Welcome to Internal Controls Training VITA OZOUDE CGMA

Welcome to Internal Controls Training VITA OZOUDE, CGMA, CMA, cpa, MBA Executive Branch Audit Manager 775. 687. 0136 vcozoude@finance. nv. gov 1

Governor’s Finance Office Division of Internal Audits (Perf. Audits) Compliance Review 2

Class Structure Class consists of: Pre-Test Presentation Post-Test Ø Ø Studies have shown that simply listening and watching a seminar will result in anywhere from 70%-90% information loss within 30 days! Test results are used as part of class performance evaluation for presenter 3

Presentation Internal Controls - Overview Internal Controls Statutory Requirements - State of Nevada Controls for Major Fiscal Areas Contracts Performance Measures Current Issues for the State 4

Pre-Test Time 5

Internal Controls Overview NAC 353 A. 100 (PRIOR VERSION) “Training for administration of budgetary accounts” Head of each Agency Employees who administer budgetary accounts “Shall attend Internal Controls Training every 5 years” 6

Internal Controls Overview NAC 353 A. 100 MODIFIED “Training for administration of budgetary accounts” Head of each Agency and Employees who administer budgetary accounts will attend training within 90 days of hire/promotion/transfer; Provided by Division of Internal Audits; Each Agency is responsible for the attendance of employees required to attend training. 7

Internal Controls Overview NAC 353 A. 100 “The Training Must Include: ” Systems of Internal Accounting and Administrative Controls; Methods for documenting the systems of internal accounting and administrative controls; Methods for evaluating the effectiveness of a system of internal accounting and administrative controls; ……. 8

Internal Controls Overview What is an Internal Control System? It is a method in which the agency’s resources are directed, monitored and measured. It is any method in which the operating and/or recording function can be broken down into different elements that are done by different people; With each checking the work of the others. 9

Internal Controls Overview Internal Controls: Affect every aspect of an agency; Are not stand-alone practices; they should be incorporated into day-to-day responsibilities; Must make sense within each agency’s unique operating environment; Provide a level of assurance but does NOT guarantee success of the agency’s missions 10

Internal Controls Overview Responsibility of Internal Controls ALL employees Internal Controls are people-dependent Developed by people Guides people actions Provides people with a means of accountability People have to carry it out 11

Internal Controls Overview Some of the ways an effective Internal Controls system helps an agency: Protect the Department’s Assets Ensure Records Are Accurate Promote Operational Efficiency and Effectiveness Encourage Adherence to Policies 12

Internal Controls Overview Strong Internal Controls may limit Fraud 13

Internal Controls Overview Detection of fraud Can come from a variety of sources, including an internal audit, an internal or external whistleblower, surveillance, or even by accident. Most common source is usually from a whistleblower tip by fellow employee. 14

Internal Controls Overview HOWEVER: Fraud detected by internal controls or internal audits generally result in less money lost. 15

Question 1 When were the first recorded evidence of internal controls discovered: A. Ancient Egyptian times B. Aztec Civilization C. Industrial Revolution D. They haven’t been discovered yet 16

Internal Controls Overview Association of Certified Fraud Examiners researches Occupational Fraud - 2016 Report to the Nations: Report to the Nations Small organizations, especially those in financial and public/government sectors are most likely to be at risk They often have fewer anti-fraud controls than larger organizations. Typical organization loses _____ of its revenues to fraud each year 17

Internal Controls Overview How did current Internal Controls develop? 18

Internal Controls Overview History Early and mid-1980 s saw spectacular failures in the financial markets such as the failure of Drysdale Government securities and Washington Public Power Supply Systems to name a few. Congress wanted to know if these failures could have been avoided by better audit practices among other measures. In June 1985, the National Commission on Fraudulent Financial Reporting was established under the chairmanship of James C. Treadway Jr. former SEC commissioner. The Commission was sponsored and funded by five private accounting organizations: American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executive Institute (FEI), Institute of Internal Auditors (IIA), and National Accounting Association (NAA). 19

Internal Controls Overview History The Commission which later became known as the Treadway Commission on Sponsoring Organizations (COSO) issued its reports on fraudulent financial reporting in October 1987. The Commission noted that fraudulent financial reporting can take many forms such as deliberate distortions of records, falsified transactions (fictitious sales) and misapplication of accounting principles. The Commission issued recommendations to help prevent, detect and deter fraudulent financial reporting. 20

Internal Controls Overview History The Commission directed the bulk of their recommendations to the three participants in the financial reporting process: Public Companies: Tone at the top, internal accounting and audit functions, audit committees, seeking second opinion from CPAs and quarterly reporting of financial results. Independent Public Accountants: Changes in auditing standards, changes in audit procedures, communication of their roles and setting audit standards. 21

Internal Controls Overview History Securities and Exchange Commission (SEC): New sanctions, greater criminal prosecution, improved regulation of public accounting profession, improved regulation of financial institutions, and improved oversight of the state boards of accountancy. Role of Education The Commission also recognized the role of education in providing knowledge, skills and ethical values that may help prevent, detect, and deter fraudulent financial reporting. 22

Internal Controls Overview Internal Control Concepts § COSO created Internal Control framework of 5 interrelated components: § § § Control Environment Risk Assessment Control Activities Information & Communication Monitoring 23

Internal Controls Overview Control Environment Tone of the Organization at all levels which must include: Integrity, Ethical Values and Competence. Management’s Philosophy and Operating Style. Methods for assigning authority and responsibility Providing the structure of the organization as well as staff development. Conclusion: Upper management must set the proper tone for the organization “tone at the top”. 24

Internal Controls Overview What Happens When the “Tone at the Top” fails? 25

Internal Controls Overview Financial Fraud Enron - overstated revenues and hid debt on Enron their financial statements World. Com - overstated revenues on their World. Com financial statements Tyco – CEO gave himself $81 million in Tyco unauthorized bonuses 26

Internal Controls Overview Risk Assessment Management should identify and analyze risks relevant to the achievement of the organization’s objectives, and Determine how to manage the risks including the risks associated with change. 27

Internal Controls Overview Control Activities Policies and Procedures relating to: Proper approvals Proper Authorizations Verifications Reconciliations Reviews of operations Security of assets, and Segregation of duties 28

Internal Controls Overview Information and Communication Communicate relevant information to individuals performing the functions In addition, relevant information should be shared with customers, vendors, other applicable agencies and stakeholders. 29

Internal Controls Overview Monitoring Management must monitor the control system to determine the quality of performance. Is the system performing as designed, if not, make the appropriate changes. 30

Internal Controls Overview In order to identify and establish effective controls, management must continually assess the risk, monitor continually control implementation, and modify controls as needed. Internal Controls is a process – a means to an end; not an end itself. 31

Internal Controls - Nevada Internal Controls – Guiding Authority State of Nevada’s Internal Controls are derived from the following: Statutory – Nevada Revised Statute (NRS) Regulations – Nevada Administrative Code (NAC) State Administrative Manuals (SAM) Self Assessment Questionnaires (SAQ) Agencies’ Written Procedures (agency specific guidelines) 32

Internal Controls - Nevada Statutory Requirement - NRS 353 A. 020 Mandates a Uniform System of Internal Controls Segregation of duties Limit access to assets Authorizations and Record Keeping Practices followed in performance of duties Effective system of internal review 33

Internal Controls - Nevada Uniform System of Internal Controls Self Assessment Questionnaire (SAQ) Control Activities ______ Procedures SAQ’s available at Iaudits. nv. gov 34

Internal Controls - Nevada Self-Assessment Questionnaire Example Purchasing 35

Internal Controls - Nevada Templates based on the SAQ’s Financial Management Assistance Self Assessment Questionnaire Contact us with any questions (775)-684 -0222 36

Internal Controls - Nevada Agencies’ Written Procedures Defines how the specific agency will address the Internal Controls NRS 353 A. 020 (3) Requires ______ to develop written procedures to: Address control activities in SAQ Address monitoring procedures in SAQ 37

Internal Controls - Nevada Responsibility of Internal Controls falls on _________ of the agency: Design Implement Monitor 38

Internal Controls - Nevada External Monitoring Requirements: External auditors review certain Department’s Internal Controls Included in Comprehensive Annual Financial Report (CAFR) 39

Internal Controls - Nevada Internal Monitoring Requirements: NRS 353 A. 025 - Agency Self Assessment SAM 2418 Agencies periodically self-assess internal controls Annually complete SAQ’s Annually complete the Testing of Transactions Review: Written procedures Actual processes 40

Internal Controls - Nevada Biennial Report (BR) on Internal Controls NRS 353 A. 025 (2) Due On ______ _ each even numbered year Signed by head of agency Check box Templates for “Biennial Report on Internal Controls” and “Transaction Testing Checklist” available at Iaudits. nv. gov 41

Internal Controls - Nevada Biennial Report on Internal Controls NRS 353 A. 025 (4) On first Monday in February of every odd numbered year, the Director of GFO submits the BR to the Director of the Legislative Counsel Bureau for transmittal to stakeholders noted in statute. Report includes: Did not submit “Report on Internal Controls” Not submitted _______ Extent and types of noted weaknesses 42

QUESTION 2 According to ACFE 2016 report, what is the longest median duration for management review of an active fraud detection method: A. 12 months B. 18 months C. 24 months 43

Questions? 44

Types of Internal Controls Fraud Detection Methods There are two types of Fraud Detection Methods, both are essential for an effective system: Active (Preventative) - Before Deliberate search for misconduct directed by someone inside the organization or an internal control or process that is put in place to search for misconduct. Minimize opportunities for unintentional errors or intentional fraud 45

Types of Internal Controls Fraud Detection Methods There are two types of Fraud Detection Methods, both are essential for an effective system: Passive (Detective) - After The fraud is discovered by accident, confession, tips by third parties, audits (internal and external). Tips can be both passive and active. If the organization encourages and promotes an effective reporting mechanism for such information, tips can be active detection method. 46

Preventative Internal Controls Active Method Segregation of Duties Segregation of the Authorization of transaction from the Recording of transaction from the Custody of assets TRUST alone is not a Control 47

Preventative Internal Controls Segregation of Duties § Revenues - Receipting of Funds and Depositing of Funds; § Purchasing - Ordering of goods and receiving of goods. 48

Preventative Internal Controls • Approvals • Authorizations • Custody and Security of Assets 49

Detective Internal Controls Passive Method • Review of current performance to budget, forecasts, etc. ; • Reconciliation of bank accounts/BSR; • Conducting physical inventories; • Review and verification of refunds/voids; • Audits (internal and external) • Tips (may sometimes be active) 50

Major Fiscal Processes Risks, Controls, and Other Issues for: Revenue Purchasing & Expenditures Travel Reimbursements Payroll Internal controls provide reasonable, but not absolute, assurance that the organization's objectives will be achieved. 51

Major Fiscal Processes Revenue Risk -Embezzlement 52

Rita Crundwell, Comptroller Dixon, Illinois 53

Major Fiscal Process Breakdown Rita Crundwell – Comptroller for City of Dixon, Illinois Sole control of city finances Opened secret bank account Discovered during extended vacation Scheme covered 20 years; $53 million Arrested 4/2012 54

Rita’s Trophies 55

Rita’s Show Horses 56

Rita Leaving Court Crime and Punishment 57

Major Fiscal Processes Revenue: Controls Four Stages Receiving Depositing _____ Reconciling Modern internal controls emerged with the Industrial Revolution to help prevent activities like price fixing, and stock manipulations. 58

Major Fiscal Processes Revenue: Receiving Cash Record cash immediately Give receipts to each customer Give each cashier a separate cash drawer Supervisors approve all voided/refunded transactions 59

Major Fiscal Processes Refund/Voids Scam: Tina Graham processed apps for birth/death certificates: Void receipts, keep funds Remove all copies from book, keep funds No receipts, keep funds Embezzled nearly $10, 000 60

Major Fiscal Processes Revenue: Receiving Checks in Person Checks in Mail Numeric should agree with written amount No postdated checks, no foreign checks Open in secure area as soon as mail arrives Two people under supervision or surveillance All Checks Record or log immediately 61

Major Fiscal Processes Revenue: Depositing Segregate depositing from receiving Prepare in secure area Secure funds until deposit Locked file cabinet, safe, etc. Safeguard combo, keys, NRS 353. 250 - Bank Deposits Deposit funds at least ______ _ $10 k or more - next working day 62

Major Fiscal Processes Revenue: Recording CRs (Credit Receipts) should be keyed into Advantage the same day of deposit Never later than 2 days after deposit Date of deposit is the date of record Post to ledgers (A/R, Sales, Fees, Deposits) Segregate from receiving the $$$ Segregate from depositing the $$$ 63

Major Fiscal Processes Revenue: Reconciling Segregate from receiving and depositing Daily – Deposit ledger increase to $$$ received Daily - Bank deposit to $$$ received Weekly or Monthly - A/R payments, fees, deposit ledger increase to BSR Monthly – Review A/R delinquency reports Payments, sales, permits need controls Sales – secure inventory A/R payments – limit access to ledger Permits issues – secure inventory, use pre-numbered forms 64

Major Fiscal Processes Revenue: Scam – Rpt. 2/2010 Sandra K Hunter of Carson City Misdirected rental payments at a rental property management company Over 2 year period - $100, 000 Had prior embezzlement conviction of $44, 000 Sentenced to 1 year in prison 65

Break Time! 66

Major Fiscal Processes Purchasing and Expenditures Risk - Billing schemes Purchase real items for personal use Purchase non-existent items from fake vendors Fake claims or reimbursements Most expensive type of employee theft 67

Major Fiscal Processes Purchasing and Expenditures -Billing Schemes Purchase real items for personal use Bob Gilbert – 8/2010 Construction Chief at College of Southern NV Re-directed pallets of cinder blocks to his personal home Utilized State workers at his personal home Erika M Carlton – 8/2012 HR Manager at Casino Bought gift cards and electronics with Casino Credit Admitted to embezzling up to $400, 000 68

Major Fiscal Processes Purchasing & Expenditures: Control Procedures Controls for Tangible Assets Tangible _____ ordering from receiving Match - P. O. , invoice, receiving document Minimum of 2 different employees involved Ensure approval to order Verify items received Pay only what was received Verify actual expenditures to Budget (DAWN) 69

Major Fiscal Processes Purchasing & Expenditures: Control Procedures Controls for Tangible Assets Tangible Require outside agency approval Over $5 k New/Used vehicles Computers 70

Major Fiscal Processes Purchasing & Expenditures: Control Procedures Controls for Intangible Assets Intangible How to verify asset exists- Receiving doesn’t work Verify vendor is legitimate ____ for information Check Facebook, Linked In, other sites Mapquest for physical location Call them Big bucks – visit if possible 71

Major Fiscal Processes Purchasing & Expenditures: Purchase Non. Existent items from fake vendors A 20 year Washoe County employee Authorized to purchase water capacity for the county Created 2 fake companies Supplied fake invoices to support the purchases Purchased non-existent water capacity from the fake companies he created 72

Major Fiscal Processes Purchasing & Expenditures - Billing Schemes Red Flags High volume of purchases from a new vendor Purchases that bypass the normal procedures Vendor’s address same as employee’s Invoices for unspecified consulting or poorly defined services Out of state billing address is not a red flag 73

Question 3 According to the ACFE 2016 report, for employee fraud discovered 2012 thru 2016, what percentage of companies had NOT recovered any monies: A. 13% B. 29% C. 58% 74

Major Fiscal Processes Procurement Cards (p-cards) Timeframe is reduced; Possible Rebates Requires greater oversight by supervisors, PCA’s and/or fiscal Any CHANGE in practices require modification in controls and processes 75

Major Fiscal Processes Use of p-cards: A method of payment; Must follow Purchases processes Approval to purchase; RECEIVING of goods/services; Approval to pay 76

Major Fiscal Processes Procurement Card Purchases Agency determines if PO’s are required and if so, at what $ amount (up to $4, 999. 99) Should be documented in P&P’s Tax exempt purchases only Independent verification of receipt of merchandise Only cardholder may utilize card 77

Fraud Can Happen Here! • Tal “Pete” Smith a former NDOT employee pled guilty to fraud after an investigation found he made more than $250, 000 in illegal purchases. Mr. Smith, was sentenced to 18 to 48 months in prison and was ordered to repay $250, 639 to NDOT as part of a plea agreement.

Major Fiscal Processes Procurement Card Purchases – Monthly Review: Review statement for “split” transactions Review statement for recurring purchases (covering multiple months) Periodic Review: Review a sample of transactions from beginning to end (follow documents and goods) 79

Major Fiscal Processes Travel Reimbursement: Insure P&P’s are clear and complete When are Incidentals reimbursed? What is process if documentation is missing? Are GSA rates to destination required to be attached to claim? If mileage is requested, is an independent verification of miles performed (ie, mapquest attached to claim? ) 80

Major Fiscal Processes Travel Reimbursement: EXCEPTIONS SHOULD BE DOCUMENTED Question expenditures If looks extraordinary, abnormal or too frequent At least annually, audit a sample of employee’s claims to ensure P&P’s are being followed; Claims are mathematically correct; Sufficient documentation exists. 81

Major Fiscal Processes Corporate Travel Card (Ghost) must only be used for airfare; Individual Travel Cards must only be used for travel related items normally reimbursed by the state; Both cards’ activities can and should be reviewed in WORKS or via the statement 82

Major Fiscal Processes Travel Reimbursement: California State University employee: Spent almost $160, 000 in a two year period in travel expenses Kenya sightseeing trips 80 overnight trips to San Francisco Higher expense reimbursement requests than other employees on trips outside of the US George Washington submitted a reimbursement request to Congress at the end of his presidency for eight years of out-of pocket expenses. His request was audited and the results was a discrepancy of one dollar. 83

Major Fiscal Processes Ways to limit fiscal employee fraud: Employee screening - background checks, credit report Rotate job duties between same classified employees ________ audits of employee’s work 84

Major Fiscal Processes Payroll: Risk: Erroneous salaries _ ____ reporting of hours (Biggest Risk) 85

Major Fiscal Processes Payroll Erroneous Salaries - Controls Compare ESMT to Payroll report or HRDW Compare CAT 01 budget to actual 86

Major Fiscal Processes Payroll Fraudulent Reporting of Hours - Controls Supervisor approves time sheet (NEATS) Compare time sheet to leave documentation 87

Major Fiscal Processes Payroll/Travel fraud: John Beale – one of highest paid non-elected Federal employees; EPA Deputy Asst Administrator Claimed to be a CIA spy Claimed to be working on EPA projects that didn’t exist Had retirement party in 5/11, but didn’t submit paperwork; 11/12 – Supervisor realized he was still receiving paycheck 88

Major Fiscal Processes Payroll/Travel fraud (cont): Beale was paid for approximately 2 ½ YEARS of nonworking time from 2000 -2011 Beale was sentenced to 32 months in prison 2 of his supervisors are being investigated for not performing “due diligence” when approving 89

Major Fiscal Processes Report fraud to: Supervisor Division of Internal Audits State Phone Fraud, Abuse & Waste Hotline Controller’s Office Website Attorney General’s Office Website 90

Question 4 According to the ACFE 2016 report, what percentage of fraud cases were detected due to a tip: A. 40% B. 55% C. 80% 91

Questions? 92

Grants Overview Procuring Receiving Funds Expending Funds Monitoring Reporting 93

Procuring Grants Grant Office http: //grant. nv. gov/ Contact Information Connie Lucido Chief, Office of Grant Procurement, Coordination and Management (775) 684 -0222 – General Phone number 94

Receiving Grants Separation of Duties Documentation Recording/Coding http: //intra. ktl. nv. gov/IFS_Files/Acctg_Policies_&_Procedure s. pdf 95

Expending Grants Draw downs vs lump sums Allowable vs Nonallowable Costs Indirect Costs Separation of Duties Documentation Timing Recording/Coding Returning Funds 96

Monitoring Grants Monitoring does not stop – it is an ongoing process through out the life of the grant. Monitoring includes: Verifying invoices for all proper costs Ensuring funds are available in the correct budget category Separation of Duties/Internal Control are working effectively Reconciling grant reports and expenditures to the accounting system and bank account. Following up on any irregularities Physical site visits Board Review of information and Audits 97

Reporting Grants Agencies are required to provide reports to their funding sources Federal Reporting FFATA (Federal Funding Accountability and Transparency Act) Single Audit Reporting SEFA (Schedule of Expenditures of Federal Awards) Sub-recipient reporting to the agency Reporting information within the state to other departments (controller’s office/treasurer’s office) 98

Question 5 How many of the 48 findings in the 2016 Single Audit report cited issues with internal controls: A. 1 B. 24 C. 47 99

Grants Single Audit Report FY 2016: Issues Repeat Findings Current Prior 100

Contracts Services: ALL on-site services fall under the contract requirements (SAM 0320. 1) 101

Contracts Services: Services under $2, 000 Contract template on Purchasing website Approved by Agency Head and DAG Services $2, 000 + Same as above, AND, Entered into CETS Sent to BOE for approval Clerk will sign for $2, 000 -$49, 999 Agency maintains log for each contract 102

Contracts Exception: “Good of the State” (MSA) contracts do not require: A separate contract To be entered into CETS To have a Contract Log maintained 103

Contracts Maintenance contracts Even if using vendor forms Approval by agency’s DAG even if they don’t need approval by BOE. 104

Contracts Contract Manager Every agency should have one Must be certified through State Purchasing class: Contract Management Certification Assists with RFP, contract negotiations Contract payment spec’s should match how vendor will invoice 105

Contracts Contract Monitor Can be same as Contract Manager Knowledgeable regarding contract Approve invoice(s) based on terms of contract 106

Performance Measures: What are they? Measures that show results about our operations and our achievements What are they used for? _____ how well we are achieving our goals Government’s goals are to provide for private sector Not here to make a profit Help us improve effectiveness of operations 107

Performance Measures Types of Measures Inputs – resources used to make a product or Inputs provide a service Outputs – products or services delivered Outputs Efficiency – output against input Efficiency Quality – effectiveness in meeting expectations Quality _____ – results of our efforts 108

Performance Measures SAM 2512 requires: Data computed same way every year _____ of how calculated Can be reconstructed by an auditor Can be recalculated consistently every year Include formulas, names of reports used, etc Document how measure is computed Data used Reports, DAWN printouts, invoices, etc If data is in an updated data base, print out data used to compute the performance measure 109

Performance Measures SAM 2512 requires (cont. ’d): Assign fiscal and program staff to monitor measure Management should periodically review Document review and any actions taken as a result of measures Retain records used to compute measure 3 fiscal years 110

Current Issues Personal Identifying Information (PII) NRS 603 A defines PII as person’s First and Last Name along with unencrypted: SS #, DL #, Driver Authorization Card #, or ID # Medical Information #/ Health Ins. Identification # Account #, CC #, DC # in combo with security code, access code, or password User name/unique identifier/ or e-mail address in combination with a password, access code, or security question answer 111

Where to Find Information State of Nevada requirements/info: State Administrative Manual (SAM) Office of the State Controller P&P http: //intra. ktl. nv. gov/ Self Assessment Questionnaires (SAQ’s) Budget website Division of Internal Audits website Agency’s Policies & Procedures 112

Where to Find Information State of Nevada requirements/info: Governor’s Finance Office Website Budget Division Policy Directives (All Agency Memos) Purchasing Website All Agency memos Contract Information 113

Questions? 114

Wrap-Up TAKE POST TEST 115

Internal Controls Training Thank you for taking this class Good luck on the test! If you would like your test results, please send Vita Ozoude an email request at vcozoude@finance. nv. gov 116