Internal Controls Will Save You!
(Or Save Your Money!)
Tiffany R. Winters, Esquire
twinters@bruman.com
Brustein & Manasevit, PLLC
Fall Forum 2013
Twitter: @trwinters
Brustein & Manasevit, PLLC
Why Do We Have Internal Controls?
 The Federal Managers’ Financial Integrity Act of 1982
 Requires the General Accounting Office (GAO) to issue standards for
internal controls in the government.
GAO: Standards for Internal Controls Management and Evaluation
Tool: http://www.gao.gov/new.items/d011008g.pdf
 Chief Financial Officers Act of 1990
 Financial Management Systems must comply with internal control
standards
 Federal Financial Management Improvement Act of 1996
Brustein & Manasevit, PLLC
2
Lower Audit Threshold

Materiality threshold lowered

Old: Material Weaknesses
 For every compliance requirement selected for audit, the auditor must
assess:
 The likelihood of whether the agency’s internal controls can prevent
and detect noncompliance that is “more than inconsequential” from
occurring in a timely manner
MORE INTERNAL CONTROL FINDINGS!
Brustein & Manasevit, PLLC
3
Definition of Internal Controls
OMB Circular A-133 (page 291)
 Internal control activities are the policies and procedures as
well as the daily activities that occur within an agency to
ensure effectiveness and efficiency of operations and
compliance with laws.
 Internal controls play an important role in preventing and
detecting fraud and protecting resources.
Brustein & Manasevit, PLLC
4
The Goals of Internal Controls
• Safeguard assets
– Well designed internal controls protect assets from accidental loss or loss from
fraud.
• Ensure the reliability and integrity of financial
information
– Internal controls ensure that management has accurate, timely and complete
information, including accounting records, in order to plan, monitor and report
business operations.
• Ensure compliance
– Internal controls help to ensure the agency is in compliance with the many federal,
State and local laws and regulations affecting the operations of our business.
Brustein & Manasevit, PLLC
5
The Goals of Internal Controls
(cont.)
• Promote efficient and effective operations
– Internal controls provide an environment in which supervisors and
staff can maximize the efficiency and effectiveness of their
operations.
• Accomplishment of goals and objectives of the agency
– Internal controls provide a mechanism for management to monitor
the achievement of operational goals and objectives.
Brustein & Manasevit, PLLC
6
The Goals of Internal Controls
(cont.)
• Internal controls work best when they are applied to multiple
divisions and deal with the interactions between the various
business departments.
• No two systems of internal controls are identical, but many
core philosophies regarding financial integrity and accounting
practices have become standard management practices.
Brustein & Manasevit, PLLC
7
Types of Internal Controls
• Preventive: Preventive control activities aim to deter the instance of errors
or fraud.
– Preventive activities include thorough documentation and
authorization practices.
– Preventive control activities prevent undesirable "activities" from
happening, thus require well thought out processes and risk
identification.
• Detective: Detective control activities identify undesirable "occurrences"
after the fact.
– The most obvious detective control activity is reconciliation.
Brustein & Manasevit, PLLC
8
Components of Internal
Controls
Risk
Assessment
Control
Environment
Monitoring
Control
Activities
Information
and
Communications
Brustein & Manasevit, PLLC
9
9
Control Environment
• Allows management and employees to maintain a positive and
supporting attitude toward compliance
• Maintaining a level of competence that allows personnel to
accomplish their assigned duties
• Clearly defined organizational structure
• Proper amounts of supervision
• Maintaining a good relationship with oversight agencies (like ED
and OIG for example!)
10
Brustein & Manasevit, PLLC
10
Control Environment (cont.)
• Examples:
– Well-written policies and procedures manuals
• Addressing employee responsibilities, limits to authority,
performance standards, control procedures, conflict of interests
and reporting relationships.
– Organizational chart
– Clear job descriptions
– Adequate training programs and performance evaluations.
Brustein & Manasevit, PLLC
11
Risk Assessment
You are all at risk for noncompliance
(and probably already are noncompliant!)
• Determine internal and external risks to obtaining agency objectives:
–
–
–
–
What could go wrong (or has gone wrong)?
What assets do we need to protect?
How could someone steal or disrupt operations?
What information do we rely on?
Brustein & Manasevit, PLLC
12
Risk Assessment (cont.)
Examples:
Risks are not stagnate; they increase and change as laws and
 New personnel
operational environments change.
 Experienced personnel
More Examples:
 Lack of personnel
 Change in Laws and
 Reorganizations
Regulations
 Cost Reduction Strategies
 New Technology
 New Grants
 Competition
 Rapid growth
13
Brustein & Manasevit, PLLC
Risk Assessment (cont.)
• Once risks are identified,
conduct risk analysis:
Risk
– Assess the likelihood (or
frequency) of risk
occurring
– Estimate the potential
impact if the risk were to
occur
– Determine how the risk
should be managed
High
Judgment
Required
Low
Low
Impact
High
Brustein & Manasevit, PLLC
14
Control Activity Examples
•
•
•
•
•
•
Segregating Key Responsibilities
Restricting Access to Systems and Records (Authorizations / Passwords)
Implementing Clear Written Policies in Key Areas
Maintaining Physical Control Over Valuable Assets (Security)
Maintaining Appropriate Documentation (Approvals, Record Retention)
Accurate and Timely Recording of Information
– Check for accounting of transactions in numerical sequence
Brustein & Manasevit, PLLC
15
Example: Data Security Control
Activities
Concern:
Access to electronic
records:
Physical access to
records:
Internal Controls
Establish and communicate standards for screensavers and
password protected screens. Set up password protected access to
electronic records.
Do not allow electronic records to be downloaded to mobile
workstations and transported outside of the office. Keep important
records in lockable, fireproof storage
Employee Turnover:
Develop a checklist for removing access to records upon separation
of an employee or upon transfer out of the unit. Develop a process
and assign a point person the responsibility of administering the
process for deleting access to records.
Passwords:
Have a prescribed standard for departmental passwords. Make them
complex and enforce a policy for changing passwords periodically.
Brustein & Manasevit, PLLC
16
Information and
Communications
Goal: Ensure personnel receive relevant, reliable and timely information that
enables them to carry out their responsibilities.
 Develop procedures for identifying pertinent information and distributing
it in a form and timeframe that permits people to perform their duties
efficiently.
 All personnel must receive a clear message from top down that control
responsibilities must be taken seriously.
 Personnel must understand how they relate to one another in the system.
Brustein & Manasevit, PLLC
17
Monitoring
Goal: Assess the quality of internal controls over time and
ensure any findings are promptly resolved.
 Ongoing program and fiscal monitoring
 Regular oversight by supervisors
 Record reconciliation
 Formal program reviews/audits
 OMB Circular A-133 audits
 Include policies and procedures for correcting any findings in
a timely manner
Brustein & Manasevit, PLLC
18
Example: Problem with
Unallowable Costs – Potential
Solutions
Look at Resources/Guidance
 Create Checklists or Use of Funds Manual
1.
2.
3.
4.
Is the cost consistent with federal cost principles?
Is the cost allowable under the relevant federal program?
Is the cost consistent with program specific fiscal rules?
Is the cost consistent with the grant (and any special conditions
placed on the grant)?
 Provide Training to Staff
 Lists of Allowable/Unallowable Costs
Brustein & Manasevit, PLLC
19
Example: Problem with
Unallowable Costs – Potential
Solutions
Look at the Budget Process
 Strengthen the application/budget process
 Link program elements to use of funds
 Drop down menu with only allowable costs
 Section to explain how other example costs are
allowable
Brustein & Manasevit, PLLC
20
Example: Problem with
Unallowable Costs – Potential
Solutions
Look at Documentation/Record Trail
Checklists
Review polices and procedures
identifying supporting
documentation (as well as
alternative documentation that will
suffice if original is
missing/destroyed)
Brustein & Manasevit, PLLC
21
Reliability on A-133 Audits
“We have no compliance issues, we have clean Single
Audits”
A-133 Audits are NOT necessarily reliable
regarding compliance
 Not all programs are covered
 Depth of Review
 Problems with Quality
Hold Firms Accountable – What did they look
at? What standard was used in their
determinations? Question findings.
Brustein & Manasevit, PLLC
22
How To Test Your Internal
Controls
1.
2.
Identify significant transactions
Document an understanding of internal controls in place
–
3.
4.
Use checklists, flowcharts, narratives or questionnaires to determine the
current internal controls
Select sample transactions and determine if the sample correctly
flows through the internal controls system
Note any deviations
Brustein & Manasevit, PLLC
23
Internal Controls Test
Example
Requisition
Requested
Invoice Sent to
Accounts Payable
Check Sent to
Vendor
Requisition
approved by
Program Director
Goods Delivered
and Verified
Check Cleared;
Money Withdrawn
from Account
Requisition
Approved by
Finance Office
Purchase Order
Created
Brustein & Manasevit, PLLC
24
Internal Controls Test
Example (cont.)
Requisition
Requested
Invoice Sent to
Accounts Payable
Check Sent to
Vendor
Requisition
approved by
Program Director
Goods Delivered
and Verified
Check Cleared;
Money Withdrawn
from Account
Requisition
Approved by
Finance Office
Purchase Order
Created
Brustein & Manasevit, PLLC
25
Weak Internal Controls –
What Now?
• Document findings
• Discuss the results of the walkthrough
with management and inform them of
any deficiencies that need immediate
attention.
• When internal control weaknesses are
determined – various options:
1. Increase supervision and monitoring
Brustein & Manasevit, PLLC
2. Institute additional or compensating controls
26
No. 1 Indication there is a
Compliance Problem…
“Because we’ve always
done it that way.”
27
Internal Control Weaknesses
• Problems
– Magical Letters
– Unsigned Forms
– Automatic Signatures
– Stolen Property
– Employees in the News
Brustein & Manasevit, PLLC
28
If you already have great internal
controls in place…
• Periodically assess risks and the level of internal control required to
protect assets and records related to those risks.
– Document the process for review, including when it will take
place.
• Management is responsible for making sure that all staff are
familiar with policies and changes in those policies.
Brustein & Manasevit, PLLC
29
The Ultimate Internal Control
~ The Disclaimer ~
This presentation is intended solely to provide general information
and does not constitute legal advice. Attendance at the
presentation or later review of these printed materials does not
create an attorney-client relationship with Brustein & Manasevit,
PLLC. You should not take any action based upon any information
in this presentation without first consulting legal counsel familiar
with your particular circumstances.
Brustein & Manasevit, PLLC
30