Internal Controls
Angie Ziegler, CPP – Manager, Eide Bailly
Joel Stencel, CPA – Manager, Eide Bailly
www.eidebailly.com

Question: What size company has the most employee embezzlements?
A. Less than 150 employees
B. 150 – 250 employees
C. 250 – 500 employees
D. More than 500 employees

Answer: What size company has the most employee embezzlements?
A. Less than 150 employees
B. 150 – 250 employees
C. 250 – 500 employees
D. More than 500 employees

What are Internal Controls?
• Institute of Internal Auditors Definition: A process, effected by an entity's board of directors (governing board), management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives
• Includes
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with laws and regulations

What Internal Controls Can Do?
• Help achieve performance goals and objectives
• Help prevent loss of resources
• Help ensure reliable reporting
• Help ensure compliance with laws and regulations

More Examples of Control Activities
• Change computer passwords
• Periodic analysis
• Require vacations
• Cross train employees
• Budget vs. actual review

What Internal Controls Cannot Do
• Internal Controls can only help an entity achieve its goals and objectives
  • They cannot change inherently poor management or shifts in government policy
  • They cannot provide absolute assurance, only reasonable assurance
  • They cannot prevent simple errors and mistakes
  • They can be circumvented

Don’ts
• Subordinates approve boss’ travel or expense reimbursements
• Too many controls (causes people to circumvent)
• Inversely – not enough controls
• No reconciliations
• Too much trust in one person

Someone Is Up To No Good
• What is the estimated annual loss of revenue to fraud for a typical organization?
A. 2%
B. 5%
C. 15%
D. 25%

Types of Fraud
• Misappropriation of assets
  • 85% of fraud causing a median loss of $130,000
• Misrepresentation in financial statements
  • 9% of fraud causing a median loss of $1 million
• Corruption schemes
  • 6% of fraud causing a median loss of $200,000

Someone Is Up To No Good
• More than 80% of all corporate frauds were committed by employees in six departments. Which department topped the list, with 17% of the crimes?
A. Sales
B. Accounting
C. Senior management
D. Purchasing

Higher Risk Organizations
• Three highest organizations for fraud
  • Governments (15%, with a median loss of $90,000)
  • Banking
  • Manufacturing

Components and Principles of Effective Internal Control

Component: Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Component: Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Component: Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Component: Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Component: Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Drilling down on one aspect
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
Points of Focus:
• Sets the Tone at the Top
• Establishes Standards of Conduct
• Evaluates Adherence to Standards of Conduct
• Addresses Deviations in a Timely Manner
Notes:
• Points of focus may not be suitable or relevant, and others may be identified
• Points of focus may facilitate designing, implementing, and conducting internal control
• There is no requirement to separately assess whether points of focus are in place

How Various Controls Affect Principles, e.g., Control Environment
Component: Control Environment
Principle: 1. An organization demonstrates a commitment to integrity and ethical values
Controls embedded in other components may affect this principle:
• Information Technology staff tests for data breaches of personally identifiable information continuously (Control Environment)
• Management obtains and reviews data and information underlying potential deviations captured in reports generated immediately upon occurrence (Information & Communication)
• Risk manager separately evaluates Control Environment, considering employee behaviors and whistleblower hotline results and reports thereon (Monitoring Activities)

Control Objective 1: Control Environment
How Does Your County:
1. Demonstrate commitment to integrity and ethical values
2. Exercise oversight responsibility
3. Establish structure, authority and responsibility
4. Demonstrate commitment to competence
5. Enforce accountability

Components and Principles of Effective Internal Control
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

How Various Controls Affect Principles, e.g.,
Component: Risk Assessment
Principle: The Controller identifies risks to the achievement of the objectives across the office and analyzes risks as a basis for determining how the risks should be managed.
Controls embedded in other components may affect this principle:
• As part of the meetings with senior staff on goals and objectives, risks are noted and potential controls against those risks are brainstormed and initiated if approved by the audit committee. (Risk Assessment)
• The result of the brainstorming is communicated to staff as part of semiannual reviews. (Information & Communication)
• A dashboard of risks is established and is updated with each batch cycle. Employee reviews are completed timely. (Monitoring Activities)

Control Objective 2: Risk Assessment
How Does Your Organization:
6. Specify suitable objectives
7. Identify and analyze risk
8. Assess fraud risk
9. Identify and analyze significant change

Components and Principles of Effective Internal Control
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.

How Various Controls Affect Principles, e.g.
Component: Control Activities
Principle: The Controller selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Controls embedded in other components may affect this principle:
• Every two years, the Controller rotates duties among the divisional managers not only to provide them with a broader experience but also to lower the risk of financial reporting fraud. Staff enjoys the rotation as they are not working the same job repeatedly. (Control Activity)
• A report is developed predicting payables over the next 30 days and disseminated to fiscal officers. The payables are compared to encumbrances. (Information & Communication)
• The Controller reviews payables that are unusual, or above $5,000 or infrequent. (Monitoring Activities)

Control Objective 3: Control Activities
How Does Your Organization:
10. Select and develop control activities
11. Select and develop general controls over technology
12. Deploy through policies and procedures

Components and Principles of Effective Internal Control
Information & Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

How Various Controls Affect Principles, e.g.
Component: Information & Communication
Principle: The operator of a gas station obtains or generates and uses relevant, quality information to support the functioning of internal control.
Controls embedded in other components may affect this principle:
• With each credit card transaction, if the transaction is unauthorized, an error is generated and the attendant is notified. Gas pumps do not work unless cash is paid. Instances of fraudulent credit cards are notified immediately to local police via a push button or tie in. (Information & Communication; Control Activity)
• Video surveillance is used on all transactions and is monitored by the station owner. Tapes are stored for a minimum of 60 days and are timestamped. (Monitoring Activities)

Control Objective 4: Information and Communication
How Does Your Organization:
13. Use relevant information
14. Communicate internally
15. Communicate externally

Components and Principles of Effective Internal Control
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and those charged with governance, as appropriate.

How Various Controls Affect Principles, e.g.
Component: Monitoring Activities
Principle: The Controller selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Controls embedded in other components may affect this principle:
• The quality assurance division reports are also transmitted to the division where the problem occurred. Corrective action is taken. If no corrective action is accomplished, the employee’s personnel file contains the issue and if repeated, could be grounds for termination. (Control Activity)
• Statistical reports on uses of personally identifiable activity are reported to employees on a monthly basis. All employees are trained semi-annually on when / how / who can access PII. (Information & Communication)
• Reports on detections of improper use of personally identifiable information by employees are escalated to a senior review board that investigates all activities and reacts to breaks in accordance with state law. (Monitoring Activities)

Control Objective 5: Monitoring
How Does Your Organization:
16. Conduct ongoing and/or separate evaluations
17. Evaluate and communicate deficiencies

Payroll Schemes
• Basic Components of a solid system
• Segregation of job duties
• Rotation of job duties
• Payroll distribution
• Ghost or Phantom Employees
• Manipulated time records

Payroll Schemes
• Continued…
• Unclaimed payroll checks
• Writing extra payroll or bonus checks
• Leave time manipulation
• Withholding fraud
• W-2 fraud
• Computer Edits or Negative deductions

Segregation of Job Duties
• Large Company/Small Company
• One person department
• Have the accounting department complete all payroll bank account reconciliations
• Department heads are asked to check employee list against the list of employees who received paychecks
• Store paychecks outside the payroll department, but keep the key in the payroll department.

Rotation of Job Duties
• Training manuals
• Short cuts can develop
• Efficiencies
• Take a vacation
• Penalties of taxes if only one person knows the due dates
• Have a third party step in

Payroll Distribution
• Paycheck, Direct Deposit, or electronic paycards
• Who is allowed to receive the paycheck?
• Security of paychecks
• Should never be left in an unlocked cabinet
• Paychecks that cannot be delivered to employee should be returned to the payroll department
• Employee’s private information is on paychecks
• Unclaimed Paychecks
• When do you turn this into the state?
• Don’t put this back into your cash accounts!

Phantom Employees
• What are Phantom employees?
• Remote Locations
• False information
• Name
• Social security number
• Direct deposit account
• How do you catch this?
• Payroll Department/Auditor delivers all checks and stubs (show ID)
• Run a report for matching direct deposit numbers
• SSA can run a match on social security numbers

Negative Deductions/Computer Edits
• Negative pay deductions
• Over withheld deductions
• Employee reimbursement for business expense
• Flex Spending accounts
• Computer system edits
• Manager should run an edit log to review any changes
• Review new hires, term employees, negative deductions

Blank Checks
• This is the largest source of potential exposure in a payroll department
• Signature Stamps
• Store check stock not in the payroll department
• Computer systems that print signature on have a check off sheet
• Document support for the check should be reviewed before signature
• Payroll bank account
• Balance and reconciliation of the payroll bank account with the general ledger should be segregated from the payroll department

Time Reporting
• Over reporting of hours worked and incorrect classification of paid time
• Review of timesheets
• Supervisor of employee should review
• Payroll department should check for sign off of supervisor
• Do they have enough vacation or sick
• Reconcile the regular hours, overtime hours and paid time off

Time Reporting
• Timeclock systems
• Do you have hourly and Salary clocking in?
• Out with the old
  • Badge swiping “for friends”
  • Hand written timesheets/excel sheets
• In with the new
  • Picture taking timeclocks
  • Finger print timeclocks
  • Cell phone apps
  • Eye scans

W-2 Fraud and withholding
• Withholding Fraud
• Depositing a large sum of money in at year-end
• Filling out your W-4 form
• W-2 Fraud

Accounts Payable & Purchasing Schemes
• Personal bills
• Fictitious suppliers
• Kickbacks
• Ordering personal items
• Petty cash funds
• Employee expense accounts
• Credit Cards

Vendor Payments
• Make sure to have a W-9
• Follow up with vendor
• Call Vendor
• Ask for last invoice
• Review Vendor list
• Employee expense reimbursement policy
• Receipts
• Dollar Value

Prevention
• Don’t hire criminals (i.e., do a thorough background check)
• Scrutinize the expense accounts of executives
• Conduct routine audits
• Regular audits by independent CPAs go a long way toward preventing fraud at all levels
• Ensure the Board of Directors does its job of oversight of the executives

The “Fraud Triangle”
• Motive
• Perceived Opportunity
• Rationalization

PERSPECTIVE
• You will not prevent all losses.
• You are trying to prevent large losses.

Keep this in Mind...
• Few things are more devastating, demoralizing, and tragic than the discovery that someone you trusted has committed fraud.
• There is, however, one thing that is considerably more devastating, demoralizing, and tragic...
• When a totally innocent and honest employee falls under suspicion simply because the lack of internal control created the appearance of an opportunity to commit fraud.

Vulnerable Items
• Cash or the equivalent
• High value, small size
• Items in high demand
• Big impact if taken

Internal Controls
• Where is your biggest exposure in your company?
• Are you paying more than just your employees?
• Segregation of your job duties… Do you pass?

How Update Clarifies Requirements for Effective Internal Control – a final word before we go
• Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:
  • Each component and each relevant principle is present and functioning
  • The five components are operating together in an integrated manner
• Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology).
• Components operate together when all components are

Closing Statement

Thank You!
Angie Ziegler – aziegler@eidebailly.com
Joel Stencel – jstencel@eidebailly.com