410pm - Checks and Balances - Improving

Checks and Balances:
Improving Accountability Through Internal
Controls
May 26, 2011
Dan Barrón, Partner
Darla Kerico, Senior Manager NPSG
Grant Thornton LLP
© Grant Thornton. All rights reserved.
Checks and Balances:
Improving Accountability Through Internal Controls
Today's topics
• Internal Controls - What Are They?
• Internal Controls - Why Do You Care?
• Common Control Activities
• Fraud
Internal Controls - What Are They?
• COSO definition – A process, effected by those
charged with governance, management and other
personnel, designed to provide reasonable
assurance regarding the achievement of objectives
in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws & regulations
Internal Controls - What Are They?
• Key COSO concepts:
– Internal control is a process
– Internal control is effected by people
– Internal control can be expected to provide only
reasonable assurance, not absolute assurance
– Internal control is geared to the achievement of
objectives in one or more separate but
overlapping categories
Definition Of Internal Control - Simplified
Those processes that management relies
on to make sure things don’t get goofed up
Internal Controls - Hitting the Target
Internal controls should provide reasonable
assurance that:
• Transactions are properly authorized
• Assets are safeguarded
• Transactions are properly
recorded and reported
• Competency prevails
Internal Controls - Why Do You Care?
• Fiduciary responsibility as a member of the executive
management team
• How many of you in the audience sign the year-end
representation letter to the external auditors?
• Key representations:
– Responsible for internal control environment
– No known significant deficiencies in the design of or
operation of internal controls
– Acknowledge responsibility for the design and
implementation of programs and controls to prevent and
detect fraud
– No known material instances of fraud
Control Environment:
The Foundation for Internal Controls
Four interrelated components:
• Risk assessment - identification and analysis of relevant
risks to achievement of organizational objectives, which
form the basis for management decisions regarding the
best means of managing risk
• Control activities - policies and procedures that help ensure
that management directives are carried out
• Information and communication - the identification, capture
and exchange of information in a form and time frame that
enable people to carry out their responsibilities
• Monitoring - the process by which the quality of internal
control performance is assessed over time
Three basic types of internal controls
1. Operational controls pertain to the effectiveness
and efficiency of an operation
2. Financial controls concentrate on the reliability
and integrity of the financial information
3. Compliance controls apply to the ability of the
organization to continue operations and the
reputation of the entity in the marketplace
Control Activities
Policies and procedures that help ensure that
management's directions are carried out, which
include a range of activities such as:
– approvals
– authorizations
– verifications
– reconciliations
– reviews of operating performance
– security of assets, and
– segregation of duties
Common Control Activities
• Budgeting and Regular Financial Reporting
• Safeguarding of Assets and Physical Controls
• Effective Computer Security Measures
• Segregation of Duties
• Investment Policies and Procedures
• Documented Accounting Procedures and Controls
Controls Over Specific Accounts And
Transactions: Cash and Cash Equivalents
• All cash is received and deposited in a timely manner
• All cash disbursements are for authorized transactions and
for the correct amounts
• All cash accounts are reconciled to the general ledger in a
timely manner
• All cash related transactions are recorded in the correct
account, in the correct amount, and in the proper
accounting period
• Cash not required for operations is invested in a timely
fashion.
Controls Over Specific Accounts And
Transactions: Cash Receipts
• Incoming mail opened and a listing of cash and/or checks received
should be made under the supervision of a responsible official. This
listing should be compared to the actual deposit made to ensure the
completeness of the deposit
• Checks immediately restrictively endorsed
• Use of a bank lockbox
• Prenumbered tickets or logs when processing cash receipts and require
each person processing a ticket or log to initial it
• Deposit all cash receipts intact daily, if possible, and adequately
safeguard undeposited receipts
• Prompt investigation of checks returned for insufficient funds
Controls Over Specific Accounts And
Transactions: Cash Disbursements
• Physical access to cash and unissued checks restricted to authorized personnel
• Checks and bank transfers prepared only for authorized and documented
transactions by authorized personnel
• Supporting documentation such as invoices and check requests initialed by a
responsible individual indicating proper authorization
• Policy stating specific dollar limits for checks that require two signatures or one
signature
• Disbursement and bank transfers prepared by someone other than the person
who initiated the transaction
• Mechanical check signers used sparingly
• Payment made from an original invoice
• Supporting documents should be stamped “posted” or “paid”
• Prenumbered checks issued in numerical sequence
• Use of postdated checks, checks payable to bearer or cash, and signatures of
blank checks prohibited
• After signature, all checks forwarded directly to the payee
Controls Over Specific Accounts And
Transactions: Other Cash Controls
• Petty cash funds kept to the minimum amount
practical
• Individuals handling cash included in fidelity bond
coverage
• Number of bank accounts limited to a reasonable
number and unused accounts promptly closed
• Bank accounts reconciled as soon as possible
after receiving the statements and necessary
adjustments made to the general ledger
• Old outstanding checks investigated and resolved
Controls Over Specific Accounts And
Transactions: Payroll
• Use of an outside payroll service such as ADP
• Payroll and related benefits only paid to bona fide
employees at approved salary and benefit rates
• Payroll transactions properly recorded in the general ledger
and properly allocated to functional areas based on time
and effort reports
• Payroll taxes properly reported and remitted to federal and
state taxing authorities
• Payroll records maintained in accordance with entity and
government policies
• Employee benefit programs maintained in accordance with
applicable laws and regulations
Controls Over Specific Accounts And
Transactions: Payroll (Cont.)
• Hiring and personnel changes in accordance with entity policy
• Payroll and personnel information kept confidential with access allowed
only to authorized personnel
• Salary levels and salary changes approved by the executive director or
board in conformity with the organization's normal procedures
• Payroll prepared based on properly documented timesheets or other
attendance records
• Payments for overtime pay properly approved
• Vacation, holiday, and sick pay accurately tracked
• Employee names and pay rates verified with each payroll run
• Individual who signs payroll checks different than the person who
prepares the payroll
• Reconcile salary and benefit expenses recorded in the general ledger
with payroll information reported to the IRS
Controls Over Specific Accounts And
Transactions: Grant or Contract Revenue
• Procedures for the proper review of all grant and contract
proposals
• Accounting system properly designed to capture direct
costs and revenues for each individual grant or contract
• Reasonable and rational method developed for allocating
indirect costs to each award
• Grants and contracts properly supervised to ensure that
expenditures are made only for the purposes stated in the
grant and that compliance with grant requirements is met
• Appropriate revenue recognition criteria must be
established
Controls Over Specific Accounts And
Transactions: Fixed Assets
• Adequately budgeting for fixed asset acquisitions
• Documented procedure for the sale or disposal of fixed
assets
• Establishing a stated capitalization policy for recording fixed
assets
• Properly accounting for and assigning responsibility for
portable fixed assets such as laptop computers
• Periodically inspecting fixed assets and comparing the
inventory of fixed assets with amounts recorded on the
general ledger and in insurance records
Three categories of control deficiencies
A control deficiency exists when the
design/operation of a control does not allow
management or employees, in the normal course
of performing their assigned functions, to prevent
or detect and correct misstatements on a timely
basis.
Three categories of control deficiencies (cont.)
A significant deficiency is a deficiency, or
combination of deficiencies, in internal control, that is
less severe than a material weakness, yet important
enough to merit attention by those charged with
governance.
Three categories of control deficiencies (cont.)
A material weakness is a deficiency, or a
combination of deficiencies, in internal control, such
that there is a reasonable possibility that a material
misstatement of the entity's financial statements will
not be prevented, or detected and corrected on a
timely basis.
Auditor Considerations
• Does a control deficiency – or a combination of deficiencies
– constitute a significant deficiency or a material
weakness?
• Would prudent officials with knowledge of the facts and
circumstances agree with the auditor's assessment?
• Are effective compensating or complementary controls in
place?
• What is "material" to the financial statements from a
quantitative and qualitative perspective?
• What is the "potential" error vs. the "actual" error?
Auditor's Reporting Responsibilities
• Significant deficiencies and material weaknesses
should be communicated, in writing, to
management and those charged with governance
• Includes significant deficiencies and material
weaknesses that were communicated in previous
audits and have not yet been remediated
• Communication should be no later than 60 days
following the report release date
Sarbanes-Oxley Act of 2002
• Public accounting firms have changed how they
relate to all clients, whether required to do so or
not
• Sarbanes-Oxley created a new public awareness
of issues of accountability and independence that
has "spilled over" into the not-for-profit sector
• NFP board members now model themselves on
corporate governance "best practices" initiated
by Sarbanes-Oxley
Implications for Not-for-Profit Board
Governance - Best Practices
• The Board should take responsibility and assess
the effectiveness of internal controls over financial
reporting
• Internal controls should provide reasonable
assurance that:
– Transactions are properly authorized
– Assets are safeguarded
– Transactions are properly recorded and reported
Implications for Not-for-Profit Board
Governance - Best Practices (cont.)
• The CEO and CFO should establish and monitor
effective systems of internal control
• Any known deficiencies in financial reporting and
internal control should be reported to the Board
• Auditor should report to the Board its assessment
of the organization's internal control structure and
procedures
What is fraud?
• Any intentional or deliberate act to deprive another
of property or money by guile, deception or other
unfair means. The elements of fraud are:
– a false representation about a material fact
– made intentionally
– believed and acted upon by the perpetrator
– to the victim’s damage
Definition of Fraud
• Fraud is a type of illegal act involving the obtaining of
something of value through willful misrepresentation.
Whether an act is, in fact, fraud is a determination to
be made through the judicial or other adjudicative
system and is beyond auditors' professional
responsibility. (GAO Yellow Book)
• For purposes of the section, fraud is an intentional act
that results in a material misstatement in financial
statements that are the subject of an audit. (AICPA –
SAS No. 99)
Types of Fraud
• Types of fraud:
– Asset misappropriations
– Corruption
– Fraudulent financial statements
• Asset misappropriation is the most common of the
three schemes – 90% plus
• Survey participants estimated that the typical
organization loses 5% of its annual revenue to
fraud.
Source - Association of Certified Fraud Examiners, 2010 Report to the Nation on Occupational Fraud and Abuse
Why and How Does Fraud Occur?
The Fraud Triangle
Opportunity is generally provided through
weaknesses in the internal controls, such as
inadequate or no:
• supervision and review
• segregation of duties
• system controls
Pressure can be imposed due to:
• personal financial problems
• personal vices such as gambling, drugs,
extensive debt, etc.
• unrealistic deadlines and performance goals
Rationalization occurs when the individual
develops a justification for their fraudulent
activities.
Common Causes of Fraud
• Weak internal control system
• Lack of monitoring of internal controls
• Poor or inadequate training
• High management turnover
• Collusion among employees
• Transactions executed without proper authorization
The "Red Flags" of Fraud
• Not separating functional responsibilities of
authorization, custodianship, and record keeping.
• Unrestricted and unmonitored access to assets or data
• Not recording transactions resulting in lack of
accountability
• Not reconciling assets with the appropriate records
• Unauthorized transactions
• Unimplemented controls because of the lack of or
unqualified personnel
• Employees over whom there is little to no supervision
Accounting "Red Flags"
• Fictitious/altered/photocopied receipts
• Missing documents
• Stale/increasing reconciling items
• Unusual bank statement items
• Excessive voids/credits
• Second endorsements on checks
• Duplicate payments
• Things that don't make sense
Not-for-profit organizations are not immune to
scandal and bad publicity
• Recent University ticket scandal $1.3 million
• Veterans cheated for benefit of foundation executives
• Former University President Indicted for Embezzling $1.5
Million
• Former CEO of a not-for-profit was sentenced to 10 years
in prison and ordered to pay $65 million in restitution
• In the same case, a board member was sentenced to 3
years in prison and ordered to pay $1.7 million in restitution
Measures That Are The Most Helpful in
Preventing Fraud
• Strong internal controls
• Background checks on new employees
• Regular fraud audits
• Established fraud policy
• Willingness of entities to prosecute
• Ethics training for employees
• Anonymous fraud reporting mechanisms
• Workplace surveillance
Source - Association of Certified Fraud Examiners, 2006 Report to the Nation on Occupational Fraud and Abuse
The very best fraud prevention
mechanism is to put forth the perception
that... if you do something wrong, you will
be caught... and the punishment will be
swift and severe
Questions, answers, discussion
Contact information
Dan Barrón
Partner, Audit
T: 214-561-2440
E: Dan.Barron@us.gt.com
Darla Kerico
Senior Manager, National Professional Standards
Group
T: 214-561-2457
E: Darla.Kerico@us.gt.com