Practical Lessons in Internal Controls
Presented by: Amanda Eaves, CPA
Director, BKD CPAs & Advisors
Cost of Fraud & Abuse
$3.7 trillion worldwide
5% of revenues
Almost half recover nothing after fraud is discovered
©2014 by the Association of Certified Fraud Examiners, Inc.
Damages to Victims Go Beyond Dollars & Cents
Reputation
Loss of public confidence
Damage to relationships
Sagging staff morale
Distraction from the mission
COSO Framework
The Five Framework Components
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
COSO Framework
Control environment
“Tone at the top”
Foundation for all other framework components
Integrity, ethical values, and competence of employees
Management’s philosophy and operating style
COSO Framework
Risk assessment
Identify events/risks – both internal and external
Analyze and prioritize risks
Decide how to respond to risks
Risk Assessment – Identifying risks
What information is critical to our operations?
Which areas are the most susceptible to fraud?
Which areas are inherently risky?
What kind of things do our auditors look for?
Risk Assessment – Analyze and prioritize risks
How important is the risk?
What is the likelihood that this risk will occur?
What is the impact on the entity if this risk does occur (monetary and non-monetary)?
Risk Assessment – Analyze and prioritize risks
Likelihood – the possibility that a given event may occur
Impact – the result or effect of an event
Scoring: 3 = High = Mitigate or reduce the risk; 2 = Medium = Manage the risk; 1 = Low = Accept the risk

                     Low Impact   Medium Impact   High Impact
High Likelihood          2              3              3
Medium Likelihood        1              2              3
Low Likelihood           1              1              2
COSO Framework
Control activities
Ensure that necessary actions are taken to address the risks that may hinder the achievement of the entity’s objectives
Include a range of activities such as approvals, authorizations, verifications, reconciliations, security of assets, and segregation of duties
The greater the risk, the greater the control necessary
COSO Framework
Information and communication
Ensure that accurate and relevant information is identified, captured, and communicated in a timely manner
Effective information and communication systems enable individuals within the entity to exchange the information needed to conduct, manage, and control its operations
COSO Framework
Monitoring
Internal control systems must be monitored to assess their effectiveness – are they operating as intended?
Accomplished through:
– Ongoing monitoring activities
– Separate evaluations
Internal Controls
Internal Controls
Used every day:
Lock up your valuable belongings
Maintain copies of important documents
Review bills/credit card statements
Balance your checkbook
Schedule appointments
Internal Controls
Divided into 2 primary groups
1. Preventive
2. Detective
Preventive vs. detective
1. Authorizations
2. Segregation of duties
3. Security of assets and records
4. Periodic reconciliations
5. Periodic verifications
6. Analytical review
Internal Controls
Preventive vs. detective
1. Authorizations – preventive
2. Segregation of duties – preventive
3. Security of assets and records – preventive
4. Periodic reconciliations – detective
5. Periodic verifications – detective
6. Analytical review – detective
Internal Controls
Primary control areas
Information technology (IT)
Cash inflows (receivables, revenues)
Cash outflows (payables, expenses)
Payroll
Investing and financing
– Investments
– Capital assets
– Debt
Internal Controls - IT
Security of physical components (servers, hardware, etc.)
Documentation of IT system and processes
Periodic backups of data
User access restrictions
Usernames and passwords (ever changed?)
Review of user logs
Segregation of duties is still important!
Internal Controls – Cash inflows
Who actually receives the payment?
Who prepares the listing of cash receipts and/or the bank deposit?
For both, we recommend this individual be independent of accounting/financial reporting
Reconciliation of bank deposit slip to bank statement and general ledger
Regular review of outstanding receivables
Also a review of write-offs
Internal Controls – Cash outflows
Controls around the master vendor list – is it ever reviewed by other members of management?
Review and approval of vendor invoices
Check processing – system vs. manual
Review and approval of check registers – Sequential numbering
Bank reconciliations and reviews
Controls over signed checks to be mailed
Check signing abilities are not a control on their own
City of Dixon, Illinois
Internal Controls – Payroll
Employee personnel and payroll data should be input and updated by someone independent of the accounting function (Personnel/HR Dept.)
Payroll registers should be reviewed by another individual independent of the accounting function
Reconciliation from payroll records to bank statements
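As an added example (not from the presentation), the independence rules stated on the cash-inflows and payroll slides expressed as a segregation-of-duties check: the detective form reviews an exported list of who holds which duty, and the preventive form blocks a new grant that would create a conflict. The duty names, the sample assignments and the two cash-outflows pairs are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Conflicting duty pairs. The first four restate the cash-inflows and payroll
# slides (cash handling and payroll data entry independent of accounting; payroll
# register reviewed by another individual). The last two are assumptions added
# for illustration around check signing on the cash-outflows slide.
CONFLICTS = {
    frozenset({"receive_payments", "general_ledger_posting"}),
    frozenset({"prepare_deposit", "general_ledger_posting"}),
    frozenset({"payroll_data_entry", "general_ledger_posting"}),
    frozenset({"payroll_data_entry", "payroll_register_review"}),
    frozenset({"approve_vendor_invoices", "sign_checks"}),   # assumption
    frozenset({"sign_checks", "bank_reconciliation"}),       # assumption
}

# Constructed (user, duty) assignments, as an access review might export them.
ASSIGNMENTS = [
    ("alice", "receive_payments"),
    ("alice", "prepare_deposit"),
    ("bob", "general_ledger_posting"),
    ("bob", "payroll_data_entry"),
    ("carol", "approve_vendor_invoices"),
    ("carol", "sign_checks"),
    ("carol", "bank_reconciliation"),
    ("dave", "payroll_register_review"),
]

def duties_by_user(assignments):
    """Group the flat assignment list into {user: set of duties}."""
    held = defaultdict(set)
    for user, duty in assignments:
        held[user].add(duty)
    return held

def find_sod_conflicts(assignments, conflicts=CONFLICTS):
    """Detective control: {user: sorted conflicting pairs} for users holding any conflicting pair.
    Note: this only sees one person's access; it cannot detect collusion or management override."""
    findings = {}
    for user, held in duties_by_user(assignments).items():
        hits = sorted(tuple(sorted(p)) for p in combinations(held, 2) if frozenset(p) in conflicts)
        if hits:
            findings[user] = hits
    return findings

def would_conflict(assignments, user, new_duty, conflicts=CONFLICTS):
    """Preventive control: duties the user already holds that conflict with a proposed grant.
    An empty list means the grant can proceed without creating a conflict."""
    held = duties_by_user(assignments).get(user, set())
    return sorted(d for d in held if frozenset({d, new_duty}) in conflicts)
```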
Internal Controls – Investments: Service Provider (i.e., Trustee)
Review of investment statements
Reconciliation of investment statements to general ledger
Test/challenge fair values
Monitoring of service provider – SSAE 16 review report
Internal Controls – Investments: No Service Provider
Authorization of investment activity
Review of investment statements
Reconciliation of investment statements to general ledger
Test/challenge fair values
Internal Controls – Capital assets
Physical security of assets
Periodic counts and reconciliations
Review of disbursements by accounting department/finance
Depreciation recalculations and analytical review
Internal Controls – Debt
Authorization of debt activity
Reconciliation of debt records/statements to general ledger
Maintenance of debt covenant listing
Internal Controls – Limitations
The human factor
Management override
Collusion between 2 or more people
Cost vs. benefit
Questions? Thank You!
Amanda Eaves, CPA
BKD CPAs & Advisors
2800 Post Oak Blvd, Suite 3200
Houston, Texas 77056
713.499.4600
713.499.4603 – Direct
[email protected]