Week 5 Lecture. Internal Controls and Fraud Protection: Board and Management Responsibilities.


Agenda
Part I:
- Overview of Board and Management Responsibilities
- Auditor Responsibilities
- Framework of Internal Controls
Part II:
- Overview of an Organization-Wide Model of Internal Control
- Best Practices Pertaining to Board and Management Oversight

Elements of an Organizational System of Internal Control
1. Financial Controls
   a. Preventive controls
   b. Detective controls
2. Non-Financial Systems
3. Management Oversight and Behavior

II. Non-Financial Systems
Several Non-Financial Systems Are Important to Internal Controls and Fraud Protection. Among the Most Important:
- Human Resources Systems
- Information Technology Systems
- Communications Systems
- Insurance Protection

Human Resources Systems
- Hiring Policies and Practices
- New Employee Orientation
- Code of Ethics and Related Policies
- Performance Evaluation Systems
- Compensation Adjustment Practices
- Grievance Policies
- Counseling of Troubled Employees
- Exit Interviews

Communications
- Organization Chart
  - Clear understanding of lines of communication
- Access to Audit Committee
  - Or equivalent board-level representatives
- Hotlines
  - Anonymous reporting of suspected fraud and abuse, or any other misconduct, by employees
- External
  - Crisis management

Methods of Detection (NPOs / Overall)
- Tips: 34.4% / 34.2%
- By Accident: 28.7% / 25.4%
- Internal Controls: 19.7% / 19.2%
- Internal Audit: 16.4% / 20.2%
- External Audit: 14.8% / 12.0%
- Notified by Police: 4.9% / 3.8%
Source: 2006 ACFE Report to the Nation on Occupational Fraud and Abuse

Tips Came From:
- Employee – 64.1%
- Anonymous – 18.1%
- Customer – 10.7%
- Vendor – 7.1%

III. Management Oversight
- Day-to-Day Management Activities
- Board of Directors
- Financial Oversight and Monitoring
  - Board and management level
  - Department/program level

Day-to-Day Management
- Understanding Responsibilities and Risks
- Setting an Example – Follow all Policies
  - “Tone at the top”
  - Communicate seriousness of internal control
- All Supervisors and Managers Have Responsibilities
  - Awareness of red flags of problems
- Enforcement of Policies
  - And reward ethical behavior
- Responding to Fraud and Deficiencies in I.C.
- Open-Door Policies – Receive Communications Regarding Allegations of Wrongdoing
- Corrective Actions

Board of Directors
- Oversight Responsibilities in Many Areas
- Establishment of Committees so That Committees Can Address Issues in Greater Detail Than Full Board
  - Separate Audit Committee
- Committee Charters
  - Outline Responsibilities and Authority
  - Committees Deal With Issues in Detail, Bringing Summaries and Recommendations to the Full Board
  - Audit Committee Should be Independent of Finance Committee

So, what’s it all mean for me as a board member?

Best Practices for Board Members
1. Codes of Ethics
2. Hotlines and Whistleblower Protection
3. Functioning Audit Committee
4. Fraud Risk Assessment Process
5. Model Oversight and Policies After U.S. Sentencing Commission Guidelines
6. Make Inquiries Regarding The NPC’s Financial and Non-Financial Controls

1. Codes of Ethics
   1. Draft or edit to make sure it is comprehensive and accurate
   2. Draft or edit related written policies and procedures
   3. Reinforce awareness and importance
   4. Staff training and certification

Codes of Ethics
- Two Approaches to Drafting
  - Detailed – identifying specific acts
  - Broad – conduct in general terms
- If Broad, Cross-Reference Other Written Policies, Such as Personnel Manual, etc.

Codes of Ethics
Borrowing from SOX – Codes Should Deter Wrongdoing and Promote:
- Honest, ethical conduct, including handling of conflicts of interest
- Full, fair, timely disclosures
- Compliance with applicable laws and regulations
- Prompt internal reporting of violations
- Description of what constitutes fraudulent behavior
- Accountability for adherence to the code and sanctions for those who breach it

Codes of Ethics
- Communicate the Code Effectively, Through Policy Manuals, etc.
- Have Employees Sign, Acknowledging They Understand it and Agree to Comply With it
- Emphasized at Orientation for New Employees
- Training and Periodic Re-certification
- Monitoring of Code is the Responsibility of:
  - Management
  - Audit committee

Ethics Training Topics
- Code of Ethics
- Conflicts of Interest
- Ethical Issues
- Kickbacks
- Hotline Usage & Other Methods of Reporting
- Protection from Retaliation
- Each Person’s Role in Maintaining an Ethical Workplace

The Value of Ethics Training
With Fraud Awareness or Ethics Training:
- Median Loss = $100,000
- Median Months to Detection = 15
Without:
- Median Loss = $200,000
- Median Months to Detection = 24

Policy on Suspected Misconduct
- Functions in Conjunction With Code of Ethics
- Identifies How to Report Suspected Activities
- Incorporates Whistleblower Protection Provisions
- States Employer’s Rights
  - Including right to inspect and search employee files, lockers, desks, etc. that are provided as an employee convenience by the employer
- Explains Disciplinary Actions That May Result, Including Termination

2. Hotlines
- Allows for Anonymous Reporting of Suspected Wrongdoing
- Utilize Third-Party Services (EthicsLine of Association of CFE’s; The Network; Pinkerton Security; Other Services)
- FraudNet, a Service of GAO to Report Wrongdoing Involving Federal Funds  or  (202)

Hotlines
- Consider Method of Reporting:
  - Telephone interview
  - Voicemail service
  - Web-based format
- Consider Protocol for Dissemination of Information:
  - Direct to audit committee
  - Compliance officer
  - Human resources
  - Internal audit

Promote the Hotline
- Personnel Manual and Other Policy Manuals
- Staff Meetings
- Memos/Newsletters
- Postings in Break Rooms
- Intranet

The Value of Hotlines
With Hotlines:
- Median Loss = $100,000
- Months Prior to Detection = 15
Without Hotlines:
- Median Loss = $200,000
- Months Prior to Detection = 24

Whistleblower Protection
- Key to Encouraging Proper Use of a Hotline is Protection of Whistleblower
- Does Not Protect Trouble-Makers
- Protects Employees Who Report Possible Misconduct Based on Information They Believe to be Truthful
- Protects Against Retaliation Against Whistleblower in any Form

3. Audit Committee Functions
- Oversee All Audit Functions
  - Selection, Planning, etc.
- Review and Approve Audit Reports
- Oversee Corrective Actions in Response to Auditor Findings
- Monitor Adequacy of Internal Controls
- Receive Communications
- Investigate Allegations of Fraud

Audit Committee Functions (2)
- Monitor Compliance With Code of Conduct
- Manage Conflicts of Interest
- Monitor Adequacy of Insurance Protection
- Assess Financial Risks Due to Current Operating Environment

Audit Committee Charter
- Clearly Describe Responsibilities
- Provide Committee With Proper Authority
  - Access to records
  - Authority to hire investigators, if deemed necessary
- Describe Member and Meeting Requirements

4. Fraud Risk Assessments
Active, ongoing discussion involving each of the following:
- Identification of potential fraud risks
- Evaluation of current internal controls in response to those risks
- Consideration of changes necessary to properly respond to the risks
- Design and implement changes in internal controls
- Monitoring of the performance of internal controls
- Receive input regarding control breakdowns

Who is Involved?
- The Board’s role is to oversee and make sure this process is taking place; Direct involvement depends on the individual circumstances (size and structure of NPC)
- Others with roles:
  - Senior management
  - Chief financial and operations officers
  - Program personnel (research and education)
  - Auditors
  - Others as deemed necessary

5. Model Practices After USSC
- Directly applicable only in certain federal cases; Includes guidelines for assessing penalties against corporations
- Similar approach often taken to penalizing corporations in non-federal non-criminal cases
- Excellent source of best practices regarding establishment of an ethical culture by boards and senior management

Sentencing Guidelines Due Diligence
1. Establish standards and procedures (internal controls) to prevent and detect criminal conduct
2. Assign high-level personnel responsibility for compliance and ethics program, and specific individuals for day-to-day operational responsibility for the program
3. Reasonable efforts not to include within substantial authority any person the organization knew, or should have known through due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program

Sentencing Guidelines Due Diligence
4. Communicate standards and procedures of the compliance and ethics program periodically and in a practical manner by conducting training and otherwise disseminating information
5. Take reasonable steps to ensure the program is followed (monitoring and auditing), including having a publicized system for employees and agents to report problems or seek guidance
6. When criminal conduct is detected, take steps to prevent further similar criminal conduct

Sentencing Guidelines Due Diligence
7. Periodically assess risk of criminal conduct and design, implement, or modify the preceding requirements to reduce the risk of criminal conduct
8. Large organizations should encourage small organizations (such as subcontractors and vendors) to implement effective compliance and ethics programs

6. Make Inquiries
- As stated earlier, the role of the NPC board is not necessarily to be internal control experts or to directly carry out each of the steps described in this presentation
- Direct involvement in development of policies or practices that are the responsibility of the board
- Make inquiries of management and staff regarding how each of the other areas is being addressed
- Make inquiries regarding fraud risks and the existence of internal controls in response to specific fraud risks that we’ll explain in the second part of this series.