Internal Controls for a Small Utility

Author: Grace Dalton

Presented by: Chris Lindner, CPA, CGFM

Audit Manager, BKD CPA’s & Advisors

Why are controls so important?

• Public sector managers and employees are accountable for the resources entrusted to them and for ensuring programs and services are administered effectively and efficiently.
• A significant component in fulfilling this responsibility is ensuring that an adequate system of internal control has been developed and is operating effectively.

Cost of Fraud & Abuse

• $2.9 trillion worldwide
• 5% of revenues
• Almost half recover nothing after fraud is discovered

©2012 by the Association of Certified Fraud Examiners, Inc.


Most Common Gov’t Cases

• Purchasing schemes
• Vendor corruption
• Misuse of P-cards and credit cards
• Skimming
• Theft of fuel & other commodity-type assets


Damages to Victims Go Beyond Dollars & Cents

• Reputation
• Loss of public confidence
• Damage to relationships
• Sagging staff morale
• Distraction from the mission

COSO Framework

• The Five Framework Components
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring

COSO Framework

• Control environment
  – “Tone at the top”
  – Foundation for all other framework components
  – Integrity, ethical values, and competence of employees
  – Management’s philosophy and operating style

COSO Framework

• Risk assessment
  – Identify events/risks – both internal and external
  – Analyze and prioritize risks
  – Decide how to respond to risks

Risk Assessment – Identifying risks

• What information is critical to our operations?
• Which areas are the most susceptible to fraud?
• Which areas are inherently risky?
• What kind of things do our auditors look for?

Risk Assessment – Analyze and prioritize risks

• How important is the risk?
• What is the likelihood that this risk will occur?
• What is the impact on the entity if this risk does occur (monetary and non-monetary)?

Risk Assessment – Analyze and prioritize risks

• Likelihood – the possibility that a given event may occur
• Impact – the result or effect of an event

Risk ratings:
3 = High = Mitigate or reduce the risk
2 = Medium = Manage the risk
1 = Low = Accept the risk

                     Low Impact   Medium Impact   High Impact
High Likelihood          2             3              3
Medium Likelihood        1             2              3
Low Likelihood           1             1              2

COSO Framework 

• Control activities
  – Ensure that necessary actions are taken to address the risks that may hinder the achievement of the entity’s objectives
  – Include a range of activities such as approvals, authorizations, verifications, reconciliations, security of assets, and segregation of duties
  – The greater the risk, the greater the control necessary

COSO Framework 

• Information and communication
  – Ensure that accurate and relevant information is identified, captured, and communicated in a timely manner
  – Effective information and communication systems enable individuals within the entity to exchange the information needed to conduct, manage, and control its operations

COSO Framework 

• Monitoring
  – Internal control systems must be monitored to assess their effectiveness – are they operating as intended?
  – Accomplished through:
    – Ongoing monitoring activities
    – Separate evaluations

Internal Controls


Internal Controls

• Used every day
  – Lock up your valuable belongings
  – Maintain copies of important documents
  – Review bills/credit card statements
  – Balance your checkbook
  – Schedule appointments

Internal Controls

• Divided into 2 primary groups
  1. Preventive
  2. Detective
• Preventive vs. detective
  1. Authorizations
  2. Segregation of duties
  3. Security of assets and records
  4. Periodic reconciliations
  5. Periodic verifications
  6. Analytical review

Internal Controls

• Preventive vs. detective
  1. Authorizations - preventive
  2. Segregation of duties - preventive
  3. Security of assets and records - preventive
  4. Periodic reconciliations - detective
  5. Periodic verifications - detective
  6. Analytical review - detective

Internal Controls

• Primary control areas for governmental entities
  – Information technology (IT)
  – Cash inflows (receivables, revenues)
  – Cash outflows (payables, expenses)
  – Payroll
  – Inventory
  – Investing and financing
    – Capital assets
    – Investments
    – Debt

Internal Controls - IT

• Security of physical components (servers, hardware, etc.)
• Documentation of IT system and processes
• Periodic backups of data
• User access restrictions
  – Usernames and passwords (ever changed?)
  – Review of user logs
• Segregation of duties is still important!!

Internal Controls – Cash inflows

• Who actually receives the payment?
• Who prepares the listing of cash receipts and/or the bank deposit?
  – For both, we recommend this individual be independent of accounting/financial reporting
• Reconciliation of bank deposit slip to bank statement and general ledger
• Regular review of customer aging


Internal Controls – Cash outflows

• Review and approval of vendor invoices
• Check processing – system vs. manual
• Review and approval of check registers – Sequential numbering
• Bank reconciliations and reviews
• Check signing abilities are not a control on their own

Internal Controls – Payroll

• Employee personnel and payroll data should be input and updated by someone independent of the accounting function (Personnel/HR Dept.)
• Payroll registers should be reviewed by another individual independent of the accounting function
• Reconciliation from payroll records to bank statements

Internal Controls – Inventory

• Physical security of items
• Periodic counts and reconciliations
• Review of unit prices
• Segregation of duties is still important

Internal Controls – Capital assets

• Physical security of assets
• Periodic counts and reconciliations
• Review of disbursements by accounting department/finance
• Depreciation recalculations and analytical review

Internal Controls – Investments: Service Provider (i.e. Trustee)

• Review of investment statements
• Reconciliation of investment statements to general ledger
• Test/challenge fair values
• Monitoring of service provider – SAS 70 review report

Internal Controls – Investments: No Service Provider

• Authorization of investment activity
• Review of investment statements
• Reconciliation of investment statements to general ledger
• Test/challenge fair values

Internal Controls – Debt

• Authorization of debt activity
• Reconciliation between debt records/statements to general ledger
• Maintenance of debt covenant listing

Internal Controls – Limitations

• The human factor
• Management override
• Collusion between 2 or more people
• Cost vs. benefit


Questions?

Thank You!

Chris Lindner, CPA, CGFM
BKD CPA’s & Advisors
1248 ‘O’ Street, Suite 1040
Lincoln, Nebraska 68508
(402) 473-7600
(402) 473-7634 - Direct
[email protected]