2 Definition of Internal Control Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:Effectiveness and efficiency of operationsReliability of financial reportingCompliance with applicable laws and regulations.
3 Benefits of Internal Control Having controls in place minimizes embezzlement and/or misappropriation of funds. The temptation to steal assets from the church is lessened once steps have been taken to put checks and balances in place. These controls would help to promote ethical behavior.There is also a reduction in the need to accuse and confront employees. The internal controls would provide accurate information that would be used to detect illegal behavior and also to make reporting easier.The internal controls minimize the embarrassment of the church because of negative publicity from the media should inappropriate behavior occurs. It is a good practice to try and prevent the image of the church from being damaged in any way. Fraud in the headlines is a strike against any organization.
4 External/regulatory oversight Unlike corporations which provide quarterly financial statements to the SEC and hold quarterly conference calls with outside analysts, the church is subject to almost no recurring outside financial scrutinySince many churches and dioceses are not required by law to be transparent and accountable in their finances, they choose to keep their finances private.
5 Canon Law and Other Guidelines Canon law contains a number of provisions directed at good management and financial practices.The primary diocesan institution to monitor diocesan finances is the diocesan finance council (DFC). According to canon law, each diocese is required to establish a DFC, to be presided over by the bishop or his delegate.In addition to canon law, the United States Conference of Catholic Bishops (USCCB) has established recommended guidelines for diocesan financial management.But they are just that - guidelines
6 5 Elements of the IC Process Control EnvironmentRisk AssessmentControl ActivitiesInformation and CommunicationMonitoring
7 Control EnvironmentThe core of any business is its people - their individual attributes, including integrity, ethical values, and competence and the environment in which they operate.Clear lines of authority and accountability that emphasize the importance of internal controlsA documented code of conduct/ethical standardsA formal budget process and prompt variance analysis.A plan to attract and retain competent personnel.An effective audit committee and internal audit functions.More on the Control Environment later
8 Risk AssessmentThe entity must be aware of and deal with the risks it faces. It must set objectives, integrated with the sales, production, marketing, financial, and other activities so that the organization is operating in concert. It also must establish mechanisms to identify, analyze, and manage the related risks.Clear objectives regarding operating, financial reporting, and law compliance functions.An entity-wide review to assess and evaluate risk (discussed later)
9 Control ActivitiesControl policies and procedures must be established to ensure that management's responses to risks are effectively carried out.Segregation of duties: collections of cash contributions counted by two or more people.Independent counting and/or confirmation of investments.Controlled access to electronic data processing operations and adequate back-up (disaster recovery) in place.
10 Information and Communication Information and communication systems surround all of these activities. They enable people to capture and share the information needed to conduct, manage, and control operations.Management support for developing and maintaining effective financial management information systems.The sharing of information on emerging risk issues with other dioceses.Channels of communication for employees and church workers to report suspected irregularities or illegal acts.
11 Monitoring.The entire process must be monitored, and modifications must be made as necessary. In this way, the system can react dynamically, changing as conditions warrant.Regular receipt and prompt acting on reports of problems in internal controls (from external/internal auditors, etc.).Prompt follow-up on unusual variances from budget.Periodic comparison of physical inventories of saleable items (textbooks, cemetery lots, etc.) and permanent assets (sacred vessels, historical treasures, office equipment) to accounting records and the reconciliation of differences.
12 Limitations of ICMistakes and human errors in applying the established policies and procedures.Circumvention of controls by collusion of two or more people (e.g., an employee and a vendor).Intentional disregard of controls (e.g., management override, falsifying documents, forgery, etc.).Discussed in more detail later
13 People and IC Bishop Finance Officers Internal Auditors Other Diocesan PersonnelVolunteersCommitteesFinance CouncilAudit committeeFinancial/project review committeeProperties committeeInvestments committeeExternal Auditors
14 Key Business Cycles Financial planning and control Cash management (includes the revenue cycle)PayrollPurchasing
15 Elements of IC Honest Employees Separation of duties Require vacationsBonding when appropriateAwareness of conflict of interest policies“know” your employeesBackground checks on all potential hiresSeparation of dutiesRecordkeeping, custodianship, authorizationAppropriate policies and procedures over transactionsSuitable documents and accounting recordsPhysical control over assetsIndependent verification of performance
16 Financial Planning and Control Cycle Monthly Comparative Financial StatementsChart of AccountsPolicy and Procedures Manuals.
17 Cash Management Cycle Proper Control over: Bank accounts Cash disbursementsCash receiptsPetty cashMarketable securitiesReceivablesPayablesPayroll
18 Payroll Cycle Personnel Administration and Employment File Maintenance Timekeeping and Payroll PreparationPayment of PayrollPreparation of Payroll Tax Returns and Payment of Taxes
19 Purchasing Cycle Authorization of Purchase Processing Purchase Orders Receiving Goods and ServicesRecognizing the LiabilityProcessing and Recording Cash Disbursements
20 Guidelines for an IC Review Risk Assessment and EvaluationSuggested StepsA project committee should be established (perhaps a subcommittee of the diocese's finance council) composed of, at a minimum:The committee should be charged with undertaking and documenting a study of the diocesan internal control process and making recommendations for improvement. Its chair should regularly report to the bishop on progress. (Items 3-8 refer to the study/review.)The committee should assess the overall control environmentThe committee should divide the entity into natural business cyclesThe committee should review the flow of transactions through these cycles to understand each processing system and its controls.The committee should determine whether control techniques in place in each cycle achieve the defined internal control objectivesWhere objectives are not met, the committee should assess the resultant risks and make specific recommendations to improve internal controls at a cost below the value of the related benefit to be attained.The committee should draft a report summarizing the project and detailing the recommendations.The implementation of the recommendations should be periodically reviewed to ensure the desired results are achieved and to promote the diocesan culture of appreciating and embracing the value of internal controls.Ongoing Commitment
21 Fraud and Irregularities The fraud triangleOpportunity, rationalization, pressureTypes of fraudManagement overrideCollusionLappingTheftAccounts Payable FraudPayroll Ghosts and Unauthorized Pay ChargesKickbacksSupplies or Inventory Fraud
22 Detecting FraudChanges in employee's lifestyle, spending habits, or behaviorInventory shortagesIgnoring of internal/external policies or audit recommendationsUnusual banking activitiesDecline in employee morale/attendanceExceedingly high expenses/purchasesUnexplained budget variances
23 Zech & West: Control environment The organizational structure of the firm (in the Catholic Church, this involves questions such as is the diocese organized as a corporation sole?)Oversight by the board (in the Catholic Church, this is the diocesan finance council, or DFC)Management's philosophy and operating styleProcedures for delegating responsibility and authorityManagement's methods for evaluating performanceExternal influences (e.g., regulatory oversight)
24 Results of Zech and West Study: Part 1: Risk Factors (as cited by CFOs) CFO’s ranked the following risk factors in this order (highest risk to lowest risk):Lack of expertise at the parish levelParish finances and controlsLitigationAdequacy of insurance coverageProperty management
25 Results of Zech and West Study: Part 2: Importance of DFC If the Diocesan Finance Council (or one of its committees) is involved in reviewing the diocesan budget, there is less fraud detected (better prevention). The more frequently the DFC meets, the greater the amount of fraud detected (better detection)
26 Results of Zech and West Study: Part 3: Importance of CFO the tenure (years of the experience on the job) of the CFO, whether the CFO had an accounting background, and if the CFO selects the auditors all seemed to imply better fraud preventionHowever, in cases where the bishop or DFC feels capable of making the auditor selection, it seems appropriate that they do so, from at least an independence viewpoint
27 Results of Zech and West Study: Part 4: Internal Control Variables Those dioceses with formal, written fraud policies experienced less embezzlement, presumably the result of better prevention.A second variable that had a positive impact on fraud detection was the frequency with which parishes submit theirfinancial data.A third internal control variable that was significant is difficult to interpret. Dioceses that presented comparative financial data in their monthly budget versus actual reports experienced more embezzlement. This control is really a financial reporting control. It is not a control that would typically be used to detect embezzlements. It is a control that would more likely be used to detect errors in financial reporting.
28 Results of Zech and West Study: Part 5: Audit Category the frequency of internal audits of parishes was significant and positive, and, based on the value of the standardized coefficient, the most important factor in explaining the level of diocesan fraud. This seems logical in that more frequent internal audits result in more detected embezzlements. On the other hand, one could argue that more internal audits would be a deterrent to employees and less fraud and embezzlements should occur.
29 Recommended environment control policies (Zech and West) Implementation in every Catholic diocese of the policies prescribed in the USCCB handbook Diocesan Financial IssuesThe establishment of fraud policies in every dioceseAnnual internal audits of parishes supplemented by external audits conducted at east every three yearsPublic disclosure of the names and professions of every member of the Diocesan Finance Council, along with their conflict of interest guidelines
30 Continued - Recommendations At a minimum, quarterly meetings of the DFC (or one of its subcommittees) to monitor diocesan office, parish, and school financial reportsSelection of the diocesan auditor by someone (bishop or DFC) other than the diocesan CFOAt least annual (and preferably more frequent) submission of financial data by all parishes and high schoolsEstablishment of a uniform budgeting process and standardized software for all diocesan entitiesEstablishment of communication channels for church workers to report suspected irregularities or fraudulent activities while protecting their anonymity.
31 Recommendations from USCCB An annual letter from the parish to the bishop containingThe names and professional titles of the parish finance council members,Dates when the council met in the preceding fiscal year and since the end of the fiscal year,Date(s) when the approved (i.e. by the parish finance council) parish financial statements/budgets were made available to the parishioners during the preceding fiscal year and since the end of the fiscal year. A copy of the published financial statements/budgets should be provided to the bishop, it added.A statement signed by the parish priest and the finance council members that they have met, developed, and discussed the financial statements and budget of the parish.Thorough diocesan training for parish finance council members relative to their roles and responsibilities.Establishment of diocesan policies to cover conflicts of interest, protection of whistleblowers, and a fraud policy which would include prosecution of all fraud cases in the diocese.Completion of an annual internal control questionnaire by each parish with proper review and follow-up made by qualified diocesan personnel.
32 USCCB Recommendations - continued In longer-term recommendations, the committee urgedDevelopment of a parish best practices manual, similar to the Diocesan Financial Issues document, which has been developed for dioceses.Integration of financial training into seminarian programs so students will be better prepared to handle parish financial matters.
33 Other General Recommendations A full auditExpensive and time consuming, but very thorough“Agreed upon procedures” in which an outside firm will look at specific areas of the church’s finances and then make a report with recommendations.firm can perform an internal control review or they can assist in the compilation of the church’s financial statementsHave a certified public accountant (CPA) review the church’s financial procedures and issue a management letter noting weaknesses of the system and offering recommendations.An “inside audit” done by a committee comprised by members of the church who have expertise in accounting and finance.These can be effective, but they do have limitations because they do not have the independence of an outside auditorIf churches have good financial policies and procedures in place, a full audit may not be necessary.It is important to report the finances of a church on a regular basis in a manner that can be understood easily; in a nutshell, be forthright about the church’s financesHave a time for members to ask questions and to have someone on hand who can answer those questionsUse of an internal control checklist