GOOD INTERNAL CONTROLS and why they fail CUNY

GOOD INTERNAL CONTROLS … and why they fail
CUNY Finance Officers’ Forum
Office of Internal Audit and Management Services
June 25, 2013, updated November 2017

Agenda
• Internal Control Framework
• Winning the Battle Against Fraud
• Internal Control Case Study
• Questions and Answers

What Are Internal Controls?
“A process, effected by an entity’s board of trustees/directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.”
Committee of Sponsoring Organizations of the Treadway Commission

The COSO Organizations

What Are Internal Controls?
• A process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
• Effected by people. It is not merely about policy manuals, systems, and forms, but about people at every level of an organization that impact internal control.
• Able to provide reasonable assurance, not absolute assurance, to an entity’s senior management and board.
• Geared to the achievement of objectives in one or more separate but overlapping categories.
• Adaptable to the entity’s structure.

Internal Control Objectives
• Operations Objectives—These pertain to effectiveness and efficiency of the entity’s operations, including operations and financial performance goals and safeguarding assets against loss.
• Reporting Objectives—These pertain to the reliability of reporting. They include internal and external financial and non-financial reporting.
• Compliance Objectives—These pertain to adherence to laws and regulations to which the entity is subject (e.g., NCAA, Clery Act, R2T4, FLSA, ADA, etc.).

COSO Components of Internal Controls
A sound system of internal controls comprises the following five components:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities

COSO Components of Internal Controls
• Control Environment
  – Tone at the top
  – Commitment to integrity and ethics
• Risk Assessment
  – Organization’s objectives are clear enough to enable risk identification
  – Risk is assessed enterprise-wide and analyzed so that risk management plans can be developed
  – Fraud potential is examined as a contributor to risk
• Control Activities
  – Consist of actions based on policies and procedures that help ensure that management’s risk mitigation directives are carried out
  – Activities are performed at all levels of the entity and within all business processes
  – General control activities are placed over technology to support goal attainment

COSO Components of Internal Controls
• Information and Communication
  – Internal and external communications provide management with the information needed to meet objectives
  – Relevant, quality information supports the functioning of other internal control components
• Monitoring Activities
  – Continuous and periodic evaluations are conducted to ensure that internal controls are in place and are functioning as intended
  – Control deficiencies are communicated in a timely manner to those responsible for taking corrective action

Management’s Responsibility for Internal Controls
Management and Administrators are directly responsible for:
• Implementing and monitoring internal controls
• Documenting policies and procedures to be followed in performance of duties
• Periodically assessing risk of errors and irregularities
• Regularly testing controls, reporting results, and taking corrective action

Control Activities Framework
• Segregation of Duties—no single individual should have control over two or more phases of a transaction or operation (authorization of transactions, custody of assets, recording, processing, reconciliation). Management should ensure a crosscheck of duties.
  – In smaller units, such as an office with only a Department Chairman and an Office Assistant, where segregation of duties is more challenging, a necessary compensating control is increased supervisory oversight.

Control Activities Framework
• Proper Authorization for transactions—by a person delegated approval authority
• Review and Reconciliation of records—by someone other than the preparer, to determine that transactions have been properly processed
• Ensuring that college and university property is physically Secured and accounted for

Control Activities Framework
• Providing employees with appropriate Training and guidance to ensure that they have the knowledge to do their jobs, have appropriate supervision, and know of the channels for reporting suspected improprieties
• Ensuring that University and departmental level Policies and operating Procedures are documented and communicated to employees

Examples of Control Activities
• Check Tampering Controls
  – Order check stock on controlled check paper stock with security features pre-printed.
  – Keep check stock in locked cabinets. If cabinets have combination locks, the code should be restricted to a few individuals and should be changed when employees leave the department.
  – Use positive pay or reverse positive pay—the bank only clears checks shown on the list received from the college. With reverse positive pay, the bank sends a list of checks presented and gets permission to clear.
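The positive pay control described above, worked through as an added example (not code from this presentation or from CUNY): a constructed issued-check register is compared with the checks the bank reports as presented; only exact, first-time matches clear, while altered amounts, duplicate presentments and never-issued checks come back as exceptions for a reviewer who is independent of the check preparer. Check numbers, payees and amounts are made up for the illustration.

```python
"""Positive pay / reverse positive pay reconciliation.

Added illustration, not code from the CUNY deck: the college sends the bank its
issued-check register; the bank (or, under reverse positive pay, the college)
clears only checks that match a register entry exactly, and everything else
becomes an exception for a reviewer who is not the check preparer.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: str
    payee: str
    amount: Decimal


# Constructed sample data (hypothetical payees and amounts, not from the page).
ISSUED = [  # the register the college transmits to the bank
    Check("1001", "Acme Office Supply", Decimal("245.00")),
    Check("1002", "Campus Bookstore Inc", Decimal("1200.50")),
    Check("1003", "J. Doe", Decimal("80.00")),
]
PRESENTED = [  # what the bank reports as presented for payment
    Check("1001", "Acme Office Supply", Decimal("245.00")),     # clean match
    Check("1002", "Campus Bookstore Inc", Decimal("12000.50")), # amount altered
    Check("1003", "J. Doe", Decimal("80.00")),                  # clean match
    Check("1003", "J. Doe", Decimal("80.00")),                  # presented twice
    Check("1010", "Cash", Decimal("500.00")),                   # never issued
]


def _norm(payee: str) -> str:
    """Normalize payee text so spacing/case differences do not raise false exceptions."""
    return " ".join(payee.split()).casefold()


def positive_pay(issued, presented):
    """Return (clear, exceptions).

    A presented check clears only when its number is on the register, it has not
    cleared before, and payee and amount match the register entry exactly.
    Everything else is returned with a reason and must be approved or returned
    by a reviewer independent of whoever prepares checks.
    """
    register = {c.number: c for c in issued}
    cleared_numbers = set()
    clear, exceptions = [], []
    for p in presented:
        entry = register.get(p.number)
        if entry is None:
            exceptions.append((p, "not on issued list"))
        elif p.number in cleared_numbers:
            exceptions.append((p, "duplicate presentment"))
        elif p.amount != entry.amount:
            exceptions.append((p, f"amount mismatch: issued {entry.amount}, presented {p.amount}"))
        elif _norm(p.payee) != _norm(entry.payee):
            exceptions.append((p, f"payee mismatch: issued {entry.payee!r}"))
        else:
            clear.append(p)
            cleared_numbers.add(p.number)
    return clear, exceptions


def reverse_positive_pay(issued, presented):
    """Reverse positive pay: the bank sends the presented list and the college
    replies with the check numbers it permits to clear (the exact matches)."""
    clear, _ = positive_pay(issued, presented)
    return [c.number for c in clear]


if __name__ == "__main__":
    ok, exc = positive_pay(ISSUED, PRESENTED)
    print("cleared:", [c.number for c in ok])
    for check, reason in exc:
        print(f"EXCEPTION check {check.number} {check.payee} {check.amount}: {reason}")
```

The exception list, not the cleared list, is the control output: each item needs a decision (pay or return) recorded by someone outside the disbursement process, and a check that was issued but never presented should be tracked separately as outstanding rather than silently dropped.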

Examples of Control Activities
• Billing Fraud Controls
  – Have written policies and procedures for Purchasing and Accounts Payable. Include P-card purchases.
  – Restrict access to the vendor database. No temporary employees should have access.
  – Make payments from original invoices, not statements or emails.
  – Cancel paid invoices by stamp or defacement.
  – Use A-Routing only for emergencies, if at all.
  – Use IRS and state TIN matching services.

Examples of Control Activities
• General IT Controls
  – Establishment of procedures for creating, modifying, and deleting user accounts
  – Providing all users with a unique user name, in a timely manner
  – Using an authentication system to log on to the network and specific applications
  – Granting user access only to the areas of the applications (including within financial software) and the network needed to perform their job duties
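An added example, not from the deck or any CUNY system, of how the account-lifecycle and least-access items above can be tested on a schedule: a constructed export of a financial application’s accounts is compared with an HR roster and a per-department role matrix (the people, departments, role labels and dates are all assumed), flagging shared accounts with no named owner, accounts still enabled after the owner separated (including logins after the separation date), roles beyond the owner’s job duties, and dormant accounts.

```python
"""User-access review for a financial application.

Added illustration, not code from the CUNY deck: compares the application's
account export with the HR roster and a per-department role matrix, so that the
access-control procedures listed above (account lifecycle, unique named users,
access limited to job duties) can be checked on a schedule.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional


@dataclass
class Account:
    username: str
    owner: str                  # person the account is assigned to; "" if none
    roles: FrozenSet[str]
    last_login: Optional[date]
    enabled: bool = True


@dataclass
class Employee:
    name: str
    department: str
    active: bool
    separated_on: Optional[date] = None


# Constructed sample data; names, departments and role labels are hypothetical.
ROSTER = {
    "Ana Ruiz": Employee("Ana Ruiz", "Accounts Payable", True),
    "Ben Ito": Employee("Ben Ito", "Purchasing", True),
    "Cal Ortiz": Employee("Cal Ortiz", "Bursar", False, date(2017, 9, 30)),
}
# Roles each department needs to perform its job duties (assumed role names).
ROLE_MATRIX = {
    "Accounts Payable": {"ap.view", "ap.pay"},
    "Purchasing": {"po.create", "vendor.view"},
    "Bursar": {"cash.view"},
}
ACCOUNTS = [
    Account("aruiz", "Ana Ruiz", frozenset({"ap.view", "ap.pay"}), date(2017, 11, 1)),
    Account("bito", "Ben Ito", frozenset({"po.create", "vendor.view", "vendor.edit"}), date(2017, 11, 2)),
    Account("cortiz", "Cal Ortiz", frozenset({"cash.view"}), date(2017, 10, 15)),  # owner left 9/30
    Account("temp1", "", frozenset({"vendor.edit"}), None),                        # shared account
]

DORMANT_DAYS = 90


def review_access(accounts, roster, role_matrix, as_of):
    """Return a list of (username, finding) for enabled accounts that violate a control."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are outside this review
        if not acct.owner:
            findings.append((acct.username, "no named owner: shared or generic account"))
            continue
        emp = roster.get(acct.owner)
        if emp is None:
            findings.append((acct.username, "owner not on HR roster"))
            continue
        if not emp.active:
            msg = f"owner separated {emp.separated_on}, account still enabled"
            if acct.last_login and emp.separated_on and acct.last_login > emp.separated_on:
                msg += f"; login on {acct.last_login} after separation"
            findings.append((acct.username, msg))
            continue
        # Least access: any role the owner's department does not need is excess.
        excess = acct.roles - role_matrix.get(emp.department, set())
        if excess:
            findings.append((acct.username, "roles beyond job duties: " + ", ".join(sorted(excess))))
        if acct.last_login is None or (as_of - acct.last_login).days > DORMANT_DAYS:
            findings.append((acct.username, f"dormant: no login in {DORMANT_DAYS} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, ROSTER, ROLE_MATRIX, date(2017, 11, 30)):
        print(f"{user}: {finding}")
```

Each finding maps back to one of the listed controls: the shared account to unique named users, the separated owner to the deletion procedure (and the post-separation login is the evidence that the procedure was not timely), and the excess role to access limited to job duties. The role matrix is the part that has to be owned by the business, not IT, or the review only confirms whatever was granted.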

Why Internal Controls Fail
• Poor tone at the top
  – Upper management pays lip service to the importance of integrity and ethics, or doesn’t adhere to rules others are expected to adhere to
  – Employees begin to sense that integrity and ethics don’t matter or pay off
• Cost or effort exceeds benefit
  – Excessive or expensive controls are difficult to sustain
  – Inefficiencies in processing will lead to workarounds and control gaps
• Inherent Limitations of internal control systems
  – These are largely unavoidable, but certain factors make them more likely to develop
  – Collusion (two or more employees working in concert), exacerbated by:
    • Low employee morale
    • Failure to take action against other wrongdoers
    • Lack of clearly stated policies and procedures

Why Internal Controls Fail
• Inherent Limitations, cont’d
  – Mistakes of judgment
  – Lack of employee training
  – Lack of clearly stated policies and procedures
  – Inadequate supervision
• Carelessness
  – Lack of employee training
  – Inadequate review and supervision
  – Presence of unnecessary workplace distractions
• Management Override
  – Poor system of accountability in organization
  – High performance expectations
  – Absence of background checks for key positions
  – Inadequate controls in IT systems

Warning Signs of Internal Control Weakness
• Internal control system focuses more on detective controls for errors and irregularities than on preventive controls
• Increased expenditures / decreased revenues
• General ledger account anomalies such as high tuition refunds
• Increase in duplicate vendor payments
• Invoices submitted for payment lack sufficient detail
• Rise in number of internal/external audits and in audit findings
• Increase in sanctions, penalties, and fines assessed by regulatory bodies
• Increase in complaints alleging fraud, waste, or abuse
• Increase in attempts to penetrate systems security
• High turnover in key positions
• Low employee morale

Internal Controls at CUNY
• Internal Control Self-Assessment
• NYC Comptroller Directive #1 for CCs and HCS
• Internal Audits
• Risk Management and Internal Controls Committee
• Employee Assistance Program
• Chief Compliance Officer Appointed
• Office of Environmental Health, Safety, and Risk Management
• Various Councils (e.g., Administrative, Business Managers, Bursars, Revenue Management, R2T4 Coordinators, Financial Aid Directors, IT Steering Committee)
• Web Resources (e.g., Manual of General Policy, IT Security Policy, Tuition and Fee Manual, Board Minutes, Cash Management and Banking Guidelines, etc.)

Internal Control Self-Assessment
Areas Covered Previously:
• Accounting Office (Non-Tax Levy)
• Accounts Payable
• Adult and Continuing Education
• Bursar
• Financial Aid
• Human Resources
• Institutional Advancement
• Office of Information Technology
• Payroll
• Property Management
• Public Safety
• Purchasing/Procurement
• P-Card
• Receiving
New Areas:
• Chief Academic Officer/Provost
• Registrar
• Child Care

FRAUD

Fraud Defined
“The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.”
Association of Certified Fraud Examiners

The Cost of Fraud
According to the Association of Certified Fraud Examiners:
• The average organization loses 5% of its annual revenues to fraud, or $3.7 trillion of 2014 Gross World Product.
• The median loss from fraud was $150,000 in the period of January 2014 through October 2015.
• Asset misappropriation was the most common fraud scheme, occurring in 83% of cases, but the median loss was only $125,000.
• Financial Statement fraud, although less common, occurring in only 10% of cases, caused a median loss of $975,000.
• Billing schemes and check tampering schemes posed the greatest risk based on relative frequency and median loss.
• The perpetrator’s level of authority is strongly correlated with the size of the fraud. The median loss in schemes by executives was $703,000, four times higher than losses caused by managers ($173,000), and 11 times higher than losses caused by employees ($65,000).

Fraud in Government Organizations
Scheme types:
• Corruption
• Billing
• Non-cash
• Expense Reimbursements
• Skimming
• Payroll
• Cash on Hand
• Check Tampering
• Cash Larceny
• Financial Statement Fraud
• Register Disbursements
Frequencies shown on the slide: 38.4%, 25.3%, 19.1%, 15.7%, 14.0%, 13.5%, 10.5%, 9.2%, 7.9%, 1.7%
Source: Association of Certified Fraud Examiners, 2016 Report to the Nations

Fraud in Educational Organizations
Scheme types:
• Billing
• Corruption
• Skimming
• Cash on Hand
• Non-Cash
• Expense Reimbursements
• Cash Larceny
• Payroll
• Check Tampering
• Register Disbursements
• Financial Statement Fraud
Frequencies shown on the slide: 34.1%, 31.8%, 25.0%, 17.4%, 15.9%, 13.6%, 7.6%, 1.5%, 5.3%
Source: Association of Certified Fraud Examiners, 2016 Report to the Nations

Initial Detection of Fraud
• Tip: 43.3%
• Management Review: 14.6%
• Internal Audit: 14.4%
• By Accident: 7.0%
• Account Reconciliation: 4.8%
• Document Examination: 4.1%
• External Audit: 3.3%
• Notified by Police: 3.0%
• Surveillance/Monitoring: 1.9%
• Confession: 1.5%
• IT Controls: 1.1%
Source: Association of Certified Fraud Examiners, 2016 Report to the Nations

Percentage of Victim Organizations that had the Below Anti-fraud Controls in Place
• External Financial Stmt Audit: 81.7%
• Code of Conduct: 81.1%
• Internal Audit Department: 73.7%
• Management Certification of Fin Stmts: 71.9%
• External audit of ICOFR*: 67.6%
• Management Review: 64.7%
• Independent Audit Committee: 62.5%
• Hotline: 60.1%
• Employee Support Programs: 56.1%
• Fraud Training for Employees: 51.6%
• Fraud Training for Mgrs/Execs: 51.3%
• Anti-Fraud Policy: 49.6%
• Dedicated Fraud Dept, Function, or Team: 41.2%
• Formal Fraud Risk Assessments: 39.3%
• Surprise Audits: 37.8%
• Proactive Data Monitoring/Analysis: 36.7%
• Job Rotation/Mandatory Vacations: 19.4%
• Rewards for Whistleblowers: 12.1%
* Internal Control Over Financial Reporting
Source: Association of Certified Fraud Examiners, 2016 Report to the Nations

Fraud Triangle*
• Pressure/Incentive
• Opportunity
• Rationalization
*Some theorists are now suggesting a fraud diamond rather than a triangle, adding a fourth factor, “Capability,” which they believe is a necessary, separate element.

Why Universities are Susceptible to Fraud
1. Salary levels are moderate
2. Reluctance to prosecute – fear of negative publicity
3. Budget cuts hamper segregation of duties

CUNY’s Response to Fraud
• Fraud allegations reported to OGC, Internal Audit, or University Public Safety are routinely referred by OGC to the State Inspector General.
• CUNY has a zero-tolerance policy for handling perpetrators
• Internal/Surprise audits
• CUNY has updated many of its policies and procedures
• CUNY is considering the establishment of a fraud hotline/helpline

Fraud Schemes Seen at CUNY
• Secret bank account opened for diverting of tuition and fee revenue
• P-Card used to purchase goods for personal benefit, including sale on eBay
• Student housing fees misappropriated by student services accountant
• Invoices altered by A/P manager so payment would be made to a bank account in another locality
• New York check-fraud ring cashing fraudulent CUNY checks at check-cashing establishments
• Facilities Rental/Licensing fees misappropriated in billing fraud/skimming scheme
• Faculty charging students directly for unauthorized courses and unauthorized certifications

P-Card Case Study Exercise

Internal Control Basics: Purchase Card Case Study
Assignment: Given the objective, risk, and control activities, identify at least 5 violations of internal control in the example case study below.

A small state agency has four employees: an executive director, a deputy director, a fiscal analyst (FA), and an administrative assistant (AA). All employees have been with the agency since it was formed about two years ago. The agency has been using purchase cards for about a year.

The FA and AA each have a purchase card that they ordered themselves. They also each set their own spending limits on their cards. They each order goods and services. They are careful to follow the state purchasing rules, and use state contracts whenever possible. The FA and AA each verify that their own goods and services were received, and sign the packing slip or invoice. The FA authorizes payment on both purchase cards.

The executive director does not have a purchase card in his name. However, the AA has written the account number for her purchase card in his planner so that he can occasionally order goods and services. He usually does not keep the credit card receipts for his purchases, but he does tell the AA what he purchased and instructs her on what expenditure coding to use. The AA then forwards the bill to the FA for payment.

P-Card Case Study—Cont’d
The AA purchases most of the goods and services for the agency with her purchase card. She always keeps her purchase card with her in her purse. She also keeps receipts for all purchases that she has made in a folder in her desk drawer, verifies that the goods and services were received, and reconciles all receipts to her purchase card statement before sending to the FA for payment.

The FA has known the AA since high school. Since he has known her for so long, he trusts her and takes her word that she has reconciled all receipts to her statement. He always authorizes and makes payment on her purchase card based on her word, especially since he knows that she keeps all documentation.

The FA also purchases goods and services with his purchase card. Most of the charges on his card are for recurring payments, like the lease of office space, agency phone bills, etc. Since these are all agency charges, he authorizes and makes payment on his purchase card.

The agency has written policies on purchase cards, but they aren’t specific to the agency yet. They were obtained from a friend at another agency, and the AA is eventually going to make some modifications so that they are specific to the agency. Training is not formally provided since only two people in the agency are primarily using purchase cards. They tell each other when problems are encountered with the cards, so they feel that they are informed enough to be able to use them.

Answers:
1. The FA and AA should not order their own cards. That is the agency program administrator’s role, to order cards, receive them, and then deliver them to card holders.
2. The FA and AA should not be setting their own spending limits on their cards. That should be the approving official’s role.
3. There isn’t an agency program administrator. It seems that would be an appropriate role for either the director or deputy director. (The same position should not act as both the agency program administrator and the approving official.)
4. There isn’t an approving official. It seems that would be an appropriate role for either the director or deputy director. (The same position should not act as both the agency program administrator and the approving official.)
5. An approving official should be verifying that the FA and AA did in fact receive the goods and services they ordered, that they have completed timely reconciliations of their card statements, and that they have kept appropriate documentation. This should be done on a routine basis.

P-Card Case Study Answers—Cont’d
6. The FA should not be authorizing payment on his own card. The authorization should come from the approving official, who should also review the FA’s reconciliations before authorizing payment.
7. The security of the AA’s card is compromised by her writing her account number in the director’s planner and keeping the card in her purse. The card should be kept in a locked location when not in use.
8. Since the agency has individually assigned cards, only the person to whom the card has been assigned should be using the card. So the director shouldn’t be making purchases using the AA’s card number. Also, the director usually doesn’t keep the receipts for his purchases. All receipts should be kept.
9. The FA should not be authorizing payment on the AA’s card based solely on her word. An independent person, like an approving official, should be reviewing the AA’s reconciliations and be the one to authorize payment.
10. The agency should update its written policies on purchase cards so that they are specific to the agency.

P-Card Case Study Answers—Cont’d
11. Even though this is a small agency, training should still be provided on the agency and state policies and procedures, and the appropriate use of the purchase card. It should be provided before the cardholders start using the card.
12. There are no signed card user agreements. The agency program administrator should ensure that a card user agreement form has been signed by both the card user and the appropriate approving official before issuing the card.
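The answers above, together with the segregation-of-duties rule from the Control Activities Framework, turned into an automated check as an added example (not code from this deck or from any agency system): constructed card and transaction records reproduce the case-study facts, and each rule is applied to them (the program administrator orders cards, the approving official sets limits and authorizes payment, one user per card, receipts kept, signed user agreements, and the two roles held by different people). The role holders named in ROLES, the card ids and the amounts are assumptions made for the illustration.

```python
"""Purchase-card control check modeled on the case-study answers.

Added illustration, not code from the deck or any agency system: encodes the
answers above (cards ordered and limits set by the program administrator and
approving official, one user per card, receipts kept, no self-authorization,
signed user agreements) as rules run over card and transaction records.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass
class Card:
    card_id: str
    holder: str
    ordered_by: str
    limit_set_by: str
    agreement_signed: bool


@dataclass
class Transaction:
    ref: str
    card_id: str
    purchaser: str
    amount: Decimal
    receipt_on_file: bool
    authorized_by: Optional[str]


# Who holds which role in the agency (assumed; the case study has neither role filled).
ROLES = {"program_administrator": "Deputy Director", "approving_official": "Executive Director"}

# Constructed records that reproduce the case-study facts: FA and AA ordered
# their own cards, set their own limits and signed no agreements; the director
# buys on the AA's card without receipts; the FA authorizes payment on his own card.
CARDS = [
    Card("AA-4411", holder="AA", ordered_by="AA", limit_set_by="AA", agreement_signed=False),
    Card("FA-7720", holder="FA", ordered_by="FA", limit_set_by="FA", agreement_signed=False),
]
TRANSACTIONS = [
    Transaction("T1", "AA-4411", "Executive Director", Decimal("89.99"), False, "FA"),
    Transaction("T2", "AA-4411", "AA", Decimal("310.00"), True, "FA"),
    Transaction("T3", "FA-7720", "FA", Decimal("2500.00"), True, "FA"),
]


def check_pcard_controls(cards, transactions, roles):
    """Return a list of (record id, finding) for every control violation found."""
    admin = roles["program_administrator"]
    approver = roles["approving_official"]
    findings = []
    # Answers 3/4: administering the program and approving spend must be separate positions.
    if admin == approver:
        findings.append(("roles", "program administrator and approving official are the same position"))
    by_id = {c.card_id: c for c in cards}
    for c in cards:
        if c.ordered_by != admin:            # answer 1
            findings.append((c.card_id, f"card ordered by {c.ordered_by}, not the program administrator"))
        if c.limit_set_by != approver:       # answer 2
            findings.append((c.card_id, f"spending limit set by {c.limit_set_by}, not the approving official"))
        if not c.agreement_signed:           # answer 12
            findings.append((c.card_id, "no signed card user agreement"))
    for t in transactions:
        card = by_id.get(t.card_id)
        if card is None:
            findings.append((t.ref, f"charge on unknown card {t.card_id}"))
            continue
        if t.purchaser != card.holder:       # answer 8
            findings.append((t.ref, f"used by {t.purchaser} but card is assigned to {card.holder}"))
        if not t.receipt_on_file:            # answer 8
            findings.append((t.ref, "no itemized receipt on file"))
        if t.authorized_by is None:
            findings.append((t.ref, "payment not authorized"))
        elif t.authorized_by == card.holder: # answer 6
            findings.append((t.ref, f"cardholder {card.holder} authorized payment on own card"))
        elif t.authorized_by != approver:    # answers 5/9
            findings.append((t.ref, f"authorized by {t.authorized_by}, not the approving official"))
    return findings


if __name__ == "__main__":
    for record, finding in check_pcard_controls(CARDS, TRANSACTIONS, ROLES):
        print(f"{record}: {finding}")
```

The check deliberately separates card-level findings (who issued the card, who set the limit, whether an agreement exists) from transaction-level ones (who used it, who approved it, whether a receipt exists), because the former are fixed once by the program administrator while the latter recur every statement cycle and belong in the monthly review.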

P-Card Best Practice Process Flow
1. Make purchase with P-card and obtain itemized receipt
2. Enter receipt into procurement transaction log
3. Reconcile monthly statement with transaction log
4. Contact program administrator for disputed items
5. Assemble receipts package—keep a copy
6. Give transaction log and receipts package to supervisor for review for inappropriate purchases
7. Submit to accounts payable for secondary review and processing

P-Card Do’s and Don’ts
• Appropriate P-Card Purchases
  – Preferred sources
  – OGS Contracts
  – Maintenance/Repairs of Equipment
  – Supplies and Materials
  – Equipment
  – Printing
  – Conference/seminars
  – Freight
  – Personal Services (non-travel)
• Inappropriate P-Card Purchases
  – Personal Use
  – Travel/entertainment (e.g., airline, car rental, lodging)
  – Rent
  – Cash Advances
  – Gas (Fleet Card should be used)
  – Cash refunds
  – Formal contracts (P-Card payments may not be used for formal contracts or purchase orders approved by OSC, except OGS contracts)

QUESTIONS AND ANSWERS
• How do you measure the success of an internal control program?
• Would a fraud hotline do more harm than good?

References
• Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study, Austin, TX, 2016
• McMillan, Edward J., Policies and Procedures to Prevent Fraud and Embezzlement—Guidance, Internal Controls, and Investigation, Wiley, New Jersey, 2006
• Bragg, Steven M., Accounting Best Practices (6th Edition), Wiley, New Jersey, 2010
• Bragg, Steven M., Accounting Control Best Practices (2nd Edition), Wiley, New Jersey, 2009
• Office of the State Comptroller, Division of Local Government and School Accountability, The Practice of Internal Controls—Local Government Management Guide, New York, 2010
• Committee of Sponsoring Organizations of the Treadway Commission, Internal Control—Integrated Framework (Draft), 2011
• Schwartz, Larson, and Kranacher, Helping to Prevent University Fraud, Deloitte, 2008