9 Melinda Cash Investment IC SOG new format · relevant principles be present and functioning...

10/20/17

InternalControlMelindaAndrewsOctober2017

State and Local Government Finance Division

•WhoseResponsibleforInternalControls?

• DoesanyoneworkinanorganizationweretheFinanceOfficerdoesnotplayaleadroleinInternalControls?

10/20/17

ReporttotheNationsonOccupationalFraudandAbuse– 2016GlobalFraudStudy• Analyzed2,410occupationalfraudcasesthatcausedatotallossofmorethan

$6.3Billion

• Medianlossfromasinglecaseofoccupationalfraudwas$150,000

• 23%ofoccupationalfraudresultedinalossofatleast$1million

• IfyoutakemedianlossbyregiontheUSwassecondlowestwith$120,000.MiddleEastandNorthAfricahadthehighestmedianlosseswith$275,000

Characteristicsofthetypicaloccupationalfraudster

10/20/17

FraudbyIndustry

TypeofOccupationalFraudforUnitedStates

10/20/17

InitialDetectionofFrauds

CasesReferredtoLawEnforcement

10/20/17

ResultsofCasesReferredtoLawEnforcement

10/20/17

SeveralFraudCasesgoingonNowinNC

• RegisterofDeedsCase$2.3millionmissing• EmployeeinSherriffDepartmentincollusionwithpersonrecordingtime

sheetdatainanotherdepartment• ManagerinvestigatedbyFBIforP-cardfraud• FinanceOfficerremoveseverypennyfromallbankaccounts• Boardmember’sdaughterishigherandissuedadebtcard– makingcash

withdrawals

• Wouldestimatethereareatleast10-20fraudsayearinlocalgovernments

10/20/17

WhyDoWeNeedInternalControls?

• AUnitofGovernmentinNChad$300,000takenusingon-linebanking- unitsbankingID,passcodesanddigitalcertificatewereused

• Cashwastakenbyapersoncollectingcash– personissuedreceiptfromreceiptbooktheyboughtatalocalstore

• Personcheckingreceiptnumberingdidn’tfullyunderstandwhattheyweredoing

• Cashtakenfromsafe– safewasnotlocked– itwasn’tconvenienttolocksafe

WhydoWeNeedInternalControls?

• BaringsBankFailurein1995• Britain’soldestMercantileBank• Napoleonicwars,theLouisianapurchase,andtheErieCanal.

BaringswastheQueen'sbank• OnePersonbroughtitdown

• CyberAttackersEmptyBusinessAccountsinMinutes• OfficeofInspectorGeneralrecoveredmorethan$2.4Mduetofuel

10/20/17

CCOOSSOO–– CCoommmmiitttteeeeOOffSSppoonnssoorriinnggOOrrggaanniizzaattiioonnss• 2013– updatedthe1992internalcontrolframework

• Evolutionarynotrevolutionary

• Effectiveinternalcontrolsrequiresthefivecomponentsand17relevantprinciplesbepresentandfunctioning(principlesarenew)

InternalControlDefinition

“process,effectedbyanentity’sboardofdirectors,management,andotherpersonnel,designedtoprovidereasonableassuranceregardingtheachievementofobjectivesrelatingtooperations,reporting,andcompliance.”

10/20/17

ThreeObjectives- COSO

• OperationsObjective– relatedtotheeffectivenessandefficiencyoftheentity'soperation,includingoperationalandfinancialperformancegoals,andsafeguardingassetsagainstloss.

• ReportingObjective- relatedtointernalandexternalfinancialandnonfinancialreportingtostakeholders,whichwouldencompassreliability,timeliness,transparency,orothertermsasestablishedbyregulators,standardsetter,ortheentity'spolicies.

• ComplianceObjectives- relatedtoadheringtolawsandregulationsthattheentitymustfollow.

FiveComponentsofCOSO

1. ControlEnvironment– setofstandards,processesandstructuresthatprovidethebasisforcarryingoutinternalcontrolacrosstheorganization• Commitmenttointegrityandethicalvalues• Bd.OfDirectorsexercisesoversightindevelopmentandperformanceofIC• Mgmt.establisheswithboardoversight,structures,reportinglinesand

appropriateauthorities• Commitmenttoattract,develop,andretaincompetentindividuals• Holdsindividualsaccountable

10/20/17

2. RiskAssessment– involvesdynamicanditerativeprocessforidentifyingandanalyzingriskstoachievingtheentity’sobjectives,formingabasisfordetermininghowriskshouldbemanaged.Managementconsiderspossiblechangesintheexternalenvironmentandwithinitsownbusinessmodelthatmayimpedeitsabilitytoachieveitsobjectives.• Clearobjectives• Identifiesrisktoachievementofobjectives,analyzesrisk,howtheyshouldbe

managed• Potentialforfraud• IdentifiesandassesseschangesthatcouldimpactsystemofIC

3. ControlActivities- actionsestablishedbypoliciesandprocedurestohelpensuremgmt.’sdirectivestomitigateriskarecarriedout– performedatalllevelsoftheentity,variousstagesofthebusinessprocess,includethetechnologyenvironment.Activitiesarepreventive,detective,includemanualandautomated,authorizations,approvals,verifications,reconciliations,businessreviews,segregationofduties.• Controlactivitiesthatmitigaterisk• Generalcontrolactivitiesovertechnology• Deployscontrolactivitiesthroughpolicy/procedures

10/20/17

4. InformationandCommunication– Informationisnecessaryfortheentitytocarryoutinternalcontrolresponsibilitiesinsupportofachievementofitsobjectives.Communicationoccursbothinternallyandexternallyandprovidestheorganizationwiththeinformationneededtocarryoutday-to-dayinternalcontrolactivities.Communicationenablespersonneltounderstandinternalcontrolresponsibilitiesandtheirimportancetotheachievementofobjectives.• Relevant,qualityinformationisusedtosupportthefunctioningofinternalcontrol• Internalcommunicationsincludingobjectivesandresponsibilitiesofinternal

controlisnecessarytosupportfunctioningInternalcontrols.• Communicationswithexternalpartiesaboutmattersaffectingfunctioningof

internalcontrols

5. MonitoringActivities– Ongoingevaluationsand/orseparateevaluations,areusedtoascertainwhethereachofthefivecomponentsofinternalcontrolispresentandfunctioning.Findingareevaluatedanddeficienciesarecommunicatedinatimelymanner,withseriousmattersreportedtoseniormanagementandtotheboard.

10/20/17

AreasofRisk

• Developingpolicyandproceduresinaconstantlychangingenvironmentbutyourproceduresdonotcontainaprocessforkeepingupwithnewdevelopments• Rapidchangeintechnologymakesthisdifficult

• ChangingAccountingstandards

• Evaluateeachcashcollectionsite• Eachsiteshouldhaveanindependentwaytotietoexpectedrevenue

AreasofRisk

• Fictitiousvendors• Verifynewadds• MakesureA/Pcan’taddvendors• VerifySSNandTINforeverynewvendor

• Makesurepersonsaccountingandreconcilingcashcannotwritejournalentries

• WeallhavetheaccountthatnoonewouldbeabletotelliftherewereafewinappropriateJE’sintheaccount

10/20/17

AreasofRisk

• VerytightcontrolsoverACHbankinginformation

• ACHfraudcontrol

• Positivepayforallcheckingaccounts

• Monitorbankaccountsmoreoftenthanjustthemonthlybankrecon

AreasofRisk

• Whatisthestructureforsendingwires/ACH’sinyouroffice• Twopersonsmustapproveatemplate• Templatescangooutwithoneperson• Templateshaveanottoexceedamt.• Freeformwiresrequiretwoindividuals

• Whatkindofsecuritydoesyoubankhaveovertransactions

10/20/17

AreasofRisk

• ContractVendors– internetprovidersforcashcollection– PCI

• Whenandifyouchangebankscouldyoucontactalltheinstitutionsthatdepositmoneyintoyourbankandnotifythemofthebankchange• Stealingfundselectronically• Becausetimeisoftheessenceinbeingsuccessfulingettingbackfundsstolen

electronically,doweneedtohavepersonreviewallnon-checkdisbursementsbeforetheendofeachday?

WhatCanIDo?

• Hireinternalauditstafforperformthefunctionwithexistingstaff

• HotLine-MeetwithfinancialstaffallovertheCountytoinformthemofanumbertocalltoreportanythingtheyarenotcomfortablewith.Don’thavetoleaveyourname.

• Meetwithstafftoevaluatethegreatestareasofriskinyourenvironment

• ChargeallFinancestafftoberesponsibleforinternalcontrol– putontheirworkplans

10/20/17

WhatCanIDo?

• Beforeanynewprocessisputintoplaceevaluateinternalcontrols,documentcontrolsandtrain

• Usetokensinsteadofdigitcertificatesforon-linebanking

• Don’tletemployeesperformon-linebankingfromhomeusingtheirpersonalPC’s

• LetthemVPN(VirtualPrivateNetwork)usingworkPCs

WhatCanIDo?• EmbraceyourredflagrulesandPCIcompliance– makethisamanagementissuenotafinanceissue.–

InvolveIT,Attorney,Depts.

• HaveDepartmentHeadsignaninternalcontrolplanfortheirdepartmentandmakethemnameapersonwhoisresponsibleforensuringitisfollowed

• HaveInternalAuditreviewcompliancewithinternalcontrolplan

• Banksnowrequiringthatonlinebankingtransactionsmustuseaseparatemachinethathaslimitedaccess

• EMV(chiptechnology)requiredasof10/1/2015

• Unitofgovernmentcannotactonchangeinpaymentinformationfromavendorwithoutcallingthevendortoverifythechange.

10/20/17

I/CthatAffecttheControlEnvironment

• Makesuremanagementisnotoverridingcontrols• SplitPO’s• Unauthorizedp-cardspurchases• Stickthecontractinthemiddleofthepileandmaybefinancewon’tseeit

• OrganizationalChart– Matrixofauthoritywithbackups

• InternalControlsforSmallUnitsofGovernment– Memo2015-15

• Monthlyreportsshouldbegeneratedandunderstoodbymanagement

I/CthatAffecttheControlEnvironment

• EthicalandProfessionalStandards• Whoteachesethicsinyourunit

• Crosstrainemployeestoperformdutieswhenpersonisout.

• Staffmustbeadequatelytrained

• ListentoAuditorsuggestions

10/20/17

I/CinAccountingSystem

• Booksshouldbebalancedandtimely

• Timelybankreconciliations

• Controlaccountsshouldbereconciled

• Accountingproceduresshouldbedocumentedandeasilyaccessedbystaff

• Transactionsshouldbepostedtimely

• Alljournalentriesshouldbeapprovedandexplained- notmadebyanyonethatdealswithcash

• Recordsneedtobeinsecureplace/backups

• WhatareyougoingtodowhenBirdflue/floodingprohibitsyouremployeesfromcomingtowork?

I/CforFederalandStateGrants

• Fundsarerecordedandexpendedincompliancewithprogramrequirements

• Distinguishcontractorsfromsub-recipients

• Monitoringandindirectcost

• Documentthefilingofgrantreports

• Makesureyourreviewingsubrecipientauditreports

• Followingprocurementprocedures

10/20/17

I/CforCashReceipts

• Recordcashatearliestpossiblepoint• Cashmustbetiedbacktoanindependentsystem– cashreceiptsaloneisnotthe

bestsystem• Personkeyingaccountingentryshouldnotbepersoncollectingcash• Everyoneinvolvedneedstounderstandwhattheyaredoingandwhy• Whoissuesyourdepositslipsandreceiptbooks?• HaveInternalAuditreviewbanking,cashandinvestmentprocedures

InternalControlsOverInvestments

ForPurposesofthisdiscussion,InvestmentsreferstoinvestmentsotherthanNCCMT,CDARS,Finistar,andICS

MusthaveControls• Investmentpolicy

• Typesofinvestments,lengthoftime,diversifiedportfolio,whattypes/amountofmoneycanbeinvested?• Broker/DealerAgreements

• CanonlysellyoulegalinvestmentsforNClocalgovernmentsandinaccordancewithyourinvestmentpolicy• GetReferencesfromotherNClocalgovernments

• CustodialAgreements– InvestmentsresideintheTrustareaofthebank.• SafekeepingAgreements– Investmentsresideinthecommercialsideofthebank• Seememo2013-03CustodyandProperSafekeepingofLGInvestments onStateTreasurer’sweb

sitehttps://www.nctreasurer.com/slg/Memos/2013-03.pdf

10/20/17

InternalControlsoverInvestments

Issues1. GeneralFundoperatingfundbalanceisinvestedin15yearagencies2. Investmentsarebeingheldbyacustodian/safekeepingagentthathasno

signedcontractwithalocalgovernmentunit3. Brokershavesoldinvestmentstolocalgovernmentsthatarenot

authorizedbygeneralstatutes.

ThisallhappenedduringthispastfiscalyearItisnotuncommonforbrokerstoapproachthegoverningboardaboutimprovinginterestearnings

InternalControlsoverInvestments

Beforeyousetupaninvestingprogramyouneedtosetupproperinternalcontrolsovertheinvestmentactivities.ContactBeckyDzingeleskiat919-814-4287.

BecomeamemberoftheNCLocalGovernmentInvestmentAssociation• Theycanprovideyouamentortohelpyousetupyourinvestment

programorhelpyouevaluateasuggestionmadebyabroker.

• http://www.nclgia.org/ReviewtheNCStateTreasurerWebsiteforsamplecashandinvestmentpolicyandbroker/dealerquestionnaire.

10/20/17

RedFlagRules

• JointCommitteeoftheOCC,FederalReserveBoard,FDIC,OTS,NCUAandtheFederalTradeCommissionpassedthefinallegislationforSection114oftheFairandAccurateCreditTransactionsAct• Aimedtopreventormitigateidentitytheftassociatedwithcustomeraccounts• Coveraccounts- Apersonalaccountthatinvolvesorisdesignedtopermit

multiplepaymentsortransactions- utilities

RedFlagRules– GuideforBusiness

TheRedFlagsRuletellsyouhowtodevelop,implement,andadministeranidentitytheftpreventionprogram.Aprogrammustincludefourbasicelementsthatcreateaframeworktodealwiththethreatofidentitytheft.

1. Aprogrammustincludereasonablepoliciesandprocedurestoidentifytheredflagsofidentitytheftthatmayoccurinyourday-to-dayoperations.RedFlagsaresuspiciouspatternsorpractices,orspecificactivitiesthatindicatethepossibilityofidentitytheft. Forexample,ifacustomerhastoprovidesomeformofidentificationtoopenanaccountwithyourcompany,anIDthatdoesn’tlookgenuineisa“redflag”foryourbusiness.

10/20/17

RedFlagRules– GuideforBusiness

2. Aprogrammustbedesignedtodetecttheredflagsyou’veidentified.IfyouhaveidentifiedfakeIDsasaredflag,forexample,youmusthaveprocedurestodetectpossiblefake,forged,oralteredidentification.

3. Aprogrammustspelloutappropriateactionsyou’lltakewhenyoudetectredflags.

4. Aprogrammustdetailhowyou’llkeepitcurrenttoreflectnewthreats.

RedFlagrulesexpireDecember31,2015– FederalTradeCommissionhasproposalouttoextendforthreemoreyears.CommentperiodclosedOctober19,2015

PaymentCardIndustryDataSecurityStandard– PCIDSS

• ALL companiesthatprocess,storeor transmitcreditcardinformationmaintainasecureenvironment.• https://www.pcisecuritystandards.org/security_standards/pci_dss.sht

• Ifyoualreadydocreditcardbusinessyouareawareoftheserules.IfyouarethinkingaboutacceptingcreditcardsmakesureyouunderstandPCIbeforeyoucommittoanyparticularprocess• IfyouneedtohireaconsultanttohelpyouwithPCIcompliancethe

StatehasCoalFireoncontractatastaterate.

10/20/17

RecommendedPractices&Roles

• InternalAudit

• AuditCommittees

• DisasterRecoveryPlan

• AccountingPoliciesandProcedures

Who’sResponsibleforIC?

Management(includesgoverningboard)hastheresponsibilityfortheestablishmentandmaintenanceofadequateinternalcontrols.

9 Melinda Cash Investment IC SOG new format · relevant principles be present and functioning...

Documents

SOG Chapter1

SOG-plan 2009

SOG 26 - fr

SOG 0809N141 Evaluaties Geëvalueerd

Micro SOG Cosecha Perpetua

MELINDA MOORE Petal School District MELINDA MOORE Petal School District

Hypoxische Enzefalopathie + sog. Wachkoma

Melinda Lamb

Produkt: SOG GAMBIT FULMATECH OHG · FULMATECH OHG aktualisiert am Montag, 11. April 2016 Feststehende/taktische Messer > SOG GAMBIT SOG GAMBIT Produkt: SOG GAMBIT Hersteller: SOG

Sog Sin Fronteras Programa

SOG 0708N128 Cultuuromslag

CONTADOR MONOFÁSICO SOG-WAVE (+). MANUAL … DE USUARIO. Guia rapida de... · manual de usuario: guÍa rÁpida de visualizaciÓn contador monofÁsico sog-wave (+) sog-wave (+) pág

SOG-ISCryptoWorkingGroup SOG ... SOG-ISCryptoEvaluationScheme AgreedCryptographicMechanisms Documentpurpose:specify the requirements of the SOG-IS Crypto Evaluation ... SOG-ISCryptoWorkingGroup

Das Programmsystem SOG€¦ · SOG ® BAU für die Bauablaufplanung SOG ® BAP für die Betriebsablaufplanung SOG ® SIP für die Sicherungsplanung SOG ® GDM für das Grunddatenmanagement

SOG 0506N102 Tentamenstress

Handboek examinering VCA en SOG - SOG en VCA · Handboek examinering VCA en SOG Van toepassing van 1 januari – 31 december 2018 December 2017 – versie 3.0

SOG 0810N146 Universitaire Gemeenschap

SOG 2009 Catalog

FULLTEXT01[1] Sog Si Review

Bildungsplan Kauffrau / Kaufmann EFZ für die schulisch ... · SOG Schulisch organisierte Grundbildung SOG+ Optionales SOG-spezifisches Angebot der zusätzlichen, allgemeinbildenden