
Government Risk Briefings Internal Controls & Fraud Prevention in Local Government November 16, 2012

Ron Steinkamp, CPA, CIA, CFE, CRMA 314.983.1238 | rsteinkamp@bswllc.com





Presentation Transcript


  1. Government Risk Briefings: Internal Controls & Fraud Prevention in Local Government, November 16, 2012. Ron Steinkamp, CPA, CIA, CFE, CRMA, 314.983.1238 | rsteinkamp@bswllc.com. 1050 N. Lindbergh Blvd. │ St. Louis, Missouri 63132 │ 314.983.1200. 1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000. 2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.654.3100. 1.888.279.2792 │ www.bswllc.com

  2. Agenda

  3. INTERNAL CONTROL DEFINED

  4. COSO The Committee of Sponsoring Organizations of the Treadway Commission (COSO) - Internal Control Integrated Framework. The Report: • Established a common definition of internal control • Provided a standard (criteria) to assess the effectiveness of internal controls • Became the standard for internal control recognized by the U.S. accounting profession

  5. Definition of Internal Control COSO defines internal control “as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations” Internal Controls can help… • An organization ensure the quality of financial reporting • An organization achieve its performance and profitability targets and prevent a loss of resources • An organization comply with laws and regulations, avoiding damage to its reputation and other consequences • An organization prevent the theft or inappropriate use of assets

  6. COSO Control Categories COSO defines five categories of Internal Control: • Control Environment • Risk Assessment • Control Activities • Information and Communication • Monitoring

  7. COSO Control Categories Control Environment - Sets the tone of an organization and influences the control consciousness of its people. • Is the foundation for all other components of internal control, and • Provides discipline and structure • Factors include… • Integrity, ethical values and competence of the entity’s people • Management’s philosophy and operating style • The way management assigns authority and responsibility, and organizes and develops its people, and • The attention and direction provided by the board of directors

  8. COSO Control Categories Risk Assessment - Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level • The identification and analysis of relevant risks to the achievement of objectives • Forming a basis for determining how the risks should be managed

  9. COSO Control Categories Control Activities - Are the policies and procedures that help ensure management directives are carried out • Help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives • Occur throughout the organization, at all levels and in all functions • Include activities such as approvals, authorizations, verifications, reconciliations

  10. COSO Control Categories Information and Communication – Pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components • Produces reports containing operational, financial and compliance related information • Also deals with information concerning external events, activities and conditions necessary to enable informed business decision-making and external reporting

  11. COSO Control Categories Monitoring - Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time • Occurs in the course of operations • Includes reviews of operating performance, security of assets and segregation of duties • Internal control deficiencies should be reported upstream, with significant deficiencies and material weaknesses reported to top management, the audit committee, and the external auditor

  12. Control Roles and Responsibilities • Management • Board of Directors • Internal Audit • Other Personnel

  13. KEY CONTROLS

  14. Types of Controls • Preventative controls • Detective controls • Manual controls • Computer controls • Management controls

  15. General Controls • Code of conduct • Policies and procedures manual • Segregation of duties • Records retention • Documentation of transactions • Budgetary • Fraud Policy and reporting • Access to systems

  16. Cash Management Controls • Policies and procedures. • All bank accounts opened and maintained in the organization’s name with proper approval. • Segregate access to cash from accounting for cash. • Monthly reconciliation of recorded balances to bank account detail by employees not involved in cash activities. • Control credit cards and reconcile to receipts on a timely basis.

  17. Revenue Cycle Common Controls • Policies and procedures. • All orders received are processed and recorded. • All orders processed are invoiced. • All invoices are posted to customer accounts. • Billings are accurate.

  18. Procurement Cycle Common Controls • Policies and procedures. • All purchase orders are authorized. • All vendors are authorized. • Individuals have authorization limits. • Check stock is controlled. • EDI/ACH transactions require authorization. • Credit card purchases are controlled and statements are reconciled to detailed receipts.

  19. Payroll Common Controls • Procedures for adding, changing, removing employees and related pay and benefits. • Payroll personnel cannot add/change/delete employees and related pay and benefits. • All changes are authorized by management. • Payroll preparation segregated from payroll authorization, check signing and distribution. • Access to payroll is restricted. • Safeguard checks. • Reconciliations.

  20. Fixed Assets Common Controls • Procedures for adding and removing fixed assets. • Detailed records of all fixed assets. • Tracking of fixed assets. • Inventory fixed assets and reconcile to records periodically.

  21. Management Reporting Common Controls • Accurate, Timely, and Consistent Reporting. • Recorded balances should be periodically substantiated and evaluated.

  22. Inventory Monitoring Common Controls • Exception reporting • Shipping/Receiving • Physical Inventory Monitoring • Perpetual Records • Controlling slow-moving and obsolete inventories • Scrap • Adjustments are controlled • Cycle counting • Disposal

  23. IT Common Controls • Back-ups • Disaster Recovery • Security (Physical & logical) • Virus Protection • Administrative • Change control • Trouble reporting • Helpdesk • Systems Development Life Cycle

  24. CONTROL EXAMPLES

  25. Authorization Controls Authorization – Authorization controls require that a transaction be “authorized” or approved prior to executing the transaction. Examples: • Legal department approves a contract prior to execution. • Controller signs Accounts Payable checks greater than a set amount. • Accounting Supervisor approves journal entries prepared by the Clerk prior to entry into the system.

  26. Segregation of Duties Segregation of Duties – These controls split responsibilities for a process so that it requires more than one person to execute a transaction or complete a process. Examples: • Personnel accepting/processing cash receipts do not deposit, record or reconcile receipts. • Personnel that edit the vendor master files do not process invoices. • A person separate from the approval process sets up users on the system.

  27. Reconciliations Reconciliations – This involves comparing two items, from different sources, to determine if transactions were executed accurately and completely. Examples: • Reconciling the accounts receivable sub-ledger to the general ledger. • Reconciling the bank statements to the general ledger. • Reconciling credit card statements to the related detail. • Physically inventorying fixed assets and comparing them to the fixed asset system.

  28. Management Review Management Review – This involves a review, by a manager/supervisor, of executed transactions/activities for appropriateness. Examples: • The Finance Director reviews the bank and credit card reconciliations for reasonableness. • The Payroll Manager reviews a report of the payroll run to ensure that the total run is consistent with past periods. • The owner of a process reviews a listing of personnel that have access to the system that supports the process.

  29. System Access Controls System Access – System Access controls prevent a person from executing a transaction because they cannot log on to the system or have not been granted the specific transaction authority. Examples: • AP personnel are not given user accounts on the payroll system. • Only accounting personnel can post journal entries in the system. • Only the Finance Director and/or City Administrator can authorize payments out of the system.

  30. Configuration/Account Mapping Configuration/Account Mapping – This is a control that is performed by the system/application and prevents the execution of a transaction unless certain parameters are met. Examples: • The AP system automatically populates the payee field of a check from the vendor master file. • The Revenue system automatically calculates the invoice amount based on contract data and payroll data. • System functionality prevents the posting of journal entries to a prior period.

  31. Exception/Edit Reports Exception/Edit Reports – These controls alert you to changes/issues in the system via an online or paper report. Examples: • An edit report that lists all changes to the vendor master file. • An exception report that identifies all AP checks over a certain amount. • A report that identifies payroll exceptions/adjustments.

  32. Key Performance Indicators Key Performance Indicators – These are analytical indicators of performance metrics that help to identify incorrect transactions or breakdowns in the control system. Examples: • Variance Reports (Budget to Actual, Prior to Current Period, Etc.) • Production Reports (Rate per Hour, Utilization, Etc.)

  33. FRAUD DEFINED

  34. What is Fraud? The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets. Three general categories: • Asset misappropriation • Corruption • Financial statement fraud

  35. Asset Misappropriation Perpetrator steals or misuses an organization’s resources. • Examples: • Clerk stealing cash receipts. • Payroll Clerk creating a ghost employee. • Purchasing Clerk creating a fictitious vendor and false invoice. • Street Department personnel “borrowing” equipment. • City Manager purchasing personal items on the City credit card.

  36. Corruption Employee’s use of his/her influence in business transactions in a way that violates his/her duty to the employer for the purpose of obtaining benefit for him/herself or someone else. • Examples: • City Council member trading votes for personal favors. • Purchasing Department Manager awarding a City contract to a vendor for a kickback. • Human Resources Director hiring unqualified “friends” to fill positions.

  37. Financial Statement Fraud Intentional misstatement or omission of material information in the organization’s financial reports. • Examples: • Inflating City revenues on the Consolidated Annual Financial Report. • Forcing actual expenditures to match budget by moving expenses between accounts. • Improperly accounting for grant receipts and expenditures.

  38. FRAUD SURVEY RESULTS

  39. 2012 ACFE Global Fraud Study: 2012 Report to the Nations on Occupational Fraud and Abuse

  40. Summary of Findings 1. Typical fraud losses equal 5% of revenue 2. Asset misappropriation - the most common 3. Financial statement fraud - the least common 4. Frauds are most likely to be detected by tips 5. Small organizations are disproportionately victimized by occupational fraud 6. Fraud perpetrators often display warning signs 7. Government/public administration is one of the most victimized industries 8. Anti-fraud controls help reduce the cost and duration of occupational fraud 9. High-level perpetrators cause the greatest damage to their organizations 10. Nearly 50% of all victim organizations do not recover any losses

  41. Conclusions & Recommendations • Implement hotlines to receive tips from internal/external sources • Organizations over-rely on audits • Most frauds are detected by tips • Anti-fraud training among employees and managers results in fewer fraud losses • Surprise audits are an effective fraud prevention tool

  42. Conclusions & Recommendations • Using internal controls as your sole fraud prevention strategy is insufficient • Employees exhibit behavior warning signs • Employees should be trained to recognize common signs of fraud • Effective fraud prevention measures are critical

  43. Common Characteristic/Red Flags Pressure or Incentive (NEED): • High personal debts • Substance or gambling abuse • Job frustration • Resentment of superiors Rationalization: • Unfairly compensated • Everyone else does it • Intention of repayment • Financial need Opportunity: • Inadequate internal controls • Weak management • Excessive turnover • Large amounts of cash on hand or processed

  44. COMMON AREAS OF CONTROL ABUSE

  45. Internal Control Abuse by Management Failure to establish: • Policies & procedures • Segregation of duties • Third-party oversight (boards) Also: • Failure to oversee/supervise/review • Overworking/underpaying staff to make budget • Inappropriate use of cell phone, company credit cards, autos, and expense reports • Inadequate IT Access Controls • Not allowing Internal Audit to look at a department • Non-responsive to management inquiries

  46. Why Management? Three major reasons these events occur: 1. It pays to do it 2. It is easy to do 3. It is unlikely you will get caught. Indicators of possible management fraud: 1. A weak control environment 2. Management facing extreme competitive pressure 3. Management known or suspected of having questionable character

  47. Internal Control Abuses by Employees • Accounts payable fabrication • Accounts receivable manipulation • Bank fraud • Bid rigging • Check forgery and counterfeiting • Credit card fraud • Embezzlement • Expense account abuse • Fictitious vendors, customers, employees • Kickbacks • Material misstatement • Medical/insurance claims overstatement • Unnecessary purchases or purchases for own use

  48. Example – Check Tampering Check tampering occurs when an employee: • Prepares a fraudulent check for his/her own benefit • Intercepts a check intended for a third party and converts the check to benefit him/herself.

  49. Example – Check Tampering How can check tampering be prevented? • Check stock should be locked in a secure location to ensure blank checks are not accessible to potential fraudsters. • Checks should be mailed immediately after signing to reduce the risk of legitimate checks being stolen.

  50. Example – Check Tampering How can check tampering potentially be detected through data analysis? • Perhaps better identified through other ways. • Bank reconciliations • Communication with vendors
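
The bank reconciliation named on the Reconciliations and Check Tampering slides can be run as a record comparison between the check register and the bank's cleared items. The following is an added example, not part of the original presentation; the record layout, the payee field on cleared items (assumed to come from cleared-check detail) and all sample data are constructed.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data (not from the presentation).
# REGISTER: checks as recorded in accounts payable.
# BANK: cleared items; payee is assumed to come from cleared-check detail.
REGISTER = [
    {"check_no": 1001, "payee": "Acme Paving", "amount": Decimal("4200.00")},
    {"check_no": 1002, "payee": "City Water Supply", "amount": Decimal("815.50")},
    {"check_no": 1003, "payee": "Midwest Salt Co", "amount": Decimal("1260.00")},
]
BANK = [
    {"check_no": 1001, "payee": "ACME PAVING", "amount": Decimal("4200.00")},
    {"check_no": 1001, "payee": "Acme Paving", "amount": Decimal("4200.00")},
    {"check_no": 1002, "payee": "J. Smith", "amount": Decimal("815.50")},
    {"check_no": 1003, "payee": "Midwest Salt Co", "amount": Decimal("1960.00")},
    {"check_no": 1017, "payee": "Cash", "amount": Decimal("500.00")},
]


def norm(name):
    """Compare payees without regard to case or spacing."""
    return " ".join(name.casefold().split())


def reconcile(register, bank):
    """Return sorted (check_no, reason) exceptions for manual follow-up."""
    issued = {r["check_no"]: r for r in register}
    times_cleared = Counter(item["check_no"] for item in bank)
    exceptions = set()
    for item in bank:
        no, rec = item["check_no"], issued.get(item["check_no"])
        if rec is None:
            exceptions.add((no, "cleared but not in register"))
            continue
        if norm(item["payee"]) != norm(rec["payee"]):
            exceptions.add((no, "payee differs from register"))
        if item["amount"] != rec["amount"]:
            exceptions.add((no, "amount differs from register"))
        if times_cleared[no] > 1:
            exceptions.add((no, "cleared more than once"))
    return sorted(exceptions)


if __name__ == "__main__":
    for check_no, reason in reconcile(REGISTER, BANK):
        print(check_no, reason)
```

In line with the segregation-of-duties slides, the comparison is meant to be run and reviewed by someone who neither prepares nor signs checks.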
