Internal Controls Will Save You! (Or Save Your Money!) Tiffany R. Winters, Esquire twinters@bruman.com Brustein & Manasevit, PLLC Fall Forum 2013 Twitter: @trwinters Brustein & Manasevit, PLLC Why Do We Have Internal Controls? The Federal Managers’ Financial Integrity Act of 1982 Requires the General Accounting Office (GAO) to issue standards for internal controls in the government. GAO: Standards for Internal Controls Management and Evaluation Tool: http://www.gao.gov/new.items/d011008g.pdf Chief Financial Officers Act of 1990 Financial Management Systems must comply with internal control standards Federal Financial Management Improvement Act of 1996 Brustein & Manasevit, PLLC 2 Lower Audit Threshold Materiality threshold lowered Old: Material Weaknesses For every compliance requirement selected for audit, the auditor must assess: The likelihood of whether the agency’s internal controls can prevent and detect noncompliance that is “more than inconsequential” from occurring in a timely manner MORE INTERNAL CONTROL FINDINGS! Brustein & Manasevit, PLLC 3 Definition of Internal Controls OMB Circular A-133 (page 291) Internal control activities are the policies and procedures as well as the daily activities that occur within an agency to ensure effectiveness and efficiency of operations and compliance with laws. Internal controls play an important role in preventing and detecting fraud and protecting resources. Brustein & Manasevit, PLLC 4 The Goals of Internal Controls • Safeguard assets – Well designed internal controls protect assets from accidental loss or loss from fraud. • Ensure the reliability and integrity of financial information – Internal controls ensure that management has accurate, timely and complete information, including accounting records, in order to plan, monitor and report business operations. • Ensure compliance – Internal controls help to ensure the agency is in compliance with the many federal, State and local laws and regulations affecting the operations of our business. Brustein & Manasevit, PLLC 5 The Goals of Internal Controls (cont.) • Promote efficient and effective operations – Internal controls provide an environment in which supervisors and staff can maximize the efficiency and effectiveness of their operations. • Accomplishment of goals and objectives of the agency – Internal controls provide a mechanism for management to monitor the achievement of operational goals and objectives. Brustein & Manasevit, PLLC 6 The Goals of Internal Controls (cont.) • Internal controls work best when they are applied to multiple divisions and deal with the interactions between the various business departments. • No two systems of internal controls are identical, but many core philosophies regarding financial integrity and accounting practices have become standard management practices. Brustein & Manasevit, PLLC 7 Types of Internal Controls • Preventive: Preventive control activities aim to deter the instance of errors or fraud. – Preventive activities include thorough documentation and authorization practices. – Preventive control activities prevent undesirable "activities" from happening, thus require well thought out processes and risk identification. • Detective: Detective control activities identify undesirable "occurrences" after the fact. – The most obvious detective control activity is reconciliation. Brustein & Manasevit, PLLC 8 Components of Internal Controls Risk Assessment Control Environment Monitoring Control Activities Information and Communications Brustein & Manasevit, PLLC 9 9 Control Environment • Allows management and employees to maintain a positive and supporting attitude toward compliance • Maintaining a level of competence that allows personnel to accomplish their assigned duties • Clearly defined organizational structure • Proper amounts of supervision • Maintaining a good relationship with oversight agencies (like ED and OIG for example!) 10 Brustein & Manasevit, PLLC 10 Control Environment (cont.) • Examples: – Well-written policies and procedures manuals • Addressing employee responsibilities, limits to authority, performance standards, control procedures, conflict of interests and reporting relationships. – Organizational chart – Clear job descriptions – Adequate training programs and performance evaluations. Brustein & Manasevit, PLLC 11 Risk Assessment You are all at risk for noncompliance (and probably already are noncompliant!) • Determine internal and external risks to obtaining agency objectives: – – – – What could go wrong (or has gone wrong)? What assets do we need to protect? How could someone steal or disrupt operations? What information do we rely on? Brustein & Manasevit, PLLC 12 Risk Assessment (cont.) Examples: Risks are not stagnate; they increase and change as laws and New personnel operational environments change. Experienced personnel More Examples: Lack of personnel Change in Laws and Reorganizations Regulations Cost Reduction Strategies New Technology New Grants Competition Rapid growth 13 Brustein & Manasevit, PLLC Risk Assessment (cont.) • Once risks are identified, conduct risk analysis: Risk – Assess the likelihood (or frequency) of risk occurring – Estimate the potential impact if the risk were to occur – Determine how the risk should be managed High Judgment Required Low Low Impact High Brustein & Manasevit, PLLC 14 Control Activity Examples • • • • • • Segregating Key Responsibilities Restricting Access to Systems and Records (Authorizations / Passwords) Implementing Clear Written Policies in Key Areas Maintaining Physical Control Over Valuable Assets (Security) Maintaining Appropriate Documentation (Approvals, Record Retention) Accurate and Timely Recording of Information – Check for accounting of transactions in numerical sequence Brustein & Manasevit, PLLC 15 Example: Data Security Control Activities Concern: Access to electronic records: Physical access to records: Internal Controls Establish and communicate standards for screensavers and password protected screens. Set up password protected access to electronic records. Do not allow electronic records to be downloaded to mobile workstations and transported outside of the office. Keep important records in lockable, fireproof storage Employee Turnover: Develop a checklist for removing access to records upon separation of an employee or upon transfer out of the unit. Develop a process and assign a point person the responsibility of administering the process for deleting access to records. Passwords: Have a prescribed standard for departmental passwords. Make them complex and enforce a policy for changing passwords periodically. Brustein & Manasevit, PLLC 16 Information and Communications Goal: Ensure personnel receive relevant, reliable and timely information that enables them to carry out their responsibilities. Develop procedures for identifying pertinent information and distributing it in a form and timeframe that permits people to perform their duties efficiently. All personnel must receive a clear message from top down that control responsibilities must be taken seriously. Personnel must understand how they relate to one another in the system. Brustein & Manasevit, PLLC 17 Monitoring Goal: Assess the quality of internal controls over time and ensure any findings are promptly resolved. Ongoing program and fiscal monitoring Regular oversight by supervisors Record reconciliation Formal program reviews/audits OMB Circular A-133 audits Include policies and procedures for correcting any findings in a timely manner Brustein & Manasevit, PLLC 18 Example: Problem with Unallowable Costs – Potential Solutions Look at Resources/Guidance Create Checklists or Use of Funds Manual 1. 2. 3. 4. Is the cost consistent with federal cost principles? Is the cost allowable under the relevant federal program? Is the cost consistent with program specific fiscal rules? Is the cost consistent with the grant (and any special conditions placed on the grant)? Provide Training to Staff Lists of Allowable/Unallowable Costs Brustein & Manasevit, PLLC 19 Example: Problem with Unallowable Costs – Potential Solutions Look at the Budget Process Strengthen the application/budget process Link program elements to use of funds Drop down menu with only allowable costs Section to explain how other example costs are allowable Brustein & Manasevit, PLLC 20 Example: Problem with Unallowable Costs – Potential Solutions Look at Documentation/Record Trail Checklists Review polices and procedures identifying supporting documentation (as well as alternative documentation that will suffice if original is missing/destroyed) Brustein & Manasevit, PLLC 21 Reliability on A-133 Audits “We have no compliance issues, we have clean Single Audits” A-133 Audits are NOT necessarily reliable regarding compliance Not all programs are covered Depth of Review Problems with Quality Hold Firms Accountable – What did they look at? What standard was used in their determinations? Question findings. Brustein & Manasevit, PLLC 22 How To Test Your Internal Controls 1. 2. Identify significant transactions Document an understanding of internal controls in place – 3. 4. Use checklists, flowcharts, narratives or questionnaires to determine the current internal controls Select sample transactions and determine if the sample correctly flows through the internal controls system Note any deviations Brustein & Manasevit, PLLC 23 Internal Controls Test Example Requisition Requested Invoice Sent to Accounts Payable Check Sent to Vendor Requisition approved by Program Director Goods Delivered and Verified Check Cleared; Money Withdrawn from Account Requisition Approved by Finance Office Purchase Order Created Brustein & Manasevit, PLLC 24 Internal Controls Test Example (cont.) Requisition Requested Invoice Sent to Accounts Payable Check Sent to Vendor Requisition approved by Program Director Goods Delivered and Verified Check Cleared; Money Withdrawn from Account Requisition Approved by Finance Office Purchase Order Created Brustein & Manasevit, PLLC 25 Weak Internal Controls – What Now? • Document findings • Discuss the results of the walkthrough with management and inform them of any deficiencies that need immediate attention. • When internal control weaknesses are determined – various options: 1. Increase supervision and monitoring Brustein & Manasevit, PLLC 2. Institute additional or compensating controls 26 No. 1 Indication there is a Compliance Problem… “Because we’ve always done it that way.” 27 Internal Control Weaknesses • Problems – Magical Letters – Unsigned Forms – Automatic Signatures – Stolen Property – Employees in the News Brustein & Manasevit, PLLC 28 If you already have great internal controls in place… • Periodically assess risks and the level of internal control required to protect assets and records related to those risks. – Document the process for review, including when it will take place. • Management is responsible for making sure that all staff are familiar with policies and changes in those policies. Brustein & Manasevit, PLLC 29 The Ultimate Internal Control ~ The Disclaimer ~ This presentation is intended solely to provide general information and does not constitute legal advice. Attendance at the presentation or later review of these printed materials does not create an attorney-client relationship with Brustein & Manasevit, PLLC. You should not take any action based upon any information in this presentation without first consulting legal counsel familiar with your particular circumstances. Brustein & Manasevit, PLLC 30