internal Control Consists Of Five Interrelated Components That Interrelated Components That Affect Each Of The Three Affect Each Of The Three CategoriesCategories


Internal control is a process. It is a Internal control is a process. It is a means to an end, not an end itself.means to an end, not an end itself.

Internal control is effected by Internal control is effected by people.people.

It’s not merely policy manuals and It’s not merely policy manuals and forms, but people functioning at forms, but people functioning at every level of the institution.every level of the institution.

Limitations on Internal ControlsLimitations on Internal Controls

Considerations Of Costs Will Considerations Of Costs Will Prevent Management From Ever Prevent Management From Ever Installing A “Perfect System”Installing A “Perfect System”

Controls Are Potentially Subject Controls Are Potentially Subject To “Management Override”To “Management Override”

Risk Of CollusionRisk Of Collusion

Applying the COSOApplying the COSOFrameworkFramework

Committee of Sponsoring Committee of Sponsoring Organizations of the Treadway Organizations of the Treadway CommissionCommission

www.coso.orgwww.coso.org

Who Are The OrganizationsWho Are The Organizations

American Accounting AssociationAmerican Accounting Association American Institute of Certified Public American Institute of Certified Public

AccountantsAccountants Financial Executives InternationalFinancial Executives International Institute of Management AccountantsInstitute of Management Accountants The Institute of Internal AuditorsThe Institute of Internal Auditors

COSO Internal Control – COSO Internal Control – Integrated FrameworkIntegrated Framework

Established A Common Definition Established A Common Definition Of Internal ControlOf Internal Control

Provides A Standard Against Provides A Standard Against Which A Government Can Assess Which A Government Can Assess Their Control Systems And Their Control Systems And Determine How To Make Determine How To Make ImprovementsImprovements

Internal Control ComponentsInternal Control Components

CControl Environmentontrol EnvironmentRisk AssessmentRisk AssessmentControl ActivitiesControl ActivitiesInformation and CommunicationInformation and CommunicationMonitoringMonitoring

Internal Control ComponentsInternal Control Components

Internal Control Components Internal Control Components Interact With:Interact With:

Operations Operations

Financial Reporting Financial Reporting

ComplianceCompliance

Evaluating Internal ControlsEvaluating Internal Controls

Often, Evaluations Are Piecemeal Often, Evaluations Are Piecemeal Approaches To The TaskApproaches To The Task

Internal Controls Are Not Internal Controls Are Not Isolated And Are Related To One Isolated And Are Related To One AnotherAnother

Internal Controls Are Internal Controls Are ActuallyActually::

A Coordinated Set Of Policies A Coordinated Set Of Policies And Procedures That Reflect A And Procedures That Reflect A Comprehensive Strategy For Comprehensive Strategy For Achieving Management’s Achieving Management’s ObjectivesObjectives

Assessing The Internal Assessing The Internal Control FrameworkControl Framework

Provides A Favorable Control Provides A Favorable Control Environment.Environment.

Continually Assesses Risk.Continually Assesses Risk. Establishes And Maintains Effective Establishes And Maintains Effective

Control- Related Policies And Procedures.Control- Related Policies And Procedures. Effectively Communicates Information. Effectively Communicates Information. Monitors The Effectiveness Of Control Monitors The Effectiveness Of Control

Policies And Procedures And The Policies And Procedures And The Resolution Of Potential Problems Resolution Of Potential Problems Identified By Controls.Identified By Controls.

A Basic RuleA Basic Rule

More Is Not BetterMore Is Not Better

The Cost Of Excessive Or The Cost Of Excessive Or Redundant Controls Could Redundant Controls Could Exceed The BenefitsExceed The Benefits

Employees May View Controls Employees May View Controls As Unnecessary “Red Tape”As Unnecessary “Red Tape”

Why Are Internal Controls So Why Are Internal Controls So Important?Important?

Because The Prevention Of Fraud Because The Prevention Of Fraud Is Critical And Costs Are HighIs Critical And Costs Are High

Session 3Session 3

MANAGEMENT’S OBJECTIVES AND MANAGEMENT’S OBJECTIVES AND RESPONSIBILITIESRESPONSIBILITIES

MANAGEMENT’S MANAGEMENT’S RESPONSIBILITIES AND THE RESPONSIBILITIES AND THE

INTERNAL CONTROL FRAMEWORKINTERNAL CONTROL FRAMEWORK

EFFECTIVENESSEFFECTIVENESS

EFFICIENCYEFFICIENCY

COMPLIANCECOMPLIANCE

FINANCIAL REPORTINGFINANCIAL REPORTING

EFFECTIVENESSEFFECTIVENESS

DETERMINES WHETHER THE GOVERNMENT AND ITS DETERMINES WHETHER THE GOVERNMENT AND ITS DEPARTMENTS ARE MEETING THEIR OBJECTIVESDEPARTMENTS ARE MEETING THEIR OBJECTIVES

GOALS AND OBJECTIVES IDENTIFIED IN BUDGETARY GOALS AND OBJECTIVES IDENTIFIED IN BUDGETARY PROCESSPROCESS

FOCUSES ON RESULTS RATHER THAN EFFORTSFOCUSES ON RESULTS RATHER THAN EFFORTS

INCLUDE OUTPUTS - HOW MUCH OF GOODS AND INCLUDE OUTPUTS - HOW MUCH OF GOODS AND SERVICES ARE PROVIDEDSERVICES ARE PROVIDED

INCLUDE OUTCOMES - WHAT IS THE QUALITY OF INCLUDE OUTCOMES - WHAT IS THE QUALITY OF GOODS OR SERVICES TO BE PROVIDEDGOODS OR SERVICES TO BE PROVIDED

EFFICIENCYEFFICIENCY

MAKING OPTIMAL USE OF THE MAKING OPTIMAL USE OF THE RESOURCES MADE AVAILABLERESOURCES MADE AVAILABLE

OBTAINING DESIRED RESULTS OBTAINING DESIRED RESULTS WITH THE LEAST EXPENDITURE OF WITH THE LEAST EXPENDITURE OF RESOURCESRESOURCES

MEASURES COSTS (I.E., EFFORT) MEASURES COSTS (I.E., EFFORT) TO RESULTS (I.E., EFFECTIVENESS)TO RESULTS (I.E., EFFECTIVENESS)

COMPLIANCECOMPLIANCE

ANNUAL APPROPRIATED BUDGETANNUAL APPROPRIATED BUDGET

GRANTOR REQUIREMENTSGRANTOR REQUIREMENTS

STATE OVERSIGHT REQUIREMENTSSTATE OVERSIGHT REQUIREMENTS

IRS REQUIREMENTSIRS REQUIREMENTS

BOND COVENANTSBOND COVENANTS

LOCAL LAWS AND REGULATIONSLOCAL LAWS AND REGULATIONS

FINANCIAL REPORTINGFINANCIAL REPORTING

INTERNAL FINANCIAL REPORTINGINTERNAL FINANCIAL REPORTING

EXTERNAL FINANCIAL REPORTINGEXTERNAL FINANCIAL REPORTING

- SPECIAL PURPOSE - SPECIAL PURPOSE - GENERAL PURPOSE- GENERAL PURPOSE - CAFR- CAFR

Session 4Session 4

Who Is Responsible Who Is Responsible For Internal For Internal Controls?Controls?

Who is Responsible for Internal Who is Responsible for Internal Controls?Controls?

Everyone has a part in the Everyone has a part in the internal control system.internal control system.

The roles vary depending upon The roles vary depending upon what level of responsibility and what level of responsibility and the nature of involvement by the the nature of involvement by the individual.individual.

Who is Responsible for Internal Who is Responsible for Internal Controls?Controls?

Managers and supervisors are Managers and supervisors are responsible for ensuring that internal responsible for ensuring that internal controls are established and controls are established and functioning to achieve the mission functioning to achieve the mission and objectives of their unit.and objectives of their unit.

Each employee within an area should Each employee within an area should be made aware of proper internal be made aware of proper internal control procedures associated with control procedures associated with their specific job function.their specific job function.

Is This Just A Problem For The Is This Just A Problem For The Finance Office?Finance Office?

Most Folks Think This Is Most Folks Think This Is Finance’s ProblemFinance’s Problem

But Not ReallyBut Not Really

However, We Are Emphasizing However, We Are Emphasizing the Finance Department In This the Finance Department In This SeminarSeminar

Management’s Responsibilities Management’s Responsibilities And The Internal Control And The Internal Control

FrameworkFramework

Any Entity, Be It A Government, Any Entity, Be It A Government, A Business Or A Nonprofit A Business Or A Nonprofit Organization, Exists To Achieve Organization, Exists To Achieve Some PurposeSome Purpose

It Is The Role Of Management To It Is The Role Of Management To Provide The Leadership Needed Provide The Leadership Needed For An Entity To Realize That For An Entity To Realize That PurposePurpose

Management’s Responsibilities Management’s Responsibilities And The Internal Control And The Internal Control

FrameworkFramework

Furthermore, Management Is Not Furthermore, Management Is Not Free Simply To Act In Any Way It Free Simply To Act In Any Way It Might Choose To Achieve The Might Choose To Achieve The Entity's GoalsEntity's Goals

Management's Options And Management's Options And Actions Are Circumscribed By Actions Are Circumscribed By Constraints And Expectations, Constraints And Expectations, Both Implicit And Explicit.Both Implicit And Explicit.

Responsibility For Internal Responsibility For Internal ControlsControls

Management Is Primarily Management Is Primarily Responsible For The Responsible For The Effectiveness Of Internal Effectiveness Of Internal Controls, Like Any Other Controls, Like Any Other Aspects of PerformanceAspects of Performance

A Side Note - Authority And A Side Note - Authority And Responsibility Should Not Be Responsibility Should Not Be SeparatedSeparated


Management Is Subject To Oversight Management Is Subject To Oversight By The Government’s Elected OfficialsBy The Government’s Elected Officials

The Governing Body Is Ultimately The Governing Body Is Ultimately ResponsibleResponsible

Internal And External Auditors Can Internal And External Auditors Can Assist ManagementAssist Management


This Stuff Is This Stuff Is NotNot Something Different Something Different FromFrom

Your Basic Responsibilities As Your Basic Responsibilities As Leaders And As FiduciariesLeaders And As Fiduciaries

Basic Management Basic Management ResponsibilitiesResponsibilities

Achieving The Government’s Purpose Achieving The Government’s Purpose (Effectiveness)(Effectiveness)

Making Optional Use Of Scarce Making Optional Use Of Scarce Resources (Efficiency)Resources (Efficiency)

Observing Restrictions On The Use Of Observing Restrictions On The Use Of Resources (Compliance)Resources (Compliance)

Periodically Demonstrating Periodically Demonstrating Accountability For Stewardship Of Accountability For Stewardship Of Resources Place In The Care Resources Place In The Care (Reporting)(Reporting)

Session 5Session 5

What Types of Public What Types of Public Sector Fraud ExistsSector Fraud Exists

Profile of Fraud PerpetratorProfile of Fraud Perpetrator

Male Or Female (White Males Over 60?)Male Or Female (White Males Over 60?) No Prior Criminal History (<8%)No Prior Criminal History (<8%) Well Liked By Co-workersWell Liked By Co-workers Likes To Give Gifts/Compulsive ShopperLikes To Give Gifts/Compulsive Shopper Gambling Problems Not UnusualGambling Problems Not Unusual Long-term EmployeeLong-term Employee Rationalizes: Starts Small Or “Borrows”Rationalizes: Starts Small Or “Borrows” Lifestyle CluesLifestyle Clues

General Observations Of A General Observations Of A FraudsterFraudster

MaleMale Intelligent (Bored With The Job Routine)Intelligent (Bored With The Job Routine) Egotistical (Scornful Of Obvious Control Egotistical (Scornful Of Obvious Control

Flaws)Flaws) Inquisitive (E.G., Tempted By The Inquisitive (E.G., Tempted By The

Discovery Of A Discovery Of A Computer Vulnerability)Computer Vulnerability) A Risk TakerA Risk Taker A Rule BreakerA Rule Breaker A Hard Worker A Hard Worker Under StressUnder Stress Disgruntled At WorkDisgruntled At Work

The Fraud TriangleThe Fraud Triangle

Perceived PressurePerceived Pressure

Facing IndividualFacing Individual

Perceived OpportunityPerceived Opportunity

To Commit FraudTo Commit Fraud

Exacerbated in Economic Downturn

Person’s RationalizationOr Integrity

Conditions Present When Conditions Present When Fraud OccursFraud Occurs

Incentive/PressureIncentive/Pressure

OpportunityOpportunity

Attitude and RationalizationAttitude and Rationalization

Causes Of FraudCauses Of Fraud

Character And PersonalityCharacter And Personality

– – Financial StressFinancial Stress -- Addiction-- Addiction -- Disaffection-- Disaffection -- Pathologies-- Pathologies

Perceived OpportunityPerceived Opportunity

- Permits Fraud- Permits Fraud - Promotes Fraud- Promotes Fraud

Why Folks Commit FraudWhy Folks Commit Fraud

Grumpy GusGrumpy Gus

Stressed SallyStressed Sally

Pill poppin’ PaulaPill poppin’ Paula

Never goes Never goes home Nedhome Ned

Why Folks Commit FraudWhy Folks Commit Fraud

Extravagant EllenExtravagant Ellen

Over-spent OllieOver-spent Ollie

Lotto LarryLotto Larry

Compulsive ConnieCompulsive Connie

Who Commits Fraud?Who Commits Fraud?

Fraud Losses Caused By Managers Fraud Losses Caused By Managers And Executives Were 16 Times And Executives Were 16 Times Greater Than Those Caused By Non-Greater Than Those Caused By Non-managerial Employees.managerial Employees.

Losses Caused By Men Were Four Losses Caused By Men Were Four Times More Those Caused By Women.Times More Those Caused By Women.

Those 60 And Older Were 28 Times Those 60 And Older Were 28 Times Those Caused By Perpetrators 25 Or Those Caused By Perpetrators 25 Or Younger.Younger.

Generally, What is the Goal Generally, What is the Goal of A Fraudster?of A Fraudster?

Cash, Cash, CashCash, Cash, Cash

Types Of Public Sector FraudTypes Of Public Sector Fraud

Receipts FraudReceipts Fraud

Disbursements FraudDisbursements Fraud

Assets FraudAssets Fraud

Cash SchemesCash Schemes

Stealing Cash Funds Processed Stealing Cash Funds Processed Or On HandOr On Hand

Not Recording & Stealing The Not Recording & Stealing The Cash ReceiptsCash Receipts

Under Ringing & Stealing The Under Ringing & Stealing The Difference In Cash ReceiptsDifference In Cash Receipts

Altering Bank DepositsAltering Bank Deposits


Lapping – Too Much Work!Lapping – Too Much Work!

Kiting – Bank Deposit SchemesKiting – Bank Deposit Schemes

Granting Bogus Credit MemosGranting Bogus Credit Memos

Forging Check ReceivedForging Check Received


Duplicate PaymentsDuplicate Payments

Charge Off Fraud – Bogus Write-offsCharge Off Fraud – Bogus Write-offs

Disposal FraudDisposal Fraud

Credit Card ManipulationCredit Card Manipulation


Personal BillsPersonal Bills

Bid RiggingBid Rigging

False Claims (Fictitious Suppliers, False Claims (Fictitious Suppliers, Kickbacks)Kickbacks)

Conflict of InterestConflict of Interest


Travel Claim FraudTravel Claim Fraud

Procurement and Credit CardsProcurement and Credit Cards

Payroll and Benefits FraudPayroll and Benefits Fraud

Ghost EmployeesGhost Employees

Unclaimed Payroll ChecksUnclaimed Payroll Checks

Excess Payroll Payments (Falsifying Time Excess Payroll Payments (Falsifying Time Cards)Cards)

Withholdings and W-2’sWithholdings and W-2’s

Vacation and Sick PayVacation and Sick Pay

Theft Of Assets FraudTheft Of Assets Fraud

Petty Cash FraudPetty Cash Fraud

Cash Register TheftCash Register Theft

Consumable Inventory TheftConsumable Inventory Theft

Capital Asset TheftCapital Asset Theft

Using Assets For Personal UseUsing Assets For Personal Use

Red FlagsRed Flags

A Red Flag Is:A Red Flag Is:

A Set Of Circumstances That Are Unusual A Set Of Circumstances That Are Unusual In Nature Or Vary From The Normal In Nature Or Vary From The Normal Activity. Activity.

A Signal That Something Is Out Of The A Signal That Something Is Out Of The Ordinary And May Need To Be Ordinary And May Need To Be Investigated Further. Investigated Further.

Not About Guilt Or Innocence But Merely Not About Guilt Or Innocence But Merely Provides Possible Warning Signs Of Provides Possible Warning Signs Of Fraud.Fraud.

Red FlagsRed Flags

Do Not Ignore A Red Flag–studies Of Fraud Do Not Ignore A Red Flag–studies Of Fraud Cases Consistently Show That Red Flags Cases Consistently Show That Red Flags Were Present, But Were Either Not Were Present, But Were Either Not Recognized Or Were Recognized But Not Recognized Or Were Recognized But Not Acted Upon By Anyone.Acted Upon By Anyone.

Sometimes An Error Is Just An Error–red Sometimes An Error Is Just An Error–red Flags Should Lead To Some Kind Of Flags Should Lead To Some Kind Of Appropriate Action, I.E. An Investigation By Appropriate Action, I.E. An Investigation By A Measured & Responsible Person, But A Measured & Responsible Person, But Sometimes An Error Is Just An Error And No Sometimes An Error Is Just An Error And No Fraud ExistsFraud Exists

Employee Red FlagsEmployee Red Flags

Employee Lifestyle ChangesEmployee Lifestyle Changes

High Employee TurnoverHigh Employee Turnover

Significant Personal Debt And Credit ProblemsSignificant Personal Debt And Credit Problems

Refusal To Take Vacation Or Sick LeaveRefusal To Take Vacation Or Sick Leave

Behavioral ChangesBehavioral Changes

Lack Of Segregation Of Duties In A High-risk Lack Of Segregation Of Duties In A High-risk (Vulnerable) Area(Vulnerable) Area


Reluctance To Provide Information To AuditorsReluctance To Provide Information To Auditors

Photocopied Or Missing DocumentsPhotocopied Or Missing Documents

Weak Internal Control EnvironmentWeak Internal Control Environment

Unexpected Overdrafts Or Declines In Cash Unexpected Overdrafts Or Declines In Cash BalancesBalances

Decisions Dominated By An Individual Or Decisions Dominated By An Individual Or Small GroupSmall Group


Excessive Number Of Year-end TransactionsExcessive Number Of Year-end Transactions

Management Displays Significant Disrespect Management Displays Significant Disrespect For Regulatory BodiesFor Regulatory Bodies

Excessive Number Of Or Frequent Changes Excessive Number Of Or Frequent Changes In Checking AccountsIn Checking Accounts

Accounting Personnel Are Lax Or Accounting Personnel Are Lax Or InexperiencedInexperienced


High Employee Turnover RateHigh Employee Turnover Rate

Compensation Is Out Of ProportionCompensation Is Out Of Proportion

Decentralization Without Adequate Decentralization Without Adequate MonitoringMonitoring

Frequent Changes In External AuditorsFrequent Changes In External Auditors

Red Flags in CashRed Flags in Cash

Excessive Number Of VoidsExcessive Number Of Voids

Presence Of Personal Checks In Petty CashPresence Of Personal Checks In Petty Cash

Unauthorized Bank AccountsUnauthorized Bank Accounts

Excessive Or Unjustified Cash TransactionsExcessive Or Unjustified Cash Transactions

Large Number Of Account Write-offsLarge Number Of Account Write-offs

Sudden Activity In A Dormant AccountSudden Activity In A Dormant Account

Red Flags in PayrollRed Flags in Payroll Inconsistent Overtime Hours For A Cost Center / DepartmentInconsistent Overtime Hours For A Cost Center / Department

Overtime Charged During A Slack PeriodOvertime Charged During A Slack Period

Overtime Charges For Employees Who Normally Would Not Overtime Charges For Employees Who Normally Would Not Have Overtime WagesHave Overtime Wages

Budget Variations For Payroll By Cost Center / DepartmentBudget Variations For Payroll By Cost Center / Department

Employees With Duplicate Social Security Numbers, Names, Employees With Duplicate Social Security Numbers, Names, And AddressesAnd Addresses

Employees With Few Or No Payroll DeductionsEmployees With Few Or No Payroll Deductions

Red Flags in ProcurementRed Flags in Procurement Increasing Number Of Complaints About ServicesIncreasing Number Of Complaints About Services

Vendors Without Physical AddressVendors Without Physical Address

Lack Of Physical Security Over Assets / InventoryLack Of Physical Security Over Assets / Inventory

Payments To Vendors Not Included On An Approved Payments To Vendors Not Included On An Approved Vendor ListVendor List

Vendor Address Matching Employee AddressVendor Address Matching Employee Address

Red Flags in ProcurementRed Flags in Procurement Purchases That Bypass Normal ProceduresPurchases That Bypass Normal Procedures

Charges Without Shipping DocumentsCharges Without Shipping Documents

Vendor Payments Picked Up Rather Than Having It Vendor Payments Picked Up Rather Than Having It MailedMailed

High Volume Of Purchases From New VendorsHigh Volume Of Purchases From New Vendors

Profiles of an Government At Profiles of an Government At RiskRisk

Less Than 100 Employees. Less Than 100 Employees.

Management Ignores Irregularities.Management Ignores Irregularities.

High Turnover With Low Morale.High Turnover With Low Morale.

Staff Lacks TrainingStaff Lacks Training

Session 6Session 6

Where Is The Where Is The Independent Independent

Auditor?Auditor?

The Independent AuditorThe Independent Auditor

Once The Independent Auditor Is Once The Independent Auditor Is Finished With The Annual Audit, Can Finished With The Annual Audit, Can Everyone Relax And Assume That “No Everyone Relax And Assume That “No One Got Us This Year?”One Got Us This Year?”

Of Discovered Fraud, the Independent Of Discovered Fraud, the Independent Auditor Only Finds about 9%Auditor Only Finds about 9%

Why Do Auditors Fail Why Do Auditors Fail To Detect Fraud?To Detect Fraud?

Lack of TrainingLack of TrainingAccept any Reasonable ExplanationsAccept any Reasonable ExplanationsGoing Through the Process of Ticking Going Through the Process of Ticking

and Tying Numbersand Tying NumbersThey May Not Want to Find Fraud, It They May Not Want to Find Fraud, It

Causes ProblemsCauses ProblemsThey May Be EmbarrassedThey May Be EmbarrassedNot Enough Time Budgeted for the AuditNot Enough Time Budgeted for the Audit

Types of AuditsTypes of Audits

Financial AuditsFinancial Audits

Performance AuditsPerformance Audits

The Independent AuditorThe Independent Auditor

The Auditor Reports On The Adequacy The Auditor Reports On The Adequacy Of Existing Controls Within The Of Existing Controls Within The GovernmentGovernment

The Auditor Must Carefully Evaluate The Auditor Must Carefully Evaluate The Internal Control System As A Basis The Internal Control System As A Basis To Determine The Degree Of Audit To Determine The Degree Of Audit Procedures Necessary In The Procedures Necessary In The CircumstancesCircumstances

New Statements on Auditing New Statements on Auditing StandardsStandards

A Few Years Ago, The Rules For A Few Years Ago, The Rules For Auditors Were Changed And Expanded Auditors Were Changed And Expanded SubstantiallySubstantially

What Created The Need?What Created The Need?

● Corporate Fraud In The “Roaring 90’s” Which Corporate Fraud In The “Roaring 90’s” Which Became Known In The Early 2000’sBecame Known In The Early 2000’s

● Sarbanes Oxley Act Of 2002 (Private Sector)Sarbanes Oxley Act Of 2002 (Private Sector)● Required Additional Internal Controls By ManagementRequired Additional Internal Controls By Management● Created A New Agency (PCAOB) To Closely Scrutinize Created A New Agency (PCAOB) To Closely Scrutinize

Public Company AuditsPublic Company Audits● Removed The AICPA From Any Authority For Public Removed The AICPA From Any Authority For Public

Company Audit Standards And Peer ReviewCompany Audit Standards And Peer Review

A New Audit ApproachA New Audit Approach

● A Risk Based AuditA Risk Based Audit

● The Government Must Identify Key Internal Controls The Government Must Identify Key Internal Controls That Relate To High Risk AreasThat Relate To High Risk Areas

● Some of the Areas Might Include:Some of the Areas Might Include:● CashCash● InvestmentsInvestments● BudgetBudget● Revenue ReceiptsRevenue Receipts● ExpendituresExpenditures● PayrollPayroll● Consumable InventoriesConsumable Inventories● Capital AssetsCapital Assets● GrantsGrants

Do the Auditors Look At Do the Auditors Look At Everything?Everything?

● Auditors Obtain Reasonable Assurance, Not Absolute Auditors Obtain Reasonable Assurance, Not Absolute AssuranceAssurance

● MaterialityMateriality

● The Single AuditThe Single Audit

● The Auditor May Report on Compliance and Internal ControlsThe Auditor May Report on Compliance and Internal Controls● Major Federal AwardsMajor Federal Awards

Internal Audit FunctionInternal Audit Function

● Management Can Improve The Quality Of The Management Can Improve The Quality Of The Environment By Establishing An Internal Environment By Establishing An Internal Audit FunctionAudit Function

● Report Directly To Top Management (Or The Report Directly To Top Management (Or The Elected Officials?)Elected Officials?)

● Monitoring The Effectiveness Of Control Monitoring The Effectiveness Of Control Related Policies And ProceduresRelated Policies And Procedures


Internal Auditors Can Be Of Great Internal Auditors Can Be Of Great Value To State And Local Value To State And Local Governments In A Variety Of Ways. Governments In A Variety Of Ways.

In Particular, They Commonly Assist In Particular, They Commonly Assist Management In Monitoring The Management In Monitoring The Design And Proper Functioning Of Design And Proper Functioning Of Internal Control Policies And Internal Control Policies And Procedures. Procedures.


In This Capacity, Internal Auditors In This Capacity, Internal Auditors Themselves Function As An Additional Level Themselves Function As An Additional Level Of Control And So Help To Improve The Of Control And So Help To Improve The Government’s Overall Control Environment. Government’s Overall Control Environment.

Internal Auditors Also Can Play A Valuable Internal Auditors Also Can Play A Valuable Role Conducting Performance Audits, As Role Conducting Performance Audits, As Well As Special Investigations And Studies Well As Special Investigations And Studies

Internal Audit ConsiderationsInternal Audit Considerations

Don’t Let The Audit Function Become A Don’t Let The Audit Function Become A Political FootballPolitical Football

Don’t Promise The MoonDon’t Promise The Moon

Don’t Let The Auditors Become Free Don’t Let The Auditors Become Free Roaming Chickens.Roaming Chickens.

Don’t Fly By The Seats Of Your PantsDon’t Fly By The Seats Of Your Pants

Internal Audit ConsiderationsInternal Audit Considerations

Don’t Use The Shotgun Approach To Don’t Use The Shotgun Approach To Scoping An AuditScoping An Audit

Never Leave A White Elephant In The Never Leave A White Elephant In The Auditee’s Office.Auditee’s Office.

Don’t Count Your Chickens Before They Don’t Count Your Chickens Before They Hatch. Never Assume The Auditee Fixed The Hatch. Never Assume The Auditee Fixed The Problem. Problem.

GFOA RecommendationsGFOA Recommendations

Every Government Should Consider The Every Government Should Consider The Feasibility Of Establishing A Formal Internal Feasibility Of Establishing A Formal Internal Audit Function Because Such A Function Can Audit Function Because Such A Function Can Play An Important Role In Helping Management Play An Important Role In Helping Management To Maintain A Comprehensive Framework Of To Maintain A Comprehensive Framework Of Internal Controls. Internal Controls.

As A Rule, A Formal Internal Audit Function Is As A Rule, A Formal Internal Audit Function Is Particularly Valuable For Those Activities Particularly Valuable For Those Activities Involving A High Degree Of Risk (E.G., Complex Involving A High Degree Of Risk (E.G., Complex Accounting Systems, Contracts With Outside Accounting Systems, Contracts With Outside Parties, A Rapidly Changing Environment). Parties, A Rapidly Changing Environment).


If It Is Not Feasible To Establish A Separate If It Is Not Feasible To Establish A Separate Internal Audit Function, A Government Is Internal Audit Function, A Government Is Encouraged To Consider Either Encouraged To Consider Either

1) Assigning Internal Audit Responsibilities 1) Assigning Internal Audit Responsibilities To Its Regular Employees Or To Its Regular Employees Or

2) Obtaining The Services Of An Accounting 2) Obtaining The Services Of An Accounting Firm (Other Than The Independent Auditor) Firm (Other Than The Independent Auditor) For This PurposeFor This Purpose


The Internal Audit Function Should Be The Internal Audit Function Should Be Established Formally By Charter, Enabling Established Formally By Charter, Enabling Resolution, Or Other Appropriate Legal Means;Resolution, Or Other Appropriate Legal Means;

It Is Recommended That Internal Auditors Of It Is Recommended That Internal Auditors Of State And Local Governments Conduct Their State And Local Governments Conduct Their Work In Accordance With The Professional Work In Accordance With The Professional Standards Relevant To Internal Auditing Standards Relevant To Internal Auditing Contained In The U.S. General Accounting Contained In The U.S. General Accounting Office’s Publication Government Auditing Office’s Publication Government Auditing Standards, Including Those Applicable To The Standards, Including Those Applicable To The Independence Of Internal Auditors;Independence Of Internal Auditors;


At A Minimum, The Head Of The Internal Audit At A Minimum, The Head Of The Internal Audit Function Should Possess A College Degree And Function Should Possess A College Degree And Appropriate Relevant Experience. Appropriate Relevant Experience.

It Also Is Highly Desirable That The Head Of The It Also Is Highly Desirable That The Head Of The Internal Audit Function Hold Some Appropriate Form Internal Audit Function Hold Some Appropriate Form Of Professional Certification (E.G., Certified Internal Of Professional Certification (E.G., Certified Internal Auditor, Certified Public Accountant, Certified Auditor, Certified Public Accountant, Certified Information Systems Auditor); AndInformation Systems Auditor); And

All Reports Of Internal Auditors, As Well As The All Reports Of Internal Auditors, As Well As The Annual Internal Audit Work Plan, Should Be Made Annual Internal Audit Work Plan, Should Be Made Available To The Government’s Audit Committee Or Available To The Government’s Audit Committee Or Its Equivalent.Its Equivalent.

Goals Of Audit CommitteeGoals Of Audit Committee Ensure That Management Is Maintaining A Ensure That Management Is Maintaining A

Comprehensive Framework Of Internal Comprehensive Framework Of Internal ControlControl

Ensure That Management’s Financial-Ensure That Management’s Financial-reporting Practices Are Assessed Objectivelyreporting Practices Are Assessed Objectively

Determine That The Financial Statements Are Determine That The Financial Statements Are

Properly Audited And That Any Problems Properly Audited And That Any Problems Disclosed In The Course Of The Audit Are Disclosed In The Course Of The Audit Are Satisfactorily ResolvedSatisfactorily Resolved

Key BenefitsKey Benefits

Practical Tool For Focusing Board Practical Tool For Focusing Board AttentionAttention

Direct Communications Link Between The Direct Communications Link Between The Independent Auditors And The Governing Independent Auditors And The Governing BodyBody

Forum In Which The Independent Auditors Forum In Which The Independent Auditors Can Candidly Discuss Audit-related Can Candidly Discuss Audit-related Matters With Members Of The Governing Matters With Members Of The Governing Board Apart From ManagementBoard Apart From Management

Applicability to Small Applicability to Small GovernmentsGovernments

Smaller Governments Have The Same Smaller Governments Have The Same Basic Responsibility As Larger Basic Responsibility As Larger GovernmentsGovernments

An Audit Committee Is Just As An Audit Committee Is Just As Necessary For BothNecessary For Both

Level Of Expertise Needed Level Of Expertise Needed OfOf

MembersMembers Sufficient Understanding To Perform Duties Sufficient Understanding To Perform Duties

With Expert Assistance (I.E., Financial Expert)With Expert Assistance (I.E., Financial Expert)

New Or Prospective Members Typically New Or Prospective Members Typically Should Receive Some Brief Formal TrainingShould Receive Some Brief Formal Training Role Of The Audit CommitteeRole Of The Audit Committee Their Personal Responsibility As Audit Their Personal Responsibility As Audit

Committee Committee MembersMembers

Training Should Underscore Professional Training Should Underscore Professional Skepticism In Dealing With ManagementSkepticism In Dealing With Management

Relationship With Relationship With Independent AuditorsIndependent Auditors

Auditors Report Directly To Audit Auditors Report Directly To Audit CommitteeCommittee

Provision To Meet PrivatelyProvision To Meet Privately Amend “Sunshine” And “Open Meetings” Amend “Sunshine” And “Open Meetings”

Laws AccordinglyLaws Accordingly

Relationship With Relationship With Independent AuditorsIndependent Auditors

Two ViewsTwo Views TraditionalTraditional

Internal Auditors/Management As Audit Internal Auditors/Management As Audit Committee/Governing BodyCommittee/Governing Body

EmergingEmerging Completely Independent Of ManagementCompletely Independent Of Management

Trade-offTrade-off Management Involvement And Cooperation V. Management Involvement And Cooperation V.

IndependenceIndependence

Basic TasksBasic Tasks Determining The Scope Of The AuditDetermining The Scope Of The Audit

Determining The Scope Of “Nonaudit” Determining The Scope Of “Nonaudit” ServicesServices

Managing The Audit Procurement ProcessManaging The Audit Procurement Process

Selecting The Independent AuditorsSelecting The Independent Auditors

Reviewing The Financial StatementsReviewing The Financial Statements

Basic TasksBasic Tasks

Reviewing The Auditor’s ReportReviewing The Auditor’s Report

Reviewing The Comprehensive Framework Reviewing The Comprehensive Framework Of Internal ControlOf Internal Control

Assessing The Performance Of The Assessing The Performance Of The Independent AuditorsIndependent Auditors

Providing An Independent Forum For Providing An Independent Forum For Findings Of Fraud, Abuse, Or Control Findings Of Fraud, Abuse, Or Control Override Override

Session 7Session 7

The Internal Control The Internal Control EnvironmentEnvironment

The Control EnvironmentThe Control Environment

Sets The Tone For The GovernmentSets The Tone For The Government Influences Control ConsciousnessInfluences Control Consciousness Foundation For All Other Control Foundation For All Other Control

ComponentsComponents Includes: Integrity, Ethical Values, Includes: Integrity, Ethical Values,

Competency, Management’s Competency, Management’s Philosophy, And The Way Authority Philosophy, And The Way Authority And Responsibility Is AssignedAnd Responsibility Is Assigned


Corporate Culture (Enron) (A 60 Page Corporate Culture (Enron) (A 60 Page Code of Ethics)Code of Ethics)

Does Management Believe That Does Management Believe That Internal Controls Are Important To Internal Controls Are Important To Achieving Its Goals And Objectives?Achieving Its Goals And Objectives?

Does Management View Internal Does Management View Internal Controls As An Obstacle To Achieving Controls As An Obstacle To Achieving Its Goals And Objectives?Its Goals And Objectives?


““Who Knew Who They Were? There Was No Place Who Knew Who They Were? There Was No Place For Me To Voice My Concerns, Either To The For Me To Voice My Concerns, Either To The Internal Audit Function Or The Audit Committee. Internal Audit Function Or The Audit Committee. Remember, I Was Not In The Accounting Remember, I Was Not In The Accounting Department. But Even If I Were, I Think I Would Department. But Even If I Were, I Think I Would Have Known It Would Have Been Fruitless, Have Known It Would Have Been Fruitless, Because I Would Have Had Access To Junior Because I Would Have Had Access To Junior Auditors Who Were Simply Not In The Position To Auditors Who Were Simply Not In The Position To Raise The Flags That Would Have Hurt Their Raise The Flags That Would Have Hurt Their Senior Auditors And Account Executives.”Senior Auditors And Account Executives.”

Sherron Watkins Sherron Watkins

Enron CorporationEnron Corporation


The “Way We Do Things Around The “Way We Do Things Around Here”Here”

Sets The Tone Of The Sets The Tone Of The Government, Influencing The Government, Influencing The Control Consciousness Of Its Control Consciousness Of Its StaffStaff

Management’s AttitudeManagement’s Attitude

What Is The Tone At The Top?What Is The Tone At The Top?

- Management- Management - Elected Officials- Elected Officials

Will Management Allocate Resources To Will Management Allocate Resources To Internal Internal Controls?Controls?

Are There High Ethical And Professional Are There High Ethical And Professional Standards?Standards?

Does Management Cut Corners?Does Management Cut Corners?

The Typical Environment The Typical Environment in Which Fraud Occursin Which Fraud Occurs

Trust Is Placed In EmployeesTrust Is Placed In Employees

Employees Have Detailed Knowledge Of The Employees Have Detailed Knowledge Of The Accounting Systems And Their WeaknessesAccounting Systems And Their Weaknesses

Management Domination Subverts Normal Management Domination Subverts Normal Internal ControlsInternal Controls

The Typical Environment The Typical Environment in which Fraud Occursin which Fraud Occurs

Management Adds Pressure To “Make The Management Adds Pressure To “Make The Numbers”Numbers”

Expected Moral Behavior Is Not Expected Moral Behavior Is Not Communicated To EmployeesCommunicated To Employees

Unduly Liberal Accounting PracticesUnduly Liberal Accounting Practices

The Typical Environment in The Typical Environment in which Fraud Occurswhich Fraud Occurs

Ineffective Or Nonexistent Internal Auditing Staff.Ineffective Or Nonexistent Internal Auditing Staff.

Lack Of Effective Internal Controls.Lack Of Effective Internal Controls.

Poor Accounting Records.Poor Accounting Records.

Related Party Transactions.Related Party Transactions.

Incomplete And Out Of Date Procedural Incomplete And Out Of Date Procedural Documentation.Documentation.

Management Sets A Bad Example.Management Sets A Bad Example.

Practical Application - Practical Application - Control EnvironmentControl Environment

Establish Current Policies With Establish Current Policies With Regard To Ethical Behavior (Code Of Regard To Ethical Behavior (Code Of Conduct), Conflict Of Interest, Conduct), Conflict Of Interest, NepotismNepotism

Enforce Appropriate Discipline For Enforce Appropriate Discipline For Failure To Comply With These PoliciesFailure To Comply With These Policies

Ensure Personal Adherence To Strong Ensure Personal Adherence To Strong Moral CodeMoral Code

Reward CompetencyReward Competency

Practical Application - Practical Application - Control EnvironmentControl Environment

Place High Degree Of Importance On Place High Degree Of Importance On Maintaining Strong Internal ControlMaintaining Strong Internal Control

Provide For A “Whistle Blower” Policy Provide For A “Whistle Blower” Policy That Allows Employees And Others To That Allows Employees And Others To Report Fraud Or False Statements By Report Fraud Or False Statements By The Management TeamThe Management Team

Impact of the Control Impact of the Control EnvironmentEnvironment

Don’t Underestimate The Importance Don’t Underestimate The Importance Of This Part Of The Control System. Of This Part Of The Control System.

All The Great Control Activities In The All The Great Control Activities In The World Will Not Be Effective If World Will Not Be Effective If Employees Know That Management Is Employees Know That Management Is Not Concerned With Strong Internal Not Concerned With Strong Internal Control, Lacks Integrity Or Does Not Control, Lacks Integrity Or Does Not Value Their EmployeesValue Their Employees

Control Environment Control Environment PitfallsPitfalls

Ignoring The Tone That Management Ignoring The Tone That Management Sets Or Thinking That The Control Sets Or Thinking That The Control Environment Is Not Important.Environment Is Not Important.

Inconsistency In Treatment Of Lapses Inconsistency In Treatment Of Lapses In Ethical Conduct.In Ethical Conduct.

Allowing Employees To Feel Allowing Employees To Feel Devalued.Devalued.

Maintaining A Qualified StaffMaintaining A Qualified Staff

Competent And Honest StaffCompetent And Honest Staff

Up To Date Job DescriptionsUp To Date Job Descriptions

Follow Appropriate Hiring Policies (E.G., Not Hiring Follow Appropriate Hiring Policies (E.G., Not Hiring A A Relative Or A Buddy)Relative Or A Buddy)

Assign Authority And ResponsibilityAssign Authority And Responsibility

Ensure That Employees Are TrainedEnsure That Employees Are Trained

Review And Document PerformanceReview And Document Performance

Set Appropriate Performance Goals For PromotionSet Appropriate Performance Goals For Promotion

Session 8Session 8


What Is Risk Monitoring What Is Risk Monitoring And Assessment?And Assessment?

The Government’s Identification The Government’s Identification And Analysis Of Relevant Risks And Analysis Of Relevant Risks To Achieve It Objectives, To Achieve It Objectives, Forming A Basis On How They Forming A Basis On How They Should Manage The RisksShould Manage The Risks


Risks Result From Both External And Risks Result From Both External And Internal SourcesInternal Sources

These Change Over Time Based On These Change Over Time Based On Economic, Regulatory, And Operating Economic, Regulatory, And Operating ConditionsConditions

Risk Assessment Must Link Identified Risk Assessment Must Link Identified Policy Objectives To Specific Risk Policy Objectives To Specific Risk FactorsFactors


Example: A Policy Of Receiving The Example: A Policy Of Receiving The Highest Rate Of Return On Highest Rate Of Return On Investments Must Be Linked To Investments Must Be Linked To Interest Rate RiskInterest Rate Risk

Example: A Policy Of Allowing Example: A Policy Of Allowing Payment From Vendor Statements Payment From Vendor Statements Rather Than Original Invoices Only Rather Than Original Invoices Only Must Be Linked To The Risk Of Must Be Linked To The Risk Of Duplicate PaymentsDuplicate Payments


Example: A Policy Of Decentralized Example: A Policy Of Decentralized Cash Receipts Must Be Linked To The Cash Receipts Must Be Linked To The Risk Of Untimely Deposit And Risk Of Untimely Deposit And Recording To The General Ledger.Recording To The General Ledger.


Risk Assessment Must Also Link Risk Assessment Must Also Link Identified Control Objectives To Identified Control Objectives To Specific Risk FactorsSpecific Risk Factors

All Transactions Are Properly AuthorizedAll Transactions Are Properly AuthorizedTransactions Are Recorded In The Transactions Are Recorded In The

Correct Period For The Correct AmountCorrect Period For The Correct AmountAll Revenues Are Received And Recorded All Revenues Are Received And Recorded

TimelyTimelyAssets Are Not Stolen Or LostAssets Are Not Stolen Or Lost


Risk Factors Are Created By:Risk Factors Are Created By:The Nature Of Particular Accounts The Nature Of Particular Accounts

Or TransactionsOr TransactionsTurnover In Key Employee PositionsTurnover In Key Employee PositionsChanges In The Financial MarketsChanges In The Financial MarketsThe Expertise Of The Personnel The Expertise Of The Personnel

Handling TransactionsHandling TransactionsIneffective Or Poorly Designed Ineffective Or Poorly Designed


Practical Application - Risk Practical Application - Risk AssessmentAssessment

Be Realistic About The True Risk With Be Realistic About The True Risk With Regard To A Particular Account Or Regard To A Particular Account Or Cycle Of TransactionsCycle Of Transactions

Consider All Types Of Applicable Risk: Consider All Types Of Applicable Risk: Inherent, Control Risk, Fraud Risk, Inherent, Control Risk, Fraud Risk, Credit Risk, EtcCredit Risk, Etc

Make Sure To Address IT RiskMake Sure To Address IT Risk Identify “What Could Go Wrong?”Identify “What Could Go Wrong?”

Risk DetectionRisk Detection

It Is Like A PhysicianIt Is Like A Physician

It Is Like An AttorneyIt Is Like An Attorney

Prevention And Quick Corrective Prevention And Quick Corrective ActionAction

Inherent RiskInherent Risk

It Is Life!It Is Life!

Inherent RiskInherent Risk

ComplexityComplexity

Cash ReceiptsCash Receipts

Direct Third Party BeneficiariesDirect Third Party Beneficiaries

Degree Of CentralizationDegree Of Centralization

Prior ProblemsPrior Problems

Prior Unresponsiveness To Identify Control Prior Unresponsiveness To Identify Control WeaknessesWeaknesses

Effect Of Change On Risk Effect Of Change On Risk ManagementManagement

Changes In The EnvironmentChanges In The Environment Changes In PersonnelChanges In Personnel Changes In TechnologyChanges In Technology Rapid GrowthRapid Growth New Programs And ServicesNew Programs And Services Changes In StructureChanges In Structure

What Could Go Wrong?What Could Go Wrong?Example: Cash Example: Cash DisbursementsDisbursements

Payments Could Be Made To Fictitious Payments Could Be Made To Fictitious VendorsVendors

Disbursements Could Be Made For Disbursements Could Be Made For The Wrong AmountThe Wrong Amount

Duplicate Payments Could Be Made Duplicate Payments Could Be Made On An Invoice On An Invoice

Disbursements Could Be Recorded In Disbursements Could Be Recorded In The Wrong PeriodThe Wrong Period

What Could Go Wrong?What Could Go Wrong?Example: InvestmentsExample: Investments

Excessive Transaction Fees Could Be Excessive Transaction Fees Could Be Charged To The Government.Charged To The Government.

Investments Held By The Government Investments Held By The Government Could Be Stolen (Certificates Of Could Be Stolen (Certificates Of Deposit).Deposit).

Investments Outside The Investments Outside The Government’s Risk Tolerance Could Government’s Risk Tolerance Could Be Purchased And Result In Loss Of Be Purchased And Result In Loss Of Principal.Principal.

What Could Go Wrong?What Could Go Wrong?Example: Cash ReceiptsExample: Cash Receipts

Funds Received Could Be Credited To Funds Received Could Be Credited To The Wrong Customer AccountThe Wrong Customer Account

Cash Could Be Stolen By An EmployeeCash Could Be Stolen By An Employee Amounts Received Could Be Recorded Amounts Received Could Be Recorded

Net Rather Than GrossNet Rather Than Gross Amounts Receivable May Never Be Amounts Receivable May Never Be

Collected Due To Failure To Follow On Collected Due To Failure To Follow On Past Due Amounts Past Due Amounts

Risk Matrix – Cash ReceiptsRisk Matrix – Cash Receipts

Objective Risk FactorsImpact

RankingProbability

RankingAll collections are properly identified, control totals developed, and collections promptly deposited intact.

Failure to record cash receipts, withholding or delaying the recording of cash receipts.

5 4

All bank accounts and cash on hand are subject to effective custodial accountability procedures and physical safeguards.

Misappropriated cash or petty cash funds, diverted cash receipts, unauthorized cash disbursements, loss of funds.

5 3

All transactions are properly accumulated, correctly classified and summarized in the general ledger; balances are properly and timely reconciled with bank statement balances.

Misstating cash balances, covering unauthorized transactions by falsifying bank reconciliation.

4 3

All transactions are promptly and accurately recorded in adequate detail records and appropriate reports are issued.

Covering unauthorized transactions by substituting unsupported credits or fictitious expenditures to cover misappropriated collections, under or overestimating cash or receivables.

3 4

Practical Application - Practical Application - Risk AssessmentsRisk Assessments

Risk Assessments Can Be Documented Via Risk Assessments Can Be Documented Via Narrative, Checklist Or MatrixNarrative, Checklist Or Matrix

Tools Available Include:Tools Available Include: COSO Documents Available Via AICPACOSO Documents Available Via AICPA PPC Checklists Or Other Auditor Utilized PPC Checklists Or Other Auditor Utilized

TemplatesTemplates Local Government Websites (Perform Local Government Websites (Perform

Google Search For “Government Internal Google Search For “Government Internal Control”)Control”)


Remember That Use Of A Third Party Remember That Use Of A Third Party Does Not Eliminate Management’s Does Not Eliminate Management’s Responsibility For Assessing Risks.Responsibility For Assessing Risks.Structure Of Agreement Is Structure Of Agreement Is

ImportantImportantObtain SAS 70Obtain SAS 70Reconcile Reports To General Reconcile Reports To General

Ledger (As Applicable)Ledger (As Applicable)


Remember That IT Controls Can Affect Risk For All Remember That IT Controls Can Affect Risk For All Cycles Of Transactions. Well Designed Internal Cycles Of Transactions. Well Designed Internal Controls Can Be Made Ineffective By Poor Controls Controls Can Be Made Ineffective By Poor Controls Over IT.Over IT. System Log-in Should Mirror Job ResponsibilitiesSystem Log-in Should Mirror Job Responsibilities PasswordsPasswords Remove Temporary Access Granted Once No Remove Temporary Access Granted Once No

Longer AppropriateLonger Appropriate

Risk Assessment PitfallsRisk Assessment Pitfalls

Trying To Identify A Control For Every Trying To Identify A Control For Every Risk Factor.Risk Factor.

Ignoring The Possibility Of Existing Ignoring The Possibility Of Existing Compensating Controls.Compensating Controls.

Not Performing A Risk Assessment Not Performing A Risk Assessment Annually Or At Least When Key Annually Or At Least When Key Factors Have Changed (Regulatory, Factors Have Changed (Regulatory, Employee Turnover, Etc.)Employee Turnover, Etc.)

Ignoring It Controls.Ignoring It Controls.

Session 9Session 9



The Policies And Procedures That Ensure The Policies And Procedures That Ensure Management’s Directives Are FollowedManagement’s Directives Are Followed

These Occur At All Levels Throughout These Occur At All Levels Throughout The OrganizationThe Organization

Include : Approvals, Authorizations, Include : Approvals, Authorizations, Verifications, Reconciliations, Security Verifications, Reconciliations, Security Of Assets, Segregation Of Duties And Of Assets, Segregation Of Duties And Review Of Operating PerformanceReview Of Operating Performance

Practical Application - Practical Application - Control ActivitiesControl Activities

Address Control Objectives: Existence Or Address Control Objectives: Existence Or Occurrence, Completeness, Valuation Or Occurrence, Completeness, Valuation Or Allocation, Rights And Obligations, Accuracy Allocation, Rights And Obligations, Accuracy Or Classification, Cutoff And Presentation Or Classification, Cutoff And Presentation And DisclosureAnd Disclosure

Tie Control Activities To Risks Previously Tie Control Activities To Risks Previously Identified And Address “What Could Go Identified And Address “What Could Go Wrong” ScenariosWrong” Scenarios

Balance Cost And Benefit Balance Cost And Benefit

Identify Control Objectives And The Risks Of Identify Control Objectives And The Risks Of What Could HappenWhat Could Happen

For Each Risk Factor Identified, Evaluate For Each Risk Factor Identified, Evaluate The Potential Impact And Probability Of The Potential Impact And Probability Of OccurrenceOccurrence

Design Control Activities To Address High Design Control Activities To Address High Impact, High Probability ConcernsImpact, High Probability Concerns

Evaluate AnnuallyEvaluate Annually


Risk MatrixRisk Matrix

Cash Receipt ExampleCash Receipt Example


RankingProbability

Ranking Control ProcedureAll collections are properly identified, control totals developed, and collections promptly deposited intact.

Failure to record cash receipts, withholding or delaying the recording of cash receipts.

5 4

Cash receipts are posted daily to the accounts receivable. The cash receipts are reconciled to daily bank deposits. Bank reconciliations are performed timely to reconcile all bank deposits.

All bank accounts and cash on hand are subject to effective custodial accountability procedures and physical safeguards.

Misappropriated cash or petty cash funds, diverted cash receipts, unauthorized cash disbursements, loss of funds.

5 3

Bank reconciliations are performed timely to reconcile all bank deposits and disbursements to the general ledger. Petty cash funds and cash receipts deposits are securely maintained in a safety bag, lockbox, or safe depending on their location. Bank deposits are delivered to the bank daily in secure bank bags.

All transactions are properly accumulated, correctly classified and summarized in the general ledger; balances are properly and timely reconciled with bank statement balances.

Misstating cash balances, covering unauthorized transactions by falsifying bank reconciliation.

4 3

Bank reconciliations are reviewed by management independent of the individual that prepares them.

All transactions are promptly and accurately recorded in adequate detail records and appropriate reports are issued.

Covering unauthorized transactions by substituting unsupported credits or fictitious expenditures to cover misappropriated collections, under or overestimating cash or receivables.

3 4

Cash receipts are posted daily to the accounts receivable. The cash receipts are reconciled to daily bank deposits. Bank reconciliations are performed timely to reconcile all bank deposits.


Cash Disbursements ExampleCash Disbursements Example


RankingProbability

Ranking Control ProcedureAll checks are prepared on the basis of adequate and approved documentation, compared with supporting data and properly approved, signed and mailed.

Incorrect or duplicate payments, alteration of checks, disbursement for materials or services not properly documented or approved.

5 5

Cash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the Finance Manager before being processed for printing and sent out.

All requests for goods and services are initiated and approved by authorized individuals, and are in accordance with budget and appropriation guidelines.

Purchases from unauthorized vendors, purchases in violation of a conflict of interest policy, purchases that demonstrate unfair bidding practices, purchases are not made timely, purchases not in accordance with budget provisions.

5 4

Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City budget officer reviews for budget restrictions on purchase orders.

All invoices processed for payment represent goods and services received and are accurate as to terms, quantities, prices and extensions; account distributions are accurate and agree with established account classifications.

Payment based on improper price or terms, accounting distribution of cost is inaccurate.

5 3

The City only processes payment from invoices and costs are allocated based on the expenditure accounts on the initiating purchase order.


It Is Not Necessary To Address Every It Is Not Necessary To Address Every Risk Factor With A Specific Control Risk Factor With A Specific Control Activity – Focus On Key AreasActivity – Focus On Key Areas

Utilize Compensating Controls Where Utilize Compensating Controls Where “Textbook Approach” Is Not Practical“Textbook Approach” Is Not Practical

Evaluate The Benefit Of Existing Evaluate The Benefit Of Existing Monitoring ControlsMonitoring Controls


Cash Disbursements ExampleCash Disbursements Example

Control ProcedureCash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the Finance Manager before being processed for printing and sent out.

Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City budget officer reviews for budget restrictions on purchase orders.

Cash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the City Clerk (City Manager) before being processed for printing and sent out.

Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City Clerk reviews for budget restrictions on purchase orders.

Compensating Control

Key Control ActivitiesKey Control Activities

Address Unusual Transactions Or Address Unusual Transactions Or Variance From Expected Benchmarks In Variance From Expected Benchmarks In Timely FashionTimely Fashion

Reconcile Accounts Per General Ledger Reconcile Accounts Per General Ledger To Subsidiary Ledgers Or Statements To Subsidiary Ledgers Or Statements From Trustee/Custodian (As Applicable)From Trustee/Custodian (As Applicable)

Separate Initiation And Authorization Separate Initiation And Authorization From Recording Of TransactionsFrom Recording Of Transactions

Key Control ActivitiesKey Control Activities

Provide For Oversight By Provide For Oversight By Interested Party Such As Interested Party Such As Investment Committee (Include Investment Committee (Include Trustee Activities) , Audit Trustee Activities) , Audit Committee Or Citizens’ GroupCommittee Or Citizens’ Group

Utilize Disclosure Checklist To Utilize Disclosure Checklist To Ensure Presentation And Ensure Presentation And Disclosure Requirements Are MetDisclosure Requirements Are Met

Control Activities PitfallsControl Activities Pitfalls

Remember That For Small Governments Key Remember That For Small Governments Key Objectives Must Be IdentifiedObjectives Must Be Identified Reducing The Risk Of Theft Or FraudReducing The Risk Of Theft Or Fraud Providing For AccountabilityProviding For Accountability Ensuring Compliance With Regulations Ensuring Compliance With Regulations

Focus On True Effectiveness – Not Just Focus On True Effectiveness – Not Just Cookie Cutter ApproachesCookie Cutter Approaches

Ensure Benefit Justifies The CostEnsure Benefit Justifies The Cost

Session 10Session 10

Information and Information and CommunicationsCommunications

Information and Information and CommunicationCommunication

Includes Both Internal And External Includes Both Internal And External InteractionInteraction

Requires Pertinent Information To Be Requires Pertinent Information To Be Identified, Captured And Communicated In Identified, Captured And Communicated In A Form And Timeframe For Employees To A Form And Timeframe For Employees To Carry Out Their ResponsibilitiesCarry Out Their Responsibilities

Reports Must Contain Relevant Operational, Reports Must Contain Relevant Operational, Financial And Compliance InformationFinancial And Compliance Information

Practical Application - Practical Application - Information and Information and CommunicationCommunication

System Generated Reports Must System Generated Reports Must Include Relevant InformationInclude Relevant Information

Statements From Outside Third Statements From Outside Third Parties (Broker/Dealers, Bank Parties (Broker/Dealers, Bank Statements, Grantor Agency) Must Be Statements, Grantor Agency) Must Be Channeled To Correct Personnel And Channeled To Correct Personnel And Provided TimelyProvided Timely

Information And Information And CommunicationCommunication

Example: InvestmentsExample: Investments Communication With Investment Committee Communication With Investment Committee

Or Other Oversight Body Should Include:Or Other Oversight Body Should Include:

Types Of Investments HeldTypes Of Investments Held Average Rate Of Return For Period And Average Rate Of Return For Period And

YTD Compared With BenchmarksYTD Compared With Benchmarks Average Maturity Of PortfolioAverage Maturity Of Portfolio Compliance With Investment Policy Compliance With Investment Policy

ProvisionsProvisions


Example: InvestmentsExample: Investments Communication With Investment Committee Communication With Investment Committee

Or Other Oversight Body Should Also Or Other Oversight Body Should Also Include: Include:

Changes In Investment Strategy (If Any)Changes In Investment Strategy (If Any) Interest Rate Environment ChangesInterest Rate Environment Changes Discussion Of Any Unusual Transaction Or Discussion Of Any Unusual Transaction Or

Particularly Risky InvestmentParticularly Risky Investment


Example: Cash DisbursementsExample: Cash Disbursements

Communication With DepartmentsCommunication With Departments Budget To Actual Report By Budgeted LineBudget To Actual Report By Budgeted Line Request To Explain Certain VariancesRequest To Explain Certain Variances Detail Of Capital Assets Added To SubledgerDetail Of Capital Assets Added To Subledger

Communication With CouncilCommunication With Council Budget To Actual Comparison By Budget To Actual Comparison By

DepartmentDepartment Explanations For Variances Over A Certain Explanations For Variances Over A Certain

ThresholdThreshold


Example: Cash ReceiptsExample: Cash Receipts

Daily Cash Reports Should Show Revenue Daily Cash Reports Should Show Revenue By Major Categories Such That By Major Categories Such That Reconciliation To The General Ledger Is Reconciliation To The General Ledger Is Facilitated.Facilitated.

The Date Of Receipt And Date Of Deposit The Date Of Receipt And Date Of Deposit Should Be Included Along With The Should Be Included Along With The General Ledger And Bank Account General Ledger And Bank Account Information.Information.

Information And Information And Communication PitfallsCommunication Pitfalls

Generating Reports That Provide Generating Reports That Provide Inaccurate, Untimely Or Unnecessary Inaccurate, Untimely Or Unnecessary InformationInformation

Providing Inappropriate Information Providing Inappropriate Information Outside The Organization (SS #, Outside The Organization (SS #, Employee Evaluations)Employee Evaluations)

Failure To Verify Accuracy Of Failure To Verify Accuracy Of Externally Provided ReportsExternally Provided Reports


Assessing The Quality Of The Assessing The Quality Of The Internal Control System And Internal Control System And Making Modifications As NeededMaking Modifications As Needed

This Process Is Ongoing Through This Process Is Ongoing Through The Normal Course Of The Normal Course Of Operations And At Separate Operations And At Separate Specific Evaluations Of A Specific Evaluations Of A Particular ProcessParticular Process

MonitoringMonitoringCOSO Framework COSO Framework States That States That “Monitoring “Monitoring Ensures That Ensures That Internal Control Internal Control Continues To Continues To Operate Operate Effectively.”Effectively.”

The COSO The COSO Framework Framework Recognizes That Recognizes That Risks Change Over Risks Change Over Time And That Time And That Management Management Needs To Needs To “Determine “Determine Whether The Whether The Internal Control Internal Control System Continues System Continues To Be Relevant To Be Relevant And Able To And Able To Address New Address New Risks.”Risks.”

MonitoringMonitoringThe Original COSO Report On Internal The Original COSO Report On Internal

Controls Was Issued In 1992. Controls Was Issued In 1992.

In 2009, COSO Issued “Guidance On In 2009, COSO Issued “Guidance On Monitoring Internal Control Systems”Monitoring Internal Control Systems”

Emphasized Importance Of Emphasized Importance Of Monitoring Controls As Part Of Even Monitoring Controls As Part Of Even Small Government Environments.Small Government Environments.


Monitoring Is Both An On-going Monitoring Is Both An On-going Process And Can Be Annual In Process And Can Be Annual In Nature (Testing Of Key Controls)Nature (Testing Of Key Controls)

Process Can Be Done Annually By Process Can Be Done Annually By The Internal Audit Department The Internal Audit Department (As Applicable) Or As An Internal (As Applicable) Or As An Internal Review By Finance Personnel.Review By Finance Personnel.

Practical Application – Practical Application – Examples of MonitoringExamples of Monitoring

Cash ReceiptsCash ReceiptsPerforming A Review Of Bank Performing A Review Of Bank

Reconciliations On A Monthly Basis And Reconciliations On A Monthly Basis And Signing Off As Having Reviewed These.Signing Off As Having Reviewed These.

Monthly Comparison Of Actual Receipts Monthly Comparison Of Actual Receipts To Budgeted Receipts And Investigation To Budgeted Receipts And Investigation Of Significant Discrepancies.Of Significant Discrepancies.

Annually Selecting A Few Transactions Annually Selecting A Few Transactions To Ensure Proper Recording.To Ensure Proper Recording.

Practical Application – Practical Application – Examples Of Monitoring Examples Of Monitoring

Cash DisbursementsCash DisbursementsPerforming A Review Of Bank Performing A Review Of Bank

Reconciliations On A Monthly Basis And Reconciliations On A Monthly Basis And Signing Off As Having Reviewed These.Signing Off As Having Reviewed These.

Monthly Comparison Of Cash Monthly Comparison Of Cash Disbursements To Budgeted Disbursements To Budgeted Expenditures/Expenses And Expenditures/Expenses And Investigation Of Significant Investigation Of Significant Discrepancies.Discrepancies.

Practical Application – Practical Application – Examples Of Monitoring Examples Of Monitoring

Cash DisbursementsCash Disbursements

Reconciliation Of P-card Purchases Reconciliation Of P-card Purchases By Someone Other Than The Card By Someone Other Than The Card HolderHolder

Annual Test Of A Selection Of Annual Test Of A Selection Of Transactions For Proper Recording.Transactions For Proper Recording.

Practical Application – Practical Application – Examples of Monitoring Examples of Monitoring

InvestmentsInvestments Performing Investment Portfolio Review Performing Investment Portfolio Review

(Including Evaluation Of Concentration And (Including Evaluation Of Concentration And Type Of Investments) Quarterly By Person Type Of Investments) Quarterly By Person Independent Of Investment Portfolio Independent Of Investment Portfolio ManagementManagement

Disclosure Of Conflict Of Interest Statement Disclosure Of Conflict Of Interest Statement Annually By Portfolio ManagerAnnually By Portfolio Manager

Obtaining A SAS 70 Report From Custodian Obtaining A SAS 70 Report From Custodian AnnuallyAnnually

Practical Application - Practical Application - MonitoringMonitoring

Controls Will Change As The Makeup Controls Will Change As The Makeup Of An Account ChangesOf An Account Changes

Controls Should Be Evaluated When Controls Should Be Evaluated When There Are Changes In Key Personnel There Are Changes In Key Personnel Or Software ApplicationsOr Software Applications

Be Responsive To Information Be Responsive To Information Requests Of Key Management Requests Of Key Management PersonnelPersonnel

Review Polices And Procedures Review Polices And Procedures AnnuallyAnnually

Monitoring PitfallsMonitoring Pitfalls

Failure To Perform Any Monitoring Control Failure To Perform Any Monitoring Control Activities.Activities.

Overkill For The Organizations Size. One Or Overkill For The Organizations Size. One Or Two Key Data Cycles Or Areas Can Be Selected Two Key Data Cycles Or Areas Can Be Selected Each Year For Testing Of Controls.Each Year For Testing Of Controls.

No Attempt To Actually Test Key Controls In No Attempt To Actually Test Key Controls In Some Fashion.Some Fashion.

Failure To Evaluate Controls When Personnel Failure To Evaluate Controls When Personnel Or Software Changes.Or Software Changes.


Evaluation Controls Over Evaluation Controls Over Accounting And Financial Accounting And Financial

ReportingReporting

Know Where To StartKnow Where To Start

Identify Control CyclesIdentify Control Cycles

Basic Control CyclesBasic Control Cycles

- Obtaining Resources- Obtaining Resources

- Applying Resources- Applying Resources

Identify Control CyclesIdentify Control Cycles

It Is Easy For Management To Be Daunted It Is Easy For Management To Be Daunted By The Sheer Volume And Complexity Of By The Sheer Volume And Complexity Of Controls Over Accounting And Financial Controls Over Accounting And Financial Reporting. Reporting.

Accordingly, The First Step In Evaluating Accordingly, The First Step In Evaluating These Controls Is To Know Where To Start. These Controls Is To Know Where To Start.

The Best Place To Begin Is By "Breaking The Best Place To Begin Is By "Breaking Down" What A Government Does Into Down" What A Government Does Into Manageable Groupings Of Similar Or Manageable Groupings Of Similar Or Related Activities, Commonly Known As Related Activities, Commonly Known As "Control Cycles.""Control Cycles."

Obtaining ResourcesObtaining Resources

The Resources Inflows Control CycleThe Resources Inflows Control Cycle

- Obtaining Legal Claim (Levy The - Obtaining Legal Claim (Levy The Tax, Provide The Service)Tax, Provide The Service)

- Demanding Payment (From - Demanding Payment (From Taxpayers, Customers And Grantors)Taxpayers, Customers And Grantors)

- Converting To Cash (Collect)- Converting To Cash (Collect)

Applying ResourcesApplying Resources

The Resources Outflows Control The Resources Outflows Control CycleCycle

Applying Resources (Issue Applying Resources (Issue Purchase Orders, Approve Purchase Orders, Approve Contracts, Hire Employees, Contracts, Hire Employees, Award Grants)Award Grants)



- Ensuring Conditions Met - Ensuring Conditions Met (Receipt Of Goods Or Services, (Receipt Of Goods Or Services, Compliance With Grant Compliance With Grant Requirements)Requirements)

- Making Cash Payments- Making Cash Payments



- Making Cash Payments- Making Cash Payments

Interim ManagementInterim Management

Governments Are Not Able To Apply Governments Are Not Able To Apply Immediately All Of The Resources They Immediately All Of The Resources They Obtain. Obtain.

Rather, There Will Be A Greater Or Rather, There Will Be A Greater Or Lesser Interval Between When Lesser Interval Between When Resources Are First Obtained And Resources Are First Obtained And When Those Resources Are Finally When Those Resources Are Finally Converted Into Goods And ServicesConverted Into Goods And Services

During This Interval, A Government During This Interval, A Government Must Carefully Manage The Resources Must Carefully Manage The Resources Entrusted To Its Care. Entrusted To Its Care.

Interim ManagementInterim Management

First, Liquid Resources (E.G., Cash) Must Be First, Liquid Resources (E.G., Cash) Must Be Properly Protected And Used To Best Properly Protected And Used To Best Advantage Until Needed (I.E., Invested Or Advantage Until Needed (I.E., Invested Or Placed On Deposit). Placed On Deposit).

Second, Non Liquid Assets Used In The Second, Non Liquid Assets Used In The Provision Of Services (E.G., Equipment, Provision Of Services (E.G., Equipment, Inventories Of Supplies) Must Be Properly Inventories Of Supplies) Must Be Properly Protected And Maintained. Protected And Maintained.

When Both Of These Processes Are When Both Of These Processes Are Combined Together, The Result Is A Third Combined Together, The Result Is A Third Control Cycle For "Resource Management."Control Cycle For "Resource Management."

Seven Important StepsSeven Important Steps

Vulnerability AssessmentVulnerability Assessment

Documenting TransactionsDocumenting Transactions

Identifying Specific RisksIdentifying Specific Risks

Identifying Compensating Identifying Compensating ControlsControls

Seven Important StepsSeven Important Steps

Evaluating The Design Of Evaluating The Design Of Comensating ControlsComensating Controls

Testing Compensating ControlsTesting Compensating Controls

Assessing The Results Of Assessing The Results Of TestingTesting


Control CyclesControl Cycles

A Final ReviewA Final Review

Cash ControlsCash ControlsCollection ControlsCollection Controls

Disbursement ControlsDisbursement Controls

Custody ControlsCustody Controls

Accounting ControlsAccounting Controls

Reconciliation ControlsReconciliation Controls

Investments ControlsInvestments Controls

Segregation of DutiesSegregation of Duties

Procedural ControlsProcedural Controls

Custody ControlsCustody Controls

Accounting ControlsAccounting Controls

Capital Asset ControlsCapital Asset ControlsSegregation of DutiesSegregation of Duties


Authorization ControlsAuthorization Controls

Asset Accountability ControlsAsset Accountability Controls

General Ledger ControlsGeneral Ledger Controls

Inventory ControlsInventory Controls


Authorization ControlsAuthorization Controls

Receipt/Issues ControlsReceipt/Issues Controls

Physical Inventory ControlsPhysical Inventory Controls

Procurement ControlsProcurement Controls Segregation of DutiesSegregation of Duties


Requisition ControlsRequisition Controls

Procurement ControlsProcurement Controls

Receiving ControlsReceiving Controls

Invoice Processing ControlsInvoice Processing Controls

Personnel and Payroll Personnel and Payroll ControlsControls



Personnel ControlsPersonnel Controls

Payroll Processing ControlsPayroll Processing Controls

IT ControlsIT Controls



Documentation ControlsDocumentation Controls

Data ControlsData Controls

Security ControlsSecurity Controls

Inventory ControlsInventory Controls


Other Internal Control Other Internal Control PitfallsPitfalls

A Final Reminder About A Final Reminder About I/C PitfallsI/C Pitfalls

Don’t Focus On Areas Where Risk Is LowDon’t Focus On Areas Where Risk Is Low

Don’t Ignore Risk Factors You Become Don’t Ignore Risk Factors You Become Aware Of Throughout The YearAware Of Throughout The Year

Talk To Your Auditors About Areas Of Talk To Your Auditors About Areas Of Concern They May Have And New Auditing Concern They May Have And New Auditing Standards That Will Affect Your Audit.Standards That Will Affect Your Audit.

Make Sure To Tailor Any “Borrowed” P&P To Make Sure To Tailor Any “Borrowed” P&P To Your Organization.Your Organization.

A Final Reminder About A Final Reminder About I/C PitfallsI/C Pitfalls

Remember That The Cost Of Remember That The Cost Of Implementing The Control Implementing The Control Structure Should Not Outweigh Structure Should Not Outweigh The Benefit.The Benefit.

Remember To Address Budget, Remember To Address Budget, Grant And It ControlsGrant And It Controls..

SummarySummary

The Control Environment Establishes The Control Environment Establishes The Importance Of Internal Control.The Importance Of Internal Control.

Risk Assessments Must Be Realistic Risk Assessments Must Be Realistic And Performed When Changes To And Performed When Changes To Objectives Or Policies Occur, There Objectives Or Policies Occur, There Is Turn Over In Key Employees Or Is Turn Over In Key Employees Or Significant Changes In The Financial Significant Changes In The Financial Markets.Markets.

SummarySummary

Control Activities Should Be Focused Control Activities Should Be Focused On Areas Of Highest Risk. Monitoring On Areas Of Highest Risk. Monitoring Controls Are Effective Stopgap For Controls Are Effective Stopgap For Smaller Entities.Smaller Entities.

Information And Communication Must Information And Communication Must Provide Relevant Information For Provide Relevant Information For Managing The Assets And Liabilities Managing The Assets And Liabilities Of The Entity.Of The Entity.

Monitoring Of The Internal Control Monitoring Of The Internal Control System Is An Ongoing Process.System Is An Ongoing Process.


Red Flags and FraudRed Flags and Fraud

How to Catch a How to Catch a FraudsterFraudster

Independent AuditorIndependent Auditor

Internal AuditInternal Audit

Getting Ratted OutGetting Ratted Out

Oops MethodOops Method

How to Catch a How to Catch a FraudsterFraudster

Rotate those Job DutiesRotate those Job Duties

The Spot CheckThe Spot Check

And, the Surprise AttackAnd, the Surprise Attack

Eliminate Fraudster Eliminate Fraudster PotentialPotential

Background CheckBackground Check

CriminalCriminal

CreditCredit

ReferencesReferences

Verify the SocialVerify the Social

Eliminate Fraudster Eliminate Fraudster PotentialPotential

Background CheckBackground Check

Driving RecordDriving Record

The EducationThe Education

Professional CredentialsProfessional Credentials

Drug TestingDrug Testing

Tips – Employee ChangesTips – Employee Changes

AttendanceAttendance

TardinessTardiness

Avoiding OthersAvoiding Others

Bathroom BreaksBathroom Breaks

Tips – Employee ChangesTips – Employee Changes

ListenListen

LookLook

SmellSmell

ObserveObserve

AskAsk

Top Ten ReasonsTop Ten ReasonsFraud Beats InternalFraud Beats Internal

ControlsControls

And What Management Can Do And What Management Can Do About It?About It?

““Fighting the Last War”Fighting the Last War”

Accountants Too Often Allow Accountants Too Often Allow Themselves To Focus Almost Themselves To Focus Almost Exclusively On Past Weaknesses Exclusively On Past Weaknesses Rather Than On Current And Rather Than On Current And Future Exposures (Like Putting Future Exposures (Like Putting Up Traffic Signals Only After An Up Traffic Signals Only After An Accident Occurs)Accident Occurs)

Establish A System Of Proactive FraudEstablish A System Of Proactive FraudPolicies – Don’t Wait For Something To Policies – Don’t Wait For Something To

PopPopUp!Up!

Use Of The Analytical ReviewUse Of The Analytical Review

Watch For Increasing Expenses, Watch For Increasing Expenses, Increasing Receivables/Decreasing Increasing Receivables/Decreasing Cash, Increasing Revenue/Decreasing Cash, Increasing Revenue/Decreasing CashCash

Use Fraud Assessment Questions Use Fraud Assessment Questions With Each EmployeeWith Each Employee

Establish A System Of Proactive FraudEstablish A System Of Proactive FraudPolicies – Don’t Wait For Something To Policies – Don’t Wait For Something To

PopPopUp!Up!

Enforce A Mandatory Vacation Policy Enforce A Mandatory Vacation Policy With A Senior Person Filling The With A Senior Person Filling The Position For Several DaysPosition For Several Days

Enforce A Mandatory Job Rotation Enforce A Mandatory Job Rotation PolicyPolicy

Periodically, Stage A Surprise Audit Periodically, Stage A Surprise Audit Of Each PositionOf Each Position

Detection of Fraud Detection of Fraud SchemesSchemes

Tip (46.2%)Tip (46.2%)By Accident (20%)By Accident (20%)Internal Audit (19.4%)Internal Audit (19.4%)Internal Controls (23.3%)Internal Controls (23.3%)External Audit (9.1%)External Audit (9.1%)Notified by Police (3.2%)Notified by Police (3.2%)

Control Related PoliciesControl Related Policies

AuthorizationAuthorization Properly Designed RecordsProperly Designed Records Security Of Assets And RecordsSecurity Of Assets And Records Segregation Of DutiesSegregation Of Duties Periodic ReconciliationsPeriodic Reconciliations Periodic VerificationsPeriodic Verifications Analytical ReviewAnalytical Review

1. Goin’ Through the 1. Goin’ Through the MotionsMotions

Process MentalityProcess Mentality Just Doing The Steps In The ProcessJust Doing The Steps In The Process Not Thinking About What One Is DoingNot Thinking About What One Is Doing

Example: Two Signatures Required On Example: Two Signatures Required On Checks. Both Check Signers Fail To Notice Checks. Both Check Signers Fail To Notice The Check Has No Payee And Still Sign The The Check Has No Payee And Still Sign The CheckCheck

Remedy: Reinforce The Need To Pay Remedy: Reinforce The Need To Pay Attention And The Consequences For FailureAttention And The Consequences For Failure

2. See No Evil, Hear No Evil2. See No Evil, Hear No Evil

Blind TrustBlind Trust Failure To Acknowledge Warning SignalsFailure To Acknowledge Warning Signals

Example: Failure To Follow Up On A Customer Example: Failure To Follow Up On A Customer Complaint Of An Incorrect Bill For Service And Complaint Of An Incorrect Bill For Service And Relying On The Experienced And Valued Relying On The Experienced And Valued Billing Clerk’s Response That It Was Just An Billing Clerk’s Response That It Was Just An Error.Error.

Remedy: Realize That Anyone Can Commit Remedy: Realize That Anyone Can Commit Fraud. Assume Discrepancies Are Fraud And Fraud. Assume Discrepancies Are Fraud And Prove To Yourself It Is Only An Error.Prove To Yourself It Is Only An Error.

3. It’s Good to be The 3. It’s Good to be The KingKing

Positional ImmunityPositional Immunity Rationalizing That Controls Don’t Apply To Me Rationalizing That Controls Don’t Apply To Me

Because I Am In Upper Management.Because I Am In Upper Management. Often Referred To As Management Override.Often Referred To As Management Override.

Example: Executive Director Doesn’t Report Example: Executive Director Doesn’t Report Leave Used, But Still Gets Paid For Unused Leave Used, But Still Gets Paid For Unused Leave Annually.Leave Annually.

Remedy: Identify Someone Within Or Outside Remedy: Identify Someone Within Or Outside The Entity That You Can Report These The Entity That You Can Report These Circumstances To And Not Jeopardize Your Job.Circumstances To And Not Jeopardize Your Job.

4. New Kid on the Block4. New Kid on the Block Situational IncompetenceSituational Incompetence New Employee Not In A Position To Question WhyNew Employee Not In A Position To Question Why

Example: New Accounts Payable Clerk Questions Example: New Accounts Payable Clerk Questions Why Purchases From A Certain Vendor Do Not Why Purchases From A Certain Vendor Do Not Require Bids, And Is Told That Such Purchases Require Bids, And Is Told That Such Purchases Are Exempt.Are Exempt.

Remedy: If You Are The Supervisor, Don’t Remedy: If You Are The Supervisor, Don’t Assume New Employee Just Doesn’t Understand. Assume New Employee Just Doesn’t Understand. Take Their Questions Seriously And Ask Your Self Take Their Questions Seriously And Ask Your Self Why. If You Are The Employee, Ask More Than Why. If You Are The Employee, Ask More Than One Person.One Person.

5. Where’s All the Time 5. Where’s All the Time Gone?Gone?

Workload OverloadWorkload Overload Not Enough Time To Perform Control Not Enough Time To Perform Control

ProceduresProcedures

Example: Knowing That The Supervisor Is Too Example: Knowing That The Supervisor Is Too Busy To Reconcile Accounts Receivable, A Busy To Reconcile Accounts Receivable, A Billing Clerk Steals Cash And Posts Billing Clerk Steals Cash And Posts Unauthorized Adjustments.Unauthorized Adjustments.

Remedy: Reevaluate Assignment Of Duties, Remedy: Reevaluate Assignment Of Duties, And When Needed, Demand More Resources And When Needed, Demand More Resources By Focusing On The Consequences Of Fraud.By Focusing On The Consequences Of Fraud.

6. Can’t We All Be Happy?6. Can’t We All Be Happy? Conflict AvoidanceConflict Avoidance Responsible Employees Not Comfortable In Responsible Employees Not Comfortable In

Confronting Other EmployeesConfronting Other Employees

Example: A Supervisor Recognizes That The Example: A Supervisor Recognizes That The Cash Drawer Is Always Short At The End Of The Cash Drawer Is Always Short At The End Of The Day, But Is Uncomfortable In Confronting The Day, But Is Uncomfortable In Confronting The Employee.Employee.

Remedy: Reinforce Supervisory Responsibilities. Remedy: Reinforce Supervisory Responsibilities. Provide Employee Management Training. Don’t Provide Employee Management Training. Don’t Tolerate Poor Performance.Tolerate Poor Performance.

7. Where’s the Beef?7. Where’s the Beef? Informational RestraintInformational Restraint Responsible Employees Lack The Information Responsible Employees Lack The Information

They Need To Identify An Improper TransactionThey Need To Identify An Improper Transaction

Example: An Accounts Payable Clerk Is Not Example: An Accounts Payable Clerk Is Not Provided A Contract That Includes A Not-to-Provided A Contract That Includes A Not-to-exceed Price Limit And Vendor Takes exceed Price Limit And Vendor Takes Advantage By Over-billing.Advantage By Over-billing.

Remedy: Reinforce With Employees The Remedy: Reinforce With Employees The Openness And Availability Of Records And Openness And Availability Of Records And Information.Information.

8. It’s None of My 8. It’s None of My BusinessBusiness

Behavioral IgnoranceBehavioral Ignorance Responsible Employees Ignore Behavioral Signs Responsible Employees Ignore Behavioral Signs

Or Indicators Of Possible FraudOr Indicators Of Possible Fraud

Example: Management And Other Employees Fail Example: Management And Other Employees Fail To Investigate Or Question An Employee That Is To Investigate Or Question An Employee That Is Living Well Above Their Means Or Salary Level.Living Well Above Their Means Or Salary Level.

Remedy: Create An Environment Within The Remedy: Create An Environment Within The Government That Fosters Ethical And Government That Fosters Ethical And Responsible Behavior. Create An Anonymous Responsible Behavior. Create An Anonymous hotlinehotline

9. It’s Over My Head9. It’s Over My Head Informational IgnoranceInformational Ignorance Officials Ignore Fraud Warning Signs In Reports Officials Ignore Fraud Warning Signs In Reports

Because They Don’t Understand The ReportsBecause They Don’t Understand The Reports

Example: Highway Patrol Fine Revenue Was Example: Highway Patrol Fine Revenue Was Embezzled And Monthly Budget Report Shows A Embezzled And Monthly Budget Report Shows A Potential Problem, But The Report Is Too Potential Problem, But The Report Is Too Complicated For Management And Governing Complicated For Management And Governing Board To Understand.Board To Understand.

Remedy: When It Comes To Reports, Use The Remedy: When It Comes To Reports, Use The Kiss Principle And Train The Users.Kiss Principle And Train The Users.

10. A Bad Apple in the 10. A Bad Apple in the BunchBunch

Ethically ChallengedEthically Challenged Employees Responsible For Controls Are Just Employees Responsible For Controls Are Just

Not Ethical And Morally Responsible Not Ethical And Morally Responsible IndividualsIndividuals

Example: Purchasing Supervisor Is Dishonest Example: Purchasing Supervisor Is Dishonest And Convinces An Accounts Payable Employee And Convinces An Accounts Payable Employee To Process Fake Invoices For Payment And To Process Fake Invoices For Payment And Split The Money Between Them.Split The Money Between Them.

Remedy: Don’t Hire Crooks.Remedy: Don’t Hire Crooks.

To Summarize Internal To Summarize Internal Controls:Controls:

Provide A Favorable Control EnvironmentProvide A Favorable Control Environment Provide For The Continuing Assessment Of Provide For The Continuing Assessment Of

RiskRisk Provide For The Design, Implementation Provide For The Design, Implementation

And Maintenance Of Effective Control And Maintenance Of Effective Control Related Policies And ProceduresRelated Policies And Procedures

Provide For The Effective Communication Of Provide For The Effective Communication Of Information (We Kind Of Skipped This Topic)Information (We Kind Of Skipped This Topic)

Provide For The Ongoing Monitoring Of The Provide For The Ongoing Monitoring Of The Effectiveness Of Control Related Policies Effectiveness Of Control Related Policies And ProceduresAnd Procedures

We Are FinishedWe Are Finished

Please “Don’t Steal”Please “Don’t Steal”

Contact Paul @Contact Paul @

[email protected]@mindspring.com

Evaluating A Government’s Internal Controls and a Review of How Fraud Relates to Internal Controls...

Documents

Transcript of Evaluating A Government’s Internal Controls and a Review of How Fraud Relates to Internal Controls...