Good Internal Controls - PowerPoint Presentation
Uploaded On 2020-07-04


Presentation Transcript

Slide1

Good Internal Controls … and why they fail

CUNY Finance Officers’ Forum
Office of Internal Audit and Management Services
June 25, 2013
Updated November 2017

Slide2

Agenda

• Internal Control Framework
• Winning the Battle Against Fraud
• Internal Control Case Study
• Questions and Answers

Slide3

What Are Internal Controls?

“A process, effected by an entity’s board of trustees/directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.”

Committee of Sponsoring Organizations of the Treadway Commission

Slide4

The COSO Organizations

Slide5

What Are Internal Controls?

• A process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
• Effected by people. It is not merely about policy manuals, systems, and forms, but about people at every level of an organization that impact internal control.
• Able to provide reasonable assurance, not absolute assurance, to an entity’s senior management and board.
• Geared to the achievement of objectives in one or more separate but overlapping categories.
• Adaptable to the entity’s structure.

Slide6

Internal Control Objectives

• Operations Objectives: These pertain to effectiveness and efficiency of the entity’s operations, including operations and financial performance goals and safeguarding assets against loss.
• Reporting Objectives: These pertain to the reliability of reporting. They include internal and external financial and non-financial reporting.
• Compliance Objectives: These pertain to adherence to laws and regulations to which the entity is subject (e.g., NCAA, Clery Act, R2T4, FLSA, ADA, etc.).

Slide7

COSO Components of Internal Controls

A sound system of internal controls comprises the following five components:

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities

Slide8

COSO Components of Internal Controls

• Control Environment
  - Tone at the top
  - Commitment to integrity and ethics
• Risk Assessment
  - Organization’s objectives are clear enough to enable risk identification
  - Risk is assessed enterprise-wise and risk is analyzed so that risk management plans can be developed
  - Fraud potential is examined as a contributor to risk
• Control Activities
  - Consists of actions based on policies and procedures that help ensure that management’s risk mitigation directives are carried out
  - Activities are performed at all levels of entity and within all business processes
  - General control activities are placed over technology to support goal attainment

Slide9

COSO Components of Internal Controls

• Information and Communication
  - Internal and external communications provide management with the information needed to meet objectives
  - Relevant, quality information supports the functioning of other internal control components
• Monitoring Activities
  - Continuous and periodic evaluations are conducted to ensure that internal controls are in place and are functioning as intended
  - Control deficiencies are timely communicated to those responsible for taking corrective action

Slide10

Management’s Responsibility for Internal Controls

Management and Administrators are directly responsible for:

• Implementing and monitoring internal controls
• Documenting policies and procedures to be followed in performance of duties
• Periodically assessing risk of errors and irregularities
• Regularly testing controls, reporting results, and taking corrective action

Slide11

Control Activities Framework

Segregation of Duties--no single individual should have control over two or more phases of a transaction or operation (authorization of transactions, custody of assets, recording, processing, reconciliation). Management should ensure a crosscheck of duties. In smaller units, such as an office with only a Department Chairman and an Office Assistant, where segregation of duties is more challenging, a necessary compensating control is increased supervisory oversight.

Slide12

Control Activities Framework

• Proper Authorization for transactions, by a person delegated approval authority
• Review and Reconciliation of records, by someone other than the preparer, to determine that transactions have been properly processed.
• Ensuring that college and university property is physically Secured and accounted for.

Slide13

Control Activities Framework

• Providing employees with appropriate Training and guidance to ensure that they have the knowledge to do their jobs, have appropriate supervision, and know of the channels for reporting suspected improprieties.
• Ensuring that University and departmental level Policies and operating Procedures are documented and communicated to employees.

Slide14

Examples of Control Activities

Check Tampering Controls

• Order check stock on controlled check paper stock with security features pre-printed.
• Keep check stock in locked cabinets. If cabinets have combination locks, the code should be restricted to a few individuals and should be changed when employees leave the department.
• Use positive pay or reverse positive pay. With positive pay, the bank only clears checks shown on the list received from the college. With reverse positive pay, the bank sends a list of checks presented and gets permission to clear.

Slide15

Examples of Control Activities

Billing Fraud Controls

• Have written policies and procedures for Purchasing, and Accounts Payable. Include P-card purchases.
• Restrict access to vendor database. No temporary employees should have access.
• Make payments from original invoices, not statements or emails
• Cancel paid invoices by stamp or defacement
• Use A-Routing only for emergencies, if at all
• Use IRS and state TIN matching services

Slide16

Examples of Control Activities

General IT Controls

• Establishment of procedures for creating, modifying, and deleting user accounts
• Providing all users with a unique user name in a timely manner
• Using an authentication system to log on to the network and specific applications
• Granting of user access only to the areas of the applications (including within financial software) and the network needed to perform their job duties

Slide17

Why Internal Controls Fail

• Poor tone at the top
  - Upper management pays lip service to the importance of integrity and ethics or doesn’t adhere to rules others are expected to adhere to
  - Employees begin to sense that integrity and ethics don’t matter or pay off.
• Cost or effort exceeds benefit
  - Excessive or expensive controls are difficult to sustain.
  - Inefficiencies in processing will lead to workarounds and control gaps
• Inherent Limitations of internal control systems
  - These are largely unavoidable, but certain factors make them more likely to develop
  - Collusion (two or more employees working in concert)
    - Exacerbated by low employee morale
    - Failure to take action against other wrongdoers
    - Lack of clearly stated policies and procedures

Slide18

Why Internal Controls Fail

• Inherent Limitations cont’d
  - Mistakes of judgment
    - Lack of employee training
    - Lack of clearly stated policies and procedures
    - Inadequate supervision
  - Carelessness
    - Lack of employee training
    - Inadequate review and supervision
    - Presence of unnecessary workplace distractions
  - Management Override
    - Poor system of accountability in organization
    - High performance expectations
    - Absence of background checks for key positions
    - Inadequate controls in IT systems

Slide19

Warning Signs of Internal Control Weakness

• Internal control system focuses more on detective controls for errors and irregularities than on preventive controls
• Increased expenditures/decreased revenues
• General ledger account anomalies such as high tuition refunds
• Increase in duplicate vendor payments
• Invoices submitted for payment lack sufficient detail
• Rise in number of internal/external audits and in audit findings
• Increase in sanctions, penalties, and fines assessed by regulatory bodies
• Increase in complaints alleging fraud, waste, or abuse
• Increase in attempts to penetrate systems security
• High turnover in key positions
• Low employee morale

Slide20

Internal Controls at CUNY

• Internal Control Self-Assessment
• NYC Comptroller Directive #1 for CCs and HCS
• Internal Audits
• Risk Management and Internal Controls Committee
• Employee Assistance Program
• Chief Compliance Officer Appointed
• Office of Environmental Health, Safety, and Risk Management
• Various Councils (e.g., Administrative, Business Managers, Bursars, Revenue Management, R2T4 Coordinators, Financial Aid Directors, IT Steering Committee)
• Web Resources (e.g., Manual of General Policy, IT Security Policy, Tuition and Fee Manual, Board Minutes, Cash Management and Banking Guidelines, etc.)

Slide21

Internal Control Self-Assessment

Areas Covered Previously

• Accounting Office (Non-Tax Levy)
• Accounts Payable
• Adult and Continuing Education
• Bursar
• Financial Aid
• Human Resources
• Institutional Advancement
• Office of Information Technology
• Payroll
• Property Management
• Public Safety
• Purchasing/Procurement
• P-Card
• Receiving

New Areas

• Chief Academic Officer/Provost
• Registrar
• Child Care

Slide22

FRAUD

Slide23

Fraud Defined

The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.

Association of Certified Fraud Examiners

Slide24

The Cost of Fraud

According to the Association of Certified Fraud Examiners:

• The average organization loses 5% of its annual revenues to fraud, or $3.7 trillion in 2014 Gross World Product.
• The median loss from fraud was $150,000 in the period of January 2014 through October 2015.
• Asset misappropriation was the most common fraud scheme, occurring in 83% of cases, but the median loss was only $125,000.
• Financial Statement fraud, although less common, occurring in only 10% of cases, caused a median loss of $975,000.
• Billing schemes and check tampering schemes posed the greatest risk based on relative frequency and median loss.
• The perpetrator’s level of authority is strongly correlated with the size of the fraud. The median loss in schemes by executives was $703,000, four times higher than losses caused by managers ($173,000), and 11 times higher than losses caused by employees ($65,000).

Slide25

Fraud in Government Organizations

Corruption 38.4%
Billing 25.3%
Non-cash 19.1%
Expense Reimbursements 15.7%
Skimming 14.0%
Payroll 13.5%
Cash on Hand 10.5%
Check Tampering 9.2%
Cash Larceny 7.9%
Financial Statement Fraud 7.9%
Register Disbursements 1.7%

Association of Certified Fraud Examiners 2016 Report to Nations

Slide26

Fraud in Educational Organizations

Billing 34.1%
Corruption 31.8%
Skimming 25.0%
Cash on Hand 17.4%
Non-Cash 17.4%
Expense Reimbursements 15.9%
Cash Larceny 13.6%
Payroll 7.6%
Check Tampering 7.6%
Register Disbursements 1.5%
Financial Statement Fraud 5.3%

Association of Certified Fraud Examiners 2016 Report to Nations

Slide27

Initial Detection of Fraud

Tip 43.3%
Management Review 14.6%
Internal Audit 14.4%
By Accident 7.0%
Account Reconciliation 4.8%
Document Examination 4.1%
External Audit 3.3%
Notified by Police 3.0%
Surveillance/Monitoring 1.9%
Confession 1.5%
IT Controls 1.1%

Association of Certified Fraud Examiners 2016 Report to Nations

Slide28

Percentage of Victim Organizations that had the Below Anti-fraud Controls in Place

External Financial Stmt Audit 81.7%
Code of Conduct 81.1%
Internal Audit Department 73.7%
Management Certification of Fin Stmts 71.9%
External audit of ICOFR* 67.6%
Management Review 64.7%
Independent Audit Committee 62.5%
Hotline 60.1%
Employee Support Programs 56.1%
Fraud Training for Employees 51.6%
Fraud Training for Mgrs/Execs 51.3%
Anti-Fraud Policy 49.6%
Dedicated Fraud Dept, Function, or Team 41.2%
Formal Fraud Risk Assessments 39.3%
Surprise Audits 37.8%
Proactive Data Monitoring/Analysis 36.7%
Job Rotation/Mandatory Vacations 19.4%
Rewards for Whistleblowers 12.1%

* Internal Control Over Financial Reporting

Association of Certified Fraud Examiners 2016 Report to Nations

Slide29

Fraud Triangle*

• Pressure/Incentive
• Opportunity
• Rationalization

*Some theorists are now suggesting a fraud diamond rather than a triangle, adding a fourth factor, “Capability,” they believe is a necessary, separate element.

Slide30

Why Universities are Susceptible to Fraud

Slide31

CUNY’s Response to Fraud

• Fraud allegations reported to OGC, Internal Audit, or University Public Safety are routinely referred by OGC to the State Inspector General.
• CUNY has a zero-tolerance policy for handling perpetrators
• Internal/Surprise audits
• CUNY has updated many of its policies and procedures
• CUNY is considering the establishment of a fraud hotline/helpline

Slide32

Fraud Schemes Seen at CUNY

• Secret bank account opened for diverting of tuition and fee revenue
• P-Card used to purchase goods for personal benefit including sale on eBay
• Student housing fees misappropriated by student services accountant
• Invoices altered by A/P manager so payment would be made to bank account in another locality
• New York check-fraud ring cashing fraudulent CUNY checks at check-cashing establishments
• Facilities Rental/Licensing fees misappropriated in billing fraud/skimming scheme
• Faculty charging students directly for unauthorized courses and unauthorized certifications

Slide33

P-Card Case Study Exercise

Slide34

Internal Control Basics Purchase Card Case Study

Assignment:

Given the objective, risk, and control activities, identify at least 5 violations of internal control in the example case study below.

A small state agency has four employees: an executive director, a deputy director, a fiscal analyst (FA), and an administrative assistant (AA). All employees have been with the agency since it was formed about two years ago. The agency has been using purchase cards for about a year. The FA and AA each have a purchase card that they ordered themselves. They also each set their own spending limits on their cards. They each order goods and services. They are careful to follow the state purchasing rules, and use state contracts whenever possible. The FA and AA each verify that their own goods and services were received, and sign the packing slip or invoice. The FA authorizes payment on both purchase cards.

The executive director does not have a purchase card in his name. However, the AA has written the account number for her purchase card in his planner so that he can occasionally order goods and services. He usually does not keep the credit card receipts for his purchases, but he does tell the AA what he purchased and instructs her on what expenditure coding to use. The AA then forwards the bill to the FA for payment.

Slide35

P-Card Case Study (Cont’d)

The AA purchases most of the goods and services for the agency with her purchase card. She always keeps her purchase card with her in her purse. She also keeps receipts for all purchases that she has made in a folder in her desk drawer, verifies that the goods and services were received, and reconciles all receipts to her purchase card statement before sending to the FA for payment.

The FA has known the AA since high school. Since he has known her for so long, he trusts her and takes her word that she has reconciled all receipts to her statement. He always authorizes and makes payment on her purchase card based on her word, especially since he knows that she keeps all documentation. The FA also purchases goods and services with his purchase card. Most of the charges on his card are for recurring payments, like the lease of office space, agency phone bills, etc. Since these are all agency charges, he authorizes and makes payment on his purchase card. The agency has written policies on purchase cards, but they aren’t specific to the agency yet. They were obtained from a friend at another agency, and the AA is eventually going to make some modifications so that they are specific to the agency. Training is not formally provided since only two people in the agency are primarily using purchase cards. They tell each other when problems are encountered with the cards, so they feel that they are informed enough to be able to use them.

Slide36

Answers:

1. The FA and AA should not order their own cards. That is the agency program administrator’s role, to order cards, receive them, and then deliver them to card holders.
2. The FA and AA should not be setting their own spending limits on their cards. That should be the approving official’s role.
3. There isn’t an agency program administrator. It seems that would be an appropriate role for either the director or deputy director. (The same position should not act as both the agency program administrator and the approving official.)
4. There isn’t an approving official. It seems that would be an appropriate role for either the director or deputy director. (The same position should not act as both the agency program administrator and the approving official.)
5. An approving official should be verifying that the FA and AA did in fact receive the goods and services they ordered, that they have completed timely reconciliations of their card statements, and that they have kept appropriate documentation. This should be done on a routine basis.

Slide37

P-Card Case Study Answers (Cont’d)

6. The FA should not be authorizing payment on his own card. The authorization should come from the approving official, who should also review the FA’s reconciliations before authorizing payment.
7. The security of the AA’s card is compromised by her writing her account number in the director’s planner and keeping the card in her purse. The card should be kept in a locked location when not in use.
8. Since the agency has individually assigned cards, only the person to whom the card has been assigned should be using the card. So the director shouldn’t be making purchases using the AA’s card number. Also, the director usually doesn’t keep the receipts for his purchases. All receipts should be kept.
9. The FA should not be authorizing payment on the AA’s card based solely on her word. An independent person, like an approving official, should be reviewing the AA’s reconciliations and be the one to authorize payment.
10. The agency should update its written policies on purchase cards so that they are specific to the agency.

Slide38

P-Card Case Study Answers (Cont’d)

11. Even though this is a small agency, training should still be provided on the agency and state policies and procedures, and the appropriate use of the purchase card. It should be provided before the cardholders start using the card.
12. There are no signed card user agreements. The agency program administrator should ensure that a card user agreement form has been signed by both the card user and the appropriate approving official before issuing the card.

Slide39

P-Card Best Practice Process Flow

Slide40

P-Card Do’s and Don’ts

Appropriate P-Card Purchases

• Preferred sources
• OGS Contracts
• Maintenance/Repairs of Equipment
• Supplies and Materials
• Equipment
• Printing
• Conference/seminars
• Freight
• Personal Services (non-travel)

Inappropriate P-Card Purchases

• Personal Use
• Travel/entertainment (e.g., airline, car rental, lodging)
• Rent
• Cash Advances
• Gas (Fleet Card should be used)
• Cash refunds
• Formal contracts (payments may not be used for formal contracts or purchase orders approved by OSC, except OGS contracts)

Slide41

Questions and Answers

• How do you measure the success of an internal control program?
• Would a fraud hotline do more harm than good?

Slide42

References

• Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study, 2016, Austin, TX: Association of Certified Fraud Examiners
• McMillan, Edward J., Policies and Procedures to Prevent Fraud and Embezzlement: Guidance, Internal Controls, and Investigation, New Jersey, Wiley, 2006
• Bragg, Steven M., Accounting Best Practices (6th Edition), New Jersey, Wiley, 2010
• Bragg, Steven M., Accounting Control Best Practices (2nd Edition), New Jersey, Wiley, 2009
• The Practice of Internal Controls - Local Government Management Guide, Office of the State Comptroller, Division of Local Government and School Accountability, New York, 2010
• Internal Control - Integrated Framework (Draft), 2011, Committee of Sponsoring Organizations of the Treadway Commission
• Schwartz, Larson, and Kranacher, Helping to Prevent University Fraud, 2008, Deloitte