Evaluating A Government’s Internal Controls and a Review of How Fraud Relates to Internal Controls. Presented By Paul E. Glick, Glick Consulting.


1 Evaluating A Government’s Internal Controls and a Review of How Fraud Relates to Internal Controls ● Presented By Paul E. Glick ● Glick Consulting Group ● Email pglick@mindspring.com

2 THE AGENDA ● Introduction and Overview ● What Are Internal Controls ● Management’s Objectives and Responsibilities ● Who Is Responsible for Internal Controls? ● What Types of Public Sector Fraud Exist?

3 The Agenda ● Where is the Independent Auditor? ● Internal Control Environment ● Risk Assessment ● Control Activities ● Information and Communication (Step 4) ● Monitoring

4 The Agenda ● Evaluating Controls Over Accounting And Financial Reporting ● Other Internal Control Pitfalls

5 Seminar Objectives ● Review The Framework And Concepts Of Internal Controls ● Relate These Concepts To Financial Cycles (I.E., The Real World) ● Understand Who Might Be “Ripping Us Off”

6 Factors Affecting our Current Environment

7 ● Global financial crisis ● Uncertainty in unexpected places (Municipal Bond Ratings) ● Increased regulation and oversight (Tax Reform, ARRA) leading to diminished control over revenues ● Smaller staff due to budget cuts

8 Factors Affecting our Current Environment ● Trends in the Audit Community ● SAS 115 (documentation of internal controls and communication with those in governance) ● Risk Assessments ● Fraud Risks ● Oversight at the Federal Level ● Transparency ● COSO

9 Factors Affecting our Current Environment ● Governments are being asked to do more with less ● Money and human resources

10 The Nature of Fraud Industry ● Fraud Can Be Explained By Three Key Factors: ● A Supply Of Motivated Offenders ● The Availability Of Suitable Targets ● The Absence Of Capable Guardians Or A Control System To “Mind The Store”

11 The Nature of Fraud Industry ● The Opportunity To Commit & Conceal Fraud Is The Only Element Over Which You Have Significant Control. ● What Are Some Of The Warning Signs? ● What Can We Do About It?

12 A Survey Of Folks Regarding Fraud ● 31% of All Americans are Dishonest ● Another 40% are Situationally Honest (i.e., they will be honest if it pays to be honest and dishonest if it pays to be dishonest) ● $200 Billion Employee Fraud Cost per Year Compared to $11 Billion from Violent Crime ● In Banks, 95% of Losses are from Employees and 5% are Caused by Bank Robberies ● In Retail, 70% of Losses are from Employees and 5% are Caused by Shoplifters and Customers

13 Fraud and Abuse in The U.S. ● U.S. Cost About $990 Billion A Year ● Government And Public Administration Have A Median Loss Of $93,000 Per Fraud Scheme ● Average Organization Loses 7% Of Revenue ● 12% Of Cases In A Study Were Frauds That Occurred In Government ● Street Crime Only Costs The U.S. $4 Billion Annually

14 The Facts ● Fraud Schemes Frequently Continue For Years Before They Are Detected ● The Typical Fraud In The Study Lasted 2 Years From The Time It Began Until It Was Discovered ● Frauds Are Much More Likely To Be Detected By A Tip Than By Audits, Controls Or Any Other Means ● Lack Of Adequate Internal Controls Was Most Commonly Cited As The Factor That Allowed Fraud To Occur ● Occupational Fraudsters Are Generally First-time Offenders

15 What Is Fraud? ● It’s When Folks Are Ripping Off The Government In Lots Of Different Ways ● Fraud Is Like A Four Letter Word ● Just Ignore It And It Will Go Away ● It Will Never Happen To Us

16 Common Myths About Fraud ● Most Folks Will Not Commit Fraud ● Fraud Is Not Material ● Most Fraud Goes Undetected ● Fraud Is Well Concealed ● Prosecuting Will Deter Others

17 Potential Cost Of Fraud ● Loss Of Confidence In The Government ● Loss To The Reputation Of Innocent Third Parties (I.E., The Remaining Staff) ● Cost To The Perpetrator ● The Public Loss

18 Potential Cost Of Fraud ● Diversion Of Public Resources From Intended Purpose ● Loss Of Money, Assets And Time ● Embarrassment, Guilt, Humiliation And Shame ● Subsequent Management Decisions Are Reviewed Under A Microscope ● Any Investigation Turns The Government Or Agency Inside Out

19 Personal Rip Offs For Glick ● Send Banking Information ● Bank of America Wachovia Bank TCF Bank HSBC Bank Catawba Valley Bank Regions Bank Bank of the West Washington Mutual Bank Financial Huntington Bank Smith Barney

20 Personal Rip Offs For Glick ● Frank Senger - $20.5 Million ● Chief Adeniran Aderogba - $10 Million ● Dr Sikas Usman - 30% of $45.8 Million - $10.5 Million ● Dr. Ahmed Kassim - $10.5 Million ● Miss Caroline Williams – 30% Of $16.5 Million ● Mr Jack Chow – No Amount ● Jim Mcconville - $20 Million British Pounds

21 Personal Rip Offs For Glick ● Richard H Mason – 10% On All Payments Made ● Mr. Brendon Hopkins – 30% Of $26.5 Million British Pounds (Twice) ● Mr. Mark Johnson – Lottery - $2.5 Million British Pounds ● Mr. Carlos Moreno – 50% Of $34.5 Million ● Miss Joyce Awuse - $5.5 Million ● IRS - $109.30 ● Dr Dansuki Dan - $25.5 Million

22 Session 2 What Are Internal Controls

23 What Are Internal Controls? ● To put it simply, internal controls are an exercise of common sense. You are practicing good internal controls when you: ● Balance your checkbook ● Keep your ATM/debit card PIN number separate from your card ● Keep copies of your tax return ● Compare your monthly credit card statement to the credit card receipts ● Lock your car doors

24 What Are Internal Controls? ● Internal Control Is A Process, Effected By Management And Other Personnel, Designed To Provide Reasonable Assurance Regarding The Achievement Of Objectives In The Following Categories: ● Effectiveness And Efficiency Of Operations ● Reliability Of Financial Reporting ● Compliance With Laws And Regulations

25 What Are Internal Controls? ● Internal Control Consists Of Five Interrelated Components That Affect Each Of The Three Categories

26 What Are Internal Controls? ● Internal control is a process. It is a means to an end, not an end itself. ● Internal control is effected by people. ● It’s not merely policy manuals and forms, but people functioning at every level of the institution.

27 Limitations on Internal Controls ● Considerations Of Costs Will Prevent Management From Ever Installing A “Perfect System” ● Controls Are Potentially Subject To “Management Override” ● Risk Of Collusion

28 Applying the COSO Framework ● Committee of Sponsoring Organizations of the Treadway Commission ● www.coso.org

29 Who Are The Organizations ● American Accounting Association ● American Institute of Certified Public Accountants ● Financial Executives International ● Institute of Management Accountants ● The Institute of Internal Auditors

30 COSO Internal Control – Integrated Framework ● Established A Common Definition Of Internal Control ● Provides A Standard Against Which A Government Can Assess Its Control Systems And Determine How To Make Improvements

31 Internal Control Components ● Control Environment ● Risk Assessment ● Control Activities ● Information and Communication ● Monitoring

32 Internal Control Components ● Internal Control Components Interact With: ● Operations ● Financial Reporting ● Compliance

33 Evaluating Internal Controls ● Often, Evaluations Are Piecemeal Approaches To The Task ● Internal Controls Are Not Isolated And Are Related To One Another

34 Internal Controls Are Actually: ● A Coordinated Set Of Policies And Procedures That Reflect A Comprehensive Strategy For Achieving Management’s Objectives

35 Assessing The Internal Control Framework ● Provides A Favorable Control Environment. ● Continually Assesses Risk. ● Establishes And Maintains Effective Control-Related Policies And Procedures. ● Effectively Communicates Information. ● Monitors The Effectiveness Of Control Policies And Procedures And The Resolution Of Potential Problems Identified By Controls.

36 A Basic Rule ● More Is Not Better ● The Cost Of Excessive Or Redundant Controls Could Exceed The Benefits ● Employees May View Controls As Unnecessary “Red Tape”

37 Why Are Internal Controls So Important? ● Because The Prevention Of Fraud Is Critical And Costs Are High

38 Session 3 MANAGEMENT’S OBJECTIVES AND RESPONSIBILITIES

39 MANAGEMENT’S RESPONSIBILITIES AND THE INTERNAL CONTROL FRAMEWORK ● EFFECTIVENESS ● EFFICIENCY ● COMPLIANCE ● FINANCIAL REPORTING

40 EFFECTIVENESS ● DETERMINES WHETHER THE GOVERNMENT AND ITS DEPARTMENTS ARE MEETING THEIR OBJECTIVES ● GOALS AND OBJECTIVES IDENTIFIED IN BUDGETARY PROCESS ● FOCUSES ON RESULTS RATHER THAN EFFORTS ● INCLUDE OUTPUTS - HOW MUCH OF GOODS AND SERVICES ARE PROVIDED ● INCLUDE OUTCOMES - WHAT IS THE QUALITY OF GOODS OR SERVICES TO BE PROVIDED

41 EFFICIENCY ● MAKING OPTIMAL USE OF THE RESOURCES MADE AVAILABLE ● OBTAINING DESIRED RESULTS WITH THE LEAST EXPENDITURE OF RESOURCES ● MEASURES COSTS (I.E., EFFORT) TO RESULTS (I.E., EFFECTIVENESS)

42 COMPLIANCE ● ANNUAL APPROPRIATED BUDGET ● GRANTOR REQUIREMENTS ● STATE OVERSIGHT REQUIREMENTS ● IRS REQUIREMENTS ● BOND COVENANTS ● LOCAL LAWS AND REGULATIONS

43 FINANCIAL REPORTING ● INTERNAL FINANCIAL REPORTING ● EXTERNAL FINANCIAL REPORTING - SPECIAL PURPOSE - GENERAL PURPOSE - CAFR

44 Session 4 Who Is Responsible For Internal Controls?

45 Who is Responsible for Internal Controls? ● Everyone has a part in the internal control system. ● The roles vary depending upon what level of responsibility and the nature of involvement by the individual.

46 Who is Responsible for Internal Controls? ● Managers and supervisors are responsible for ensuring that internal controls are established and functioning to achieve the mission and objectives of their unit. ● Each employee within an area should be made aware of proper internal control procedures associated with their specific job function.

47 Is This Just A Problem For The Finance Office? ● Most Folks Think This Is Finance’s Problem ● But Not Really ● However, We Are Emphasizing the Finance Department In This Seminar

48 Management’s Responsibilities And The Internal Control Framework ● Any Entity, Be It A Government, A Business Or A Nonprofit Organization, Exists To Achieve Some Purpose ● It Is The Role Of Management To Provide The Leadership Needed For An Entity To Realize That Purpose

49 Management’s Responsibilities And The Internal Control Framework ● Furthermore, Management Is Not Free Simply To Act In Any Way It Might Choose To Achieve The Entity's Goals ● Management's Options And Actions Are Circumscribed By Constraints And Expectations, Both Implicit And Explicit.

50 Responsibility For Internal Controls ● Management Is Primarily Responsible For The Effectiveness Of Internal Controls, Like Any Other Aspects of Performance ● A Side Note - Authority And Responsibility Should Not Be Separated

51 Responsibility For Internal Controls ● Management Is Subject To Oversight By The Government’s Elected Officials ● The Governing Body Is Ultimately Responsible ● Internal And External Auditors Can Assist Management

52 Responsibility For Internal Controls ● This Stuff Is Not Something Different From Your Basic Responsibilities As Leaders And As Fiduciaries

53 Basic Management Responsibilities ● Achieving The Government’s Purpose (Effectiveness) ● Making Optimal Use Of Scarce Resources (Efficiency) ● Observing Restrictions On The Use Of Resources (Compliance) ● Periodically Demonstrating Accountability For Stewardship Of Resources Placed In Their Care (Reporting)

54 Session 5 What Types of Public Sector Fraud Exist

55 Profile of Fraud Perpetrator ● Male Or Female (White Males Over 60?) ● No Prior Criminal History (<8%) ● Well Liked By Co-workers ● Likes To Give Gifts/Compulsive Shopper ● Gambling Problems Not Unusual ● Long-term Employee ● Rationalizes: Starts Small Or “Borrows” ● Lifestyle Clues

56 General Observations Of A Fraudster ● Male ● Intelligent (Bored With The Job Routine) ● Egotistical (Scornful Of Obvious Control Flaws) ● Inquisitive (E.G., Tempted By The Discovery Of A Computer Vulnerability) ● A Risk Taker ● A Rule Breaker ● A Hard Worker ● Under Stress ● Disgruntled At Work

57 The Fraud Triangle ● Perceived Pressure Facing Individual ● Perceived Opportunity To Commit Fraud ● Exacerbated in Economic Downturn ● Person’s Rationalization Or Integrity

58 Conditions Present When Fraud Occurs ● Incentive/Pressure ● Opportunity ● Attitude and Rationalization

59 Causes Of Fraud ● Character And Personality - Financial Stress - Addiction - Disaffection - Pathologies ● Perceived Opportunity - Permits Fraud - Promotes Fraud

60 Why Folks Commit Fraud ● Grumpy Gus ● Stressed Sally ● Pill poppin’ Paula ● Never goes home Ned

61 Why Folks Commit Fraud ● Extravagant Ellen ● Over-spent Ollie ● Lotto Larry ● Compulsive Connie

62 Who Commits Fraud? ● Fraud Losses Caused By Managers And Executives Were 16 Times Greater Than Those Caused By Non-managerial Employees. ● Losses Caused By Men Were Four Times More Than Those Caused By Women. ● Losses Caused By Those 60 And Older Were 28 Times Those Caused By Perpetrators 25 Or Younger.

63 Generally, What is the Goal of A Fraudster? ● Cash, Cash, Cash

64 Types Of Public Sector Fraud ● Receipts Fraud ● Disbursements Fraud ● Assets Fraud

65 Cash Schemes ● Stealing Cash Funds Processed Or On Hand ● Not Recording & Stealing The Cash Receipts ● Under Ringing & Stealing The Difference In Cash Receipts ● Altering Bank Deposits

66 Receipts Fraud ● Lapping – Too Much Work! ● Kiting – Bank Deposit Schemes ● Granting Bogus Credit Memos ● Forging Checks Received

67 Receipts Fraud ● Duplicate Payments ● Charge Off Fraud – Bogus Write-offs ● Disposal Fraud ● Credit Card Manipulation

68 Disbursements Fraud ● Personal Bills ● Bid Rigging ● False Claims (Fictitious Suppliers, Kickbacks) ● Conflict of Interest

69 Disbursements Fraud ● Travel Claim Fraud ● Procurement and Credit Cards

70 Payroll and Benefits Fraud ● Ghost Employees ● Unclaimed Payroll Checks ● Excess Payroll Payments (Falsifying Time Cards) ● Withholdings and W-2’s ● Vacation and Sick Pay

71 Theft Of Assets Fraud ● Petty Cash Fraud ● Cash Register Theft ● Consumable Inventory Theft ● Capital Asset Theft ● Using Assets For Personal Use

72 Red Flags ● A Red Flag Is: ● A Set Of Circumstances That Are Unusual In Nature Or Vary From The Normal Activity. ● A Signal That Something Is Out Of The Ordinary And May Need To Be Investigated Further. ● Not About Guilt Or Innocence But Merely Provides Possible Warning Signs Of Fraud.

73 Red Flags ● Do Not Ignore A Red Flag – Studies Of Fraud Cases Consistently Show That Red Flags Were Present, But Were Either Not Recognized Or Were Recognized But Not Acted Upon By Anyone. ● Sometimes An Error Is Just An Error – Red Flags Should Lead To Some Kind Of Appropriate Action, I.E. An Investigation By A Measured & Responsible Person, But Sometimes An Error Is Just An Error And No Fraud Exists

74 Employee Red Flags ● Employee Lifestyle Changes ● High Employee Turnover ● Significant Personal Debt And Credit Problems ● Refusal To Take Vacation Or Sick Leave ● Behavioral Changes ● Lack Of Segregation Of Duties In A High-risk (Vulnerable) Area

75 Employee Red Flags ● Reluctance To Provide Information To Auditors ● Photocopied Or Missing Documents ● Weak Internal Control Environment ● Unexpected Overdrafts Or Declines In Cash Balances ● Decisions Dominated By An Individual Or Small Group

76 Employee Red Flags ● Excessive Number Of Year-end Transactions ● Management Displays Significant Disrespect For Regulatory Bodies ● Excessive Number Of Or Frequent Changes In Checking Accounts ● Accounting Personnel Are Lax Or Inexperienced

77 Employee Red Flags ● High Employee Turnover Rate ● Compensation Is Out Of Proportion ● Decentralization Without Adequate Monitoring ● Frequent Changes In External Auditors

78 Red Flags in Cash ● Excessive Number Of Voids ● Presence Of Personal Checks In Petty Cash ● Unauthorized Bank Accounts ● Excessive Or Unjustified Cash Transactions ● Large Number Of Account Write-offs ● Sudden Activity In A Dormant Account

79 Red Flags in Payroll ● Inconsistent Overtime Hours For A Cost Center / Department ● Overtime Charged During A Slack Period ● Overtime Charges For Employees Who Normally Would Not Have Overtime Wages ● Budget Variations For Payroll By Cost Center / Department ● Employees With Duplicate Social Security Numbers, Names, And Addresses ● Employees With Few Or No Payroll Deductions

80 Red Flags in Procurement ● Increasing Number Of Complaints About Services ● Vendors Without Physical Address ● Lack Of Physical Security Over Assets / Inventory ● Payments To Vendors Not Included On An Approved Vendor List ● Vendor Address Matching Employee Address

81 Red Flags in Procurement ● Purchases That Bypass Normal Procedures ● Charges Without Shipping Documents ● Vendor Payments Picked Up Rather Than Mailed ● High Volume Of Purchases From New Vendors

82 Profile of a Government At Risk ● Less Than 100 Employees. ● Management Ignores Irregularities. ● High Turnover With Low Morale. ● Staff Lacks Training

83 Session 6 Where Is The Independent Auditor?

84 The Independent Auditor ● Once The Independent Auditor Is Finished With The Annual Audit, Can Everyone Relax And Assume That “No One Got Us This Year?” ● Of Discovered Fraud, the Independent Auditor Only Finds about 9%

85 Why Do Auditors Fail To Detect Fraud? ● Lack of Training ● Accept any Reasonable Explanations ● Going Through the Process of Ticking and Tying Numbers ● They May Not Want to Find Fraud, It Causes Problems ● They May Be Embarrassed ● Not Enough Time Budgeted for the Audit

86 Types of Audits ● Financial Audits ● Performance Audits

87 The Independent Auditor ● The Auditor Reports On The Adequacy Of Existing Controls Within The Government ● The Auditor Must Carefully Evaluate The Internal Control System As A Basis To Determine The Degree Of Audit Procedures Necessary In The Circumstances

88 New Statements on Auditing Standards ● A Few Years Ago, The Rules For Auditors Were Changed And Expanded Substantially

89 What Created The Need? ● Corporate Fraud In The “Roaring 90’s” Which Became Known In The Early 2000’s ● Sarbanes Oxley Act Of 2002 (Private Sector) ● Required Additional Internal Controls By Management ● Created A New Agency (PCAOB) To Closely Scrutinize Public Company Audits ● Removed The AICPA From Any Authority For Public Company Audit Standards And Peer Review

90 A New Audit Approach ● A Risk Based Audit ● The Government Must Identify Key Internal Controls That Relate To High Risk Areas ● Some of the Areas Might Include: ● Cash ● Investments ● Budget ● Revenue Receipts ● Expenditures ● Payroll ● Consumable Inventories ● Capital Assets ● Grants

91 Do the Auditors Look At Everything? ● Auditors Obtain Reasonable Assurance, Not Absolute Assurance ● Materiality ● The Single Audit ● The Auditor May Report on Compliance and Internal Controls ● Major Federal Awards

92 Internal Audit Function ● Management Can Improve The Quality Of The Environment By Establishing An Internal Audit Function ● Report Directly To Top Management (Or The Elected Officials?) ● Monitoring The Effectiveness Of Control Related Policies And Procedures

93 Internal Audit Function ● Internal Auditors Can Be Of Great Value To State And Local Governments In A Variety Of Ways. ● In Particular, They Commonly Assist Management In Monitoring The Design And Proper Functioning Of Internal Control Policies And Procedures.

94 Internal Audit Function ● In This Capacity, Internal Auditors Themselves Function As An Additional Level Of Control And So Help To Improve The Government’s Overall Control Environment. ● Internal Auditors Also Can Play A Valuable Role Conducting Performance Audits, As Well As Special Investigations And Studies

95 Internal Audit Considerations ● Don’t Let The Audit Function Become A Political Football ● Don’t Promise The Moon ● Don’t Let The Auditors Become Free Roaming Chickens. ● Don’t Fly By The Seats Of Your Pants

96 Internal Audit Considerations ● Don’t Use The Shotgun Approach To Scoping An Audit ● Never Leave A White Elephant In The Auditee’s Office. ● Don’t Count Your Chickens Before They Hatch. Never Assume The Auditee Fixed The Problem.

97 GFOA Recommendations ● Every Government Should Consider The Feasibility Of Establishing A Formal Internal Audit Function Because Such A Function Can Play An Important Role In Helping Management To Maintain A Comprehensive Framework Of Internal Controls. ● As A Rule, A Formal Internal Audit Function Is Particularly Valuable For Those Activities Involving A High Degree Of Risk (E.G., Complex Accounting Systems, Contracts With Outside Parties, A Rapidly Changing Environment).

98 GFOA Recommendations ● If It Is Not Feasible To Establish A Separate Internal Audit Function, A Government Is Encouraged To Consider Either 1) Assigning Internal Audit Responsibilities To Its Regular Employees Or 2) Obtaining The Services Of An Accounting Firm (Other Than The Independent Auditor) For This Purpose

99 GFOA Recommendations ● The Internal Audit Function Should Be Established Formally By Charter, Enabling Resolution, Or Other Appropriate Legal Means; ● It Is Recommended That Internal Auditors Of State And Local Governments Conduct Their Work In Accordance With The Professional Standards Relevant To Internal Auditing Contained In The U.S. General Accounting Office’s Publication Government Auditing Standards, Including Those Applicable To The Independence Of Internal Auditors;

100 GFOA Recommendations ● At A Minimum, The Head Of The Internal Audit Function Should Possess A College Degree And Appropriate Relevant Experience. ● It Also Is Highly Desirable That The Head Of The Internal Audit Function Hold Some Appropriate Form Of Professional Certification (E.G., Certified Internal Auditor, Certified Public Accountant, Certified Information Systems Auditor); And ● All Reports Of Internal Auditors, As Well As The Annual Internal Audit Work Plan, Should Be Made Available To The Government’s Audit Committee Or Its Equivalent.

101 Goals Of Audit Committee ● Ensure That Management Is Maintaining A Comprehensive Framework Of Internal Control ● Ensure That Management’s Financial-reporting Practices Are Assessed Objectively ● Determine That The Financial Statements Are Properly Audited And That Any Problems Disclosed In The Course Of The Audit Are Satisfactorily Resolved

102 Key Benefits ● Practical Tool For Focusing Board Attention ● Direct Communications Link Between The Independent Auditors And The Governing Body ● Forum In Which The Independent Auditors Can Candidly Discuss Audit-related Matters With Members Of The Governing Board Apart From Management

103 Applicability to Small Governments ● Smaller Governments Have The Same Basic Responsibility As Larger Governments ● An Audit Committee Is Just As Necessary For Both

104 Level Of Expertise Needed Of Members ● Sufficient Understanding To Perform Duties With Expert Assistance (I.E., Financial Expert) ● New Or Prospective Members Typically Should Receive Some Brief Formal Training: Role Of The Audit Committee; Their Personal Responsibility As Audit Committee Members ● Training Should Underscore Professional Skepticism In Dealing With Management

105 Relationship With Independent Auditors ● Auditors Report Directly To Audit Committee ● Provision To Meet Privately ● Amend “Sunshine” And “Open Meetings” Laws Accordingly

106 Relationship With Independent Auditors ● Two Views ● Traditional: Internal Auditors/Management As Audit Committee/Governing Body ● Emerging: Completely Independent Of Management ● Trade-off: Management Involvement And Cooperation V. Independence

107 Basic Tasks ● Determining The Scope Of The Audit ● Determining The Scope Of “Nonaudit” Services ● Managing The Audit Procurement Process ● Selecting The Independent Auditors ● Reviewing The Financial Statements

108 Basic Tasks ● Reviewing The Auditor’s Report ● Reviewing The Comprehensive Framework Of Internal Control ● Assessing The Performance Of The Independent Auditors ● Providing An Independent Forum For Findings Of Fraud, Abuse, Or Control Override

109 Session 7 The Internal Control Environment

110 The Control Environment ● Sets The Tone For The Government ● Influences Control Consciousness ● Foundation For All Other Control Components ● Includes: Integrity, Ethical Values, Competency, Management’s Philosophy, And The Way Authority And Responsibility Is Assigned

111 The Control Environment ● Corporate Culture (Enron) (A 60 Page Code of Ethics) ● Does Management Believe That Internal Controls Are Important To Achieving Its Goals And Objectives? ● Does Management View Internal Controls As An Obstacle To Achieving Its Goals And Objectives?

112 The Control Environment ● “Who Knew Who They Were? There Was No Place For Me To Voice My Concerns, Either To The Internal Audit Function Or The Audit Committee. Remember, I Was Not In The Accounting Department. But Even If I Were, I Think I Would Have Known It Would Have Been Fruitless, Because I Would Have Had Access To Junior Auditors Who Were Simply Not In The Position To Raise The Flags That Would Have Hurt Their Senior Auditors And Account Executives.” Sherron Watkins, Enron Corporation

113 The Control Environment ● The “Way We Do Things Around Here” ● Sets The Tone Of The Government, Influencing The Control Consciousness Of Its Staff

114 Management’s Attitude ● What Is The Tone At The Top? - Management - Elected Officials ● Will Management Allocate Resources To Internal Controls? ● Are There High Ethical And Professional Standards? ● Does Management Cut Corners?

115 The Typical Environment in Which Fraud Occurs ● Trust Is Placed In Employees ● Employees Have Detailed Knowledge Of The Accounting Systems And Their Weaknesses ● Management Domination Subverts Normal Internal Controls

116 The Typical Environment in which Fraud Occurs ● Management Adds Pressure To “Make The Numbers” ● Expected Moral Behavior Is Not Communicated To Employees ● Unduly Liberal Accounting Practices

117 The Typical Environment in which Fraud Occurs ● Ineffective Or Nonexistent Internal Auditing Staff. ● Lack Of Effective Internal Controls. ● Poor Accounting Records. ● Related Party Transactions. ● Incomplete And Out Of Date Procedural Documentation. ● Management Sets A Bad Example.

118 Practical Application - Control Environment ● Establish Current Policies With Regard To Ethical Behavior (Code Of Conduct), Conflict Of Interest, Nepotism ● Enforce Appropriate Discipline For Failure To Comply With These Policies ● Ensure Personal Adherence To Strong Moral Code ● Reward Competency

119 Practical Application - Control Environment ● Place High Degree Of Importance On Maintaining Strong Internal Control ● Provide For A “Whistle Blower” Policy That Allows Employees And Others To Report Fraud Or False Statements By The Management Team

120 Impact of the Control Environment ● Don’t Underestimate The Importance Of This Part Of The Control System. ● All The Great Control Activities In The World Will Not Be Effective If Employees Know That Management Is Not Concerned With Strong Internal Control, Lacks Integrity Or Does Not Value Their Employees

121 Control Environment Pitfalls ● Ignoring The Tone That Management Sets Or Thinking That The Control Environment Is Not Important. ● Inconsistency In Treatment Of Lapses In Ethical Conduct. ● Allowing Employees To Feel Devalued.

122 Maintaining A Qualified Staff ● Competent And Honest Staff ● Up To Date Job Descriptions ● Follow Appropriate Hiring Policies (E.G., Not Hiring A Relative Or A Buddy) ● Assign Authority And Responsibility ● Ensure That Employees Are Trained ● Review And Document Performance ● Set Appropriate Performance Goals For Promotion

123 Session 8 Risk Assessment

124 What Is Risk Monitoring And Assessment? ● The Government’s Identification And Analysis Of Relevant Risks To Achieve Its Objectives, Forming A Basis On How They Should Manage The Risks

125 Risk Assessment ● Risks Result From Both External And Internal Sources ● These Change Over Time Based On Economic, Regulatory, And Operating Conditions ● Risk Assessment Must Link Identified Policy Objectives To Specific Risk Factors

126 Risk Assessment ● Example: A Policy Of Receiving The Highest Rate Of Return On Investments Must Be Linked To Interest Rate Risk ● Example: A Policy Of Allowing Payment From Vendor Statements Rather Than Original Invoices Only Must Be Linked To The Risk Of Duplicate Payments

127 Risk Assessment ● Example: A Policy Of Decentralized Cash Receipts Must Be Linked To The Risk Of Untimely Deposit And Recording To The General Ledger.

128 Risk Assessment ● Risk Assessment Must Also Link Identified Control Objectives To Specific Risk Factors ● All Transactions Are Properly Authorized ● Transactions Are Recorded In The Correct Period For The Correct Amount ● All Revenues Are Received And Recorded Timely ● Assets Are Not Stolen Or Lost

129 Risk Assessment ● Risk Factors Are Created By: ● The Nature Of Particular Accounts Or Transactions ● Turnover In Key Employee Positions ● Changes In The Financial Markets ● The Expertise Of The Personnel Handling Transactions ● Ineffective Or Poorly Designed Control Activities

130 Practical Application - Risk Assessment ● Be Realistic About The True Risk With Regard To A Particular Account Or Cycle Of Transactions ● Consider All Types Of Applicable Risk: Inherent, Control Risk, Fraud Risk, Credit Risk, Etc ● Make Sure To Address IT Risk ● Identify “What Could Go Wrong?”

131 Risk Detection ● It Is Like A Physician ● It Is Like An Attorney ● Prevention And Quick Corrective Action

132 Inherent Risk ● It Is Life!

133 Inherent Risk ● Complexity ● Cash Receipts ● Direct Third Party Beneficiaries ● Degree Of Centralization ● Prior Problems ● Prior Unresponsiveness To Identified Control Weaknesses

134 Effect Of Change On Risk Management ● Changes In The Environment ● Changes In Personnel ● Changes In Technology ● Rapid Growth ● New Programs And Services ● Changes In Structure

135 What Could Go Wrong? Example: Cash Disbursements ● Payments Could Be Made To Fictitious Vendors ● Disbursements Could Be Made For The Wrong Amount ● Duplicate Payments Could Be Made On An Invoice ● Disbursements Could Be Recorded In The Wrong Period

136 What Could Go Wrong? Example: Investments ● Excessive Transaction Fees Could Be Charged To The Government. ● Investments Held By The Government Could Be Stolen (Certificates Of Deposit). ● Investments Outside The Government’s Risk Tolerance Could Be Purchased And Result In Loss Of Principal.

137 What Could Go Wrong? Example: Cash Receipts ● Funds Received Could Be Credited To The Wrong Customer Account ● Cash Could Be Stolen By An Employee ● Amounts Received Could Be Recorded Net Rather Than Gross ● Amounts Receivable May Never Be Collected Due To Failure To Follow Up On Past Due Amounts

138 Risk Matrix – Cash Receipts

139 Practical Application - Risk Assessments ● Risk Assessments Can Be Documented Via Narrative, Checklist Or Matrix ● Tools Available Include: ● COSO Documents Available Via AICPA ● PPC Checklists Or Other Auditor Utilized Templates ● Local Government Websites (Perform Google Search For “Government Internal Control”)

140 Practical Application - Risk Assessments ● Remember That Use Of A Third Party Does Not Eliminate Management’s Responsibility For Assessing Risks. ● Structure Of Agreement Is Important ● Obtain SAS 70 ● Reconcile Reports To General Ledger (As Applicable)

141 Practical Application - Risk Assessments ● Remember That IT Controls Can Affect Risk For All Cycles Of Transactions. Well Designed Internal Controls Can Be Made Ineffective By Poor Controls Over IT. ● System Log-in Should Mirror Job Responsibilities ● Passwords ● Remove Temporary Access Granted Once No Longer Appropriate

142 Risk Assessment Pitfalls ● Trying To Identify A Control For Every Risk Factor. ● Ignoring The Possibility Of Existing Compensating Controls. ● Not Performing A Risk Assessment Annually Or At Least When Key Factors Have Changed (Regulatory, Employee Turnover, Etc.) ● Ignoring IT Controls.

143 Session 9 Control Activities

144 ● The Policies And Procedures That Ensure Management’s Directives Are Followed ● These Occur At All Levels Throughout The Organization ● Include: Approvals, Authorizations, Verifications, Reconciliations, Security Of Assets, Segregation Of Duties And Review Of Operating Performance

145 Practical Application - Control Activities ● Address Control Objectives: Existence Or Occurrence, Completeness, Valuation Or Allocation, Rights And Obligations, Accuracy Or Classification, Cutoff And Presentation And Disclosure ● Tie Control Activities To Risks Previously Identified And Address “What Could Go Wrong” Scenarios ● Balance Cost And Benefit

146 Practical Application - Control Activities ● Identify Control Objectives And The Risks Of What Could Happen ● For Each Risk Factor Identified, Evaluate The Potential Impact And Probability Of Occurrence ● Design Control Activities To Address High Impact, High Probability Concerns ● Evaluate Annually

147 Risk Matrix ● Cash Receipt Example

148 Risk Matrix ● Cash Disbursements Example

149 Practical Application - Control Activities ● It Is Not Necessary To Address Every Risk Factor With A Specific Control Activity – Focus On Key Areas ● Utilize Compensating Controls Where “Textbook Approach” Is Not Practical ● Evaluate The Benefit Of Existing Monitoring Controls

150 Risk Matrix ● Cash Disbursements Example

151 Key Control Activities ● Address Unusual Transactions Or Variance From Expected Benchmarks In Timely Fashion ● Reconcile Accounts Per General Ledger To Subsidiary Ledgers Or Statements From Trustee/Custodian (As Applicable) ● Separate Initiation And Authorization From Recording Of Transactions

152 Key Control Activities ● Provide For Oversight By Interested Party Such As Investment Committee (Include Trustee Activities), Audit Committee Or Citizens’ Group ● Utilize Disclosure Checklist To Ensure Presentation And Disclosure Requirements Are Met

153 Control Activities Pitfalls ● Remember That For Small Governments Key Objectives Must Be Identified: Reducing The Risk Of Theft Or Fraud; Providing For Accountability; Ensuring Compliance With Regulations ● Focus On True Effectiveness – Not Just Cookie Cutter Approaches ● Ensure Benefit Justifies The Cost

154 Session 10 Information and Communications

155 Information and Communication ● Includes Both Internal And External Interaction ● Requires Pertinent Information To Be Identified, Captured And Communicated In A Form And Timeframe For Employees To Carry Out Their Responsibilities ● Reports Must Contain Relevant Operational, Financial And Compliance Information

156 Practical Application - Information and Communication ● System Generated Reports Must Include Relevant Information ● Statements From Outside Third Parties (Broker/Dealers, Bank Statements, Grantor Agency) Must Be Channeled To Correct Personnel And Provided Timely

157 Information And Communication Example: Investments ● Communication With Investment Committee Or Other Oversight Body Should Include: ● Types Of Investments Held ● Average Rate Of Return For Period And YTD Compared With Benchmarks ● Average Maturity Of Portfolio ● Compliance With Investment Policy Provisions

158 Information and Communication Example: Investments ● Communication With Investment Committee Or Other Oversight Body Should Also Include: ● Changes In Investment Strategy (If Any) ● Interest Rate Environment Changes ● Discussion Of Any Unusual Transaction Or Particularly Risky Investment

159 Information and Communication Example: Cash Disbursements ● Communication With Departments: Budget To Actual Report By Budgeted Line; Request To Explain Certain Variances; Detail Of Capital Assets Added To Subledger ● Communication With Council: Budget To Actual Comparison By Department; Explanations For Variances Over A Certain Threshold

160 Information and Communication Example: Cash Receipts ● Daily Cash Reports Should Show Revenue By Major Categories Such That Reconciliation To The General Ledger Is Facilitated. The Date Of Receipt And Date Of Deposit Should Be Included Along With The General Ledger And Bank Account Information.

161 Information And Communication Pitfalls ● Generating Reports That Provide Inaccurate, Untimely Or Unnecessary Information ● Providing Inappropriate Information Outside The Organization (SS #, Employee Evaluations) ● Failure To Verify Accuracy Of Externally Provided Reports

162 Session 11 Monitoring

163 Monitoring ● Assessing The Quality Of The Internal Control System And Making Modifications As Needed ● This Process Is Ongoing Through The Normal Course Of Operations And At Separate Specific Evaluations Of A Particular Process

164 Monitoring
COSO Framework States That “Monitoring Ensures That Internal Control Continues To Operate Effectively.” The COSO Framework Recognizes That Risks Change Over Time And That Management Needs To “Determine Whether The Internal Control System Continues To Be Relevant And Able To Address New Risks.”

165 Monitoring
- The Original COSO Report On Internal Controls Was Issued In 1992.
- In 2009, COSO Issued “Guidance On Monitoring Internal Control Systems”
- Emphasized Importance Of Monitoring Controls As Part Of Even Small Government Environments.

166 Monitoring
- Monitoring Is Both An On-going Process And Can Be Annual In Nature (Testing Of Key Controls)
- Process Can Be Done Annually By The Internal Audit Department (As Applicable) Or As An Internal Review By Finance Personnel.

167 Practical Application – Examples of Monitoring
- Cash Receipts
  - Performing A Review Of Bank Reconciliations On A Monthly Basis And Signing Off As Having Reviewed These.
  - Monthly Comparison Of Actual Receipts To Budgeted Receipts And Investigation Of Significant Discrepancies.
  - Annually Selecting A Few Transactions To Ensure Proper Recording.

168 Practical Application – Examples Of Monitoring
- Cash Disbursements
  - Performing A Review Of Bank Reconciliations On A Monthly Basis And Signing Off As Having Reviewed These.
  - Monthly Comparison Of Cash Disbursements To Budgeted Expenditures/Expenses And Investigation Of Significant Discrepancies.

169 Practical Application – Examples Of Monitoring
- Cash Disbursements
  - Reconciliation Of P-card Purchases By Someone Other Than The Card Holder
  - Annual Test Of A Selection Of Transactions For Proper Recording.

170 Practical Application – Examples of Monitoring
- Investments
  - Performing Investment Portfolio Review (Including Evaluation Of Concentration And Type Of Investments) Quarterly By Person Independent Of Investment Portfolio Management
  - Disclosure Of Conflict Of Interest Statement Annually By Portfolio Manager
  - Obtaining A SAS 70 Report From Custodian Annually

171 Practical Application - Monitoring
- Controls Will Change As The Makeup Of An Account Changes
- Controls Should Be Evaluated When There Are Changes In Key Personnel Or Software Applications
- Be Responsive To Information Requests Of Key Management Personnel
- Review Policies And Procedures Annually

172 Monitoring Pitfalls
- Failure To Perform Any Monitoring Control Activities.
- Overkill For The Organization’s Size. One Or Two Key Data Cycles Or Areas Can Be Selected Each Year For Testing Of Controls.
- No Attempt To Actually Test Key Controls In Some Fashion.
- Failure To Evaluate Controls When Personnel Or Software Changes.

173 Session 12 Evaluation Controls Over Accounting And Financial Reporting

174 Know Where To Start
- Identify Control Cycles
- Basic Control Cycles
  - Obtaining Resources
  - Applying Resources

175 Identify Control Cycles
- It Is Easy For Management To Be Daunted By The Sheer Volume And Complexity Of Controls Over Accounting And Financial Reporting.
- Accordingly, The First Step In Evaluating These Controls Is To Know Where To Start.
- The Best Place To Begin Is By "Breaking Down" What A Government Does Into Manageable Groupings Of Similar Or Related Activities, Commonly Known As "Control Cycles."

176 Obtaining Resources
- The Resources Inflows Control Cycle
  - Obtaining Legal Claim (Levy The Tax, Provide The Service)
  - Demanding Payment (From Taxpayers, Customers And Grantors)
  - Converting To Cash (Collect)

177 Applying Resources
- The Resources Outflows Control Cycle
  - Applying Resources (Issue Purchase Orders, Approve Contracts, Hire Employees, Award Grants)

178 Applying Resources
- The Resources Outflows Control Cycle
  - Ensuring Conditions Met (Receipt Of Goods Or Services, Compliance With Grant Requirements)
  - Making Cash Payments

179 Applying Resources
- The Resources Outflows Control Cycle
  - Making Cash Payments

180 Interim Management
- Governments Are Not Able To Apply Immediately All Of The Resources They Obtain.
- Rather, There Will Be A Greater Or Lesser Interval Between When Resources Are First Obtained And When Those Resources Are Finally Converted Into Goods And Services
- During This Interval, A Government Must Carefully Manage The Resources Entrusted To Its Care.

181 Interim Management
- First, Liquid Resources (E.G., Cash) Must Be Properly Protected And Used To Best Advantage Until Needed (I.E., Invested Or Placed On Deposit).
- Second, Non Liquid Assets Used In The Provision Of Services (E.G., Equipment, Inventories Of Supplies) Must Be Properly Protected And Maintained.
- When Both Of These Processes Are Combined Together, The Result Is A Third Control Cycle For "Resource Management."

182 Seven Important Steps
- Vulnerability Assessment
- Documenting Transactions
- Identifying Specific Risks
- Identifying Compensating Controls

183 Seven Important Steps
- Evaluating The Design Of Compensating Controls
- Testing Compensating Controls
- Assessing The Results Of Testing

184 Session 13 Control Cycles A Final Review

185 Cash Controls
- Collection Controls
- Disbursement Controls
- Custody Controls
- Accounting Controls
- Reconciliation Controls

186 Investments Controls
- Segregation of Duties
- Procedural Controls
- Custody Controls
- Accounting Controls

187 Capital Asset Controls
- Segregation of Duties
- Procedural Controls
- Authorization Controls
- Asset Accountability Controls
- General Ledger Controls

188 Inventory Controls
- Segregation of Duties
- Authorization Controls
- Receipt/Issues Controls
- Physical Inventory Controls

189 Procurement Controls
- Segregation of Duties
- Procedural Controls
- Requisition Controls
- Procurement Controls
- Receiving Controls
- Invoice Processing Controls

190 Personnel and Payroll Controls
- Segregation of Duties
- Procedural Controls
- Personnel Controls
- Payroll Processing Controls

191 IT Controls
- Segregation of Duties
- Procedural Controls
- Documentation Controls
- Data Controls
- Security Controls
- Inventory Controls

192 Session 14 Other Internal Control Pitfalls

193 A Final Reminder About I/C Pitfalls
- Don’t Focus On Areas Where Risk Is Low
- Don’t Ignore Risk Factors You Become Aware Of Throughout The Year
- Talk To Your Auditors About Areas Of Concern They May Have And New Auditing Standards That Will Affect Your Audit.
- Make Sure To Tailor Any “Borrowed” P&P To Your Organization.

194 A Final Reminder About I/C Pitfalls
- Remember That The Cost Of Implementing The Control Structure Should Not Outweigh The Benefit.
- Remember To Address Budget, Grant And IT Controls.

195 Summary
- The Control Environment Establishes The Importance Of Internal Control.
- Risk Assessments Must Be Realistic And Performed When Changes To Objectives Or Policies Occur, There Is Turnover In Key Employees Or Significant Changes In The Financial Markets.

196 Summary
- Control Activities Should Be Focused On Areas Of Highest Risk. Monitoring Controls Are Effective Stopgap For Smaller Entities.
- Information And Communication Must Provide Relevant Information For Managing The Assets And Liabilities Of The Entity.
- Monitoring Of The Internal Control System Is An Ongoing Process.

197 Session 15 Red Flags and Fraud

198 How to Catch a Fraudster
- Independent Auditor
- Internal Audit
- Getting Ratted Out
- Oops Method

199 How to Catch a Fraudster
- Rotate those Job Duties
- The Spot Check
- And, the Surprise Attack

200 Eliminate Fraudster Potential
- Background Check
- Criminal
- Credit
- References
- Verify the Social

201 Eliminate Fraudster Potential
- Background Check
- Driving Record
- The Education
- Professional Credentials
- Drug Testing

202 Tips – Employee Changes
- Attendance
- Tardiness
- Avoiding Others
- Bathroom Breaks

203 Tips – Employee Changes
- Listen
- Look
- Smell
- Observe
- Ask

204 Top Ten Reasons Fraud Beats Internal Controls And What Management Can Do About It?

205 “Fighting the Last War”
Accountants Too Often Allow Themselves To Focus Almost Exclusively On Past Weaknesses Rather Than On Current And Future Exposures (Like Putting Up Traffic Signals Only After An Accident Occurs)

206 Establish A System Of Proactive Fraud Policies – Don’t Wait For Something To Pop Up!
- Use Of The Analytical Review
- Watch For Increasing Expenses, Increasing Receivables/Decreasing Cash, Increasing Revenue/Decreasing Cash
- Use Fraud Assessment Questions With Each Employee

207 Establish A System Of Proactive Fraud Policies – Don’t Wait For Something To Pop Up!
- Enforce A Mandatory Vacation Policy With A Senior Person Filling The Position For Several Days
- Enforce A Mandatory Job Rotation Policy
- Periodically, Stage A Surprise Audit Of Each Position

208 Detection of Fraud Schemes
- Tip (46.2%)
- By Accident (20%)
- Internal Audit (19.4%)
- Internal Controls (23.3%)
- External Audit (9.1%)
- Notified by Police (3.2%)

209 Control Related Policies
- Authorization
- Properly Designed Records
- Security Of Assets And Records
- Segregation Of Duties
- Periodic Reconciliations
- Periodic Verifications
- Analytical Review

210 1. Goin’ Through the Motions
- Process Mentality
- Just Doing The Steps In The Process
- Not Thinking About What One Is Doing
- Example: Two Signatures Required On Checks. Both Check Signers Fail To Notice The Check Has No Payee And Still Sign The Check
- Remedy: Reinforce The Need To Pay Attention And The Consequences For Failure

211 2. See No Evil, Hear No Evil
- Blind Trust
- Failure To Acknowledge Warning Signals
- Example: Failure To Follow Up On A Customer Complaint Of An Incorrect Bill For Service And Relying On The Experienced And Valued Billing Clerk’s Response That It Was Just An Error.
- Remedy: Realize That Anyone Can Commit Fraud. Assume Discrepancies Are Fraud And Prove To Yourself It Is Only An Error.

212 3. It’s Good to be The King
- Positional Immunity
- Rationalizing That Controls Don’t Apply To Me Because I Am In Upper Management.
- Often Referred To As Management Override.
- Example: Executive Director Doesn’t Report Leave Used, But Still Gets Paid For Unused Leave Annually.
- Remedy: Identify Someone Within Or Outside The Entity That You Can Report These Circumstances To And Not Jeopardize Your Job.

213 4. New Kid on the Block
- Situational Incompetence
- New Employee Not In A Position To Question Why
- Example: New Accounts Payable Clerk Questions Why Purchases From A Certain Vendor Do Not Require Bids, And Is Told That Such Purchases Are Exempt.
- Remedy: If You Are The Supervisor, Don’t Assume New Employee Just Doesn’t Understand. Take Their Questions Seriously And Ask Yourself Why. If You Are The Employee, Ask More Than One Person.

214 5. Where’s All the Time Gone?
- Workload Overload
- Not Enough Time To Perform Control Procedures
- Example: Knowing That The Supervisor Is Too Busy To Reconcile Accounts Receivable, A Billing Clerk Steals Cash And Posts Unauthorized Adjustments.
- Remedy: Reevaluate Assignment Of Duties, And When Needed, Demand More Resources By Focusing On The Consequences Of Fraud.

215 6. Can’t We All Be Happy?
- Conflict Avoidance
- Responsible Employees Not Comfortable In Confronting Other Employees
- Example: A Supervisor Recognizes That The Cash Drawer Is Always Short At The End Of The Day, But Is Uncomfortable In Confronting The Employee.
- Remedy: Reinforce Supervisory Responsibilities. Provide Employee Management Training. Don’t Tolerate Poor Performance.

216 7. Where’s the Beef?
- Informational Restraint
- Responsible Employees Lack The Information They Need To Identify An Improper Transaction
- Example: An Accounts Payable Clerk Is Not Provided A Contract That Includes A Not-to-exceed Price Limit And Vendor Takes Advantage By Over-billing.
- Remedy: Reinforce With Employees The Openness And Availability Of Records And Information.

217 8. It’s None of My Business
- Behavioral Ignorance
- Responsible Employees Ignore Behavioral Signs Or Indicators Of Possible Fraud
- Example: Management And Other Employees Fail To Investigate Or Question An Employee That Is Living Well Above Their Means Or Salary Level.
- Remedy: Create An Environment Within The Government That Fosters Ethical And Responsible Behavior. Create An Anonymous Hotline

218 9. It’s Over My Head
- Informational Ignorance
- Officials Ignore Fraud Warning Signs In Reports Because They Don’t Understand The Reports
- Example: Highway Patrol Fine Revenue Was Embezzled And Monthly Budget Report Shows A Potential Problem, But The Report Is Too Complicated For Management And Governing Board To Understand.
- Remedy: When It Comes To Reports, Use The KISS Principle And Train The Users.

219 10. A Bad Apple in the Bunch
- Ethically Challenged
- Employees Responsible For Controls Are Just Not Ethical And Morally Responsible Individuals
- Example: Purchasing Supervisor Is Dishonest And Convinces An Accounts Payable Employee To Process Fake Invoices For Payment And Split The Money Between Them.
- Remedy: Don’t Hire Crooks.

220 To Summarize Internal Controls:
- Provide A Favorable Control Environment
- Provide For The Continuing Assessment Of Risk
- Provide For The Design, Implementation And Maintenance Of Effective Control Related Policies And Procedures
- Provide For The Effective Communication Of Information (We Kind Of Skipped This Topic)
- Provide For The Ongoing Monitoring Of The Effectiveness Of Control Related Policies And Procedures

221 We Are Finished
- Please “Don’t Steal”
- Contact Paul @ pglick@mindspring.com

