Small Government Internal Controls

Small Government Internal Controls

Presented by

Donna Collins

Milestone Professional Services

Why are Internal Controls So Important?

• Accountability– Citizens

• Approved budget has been followed• Spending and letting of contracts has been legal• Appropriate safeguards taken against fraud

– Grantors• Funds have been used for the purpose given• Compliance requirements have been met

– Management• Data is reliable for decision making


• Accurate reporting– Internal

• Budgeting and planning purposes• Cash flow management

– External• Creditors (Bankers, bondholders, etc.)• Grantors• Financial statement users

– State and other governments– Companies moving to our City


• Efficient use of resources– Eliminating redundancy in our process to

allow for a streamlined workforce– Protecting against loss due to fraud and

misappropriation– Communicating clearly internally and

externally so that operations flow smoothly– Providing for the ability to recognize

excellence within our government

Internal Control - Definition• Internal Control is a process, affected by

management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:– Effectiveness and efficiency of operations– Reliability of financial reporting– Compliance with laws and regulations

Internal Control - Definition

• Internal control consists of five interrelated components that affect each of the three categories

Internal Control - Components

• Control Environment• Risk Assessment• Control Activities• Information and Communication• Monitoring

Internal Control - Components

• Internal control components interact with operations, financial reporting and compliance

Control Environment• Sets the tone for the government• Influences control consciousness• Foundation for all other control

components• Includes: integrity, ethical values,

competency, management’s philosophy, and the way authority and responsibility is assigned

Practical Application - Control Environment

• Establish current policies with regard to ethical behavior (Code of Conduct), Conflict of Interest, Nepotism

• Enforce appropriate discipline for failure to comply with these policies

• Ensure personal adherence to strong moral code

• Reward competency

Practical Application - Control Environment

• Place high degree of importance on maintaining strong internal control

• Provide for a “whistle blower” policy that allows employees and others to report fraud or false statements by the management team

Impact of the Control Environment

• Don’t underestimate the importance of this part of the control system. All the great control activities in the world will not be effective if employees know that management is not concerned with strong internal control, lacks integrity or does not value their employees.

Control Environment Pitfalls• Ignoring the tone that management sets or

thinking that the control environment is not important.

• Inconsistency in treatment of lapses in ethical conduct.

• Allowing employees to feel devalued.

Risk Assessment• Risks result from both external and

internal sources• These change over time based on

economic, regulatory, and operating conditions

• Risk Assessment must link identified policy objectives to specific risk factors

Risk Assessment

• Example: a policy of receiving the highest rate of return on investments must be linked to interest rate risk

Risk Assessment

• Example: a policy of allowing payment from vendor statements rather than original invoices only must be linked to the risk of duplicate payments

Risk Assessment

• Example: a policy of decentralized cash receipts must be linked to the risk of untimely deposit and recording to the general ledger.

Risk Assessment• Risk Assessment must also link identified

control objectives to specific risk factors– All transactions are properly authorized– Transactions are recorded in the correct

period for the correct amount– All revenues are received and recorded timely– Assets are not stolen or lost

Risk Assessment• Risk factors are created by:

– The nature of particular accounts or transactions

– Turnover in key employee positions– Changes in the financial markets– The expertise of the personnel handling

transactions– Ineffective or poorly designed control activities

Practical Application - Risk Assessment

• Be realistic about the true risk with regard to a particular account or cycle of transactions

• Consider all types of applicable risk: inherent, control risk, fraud risk, credit risk, etc

• Make sure to address IT risk• Identify “What could go wrong?”

What could go wrong?Example: Cash Disbursements

• Payments could be made to fictitious vendors

• Disbursements could be made for the wrong amount

• Duplicate payments could be made on an invoice

• Disbursements could be recorded in the wrong period

What could go wrong?Example: Investments

• Excessive transaction fees could be charged to the government.

• Investments held by the government could be stolen (Certificates of Deposit).

• Investments outside the government’s risk tolerance could be purchased and result in loss of principal.

What could go wrong?Example: Cash Receipts

• Funds received could be credited to the wrong customer account

• Cash could be stolen by an employee• Amounts received could be recorded net

rather than gross• Amounts receivable may never be

collected due to failure to follow on past due amounts

How to perform an effective risk assessment

• Use “What could go wrong” scenarios to identify areas of potential risk.

• Rank the likelihood and impact of each of these risk factors.

• Identify controls that mitigate risk for the highest ranked risk factors.

Objective Risk FactorsImpact

RankingProbability

RankingAll collections are properly identified, control totals developed, and collections promptly deposited intact.

Failure to record cash receipts, withholding or delaying the recording of cash receipts.

5 4All bank accounts and cash on hand are subject to effective custodial accountability procedures and physical safeguards.

Misappropriated cash or petty cash funds, diverted cash receipts, unauthorized cash disbursements, loss of funds.

5 3All transactions are properly accumulated, correctly classified and summarized in the general ledger; balances are properly and timely reconciled with bank statement balances.

Misstating cash balances, covering unauthorized transactions by falsifying bank reconciliation.

4 3All transactions are promptly and accurately recorded in adequate detail records and appropriate reports are issued.

Covering unauthorized transactions by substituting unsupported credits or fictitious expenditures to cover misappropriated collections, under or overestimating cash or receivables.

3 4

Risk Matrix – Cash Receipts

Practical Application - Risk Assessments

• Risk Assessments can be documented via narrative, checklist or matrix

• Tools available include:– COSO documents available via AICPA– PPC checklists or other auditor utilized templates– Local government websites (perform Google

search for “government internal control”)


• Remember that use of a third party does not eliminate management’s responsibility for assessing risks.– Structure of agreement is important– Obtain SAS 70– Reconcile reports to general ledger (as

applicable)


• Remember that IT controls can affect risk for all cycles of transactions. Well designed internal controls can be made ineffective by poor controls over IT.– System log-in should mirror job responsibilities– Passwords– Remove temporary access granted once no longer

appropriate

Risk Assessment Pitfalls• Trying to identify a control for every risk

factor.• Ignoring the possibility of existing

compensating controls.• Not performing a risk assessment annually

or at least when key factors have changed (regulatory, employee turnover, etc.)

• Ignoring IT controls.

Control Activities• The policies and procedures that ensure

management’s directives are followed• These occur at all levels throughout the

organization• Include : approvals, authorizations,

verifications, reconciliations, security of assets, segregation of duties and review of operating performance

Practical Application - Control Activities

• Address control objectives: existence or occurrence, completeness, valuation or allocation, rights and obligations, accuracy or classification, cutoff and presentation and disclosure

• Tie control activities to risks previously identified and address “What could go wrong” scenarios

• Balance cost and benefit

• Identify control objectives and the risks of what could happen

• For each risk factor identified, evaluate the potential impact and probability of occurrence

• Design control activities to address high impact, high probability concerns

• Evaluate annually


Risk Matrix• Cash Receipt Example


RankingProbability

Ranking Control ProcedureAll collections are properly identified, control totals developed, and collections promptly deposited intact.

Failure to record cash receipts, withholding or delaying the recording of cash receipts.

5 4

Cash receipts are posted daily to the accounts receivable. The cash receipts are reconciled to daily bank deposits. Bank reconciliations are performed timely to reconcile all bank deposits.

All bank accounts and cash on hand are subject to effective custodial accountability procedures and physical safeguards.

Misappropriated cash or petty cash funds, diverted cash receipts, unauthorized cash disbursements, loss of funds.

5 3

Bank reconciliations are performed timely to reconcile all bank deposits and disbursements to the general ledger. Petty cash funds and cash receipts deposits are securely maintained in a safety bag, lockbox, or safe depending on their location. Bank deposits are delivered to the bank daily in secure bank bags.

All transactions are properly accumulated, correctly classified and summarized in the general ledger; balances are properly and timely reconciled with bank statement balances.

Misstating cash balances, covering unauthorized transactions by falsifying bank reconciliation.

4 3

Bank reconciliations are reviewed by management independent of the individual that prepares them.

All transactions are promptly and accurately recorded in adequate detail records and appropriate reports are issued.

Covering unauthorized transactions by substituting unsupported credits or fictitious expenditures to cover misappropriated collections, under or overestimating cash or receivables.

3 4

Cash receipts are posted daily to the accounts receivable. The cash receipts are reconciled to daily bank deposits. Bank reconciliations are performed timely to reconcile all bank deposits.

Risk Matrix• Cash Disbursements Example


RankingProbability

Ranking Control ProcedureAll checks are prepared on the basis of adequate and approved documentation, compared with supporting data and properly approved, signed and mailed.

Incorrect or duplicate payments, alteration of checks, disbursement for materials or services not properly documented or approved.

5 5

Cash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the Finance Manager before being processed for printing and sent out.

All requests for goods and services are initiated and approved by authorized individuals, and are in accordance with budget and appropriation guidelines.

Purchases from unauthorized vendors, purchases in violation of a conflict of interest policy, purchases that demonstrate unfair bidding practices, purchases are not made timely, purchases not in accordance with budget provisions.

5 4

Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City budget officer reviews for budget restrictions on purchase orders.

All invoices processed for payment represent goods and services received and are accurate as to terms, quantities, prices and extensions; account distributions are accurate and agree with established account classifications.

Payment based on improper price or terms, accounting distribution of cost is inaccurate.

5 3

The City only processes payment from invoices and costs are allocated based on the expenditure accounts on the initiating purchase order.


• It is not necessary to address every risk factor with a specific control activity – focus on key areas

• Utilize compensating controls where “textbook approach” is not practical

• Evaluate the benefit of existing monitoring controls

Risk Matrix• Cash Disbursements Example

Control ProcedureCash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the Finance Manager before being processed for printing and sent out.

Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City budget officer reviews for budget restrictions on purchase orders.

Cash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the City Clerk (City Manager) before being processed for printing and sent out.

Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City Clerk reviews for budget restrictions on purchase orders.

Compensating Control

Key Control Activities• Address unusual transactions or variance

from expected benchmarks in timely fashion

• Reconcile accounts per general ledger to subsidiary ledgers or statements from trustee/custodian (as applicable)

• Separate initiation and authorization from recording of transactions

Key Control Activities• Provide for oversight by interested party

such as Investment Committee (include trustee activities) , Audit Committee or Citizens’ Group

• Utilize disclosure checklist to ensure presentation and disclosure requirements are met

Control Activities Pitfalls• Remember that for small governments key

objectives must be identified– Reducing the risk of theft or fraud– Providing for accountability– Ensuring compliance with regulations

• Focus on true effectiveness – not just cookie cutter approaches

• Ensure benefit justifies the cost

Information and Communication• Includes both internal and external

interaction• Requires pertinent information to be

identified, captured and communicated in a form and timeframe for employees to carry out their responsibilities

• Reports must contain relevant operational, financial and compliance information

Practical Application - Information and Communication

• System generated reports must include relevant information

• Statements from outside third parties (broker/dealers, bank statements, grantor agency) must be channeled to correct personnel and provided timely

Information and CommunicationExample: Investments

• Communication with Investment Committee or other oversight body should include: – Types of investments held– Average rate of return for period and YTD

compared with benchmarks– Average maturity of portfolio– Compliance with investment policy provisions

Information and CommunicationExample: Investments

• Communication with Investment Committee or other oversight body should also include: – Changes in investment strategy (if any)– Interest rate environment changes– Discussion of any unusual transaction or

particularly risky investment

Information and CommunicationExample: Cash Disbursements

• Communication with Departments– Budget to Actual Report by budgeted line– Request to explain certain variances– Detail of Capital Assets added to subledger

• Communication with Council– Budget to Actual Comparison by Department– Explanations for variances over a certain

threshold

Information and CommunicationExample: Cash Receipts

Daily Cash reports should show revenue by major categories such that reconciliation to the general ledger is facilitated.

The date of receipt and date of deposit should be included along with the general ledger and bank account information.

Information and Communication Pitfalls

• Generating reports that provide inaccurate, untimely or unnecessary information

• Providing inappropriate information outside the organization (SS #, employee evaluations)

• Failure to verify accuracy of externally provided reports

Monitoring• Assessing the quality of the internal

control system and making modifications as needed

• This process is ongoing through the normal course of operations and at separate specific evaluations of a particular process

MonitoringCOSO Framework states that “Monitoring ensures that internal control continues to operate effectively.”

The COSO Framework recognizes that risks change over time and that management needs to “determine whether the internal control system continues to be relevant and able to address new risks.”

Monitoring• The original COSO report on internal

controls was issued in 1992. • In 2009, COSO issued “Guidance on

Monitoring Internal Control Systems”• Emphasized importance of monitoring

controls as part of even small government environments.

Monitoring• Monitoring is both an on-going process

and can be annual in nature (testing of key controls)

• Process can be done annually by the Internal Audit Department (as applicable) or as an Internal Review by Finance personnel.

Practical Application – Examples of Monitoring

• Cash Receipts– Performing a review of bank reconciliations on

a monthly basis and signing off as having reviewed these.

– Monthly comparison of actual receipts to budgeted receipts and investigation of significant discrepancies.

– Annually selecting a few transactions to ensure proper recording.


• Cash Disbursements– Performing a review of bank reconciliations on

a monthly basis and signing off as having reviewed these.

– Monthly comparison of cash disbursements to budgeted expenditures/expenses and investigation of significant discrepancies.


• Cash Disbursements– Reconciliation of P-card purchases by

someone other than the card holder– Annual test of a selection of transactions for

proper recording.


• Investments– Performing investment portfolio review

(including evaluation of concentration and type of investments) quarterly by person independent of investment portfolio management

– Disclosure of Conflict of Interest Statement annually by portfolio manager

– Obtaining a SAS 70 report from custodian annually

Practical Application - Monitoring

• Controls will change as the makeup of an account changes

• Controls should be evaluated when there are changes in key personnel or software applications

• Be responsive to information requests of key management personnel

• Review polices and procedures annually

Monitoring Pitfalls• Failure to perform any monitoring control

activities.• Overkill for the organizations size. One or

two key data cycles or areas can be selected each year for testing of controls.

• No attempt to actually test key controls in some fashion.

• Failure to evaluate controls when personnel or software changes.

Resources Available• Where can I find sample policies and

procedures?• What reference materials are available?• Where can I find answers to my

questions?

Resources Available• Professional organization websites:

FGFOA,GFOA, FICPA, AICPA• Local chapter meetings• Auditors• Continuing Education opportunities• Website searches• List serves (FGFOA and FICPA)• Network of other local government officials

Resources Available• Florida Government Finance Officers

Association– Sample policies and procedures– Small Government Resource Manual– List Serves : Treasury, Accounting and

Auditing, Debt Management, Budgeting and Financial Administration

– Training (Annual Conference, School of Government Finance, local chapter meetings,

– Webinars)

Resources Available• Government Finance Officers Association

– Best Practices– Training (Annual Conference, webinars and

numerous one day training opportunities)– Publications

• Elected Officials’ Guide to Internal Controls• Evaluation Internal Control: A Local Government

Manager’s Guide

Resources Available• Florida Institute of Certified Public

Accountants – Training

• Frequent Frauds Found in Governments and Not-for-Profits (Miami 12/1/10)

• Identifying Fraudulent Financial Transactions (Tampa 12/9/10)

– Publications– List Serves (A&A, S&LG, Business IT)

Resources Available• American Institute of Certified Public

Accountants– Training– Publications

• COSO documents• Articles in the Journal of Accountancy• Controls.Doc For Documenting and Assessing

Internal Controls– Government Resource Center

A final reminder about I/C Pitfalls• Don’t focus on areas where risk is low• Don’t ignore risk factors you become

aware of throughout the year• Talk to your auditors about areas of

concern they may have and new auditing standards that will affect your audit.

• Make sure to tailor any “borrowed” P&P to your organization.

A final reminder about I/C Pitfalls• Remember that the cost of implementing

the control structure should not outweigh the benefit.

• Remember to address budget, grant and IT controls.

Summary• The control environment establishes the

importance of internal control.• Risk Assessments must be realistic and

performed when changes to objectives or policies occur, there is turn over in key employees or significant changes in the financial markets.

Summary• Control Activities should be focused on

areas of highest risk. Monitoring controls are effective stopgap for smaller entities.

• Information and Communication must provide relevant information for managing the assets and liabilities of the entity.

• Monitoring of the internal control system is an ongoing process.

Questions?

Small Government Internal Controls

Documents

Transcript of Small Government Internal Controls