Practical Lessons in Internal Controls

Author: Jerome Craig

Presented by: Amanda Eaves, CPA
Director, BKD CPAs & Advisors

Cost of Fraud & Abuse

- $3.7 trillion worldwide
- 5% of revenues
- Almost half recover nothing after fraud is discovered

©2014 by the Association of Certified Fraud Examiners, Inc.


Damages to Victims Go Beyond Dollars & Cents

- Reputation
- Loss of public confidence
- Damage to relationships
- Sagging staff morale
- Distraction from the mission

COSO Framework

The Five Framework Components
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

COSO Framework

Control environment
- "Tone at the top"
- Foundation for all other framework components
- Integrity, ethical values, and competence of employees
- Management's philosophy and operating style

COSO Framework

Risk assessment
- Identify events/risks, both internal and external
- Analyze and prioritize risks
- Decide how to respond to risks

Risk Assessment – Identifying risks

- What information is critical to our operations?
- Which areas are the most susceptible to fraud?
- Which areas are inherently risky?
- What kind of things do our auditors look for?

Risk Assessment – Analyze and prioritize risks

- How important is the risk?
- What is the likelihood that this risk will occur?
- What is the impact on the entity if this risk does occur (monetary and non-monetary)?

Risk Assessment – Analyze and prioritize risks

- Likelihood – the possibility that a given event may occur
- Impact – the result or effect of an event

Risk rating = likelihood combined with impact:
3 = High = Mitigate or reduce the risk
2 = Medium = Manage the risk
1 = Low = Accept the risk

                     Low Impact   Medium Impact   High Impact
High Likelihood          2              3              3
Medium Likelihood        1              2              3
Low Likelihood           1              1              2

COSO Framework

Control activities
- Ensure that necessary actions are taken to address the risks that may hinder the achievement of the entity's objectives
- Include a range of activities such as approvals, authorizations, verifications, reconciliations, security of assets, and segregation of duties
- The greater the risk, the greater the control necessary

COSO Framework

Information and communication
- Ensure that accurate and relevant information is identified, captured, and communicated in a timely manner
- Effective information and communication systems enable individuals within the entity to exchange the information needed to conduct, manage, and control its operations

COSO Framework

Monitoring
- Internal control systems must be monitored to assess their effectiveness: are they operating as intended?
- Accomplished through:
  - Ongoing monitoring activities
  - Separate evaluations

Internal Controls

Internal Controls

Used every day
- Lock up your valuable belongings
- Maintain copies of important documents
- Review bills/credit card statements
- Balance your checkbook
- Schedule appointments

Internal Controls

Divided into 2 primary groups
1. Preventive
2. Detective

Preventive vs. detective
1. Authorizations
2. Segregation of duties
3. Security of assets and records
4. Periodic reconciliations
5. Periodic verifications
6. Analytical review

Internal Controls

Preventive vs. detective
1. Authorizations - preventive
2. Segregation of duties - preventive
3. Security of assets and records - preventive
4. Periodic reconciliations - detective
5. Periodic verifications - detective
6. Analytical review - detective

Internal Controls

Primary control areas
- Information technology (IT)
- Cash inflows (receivables, revenues)
- Cash outflows (payables, expenses)
- Payroll
- Investing and financing
  - Investments
  - Capital assets
  - Debt

Internal Controls – IT

- Security of physical components (servers, hardware, etc.)
- Documentation of IT system and processes
- Periodic backups of data
- User access restrictions
  - Usernames and passwords (ever changed?)
  - Review of user logs
- Segregation of duties is still important!!

Internal Controls – Cash inflows

- Who actually receives the payment?
- Who prepares the listing of cash receipts and/or the bank deposit?
  - For both, we recommend this individual be independent of accounting/financial reporting
- Reconciliation of bank deposit slip to bank statement and general ledger
- Regular review of outstanding receivables
  - Also a review of write-offs

Internal Controls – Cash outflows

- Controls around Master Vendor list – ever reviewed by other members of management??
- Review and approval of vendor invoices
- Check processing – system vs. manual
- Review and approval of check registers
  - Sequential numbering
- Bank reconciliations and reviews
- Controls over signed checks to be mailed
- Check signing abilities are not a control on their own

City of Dixon, Illinois


Internal Controls – Payroll

- Employee personnel and payroll data should be input and updated by someone independent of the accounting function (Personnel/HR Dept.)
- Payroll registers should be reviewed by another individual independent of the accounting function
- Reconciliation from payroll records to bank statements

Internal Controls – Investments (Service Provider, i.e. Trustee)

- Review of investment statements
- Reconciliation of investment statements to general ledger
- Test/challenge fair values
- Monitoring of service provider – SSAE 16 review report

Internal Controls – Investments (No Service Provider)

- Authorization of investment activity
- Review of investment statements
- Reconciliation of investment statements to general ledger
- Test/challenge fair values

Internal Controls – Capital assets

- Physical security of assets
- Periodic counts and reconciliations
- Review of disbursements by accounting department/finance
- Depreciation recalculations and analytical review

Internal Controls – Debt

- Authorization of debt activity
- Reconciliation between debt records/statements and general ledger
- Maintenance of debt covenant listing

Internal Controls – Limitations

- The human factor
- Management override
- Collusion between 2 or more people
- Cost vs. benefit

Questions? Thank You!

Amanda Eaves, CPA
BKD CPAs & Advisors
2800 Post Oak Blvd, Suite 3200
Houston, Texas 77056
713.499.4600
713.499.4603 (Direct)
[email protected]