Internal Controls for a Small Utility
Presented by: Chris Lindner, CPA, CGFM
Audit Manager BKD CPA’s & Advisors
Why are controls so important?
Public sector managers and employees are accountable for the resources entrusted to them and for ensuring programs and services are administered effectively and efficiently
A significant component in fulfilling this responsibility is ensuring that an adequate system of internal control has been developed and is operating effectively
Cost of Fraud & Abuse
$2.9 trillion worldwide
5% of revenues
Almost half recover nothing after fraud is discovered
©2012 by the Association of Certified Fraud Examiners, Inc.
Most Common Gov’t Cases
Purchasing schemes
Vendor corruption
Misuse of P-cards and credit cards
Skimming
Theft of fuel & other commodity-type assets
Damages to Victims Go Beyond Dollars & Cents
Reputation
Loss of public confidence
Damage to relationships
Sagging staff morale
Distraction from the mission
COSO Framework
The Five Framework Components
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
COSO Framework
Control environment
“Tone at the top”
Foundation for all other framework components
Integrity, ethical values, and competence of employees
Management’s philosophy and operating style
COSO Framework
Risk assessment
Identify events/risks – both internal and external
Analyze and prioritize risks
Decide how to respond to risks
Risk Assessment – Identifying risks
What information is critical to our operations?
Which areas are the most susceptible to fraud?
Which areas are inherently risky?
What kind of things do our auditors look for?
Risk Assessment – Analyze and prioritize risks
How important is the risk?
What is the likelihood that this risk will occur?
What is the impact on the entity if this risk does occur (monetary and non-monetary)?
Risk Assessment – Analyze and prioritize risks
Likelihood – the possibility that a given event may occur
Impact – the result or effect of an event
3 = High = Mitigate or reduce the risk
2 = Medium = Manage the risk
1 = Low = Accept the risk

                    Low Impact   Medium Impact   High Impact
High Likelihood         2              3              3
Medium Likelihood       1              2              3
Low Likelihood          1              1              2
COSO Framework
Control activities
Ensure that necessary actions are taken to address the risks that may hinder the achievement of the entity’s objectives
Include a range of activities such as approvals, authorizations, verifications, reconciliations, security of assets, and segregation of duties
The greater the risk, the greater the control necessary
COSO Framework
Information and communication
Ensure that accurate and relevant information is identified, captured, and communicated in a timely manner
Effective information and communication systems enable individuals within the entity to exchange the information needed to conduct, manage, and control its operations
COSO Framework
Monitoring
Internal control systems must be monitored to assess their effectiveness – are they operating as intended?
Accomplished through:
– Ongoing monitoring activities
– Separate evaluations
Internal Controls
Internal Controls
Used every day
Lock up your valuable belongings
Maintain copies of important documents
Review bills/credit card statements
Balance your checkbook
Schedule appointments
Internal Controls
Divided into 2 primary groups
1. Preventive
2. Detective
Preventive vs. detective
1. Authorizations
2. Segregation of duties
3. Security of assets and records
4. Periodic reconciliations
5. Periodic verifications
6. Analytical review
Internal Controls
Preventive vs. detective
1. Authorizations - preventive
2. Segregation of duties - preventive
3. Security of assets and records - preventive
4. Periodic reconciliations - detective
5. Periodic verifications - detective
6. Analytical review - detective
Internal Controls
Primary control areas for governmental entities
Information technology (IT)
Cash inflows (receivables, revenues)
Cash outflows (payables, expenses)
Payroll
Inventory
Investing and financing
– Capital assets
– Investments
– Debt
Internal Controls - IT
Security of physical components (servers, hardware, etc.)
Documentation of IT system and processes
Periodic backups of data
User access restrictions
Usernames and passwords (ever changed?)
Review of user logs
Segregation of duties is still important!!
Internal Controls – Cash inflows
Who actually receives the payment?
Who prepares the listing of cash receipts and/or the bank deposit?
For both, we recommend this individual be independent of accounting/financial reporting
Reconciliation of bank deposit slip to bank statement and general ledger
Regular review of customer aging
Internal Controls – Cash outflows
Review and approval of vendor invoices
Check processing – system vs. manual
Review and approval of check registers – Sequential numbering
Bank reconciliations and reviews
Check signing abilities are not a control on their own
Internal Controls – Payroll
Employee personnel and payroll data should be input and updated by someone independent of the accounting function (Personnel/HR Dept.)
Payroll registers should be reviewed by another individual independent of the accounting function
Reconciliation from payroll records to bank statements
Internal Controls – Inventory
Physical security of items
Periodic counts and reconciliations
Review of unit prices
Segregation of duties is still important
Internal Controls – Capital assets
Physical security of assets
Periodic counts and reconciliations
Review of disbursements by accounting department/finance
Depreciation recalculations and analytical review
Internal Controls – Investments
Service Provider (i.e. Trustee)
Review of investment statements
Reconciliation of investment statements to general ledger
Test/challenge fair values
Monitoring of service provider – SAS 70 review report
Internal Controls – Investments
No Service Provider
Authorization of investment activity
Review of investment statements
Reconciliation of investment statements to general ledger
Test/challenge fair values
Internal Controls – Debt
Authorization of debt activity
Reconciliation between debt records/statements to general ledger
Maintenance of debt covenant listing
Internal Controls – Limitations
The human factor
Management override
Collusion between 2 or more people
Cost vs. benefit
Questions?
Thank You!
Chris Lindner, CPA, CGFM
BKD CPA’s & Advisors
1248 ‘O’ Street, Suite 1040
Lincoln, Nebraska 68508
(402) 473-7600
(402) 473-7634 - Direct