7/17/2014

Internal Controls:  LCEC’s Case Study &  an External Auditor’ss Perspective an External Auditor Perspective

Presented by: Peggy Boldissar & Heidi Lee August, 2014 NSAC Tax & Accounting Conference

Presenters Peggy Boldissar, 

Heidi Lee, CPA

Manager of Financial  Accounting

Jackson Thornton

Principal

LCEC LCEC  (Lee County Electric  Cooperative) Ph. (239) 656‐2117 Fax (239) 656‐2256 [email protected]

Ph. (334) 240‐3669 Fax (334) 956‐5069 [email protected]

Today’s Agenda • LCEC: a case study in evaluating internal  controls (Peggy Boldissar) • Internal Controls: an audit perspective  (Heidi Lee)

1

7/17/2014

About LCEC  Electric Transmission & Distribution Cooperative  5‐County area in Southwest Florida  Serve approx. 200,000 customers  In business since 1940 In business since 1940  # of Full‐time Employees (Equivalents) approx. 400  230 miles of Transmission, 6,120 miles of Overhead  Distribution, 1,769 miles of Underground  Distribution  https://www.lcec.net/

Guidelines for Best Practices   

COSO (Committee of Sponsoring Organizations of  the Treadway Commission)  SOX 404 (Section 404 of the 2002 Sarbanes‐Oxley  Act)) Electric Utility Industry practices

From  COSO

2

7/17/2014

Internal Control Defined “Internal control is a process, effected by an entity’s  board of directors, management, and other  personnel, designed to provide reasonable assurance  regarding the achievement of objectives in the  following categories: 1) Effectiveness and efficiency of operations. 2) Reliability of reporting. 3) Compliance with applicable laws and  regulations.” From:  http://www.coso.org/documents/coso_framework_body_v 6.pdf

General triggers for assessment • Processes that are suspected of containing  significant deficiencies or material weaknesses • Processes about which little information is  available • Recent merger & acquisition activity • Implementation of new computer systems • Changes in staffing, policies, or procedures • Reported audit findings (internal or external)

LCEC‐specific triggers for assessment • New budgeting and new accounting system  implementations within 2‐year time frame • Substantial change in many business  processes as a result of new systems processes as a result of new systems • Change in some accounting staff members  (some long‐time employees left Finance  Department)

3

7/17/2014

LCEC Functional Areas Evaluated • • • • • • • •

Financial Reporting Accounts Payable Cash Management and Treasury Budgeting Purchasing Inventory Billing and Collections Plant Accounting

* Payroll not evaluated (is an HR function @ LCEC)

LCEC Project Plan  Departmental Project initiated titled “Financial Accounting  Departmental Analysis, Assessment, and Recommendation of  Internal Controls”  Followed LCEC’s PMO (Project Management Office) project  methodology  Project Plan developed to address project:  Business Case Business Case  Scope   Objectives/Deliverables  Measures of success  Project team (Accounting/Finance staff, IT PMO staff)  Project schedule (4 months) Sought out   Budget Student Intern   Project risk plan from FGCU to  assist  Project communications plan

LCEC Project Research  Main documentation used:  “Accounting Best Practices” by Steven Bragg (textbook)   Sample Internal Control Questionnaires from different  sources  Internal Control Checklists  Internal Control Best Practice Documentation  LCEC Policies and Procedures for Functional Areas  LCEC Internal Control Documentation  LCEC Financial Statement Audit Reports

4

7/17/2014

LCEC Project Steps Used documentation to:  Evaluate internal controls for each functional area  Staff completed questionnaires, follow‐up meetings held

 Identify important controls necessary for LCEC  Ensure best practice controls were in place for each  E b t ti t l i l f h functional area, identify gaps and recommend new  controls based upon risk assessments  Prepare cost‐benefit analysis of implementation if new  control was to be recommended  Analyze and document the risks of not implementing a  control that was considered best practice

5 Best Practices Evaluated for  Effectiveness of each Control Authorization Documentation Reconciliation

Gaps  Identified

Security Separation of Duties

Risk Assessment Performed  Five Steps Followed:

Then Categorized:

• Identify • Decide • Evaluate • Record • Review

• High Risk • Medium Risk • Low Risk

5

7/17/2014

Generalized Findings Gaps Identified by Category Total Gaps = 56 19

4

33

High

Medium

Low

Number of Gaps Identified by Category 20 18 16 14 12 10 8 6 4 2 0

High

Medium

Low

Case Study Conclusions • High risk items – recommended controls were  implemented a.s.a.p. • Medium/Low risk items – low‐hanging  opportunities addressed and implemented • Remaining Medium/Low risk items – Remaining Medium/Low risk items under  under further analysis or tabled, mitigating controls  considered • Monitoring processes implemented for  continuous improvement of existing controls • Risk categorization was subjective, and could vary  depending upon perspectives

6

7/17/2014

Questions

Reducing Fraud Risk in an Increasingly Paperless Environment Heidi Lee, CPA | Jackson Thornton

Disclaimer The information contained herein is general in nature and based on authorities that are subject to change. Jackson Thornton guarantees neither the accuracy nor completeness of any information and is not responsible for any errors or omissions, or for results obtained by others as a result of reliance upon such information. Jackson Thornton assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect information contained herein. This publication does not, and is not intended to, provide legal, tax or accounting advice, and readers should consult their tax advisors concerning the application of tax laws to their particular situations. Circular 230 Disclosure This analysis is not tax advice and is not intended or written to be used, and cannot be used, for purposes of avoiding tax penalties that may be imposed on any taxpayer.

7

7/17/2014

Considering Fraud Risk Areas  Can you really teach me to steal?  Who is responsible?  Where did all the paper go?  The good old day The good old day  Risk areas  No worries, we’re bonded.  How do we reduce risk?

Can you really teach me to steal?

Well only if you promise not to Well … only if you promise not to.

Board Responsibilities • Five groups – To customers – To lenders – To management To management – To employees – To owners or stakeholders

8

7/17/2014

Board Responsibilities • • • •

Appropriate policies Hiring top management Good service Appropriate rates Appropriate rates • Adequate to meet debt covenants • Adequate to appropriately staff system • Reasonable to customer

• Fiscal responsibility • System for reporting known or suspected fraud

Management Responsibilities • Implementation of policies established by the Board • Appropriate work environment for employees • Appropriate internal control to provide asset safeguards • Adequate quantity of staff • Appropriate qualifications of staff

• Appropriate software  • To maintain required accounting records • To safeguard client information

• Financial reporting • Financial statements • Budgets • Rate recommendations

Appropriate Internal Controls Designing internal control • Controls that prevent fraud • Controls that deter fraud • Controls that detect fraud Controls that detect fraud

9

7/17/2014

Appropriate Software • • • •

Financial reporting Customer information Security Physical access y

The Good Old Day • • • •

Internal control designed Assets are protected Reputation is protected How long does a well‐designed internal control last? How long does a well‐designed internal control last?

Where did all the paper go? • • • • •

Checks Deposit slips Payroll checks Inventory receiving reports Inventory receiving reports Spreads ‐ overhead and transportation costs Controlling physical access was key

10

7/17/2014

Fraud Categories • Asset misappropriations • Corruption • Fraudulent statements

Asset Misappropriation • Theft or misuse of an organization’s assets • Skimming revenues • Stealing inventory • Payroll fraud

Corruption • Misuse of  influence  • To procure some benefit  • For themselves or another person, contrary to  their duty • Accepting kickbacks A i ki kb k • Engaging in conflicts of interest

11

7/17/2014

Fraudulent Statements • Falsification of an organization’s financial  statements • Overstating revenues • Understating liabilities or expenses

Risk Areas

Revenue, Billing and Accounts Receivable • • • •

Billing adjustments Billing adjustments and cash receipts Access to customer information Storage of customer banking and credit card  information

Risk Areas

Cash Receipts • Mail payments • Over‐the‐counter payments • Cash and checks • Access to mail payments

• Electronic drafts • Credit cards

12

7/17/2014

Risk Areas Cash Management • Bank deposits • Currency versus checks

• Wire transfers between internal accounts • Wire transfers to vendors • Reconciling bank accounts • Reviewed • To the penny • Timely

Risk Areas Cash Disbursements & Accounts Payable • Establishment of vendor • Access to vendor details • Establishment of accounts payable • Approval of accounts payable for payment • Preparation, signing, and mailing of checks

Risk Areas Payroll • Communication of company policies and  expectations • Granting access to the information system • Strict IT policies that are enforced l h f d • Access to employee information

13

7/17/2014

No Worries – We’re Bonded

• When does bonding pay?  • When you prosecute! – Will your controls prove that you tried to  prevent theft? – Can your records stand the scrutiny? – How will it look on the front page of the  paper? – What is my company’s reputation worth?

How do we reduce risk?

Tone at the Top • Goes beyond the code of ethics p • Creates positive work environment • Increases deterrence effectiveness

How do we reduce risk? Brainstorm • Conduct session at least annually • Think like a perpetrator • Address vulnerable areas

14

7/17/2014

Vulnerable Areas

Which assets are most susceptible to  misappropriation? The answer will vary slightly from  organization to organization, but the most  common ones are: – Cash – Inventory – Assets easily converted into cash – Equipment that is readily marketable

How do we reduce risk?

Effective Monitoring • Internal Audit – employees or contract • Have an outsider review your controls • Anonymous Tip Hotline

How do we reduce risk?

Regulations & Laws • Competitive Bids y g • Lobbying & Gifts • Private Use of Public Assets

15

7/17/2014

Elements for an effective program • Tone at the top: Create an expectation in the  workplace • Brainstorm: Think like a thief • Policy: Give employees an opportunity to report Monitor: Don’tt just establish controls  just establish controls – test  test • Monitor:  Don controls – – – –

Internal audit External audit Special engagements Compliance with the law

Ask us more about internal controls: Peggy Boldissar  Manager of Financial Accounting | LCEC 239.656.2117 [email protected] Heidi H. Lee, CPA Principal  |  Jackson Thornton 334.240.3669  [email protected] jacksonthornton.com 

16