Slide 1: Good Internal Controls … and why they fail
CUNY Finance Officers’ Forum
Office of Internal Audit and Management Services
June 25, 2013; Updated November 2017
Slide 2: Agenda
• Internal Control Framework
• Winning the Battle Against Fraud
• Internal Control Case Study
• Questions and Answers
Slide 3: What Are Internal Controls?
“A process, effected by an entity’s board of trustees/directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.”
Committee of Sponsoring Organizations of the Treadway Commission
Slide 4: The COSO Organizations
Slide 5: What Are Internal Controls?
• A process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
• Effected by people. It is not merely about policy manuals, systems, and forms, but about people at every level of an organization that impact internal control.
• Able to provide reasonable assurance, not absolute assurance, to an entity’s senior management and board.
• Geared to the achievement of objectives in one or more separate but overlapping categories.
• Adaptable to the entity’s structure.
Slide 6: Internal Control Objectives
• Operations Objectives—These pertain to effectiveness and efficiency of the entity’s operations, including operations and financial performance goals and safeguarding assets against loss.
• Reporting Objectives—These pertain to the reliability of reporting. They include internal and external financial and non-financial reporting.
• Compliance Objectives—These pertain to adherence to laws and regulations to which the entity is subject (e.g., NCAA, Clery Act, R2T4, FLSA, ADA, etc.).
Slide 7: COSO Components of Internal Controls
A sound system of internal controls comprises the following five components:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities
Slide 8: COSO Components of Internal Controls
• Control Environment
  - Tone at the top
  - Commitment to integrity and ethics
• Risk Assessment
  - Organization’s objectives are clear enough to enable risk identification
  - Risk is assessed enterprise-wide and analyzed so that risk management plans can be developed
  - Fraud potential is examined as a contributor to risk
• Control Activities
  - Consist of actions based on policies and procedures that help ensure that management’s risk mitigation directives are carried out
  - Activities are performed at all levels of the entity and within all business processes
  - General control activities are placed over technology to support goal attainment
Slide 9: COSO Components of Internal Controls
• Information and Communication
  - Internal and external communication provides management with the information needed to meet objectives
  - Relevant, quality information supports the functioning of the other internal control components
• Monitoring Activities
  - Continuous and periodic evaluations are conducted to ensure that internal controls are in place and are functioning as intended
  - Control deficiencies are communicated in a timely manner to those responsible for taking corrective action
Slide 10: Management’s Responsibility for Internal Controls
Management and Administrators are directly responsible for:
• Implementing and monitoring internal controls
• Documenting policies and procedures to be followed in performance of duties
• Periodically assessing risk of errors and irregularities
• Regularly testing controls, reporting results, and taking corrective action
Slide 11: Control Activities Framework
Segregation of Duties—no single individual should have control over two or more phases of a transaction or operation (authorization of transactions, custody of assets, recording, processing, reconciliation). Management should ensure a crosscheck of duties. In smaller units, such as an office with only a Department Chairman and an Office Assistant, where segregation of duties is more challenging, a necessary compensating control is increased supervisory oversight.
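The segregation-of-duties rule on this slide, and the two-person fallback it names, can be checked mechanically over a list of who performs which phase of which transaction. The Python below is an added example and is not from the CUNY presentation; its input data is a constructed encoding of the P-Card case study later in the deck (a hypothetical reading of who holds custody, records, reconciles and authorizes) plus a constructed two-person office, and it goes beyond the slide by also proposing where each conflicting phase could be moved.

```python
from collections import defaultdict

# The five transaction phases named on the slide.
PHASES = ("authorization", "custody", "recording", "processing", "reconciliation")


def sod_conflicts(assignments):
    """Return {(person, transaction): [phases]} for everyone who holds two
    or more phases of the same transaction type.

    assignments: iterable of (person, transaction, phase) tuples.
    """
    held = defaultdict(set)
    for person, txn, phase in assignments:
        if phase not in PHASES:
            raise ValueError(f"unknown phase: {phase!r}")
        held[(person, txn)].add(phase)
    return {k: sorted(v) for k, v in held.items() if len(v) >= 2}


def remediation(assignments, staff):
    """For each conflict, list staff not yet involved in that transaction
    who could take over a phase. If nobody is uninvolved (the two-person
    office on the slide), fall back to the compensating control named
    there: increased supervisory oversight."""
    involved = defaultdict(set)
    for person, txn, _ in assignments:
        involved[txn].add(person)
    plan = {}
    for (person, txn), phases in sod_conflicts(assignments).items():
        free = sorted(set(staff) - involved[txn])
        if free:
            plan[(person, txn)] = ("reassign", free)
        else:
            plan[(person, txn)] = ("compensate", "increased supervisory oversight")
    return plan


# Constructed from the P-Card case study later in the deck (a hypothetical
# encoding of who does what, not a statement by the presenters).
CASE_STUDY_STAFF = ["ED", "DD", "FA", "AA"]
CASE_STUDY = [
    ("FA", "pcard-FA", "custody"),         # holds his own card
    ("FA", "pcard-FA", "reconciliation"),  # verifies receipt, signs invoice
    ("FA", "pcard-FA", "authorization"),   # authorizes payment on own card
    ("FA", "pcard-AA", "authorization"),   # authorizes payment on AA's card
    ("AA", "pcard-AA", "custody"),         # holds her own card
    ("AA", "pcard-AA", "recording"),       # applies expenditure coding
    ("AA", "pcard-AA", "reconciliation"),  # reconciles receipts to statement
]

# Constructed two-person office modelled on the slide's own example.
SMALL_OFFICE_STAFF = ["Chair", "Assistant"]
SMALL_OFFICE = [
    ("Chair", "petty-cash", "authorization"),
    ("Assistant", "petty-cash", "custody"),
    ("Assistant", "petty-cash", "recording"),
]

if __name__ == "__main__":
    for name, data, staff in (("case study", CASE_STUDY, CASE_STUDY_STAFF),
                              ("small office", SMALL_OFFICE, SMALL_OFFICE_STAFF)):
        print(name)
        for key, action in remediation(data, staff).items():
            print("  ", key, sod_conflicts(data)[key], "->", action)
```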
Slide 12: Control Activities Framework
• Proper Authorization for transactions—by a person delegated approval authority
• Review and Reconciliation of records—by someone other than the preparer, to determine that transactions have been properly processed
• Ensuring that college and university property is physically secured and accounted for
Slide 13: Control Activities Framework
• Providing employees with appropriate training and guidance to ensure that they have the knowledge to do their jobs, have appropriate supervision, and know of the channels for reporting suspected improprieties
• Ensuring that University and departmental level policies and operating procedures are documented and communicated to employees
Slide 14: Examples of Control Activities
Check Tampering Controls
• Order check stock on controlled check paper stock with security features pre-printed.
• Keep check stock in locked cabinets. If cabinets have combination locks, the code should be restricted to a few individuals and changed when employees leave the department.
• Use positive pay or reverse positive pay—the bank only clears checks shown on the list received from the college. With reverse positive pay, the bank sends a list of the checks presented and gets permission to clear them.
Slide 15: Examples of Control Activities
Billing Fraud Controls
• Have written policies and procedures for Purchasing and Accounts Payable. Include P-card purchases.
• Restrict access to the vendor database. No temporary employees should have access.
• Make payments from original invoices, not statements or emails.
• Cancel paid invoices by stamp or defacement.
• Use A-Routing only for emergencies, if at all.
• Use IRS and state TIN matching services.
Slide 16: Examples of Control Activities
General IT Controls
• Establishment of procedures for creating, modifying, and deleting user accounts
• Providing all users with a unique user name, and in a timely manner
• Using an authentication system to log on to the network and specific applications
• Granting user access only to the areas of the applications (including within financial software) and the network needed to perform their job duties
Slide 17: Why Internal Controls Fail
• Poor tone at the top
  - Upper management pays lip service to the importance of integrity and ethics, or doesn’t adhere to rules others are expected to adhere to
  - Employees begin to sense that integrity and ethics don’t matter or pay off
• Cost or effort exceeds benefit
  - Excessive or expensive controls are difficult to sustain
  - Inefficiencies in processing will lead to workarounds and control gaps
• Inherent limitations of internal control systems
  - These are largely unavoidable, but certain factors make them more likely to develop
  - Collusion (two or more employees working in concert)
    · Exacerbated by low employee morale
    · Failure to take action against other wrongdoers
    · Lack of clearly stated policies and procedures
Slide 18: Why Internal Controls Fail
Inherent Limitations cont’d
• Mistakes of judgment
  - Lack of employee training
  - Lack of clearly stated policies and procedures
  - Inadequate supervision
• Carelessness
  - Lack of employee training
  - Inadequate review and supervision
  - Presence of unnecessary workplace distractions
• Management Override
  - Poor system of accountability in the organization
  - High performance expectations
  - Absence of background checks for key positions
  - Inadequate controls in IT systems
Slide 19: Warning Signs of Internal Control Weakness
• Internal control system focuses more on detective controls for errors and irregularities than on preventive controls
• Increased expenditures / decreased revenues
• General ledger account anomalies such as high tuition refunds
• Increase in duplicate vendor payments
• Invoices submitted for payment lack sufficient detail
• Rise in number of internal/external audits and in audit findings
• Increase in sanctions, penalties, and fines assessed by regulatory bodies
• Increase in complaints alleging fraud, waste, or abuse
• Increase in attempts to penetrate systems security
• High turnover in key positions
• Low employee morale
Slide 20: Internal Controls at CUNY
• Internal Control Self-Assessment
• NYC Comptroller Directive #1 for CCs and HCS
• Internal Audits
• Risk Management and Internal Controls Committee
• Employee Assistance Program
• Chief Compliance Officer Appointed
• Office of Environmental Health, Safety, and Risk Management
• Various Councils (e.g., Administrative, Business Managers, Bursars, Revenue Management, R2T4 Coordinators, Financial Aid Directors, IT Steering Committee)
• Web Resources (e.g., Manual of General Policy, IT Security Policy, Tuition and Fee Manual, Board Minutes, Cash Management and Banking Guidelines, etc.)
Slide 21: Internal Control Self-Assessment
Areas Covered Previously
• Accounting Office (Non-Tax Levy)
• Accounts Payable
• Adult and Continuing Education
• Bursar
• Financial Aid
• Human Resources
• Institutional Advancement
• Office of Information Technology
• Payroll
• Property Management
• Public Safety
• Purchasing/Procurement
• P-Card
• Receiving
New Areas
• Chief Academic Officer/Provost
• Registrar
• Child Care
Slide 22: FRAUD
Slide 23: Fraud Defined
“The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.”
Association of Certified Fraud Examiners
Slide 24: The Cost of Fraud
According to the Association of Certified Fraud Examiners:
• The average organization loses 5% of its annual revenues to fraud, or $3.7 trillion of 2014 Gross World Product.
• The median loss from fraud was $150,000 in the period of January 2014 through October 2015.
• Asset misappropriation was the most common fraud scheme, occurring in 83% of cases, but the median loss was only $125,000.
• Financial statement fraud, although less common, occurring in 10% of cases, caused a median loss of $975,000.
• Billing schemes and check tampering schemes posed the greatest risk based on relative frequency and median loss.
• The perpetrator’s level of authority is strongly correlated with the size of the fraud. The median loss in schemes by executives was $703,000, four times higher than losses caused by managers ($173,000), and 11 times higher than losses caused by employees ($65,000).
Slide 25: Fraud in Government Organizations
Corruption 38.4%
Billing 25.3%
Non-cash 19.1%
Expense Reimbursements 15.7%
Skimming 14.0%
Payroll 13.5%
Cash on Hand 10.5%
Check Tampering 9.2%
Cash Larceny 7.9%
Financial Statement Fraud 7.9%
Register Disbursements 1.7%
Source: Association of Certified Fraud Examiners, 2016 Report to Nations
Slide 26: Fraud in Educational Organizations
Billing 34.1%
Corruption 31.8%
Skimming 25.0%
Cash on Hand 17.4%
Non-Cash 17.4%
Expense Reimbursements 15.9%
Cash Larceny 13.6%
Payroll 7.6%
Check Tampering 7.6%
Register Disbursements 1.5%
Financial Statement Fraud 5.3%
Source: Association of Certified Fraud Examiners, 2016 Report to Nations
Slide 27: Initial Detection of Fraud
Tip 43.3%
Management Review 14.6%
Internal Audit 14.4%
By Accident 7.0%
Account Reconciliation 4.8%
Document Examination 4.1%
External Audit 3.3%
Notified by Police 3.0%
Surveillance/Monitoring 1.9%
Confession 1.5%
IT Controls 1.1%
Source: Association of Certified Fraud Examiners, 2016 Report to Nations
Slide 28: Percentage of Victim Organizations that had the Below Anti-fraud Controls in Place
External Financial Stmt Audit 81.7%
Code of Conduct 81.1%
Internal Audit Department 73.7%
Management Certification of Fin Stmts 71.9%
External audit of ICOFR* 67.6%
Management Review 64.7%
Independent Audit Committee 62.5%
Hotline 60.1%
Employee Support Programs 56.1%
Fraud Training for Employees 51.6%
Fraud Training for Mgrs/Execs 51.3%
Anti-Fraud Policy 49.6%
Dedicated Fraud Dept, Function, or Team 41.2%
Formal Fraud Risk Assessments 39.3%
Surprise Audits 37.8%
Proactive Data Monitoring/Analysis 36.7%
Job Rotation/Mandatory Vacations 19.4%
Rewards for Whistleblowers 12.1%
* Internal Control Over Financial Reporting
Source: Association of Certified Fraud Examiners, 2016 Report to Nations
Slide 29: Fraud Triangle*
• Pressure/Incentive
• Opportunity
• Rationalization
*Some theorists are now suggesting a fraud diamond rather than a triangle, adding a fourth factor, “Capability,” which they believe is a necessary, separate element.
Slide 30: Why Universities are Susceptible to Fraud
Slide 31: CUNY’s Response to Fraud
• Fraud allegations reported to OGC, Internal Audit, or University Public Safety are routinely referred by OGC to the State Inspector General.
• CUNY has a zero-tolerance policy for handling perpetrators
• Internal/Surprise audits
• CUNY has updated many of its policies and procedures
• CUNY is considering the establishment of a fraud hotline/helpline
Slide 32: Fraud Schemes Seen at CUNY
• Secret bank account opened for diverting of tuition and fee revenue
• P-Card used to purchase goods for personal benefit, including sale on eBay
• Student housing fees misappropriated by student services accountant
• Invoices altered by A/P manager so payment would be made to a bank account in another locality
• New York check-fraud ring cashing fraudulent CUNY checks at check-cashing establishments
• Facilities rental/licensing fees misappropriated in billing fraud/skimming scheme
• Faculty charging students directly for unauthorized courses and unauthorized certifications
Slide 33: P-Card Case Study Exercise
Slide 34: Internal Control Basics Purchase Card Case Study
Assignment:
Given the objective, risk, and control activities, identify at least 5 violations of internal control in the example case study below. A small state agency has four employees: an executive director, a deputy director, a fiscal analyst (FA), and an administrative assistant (AA). All employees have been with the agency since it was formed about two years ago. The agency has been using purchase cards for about a year. The FA and AA each have a purchase card that they ordered themselves. They also each set their own spending limits on their cards. They each order goods and services. They are careful to follow the state purchasing rules, and use state contracts whenever possible. The FA and AA each verify that their own goods and services were received, and sign the packing slip or invoice. The FA authorizes payment on both purchase cards. The executive director does not have a purchase card in his name. However, the AA has written the account number for her purchase card in his planner so that he can occasionally order goods and services. He usually does not keep the credit card receipts for his purchases, but he does tell the AA what he purchased and instructs her on what expenditure coding to use. The AA then forwards the bill to the FA for payment.
Slide 35: P-Card Case Study—Cont’d
The AA purchases most of the goods and services for the agency with her purchase card. She always keeps her purchase card with her in her purse. She also keeps receipts for all purchases that she has made in a folder in her desk drawer, verifies that the goods and services were received, and reconciles all receipts to her purchase card statement before sending to the FA for payment.
The FA has known the AA since high school. Since he has known her for so long, he trusts her and takes her word that she has reconciled all receipts to her statement. He always authorizes and makes payment on her purchase card based on her word, especially since he knows that she keeps all documentation. The FA also purchases goods and services with his purchase card. Most of the charges on his card are for recurring payments, like the lease of office space, agency phone bills, etc. Since these are all agency charges, he authorizes and makes payment on his purchase card. The agency has written policies on purchase cards, but they aren’t specific to the agency yet. They were obtained from a friend at another agency, and the AA is eventually going to make some modifications so that they are specific to the agency. Training is not formally provided since only two people in the agency are primarily using purchase cards. They tell each other when problems are encountered with the cards, so they feel that they are informed enough to be able to use them.
Slide 36: Answers:
1. The FA and AA should not order their own cards. That is the agency program administrator’s role, to order cards, receive them, and then deliver them to card holders.
2. The FA and AA should not be setting their own spending limits on their cards. That should be the approving official’s role.
3. There isn’t an agency program administrator. It seems that would be an appropriate role for either the director or deputy director. (The same position should not act as both the agency program administrator and the approving official.)
4. There isn’t an approving official. It seems that would be an appropriate role for either the director or deputy director. (The same position should not act as both the agency program administrator and the approving official.)
5. An approving official should be verifying that the FA and AA did in fact receive the goods and services they ordered, that they have completed timely reconciliations of their card statements, and that they have kept appropriate documentation. This should be done on a routine basis.
Slide 37: P-Card Case Study Answers—Cont’d
6. The FA should not be authorizing payment on his own card. The authorization should come from the approving official, who should also review the FA’s reconciliations before authorizing payment.
7. The security of the AA’s card is compromised by her writing her account number in the director’s planner and keeping the card in her purse. The card should be kept in a locked location when not in use.
8. Since the agency has individually assigned cards, only the person to whom the card has been assigned should be using the card. So the director shouldn’t be making purchases using the AA’s card number. Also, the director usually doesn’t keep the receipts for his purchases. All receipts should be kept.
9. The FA should not be authorizing payment on the AA’s card based solely on her word. An independent person, like an approving official, should be reviewing the AA’s reconciliations and be the one to authorize payment.
10. The agency should update its written policies on purchase cards so that they are specific to the agency.
Slide 38: P-Card Case Study Answers—Cont’d
11. Even though this is a small agency, training should still be provided on the agency and state policies and procedures, and the appropriate use of the purchase card. It should be provided before the cardholders start using the card.
12. There are no signed card user agreements. The agency program administrator should ensure that a card user agreement form has been signed by both the card user and the appropriate approving official before issuing the card.
Slide 39: P-Card Best Practice Process Flow
Slide 40: P-Card Do’s and Don’ts
Appropriate P-Card Purchases
• Preferred sources
• OGS Contracts
• Maintenance/Repairs of Equipment
• Supplies and Materials
• Equipment
• Printing
• Conference/seminars
• Freight
• Personal Services (non-travel)
Inappropriate P-Card Purchases
• Personal Use
• Travel/entertainment (e.g., airline, car rental, lodging)
• Rent
• Cash Advances
• Gas (Fleet Card should be used)
• Cash refunds
• Formal contracts (payments may not be used for formal contracts or purchase orders approved by OSC, except OGS contracts)
Slide 41: Questions and Answers
• How do you measure the success of an internal control program?
• Would a fraud hotline do more harm than good?
Slide 42: References
Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study, Austin, TX, 2016
McMillan, Edward J., Policies and Procedures to Prevent Fraud and Embezzlement—Guidance, Internal Controls, and Investigation, New Jersey, Wiley, 2006
Bragg, Steven M., Accounting Best Practices (6th Edition), New Jersey, Wiley, 2010
Bragg, Steven M., Accounting Control Best Practices (2nd Edition), New Jersey, Wiley, 2009
Office of the State Comptroller, Division of Local Government and School Accountability, The Practice of Internal Controls—Local Government Management Guide, New York, 2010
Committee of Sponsoring Organizations of the Treadway Commission, Internal Control—Integrated Framework (Draft), 2011
Schwartz, Larson, and Kranacher, Helping to Prevent University Fraud, Deloitte, 2008