Internal Controls
{
Introduction to Accounting Unit 3 Module 1
Pretend for a moment you own a business, selling bobble-heads. You have many items you must spend money on to operate, such as:
Wages Equipment & Vehicles Inventory Other Operating expenses
If someone froze the bank account, how long could you stay in business? Why?
CA$H is KING
A company cannot survive without operating capital. Other assets are extremely important as well Inventory – this is what you sell. If it is lost, damaged, or stolen you cannot sell it Supplies – are needed for day to day operations to produce, market, and distribute your product Fixed Assets – such as equipment and vehicles. If they are damaged or destroyed prematurely, this interrupts your supply chain and revenue stream
CA$H is KING
The highest priority a business has is NOT making a profit. It is protecting company ASSETS. Why? Profit is generated to produce ASSETS for the owners. It is a means to an end. The assets are the end. The business cannot function without sufficient assets, even if it is profitable
Protecting Assets
INTERNAL CONTROLS – are the sum of all systems, tools, and processes in place designed to protect company assets From inefficiency – Inefficient use of assets means the company is using more assets than necessary to generate a profit. From fraud and theft – Internal and external loss of company assets by illegitimate means. From external threats – like economic, industry, or legal developments that could undermine the viability or effectiveness of the company’s operations
Protecting Assets
Let’s pretend you are having a problem with bobble-heads disappearing from the warehouse. Option 1: The “Mercedes” security system Option 2: The “Ford” security system Option 3: The “Yugo” (look it up) security system Option 4: Do Nothing.
Cost / Benefit Analysis
Which do you choose? Option 1: The “Mercedes” security system
Option 2: The “Ford” security system
Includes basic surveillance systems and security personnel at high risk times Costs $80,000 per year
Option 3: The “Yugo” (look it up) security system
Includes state of the art technology and 24/7 military trained armed guards. Costs $200,000 per year
Includes fake cameras installed as a deterrent Costs $500 to install
Option 4: Do Nothing.
Costs nothing
Cost / Benefit Analysis
Which do you choose? Let’s say your Net Income last year was $600,000, and you experienced $120,000 in inventory losses due to theft. Now what? Option 1: The “Mercedes” security system
Option 2: The “Ford” security system
Includes basic surveillance systems and security personnel at high risk times Costs $80,000 per year
Option 3: The “Yugo” (look it up) security system
Includes state of the art technology and 24/7 military trained armed guards. Costs $200,000 per year
Includes fake cameras installed as a deterrent Costs $500 to install
Option 4: Do Nothing.
Costs nothing
Cost / Benefit Analysis
Which do you choose? Let’s say your Net Income last year was $600,000, and you experienced $120,000 in inventory losses due to theft. Now what? Option 1: The “Mercedes” security system
Includes state of the art technology and 24/7 military trained armed guards. Costs $200,000 per year
May not be the best option. You will probably stop the theft and save $120,000 in losses, but it will cost you $200,000 to use.
Cost / Benefit Analysis
Which do you choose? Let’s say your Net Income last year was $600,000, and you experienced $120,000 in inventory losses due to theft. Now what? Option 4: Do Nothing.
Costs nothing
This is probably the worst option. You are losing too much to justify ignoring the issue
Cost / Benefit Analysis
Which do you choose? Let’s say your Net Income last year was $600,000, and you experienced $120,000 in inventory losses due to theft. Now what? Option 3: The “Yugo” (look it up) security system
Includes fake cameras installed as a deterrent Costs $500 to install
This may not be a bad option if the losses were relatively small. But with losses as large as this, you might want to invest in a more robust system that could help you catch the thieves
Cost / Benefit Analysis
Which do you choose? Let’s say your Net Income last year was $600,000, and you experienced $120,000 in inventory losses due to theft. Now what? Option 2: The “Ford” security system
Includes basic surveillance systems and security personnel at high risk times Costs $80,000 per year
In this scenario this may be the most reasonable option. You will likely recoup the cost and then some in prevented losses
Cost / Benefit Analysis
With any tool designed to mitigate any type of internal control failure, whether it is a loss, efficiency, or other issue, we always have to consider: COST – what resources are required? BENEFIT – what savings are realized, losses prevented, etc. RISK – what is the likelihood of the type of loss we are mitigating? Impact – if that event occurs, how big is the impact to our company?
Cost / Benefit Analysis
Here is a suggested partial decision grid: Cost
Benefit
Implement the Measure?
HIGH
HIGH
Probable ; evaluate Risk and Impact
HIGH
LOW
No; not cost effective
MODERATE
HIGH
Possible; evaluate Risk and Impact
MODERATE
MODERATE
Possible; evaluate Risk and Impact
MODERATE
LOW
Unlikely; evaluate Risk and Impact
LOW
HIGH
Yes; good “net benefit”
LOW
LOW
Unlikely; evaluate Risk and Impact
Cost / Benefit Analysis
A business faces many types of potential threats to its assets: Internal
Compliance Failures – may result in fines, loss of customer base Operating Inefficiencies – reduce profit through higher expenses Fraud, theft, embezzlement – by employees at any level
External
Market forces – industry changes, inflation, innovations – can all make current operating model ineffective Regulatory environment – may threaten resources and efficiency Malicious software, attacks, information breaches – may cause loss of assets and customers, fines via lawsuits, etc.
Risks and Threats
It is unrealistic and cost prohibitive to prevent all losses We can RESPOND to failures in a way to minimize the impact
What is the SOURCE of the failure? How can we reduce the ongoing impact of the failure?
We can PLAN and organize to better deter and detect failures
What SYSTEMS can we use to identify a potential failure is happening? What tools and processes would make it less likely for a failure to occur?
Mitigation vs. Prevention
There are a number areas that merit special scrutiny: The PURCHASING cycle – how expenditures are approved, executed, and accounted for Payroll Certain ASSETS:
Cash – the Cash Cycle – how cash is handled and accounted for Inventory Portable Equipment
Information Systems
Networks Databases Software systems Internal and External Access
WHERE failures happen
An EXAMPLE: Your payroll manager enters fictitious employees into the payroll system, and all their checks are going to his bank account via direct deposit. He uses a PO Box for their addresses
HOW might you discover this? HOW could you prevent it?
The Ghost Employee
SIMPLE SOLUTIONS Your payroll manager enters fictitious employees into the payroll system, and all their checks are going to his bank account via direct deposit. He uses a PO Box for their addresses
If the payroll manager ever takes a vacation, someone filling in may notice the ghost employees are not real Cross checking the database of employee addresses and bank account #s (for Direct Deposit employees) may show the same PO Box and bank account being used for multiple employees Using a validation system that requires a departmental manager to approve the entry of a new employee in his/her department may prevent them from being created (especially if the software requires this validation)
The Ghost Employee
What could those solutions NOT fix? Your payroll manager enters fictitious employees into the payroll system, and all their checks are going to his bank account via direct deposit. He uses a PO Box for their addresses
Your payroll manager works in collusion with a department manager to commit the fraud Multiple addresses / bank accounts are used
The Ghost Employee
This is an easy way to think about a couple of the important features of a good internal control system Segregation of Duties
You don’t want someone to have both the ACCESS needed to commit a fraud AND the means to cover it up Management and Accounting should be separate functions For Payables, the person approving purchases should not be the same as the person entering payables
Third Party Verification
Physical inventory counts, department manager verifications of active employees, outside audits, etc. Mandatory vacations – make it more difficult to conceal fraud Cross-training employees (as appropriate)
Internal Controls
What causes people to commit fraud? These are the questions that drove criminologists Donald Cressey and Edwin Sutherland to interview myriads of financial criminals. Their findings indicated that three key elements were in place in every case where financial trust was abused. They are:
A financial need or pressure that the individual feels he must not share The opportunity to commit the fraud (access, trust, etc.) Perceived justification / rationalization
Why does fraud happen?
These elements have been visualized as a triangle, as follows
The Fraud Triangle
CASE STUDY: Bookkeeper Gone Bad Susan is an office manager for a small construction company and maintains all company books, including payables and receivables. She has worked for the company for 5 years without a raise, and seen the profits increase every year. She feels the owners do not appreciate how essential her work is to the company’s success. Susan has online access to bank accounts and prints all checks to be signed by one of the owners. Her husband has been unemployed for 2 years and his medical bills are piling up. They are in danger of losing their house to the bank. She realizes that she can cut checks for suppliers for invoices that don’t exist, then destroy the checks and make online payments to her own account from the company account in the same amounts so that the bank account will reconcile.
What is her pressure? What gives her opportunity? Why might she feel justified in taking company funds?
A Fraud Triangle Example
CASE STUDY: Bookkeeper Gone Bad In this case, there were some internal controls in place, and some that were weak or absent. Think about how the employer could mitigate these risks.
Pressure: The company cannot control personal lives, but in the hiring process they may be able to identify financial problems, or criminal history
Opportunity: The company had a Purchase Order System, but since no one was verifying vendor records against company records, the discrepancy in purchases was not discovered. Validating cleared checks and third party records (even a close look at a bank statement) would have revealed a problem.
Rationalization: Perhaps this employee was in fact under-appreciated and under-compensated. While this doesn’t make fraud morally right, it creates a situation where a person may feel justified in such action – and that is all that is needed. Work environment, fair annual review practices, and often a simple “thank you” can go a long way towards prevention
A Fraud Triangle Example
CASH CYCLE
Cash is one of the most vulnerable assets. Here are a few tools often used to protect it from unauthorized use:
Bank Reconciliations Cash drawer daily reconciliations
Imprest System for Petty Cash
Daily deposits in a drop safe Requires documentation for purchases and reconciliation of the account.
Account Authority Restrictions
Multiple signatures required on checks Limited privileges for online users (e.g. the ability to see but not execute transactions) Special authorizations for transactions over a threshold amount
Some Common Controls
PAYROLL CYCLE Fraud related to payroll is very preventable. Here are some common protections:
Separation of duties
Validation
Hours validated by one party, checks made by another, checks signed by another Cross check addresses, phone numbers to identify ghost employees Validate employees paid against current roster (via department managers)
Final Payroll Approval
Owner, VP, or similar to validate paper trail of the above controls
Some Common Controls
PAYABLES CYCLE This is one of the most commonly used areas where embezzlement occurs. Common controls are:
Separation of duties
Bills entered by different party than the party paying bills Purchasing (ordering) separated from entering / paying bills
Purchase Order System
PO issued by vendor, approved by supervisor PO validated against bill before entry Paper trail validated before checks signed
Some Common Controls
INFORMATION SECURITY This area is becoming one of the bigger vulnerabilities for many companies, and is increasingly difficult to handle. Common tools are
Network Security
Online Transactions
Adequate firewalls Limited user access to systems based on needs to perform job functions Robust anti-malware software Employee training to prevent Phishing, other network threats Encryption
Systems that encrypt data on web site interfaces
Physical Security
Protection of sensitive information, customer data, physical files Employee training on protection of files and data, and mitigation procedures for potential breaches
Some Common Controls
INVENTORY Inventory can be lost, stolen or damaged. Protecting inventory involves:
Physical Count
Validation
Regular (weekly-quarterly-semi annually, depending on risks) Performed by outside party, owner, (someone not involved in physical management or accounting for inventory) Compare Receiving reports against POs (also part of PO system)
Physical Security
Appropriate physical protection, monitoring based on risk / value
Some Common Controls
Since the advent of Sarbanes-Oxley, publicly traded companies are required to report on the adequacy of internal controls Auditors also must report material weaknesses in internal controls Research these requirements and discuss:
How objective are these reports? How reliable? What do you think the role of executive management is in setting an ethical tone in a company?
Learning Activity
Next time ….