Internal Controls: LCEC’s Case Study & an External Auditor’s Perspective
Presented by: Peggy Boldissar & Heidi Lee August, 2014 NSAC Tax & Accounting Conference
Presenters
Peggy Boldissar, Manager of Financial Accounting, LCEC (Lee County Electric Cooperative) Ph. (239) 656‐2117 Fax (239) 656‐2256 [email protected]
Heidi Lee, CPA Ph. (334) 240‐3669 Fax (334) 956‐5069 [email protected]
Today’s Agenda • LCEC: a case study in evaluating internal controls (Peggy Boldissar) • Internal Controls: an audit perspective (Heidi Lee)
About LCEC • Electric Transmission & Distribution Cooperative • 5‐County area in Southwest Florida • Serve approx. 200,000 customers • In business since 1940 • # of Full‐time Employees (Equivalents) approx. 400 • 230 miles of Transmission, 6,120 miles of Overhead Distribution, 1,769 miles of Underground Distribution • https://www.lcec.net/
Guidelines for Best Practices
• COSO (Committee of Sponsoring Organizations of the Treadway Commission) • SOX 404 (Section 404 of the 2002 Sarbanes‐Oxley Act) • Electric Utility Industry practices
Internal Control Defined “Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: 1) Effectiveness and efficiency of operations. 2) Reliability of reporting. 3) Compliance with applicable laws and regulations.” From: http://www.coso.org/documents/coso_framework_body_v6.pdf
General triggers for assessment • Processes that are suspected of containing significant deficiencies or material weaknesses • Processes about which little information is available • Recent merger & acquisition activity • Implementation of new computer systems • Changes in staffing, policies, or procedures • Reported audit findings (internal or external)
LCEC‐specific triggers for assessment • New budgeting and new accounting system implementations within 2‐year time frame • Substantial change in many business processes as a result of new systems • Change in some accounting staff members (some long‐time employees left Finance Department)
LCEC Functional Areas Evaluated • Financial Reporting • Accounts Payable • Cash Management and Treasury • Budgeting • Purchasing • Inventory • Billing and Collections • Plant Accounting
* Payroll not evaluated (is an HR function @ LCEC)
LCEC Project Plan • Departmental Project initiated titled “Financial Accounting Departmental Analysis, Assessment, and Recommendation of Internal Controls” • Followed LCEC’s PMO (Project Management Office) project methodology • Project Plan developed to address project: – Business Case – Scope – Objectives/Deliverables – Measures of success – Project team (Accounting/Finance staff, IT PMO staff) – Project schedule (4 months) – Budget – Project risk plan – Project communications plan • Sought out Student Intern from FGCU to assist
LCEC Project Research Main documentation used: • “Accounting Best Practices” by Steven Bragg (textbook) • Sample Internal Control Questionnaires from different sources • Internal Control Checklists • Internal Control Best Practice Documentation • LCEC Policies and Procedures for Functional Areas • LCEC Internal Control Documentation • LCEC Financial Statement Audit Reports
LCEC Project Steps Used documentation to: • Evaluate internal controls for each functional area – Staff completed questionnaires, follow‐up meetings held • Identify important controls necessary for LCEC • Ensure best practice controls were in place for each functional area, identify gaps and recommend new controls based upon risk assessments • Prepare cost‐benefit analysis of implementation if new control was to be recommended • Analyze and document the risks of not implementing a control that was considered best practice
5 Best Practices Evaluated for Effectiveness of each Control • Authorization • Documentation • Reconciliation • Security • Separation of Duties
Risk Assessment Performed Five Steps Followed:
• Identify • Decide • Evaluate • Record • Review
• High Risk • Medium Risk • Low Risk
Generalized Findings Gaps Identified by Category Total Gaps = 56
[Figure: bar chart, Number of Gaps Identified by Category]
Case Study Conclusions • High risk items – recommended controls were implemented a.s.a.p. • Medium/Low risk items – low‐hanging opportunities addressed and implemented • Remaining Medium/Low risk items – under further analysis or tabled, mitigating controls considered • Monitoring processes implemented for continuous improvement of existing controls • Risk categorization was subjective, and could vary depending upon perspectives
Reducing Fraud Risk in an Increasingly Paperless Environment Heidi Lee, CPA | Jackson Thornton
Disclaimer The information contained herein is general in nature and based on authorities that are subject to change. Jackson Thornton guarantees neither the accuracy nor completeness of any information and is not responsible for any errors or omissions, or for results obtained by others as a result of reliance upon such information. Jackson Thornton assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect information contained herein. This publication does not, and is not intended to, provide legal, tax or accounting advice, and readers should consult their tax advisors concerning the application of tax laws to their particular situations. Circular 230 Disclosure This analysis is not tax advice and is not intended or written to be used, and cannot be used, for purposes of avoiding tax penalties that may be imposed on any taxpayer.
Considering Fraud Risk Areas • Can you really teach me to steal? • Who is responsible? • Where did all the paper go? • The good old day • Risk areas • No worries, we’re bonded. • How do we reduce risk?
Can you really teach me to steal?
Well … only if you promise not to.
Board Responsibilities • Five groups – To customers – To lenders – To management – To employees – To owners or stakeholders
Board Responsibilities • Appropriate policies • Hiring top management • Good service • Appropriate rates – Adequate to meet debt covenants – Adequate to appropriately staff system – Reasonable to customer
• Fiscal responsibility • System for reporting known or suspected fraud
Management Responsibilities • Implementation of policies established by the Board • Appropriate work environment for employees • Appropriate internal control to provide asset safeguards • Adequate quantity of staff • Appropriate qualifications of staff
• Appropriate software • To maintain required accounting records • To safeguard client information
• Financial reporting • Financial statements • Budgets • Rate recommendations
Appropriate Internal Controls Designing internal control • Controls that prevent fraud • Controls that deter fraud • Controls that detect fraud
Appropriate Software • Financial reporting • Customer information • Security • Physical access
The Good Old Day • Internal control designed • Assets are protected • Reputation is protected • How long does a well‐designed internal control last?
Where did all the paper go? • Checks • Deposit slips • Payroll checks • Inventory receiving reports • Spreads ‐ overhead and transportation costs
Controlling physical access was key
Fraud Categories • Asset misappropriations • Corruption • Fraudulent statements
Asset Misappropriation • Theft or misuse of an organization’s assets • Skimming revenues • Stealing inventory • Payroll fraud
Corruption • Misuse of influence • To procure some benefit • For themselves or another person, contrary to their duty • Accepting kickbacks • Engaging in conflicts of interest
Fraudulent Statements • Falsification of an organization’s financial statements • Overstating revenues • Understating liabilities or expenses
Revenue, Billing and Accounts Receivable • Billing adjustments • Billing adjustments and cash receipts • Access to customer information • Storage of customer banking and credit card information
Cash Receipts • Mail payments • Over‐the‐counter payments • Cash and checks • Access to mail payments
• Electronic drafts • Credit cards
Risk Areas Cash Management • Bank deposits • Currency versus checks
• Wire transfers between internal accounts • Wire transfers to vendors • Reconciling bank accounts • Reviewed • To the penny • Timely
Risk Areas Cash Disbursements & Accounts Payable • Establishment of vendor • Access to vendor details • Establishment of accounts payable • Approval of accounts payable for payment • Preparation, signing, and mailing of checks
Risk Areas Payroll • Communication of company policies and expectations • Granting access to the information system • Strict IT policies that are enforced • Access to employee information
No Worries – We’re Bonded
• When does bonding pay? • When you prosecute! – Will your controls prove that you tried to prevent theft? – Can your records stand the scrutiny? – How will it look on the front page of the paper? – What is my company’s reputation worth?
How do we reduce risk?
Tone at the Top • Goes beyond the code of ethics • Creates positive work environment • Increases deterrence effectiveness
How do we reduce risk? Brainstorm • Conduct session at least annually • Think like a perpetrator • Address vulnerable areas
Which assets are most susceptible to misappropriation? The answer will vary slightly from organization to organization, but the most common ones are: – Cash – Inventory – Assets easily converted into cash – Equipment that is readily marketable
How do we reduce risk?
Effective Monitoring • Internal Audit – employees or contract • Have an outsider review your controls • Anonymous Tip Hotline
How do we reduce risk?
Regulations & Laws • Competitive Bids • Lobbying & Gifts • Private Use of Public Assets
Elements for an effective program • Tone at the top: Create an expectation in the workplace • Brainstorm: Think like a thief • Policy: Give employees an opportunity to report • Monitor: Don’t just establish controls – test controls – Internal audit – External audit – Special engagements – Compliance with the law
Ask us more about internal controls: Peggy Boldissar Manager of Financial Accounting | LCEC 239.656.2117 [email protected]
Heidi H. Lee, CPA Principal | Jackson Thornton 334.240.3669 [email protected]