Overview of Internal Audit, Internal Controls, and Fraud and Abuse

1. Overview of Internal Audit, Internal Controls, and Fraud and Abuse Presentation – Financial Services Workshop March 14, 2013 Amanda Robinson, MSA – Internal Auditor

2. Agenda • Internal Audit • Internal Controls • Fraud and Abuse • Internal Audit Website

3. Internal Audit – Who We Are Independent Function • Reports functionally to ECU BOT Audit Committee • Reports administratively to the Chancellor Partner with Management • Risk Management • Governance • Internal Control

4. Internal Audit – What We Do • Financial, Operational, Compliance, and Information Technology Audits • Management Advisory Services • Investigate Allegations of Fraud and Abuse • Education and Training on Internal Control and Fraud Awareness • Liaison with External Auditors

5. Core Principles Integrity Objectivity Confidentiality Competence

6. What We Are Not… Do what I say or ye walk the plank!

7. Internal Controls • Achieve goals • Carry out management directives • Reduce unpleasant surprises • Enhance the reliability of information • Promote effectiveness and efficiency of operations • Safeguard assets • Comply with rules and regulations

8. Internal Controls Two types: • Preventive • Detective

9. Internal Controls Adhering to and strengthening internal controls is the responsibility of every employee at East Carolina University.

10. Security of Assets • Physically control access to your department's valuable assets - computers, iPads, iPods, mobile devices, cameras, other equipment • Maintain a departmental inventory, and periodically review to ensure all assets are on hand

11. Protection of Sensitive Data • Do not store sensitive data (such as student, patient, personnel, credit card data, SSNs, etc.) on local computers or portable media such as external hard drives or thumb drives.  Use the University's central storage platforms for such data. • Control access to your department's servers and central data storage locations.  Periodically review the users who have access to your data (at least twice annually). • Encrypt and physically secure any media that contain University data.  • Enable automatic, passphrase-protected screen savers on your computers, laptops, and other devices.

12. Segregation of Duties • Assign duties to different individuals • Never let a single individual control a transaction or process from start to finish • Separate incompatible duties, such as authorizing the purchase of an asset and then maintaining custody of that asset; or requesting access to a system or data, and actually controlling access to the system/data.

13. Cash Management • If your department collects payments, comply with the University Cash Management Plan. • Issue a pre-numbered receipt for all payments received, and retain a carbon copy of all receipts.  Receipts should be used in numerical order. • Ensure that a person who is not involved in the collection process reconciles the collection records with the Banner deposit  information.  • Physically safeguard cash, checks, and credit card information.  Change the combinations to any safes or other storage areas immediately upon the termination or transfer of personnel with knowledge of the combinations.

14. Transaction Review and Approval • Ensure that the people assigned to review and approve transactions are in a position to know whether or not they are related to a legitimate University business. • Ensure that people assigned to review and approve transactions have the authority to disapprove or question specific expenses. • Periodically review the department's expenses to ensure their validity and appropriateness (and to track whether or not you are operating within budget).

15. Reconciliations • Ensure that the expenditures that have been charged to the department’s accounts were properly approved and charged to the correct account • Ensure that all revenues that have been earned and/or collected by the department have been credited and deposited to the correct account • Provide management with documented evidence that the general ledger account balances are valid, appropriate, approved, and adequate • Discover accounting errors, omissions, and misclassifications in a timely fashion

16. Reconciliations • Be sure to properly segregate duties • Departmental account reconciliations should generally be performed monthly • The reconciliation should have documented review and approval by someone other than the preparer

17. Fraud and Abuse Occupational Fraud: “The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.”

18. Fraud and Abuse FRAUD = the “theft” of assets ABUSE = the “misuse” of assets

19. Fraud Triangle INCENTIVE/MOTIVE OPPORTUNITY RATIONALIZATION

20. Behavioral Red Flags • Living beyond means • Financial difficulties • Wheeler-dealer attitude • Control issues – unwillingness to share duties • Divorce • Unusually close with vendors

21. Behavioral Red Flags • Irritable, defensive • Addiction problems • Refusal to take vacations • Complains about pay, lack of authority

22. Commonly Seen at the University • Misuse of University resources • Misuse of time • Theft of University assets • Personal purchases with University funds • Improper employee reimbursements • Failure to report secondary employment

23. Internal Audit Website http://www.ecu.edu/Audit/

24. Report Fraud and Abuse If you have concerns or knowledge of FRAUD, WASTE, or ABUSE please contact us at: 252-328-9025 or visit our website at: http://www.ecu.edu/Audit

25. Questions/Comments Amanda Robinson Internal Auditor/Healthcare Auditor robinsonam@ecu.edu 328-9026