10/20/17
Internal Control
Melinda Andrews
October 2017
State and Local Government Finance Division

Law
• Who's Responsible for Internal Controls?
• Does anyone work in an organization where the Finance Officer does not play a lead role in Internal Controls?

Report to the Nations on Occupational Fraud and Abuse – 2016 Global Fraud Study
• Analyzed 2,410 occupational fraud cases that caused a total loss of more than $6.3 Billion
• Median loss from a single case of occupational fraud was $150,000
• 23% of occupational fraud resulted in a loss of at least $1 million
• If you take median loss by region the US was second lowest with $120,000. Middle East and North Africa had the highest median losses with $275,000

Characteristics of the typical occupational fraudster

Fraud by Industry

Type of Occupational Fraud for United States

Initial Detection of Frauds

Cases Referred to Law Enforcement

Results of Cases Referred to Law Enforcement

Several Fraud Cases going on Now in NC
• Register of Deeds Case $2.3 million missing
• Employee in Sheriff Department in collusion with person recording time sheet data in another department
• Manager investigated by FBI for P-card fraud
• Finance Officer removes every penny from all bank accounts
• Board member’s daughter is hired and issued a debit card – making cash withdrawals
• Would estimate there are at least 10-20 frauds a year in local governments

Why Do We Need Internal Controls?
• A Unit of Government in NC had $300,000 taken using on-line banking - unit's banking ID, passcodes and digital certificate were used
• Cash was taken by a person collecting cash – person issued receipt from receipt book they bought at a local store
• Person checking receipt numbering didn’t fully understand what they were doing
• Cash taken from safe – safe was not locked – it wasn’t convenient to lock safe

Why do We Need Internal Controls?
• Barings Bank Failure in 1995
• Britain’s oldest Mercantile Bank
• Napoleonic wars, the Louisiana purchase, and the Erie Canal. Barings was the Queen's bank
• One Person brought it down
• Cyber Attackers Empty Business Accounts in Minutes
• Office of Inspector General recovered more than $2.4M due to fuel fraud

COSO – Committee Of Sponsoring Organizations
• 2013 – updated the 1992 internal control framework
• Evolutionary not revolutionary
• Effective internal controls require the five components and 17 relevant principles be present and functioning (principles are new)

Internal Control Definition
“process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

Three Objectives - COSO
• Operations Objective – related to the effectiveness and efficiency of the entity's operation, including operational and financial performance goals, and safeguarding assets against loss.
• Reporting Objective - related to internal and external financial and nonfinancial reporting to stakeholders, which would encompass reliability, timeliness, transparency, or other terms as established by regulators, standard setters, or the entity's policies.
• Compliance Objectives - related to adhering to laws and regulations that the entity must follow.

Five Components of COSO
1. Control Environment – set of standards, processes and structures that provide the basis for carrying out internal control across the organization
• Commitment to integrity and ethical values
• Bd. of Directors exercises oversight in development and performance of IC
• Mgmt. establishes, with board oversight, structures, reporting lines and appropriate authorities
• Commitment to attract, develop, and retain competent individuals
• Holds individuals accountable

Five Components of COSO
2. Risk Assessment – involves dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risk should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.
• Clear objectives
• Identifies risk to achievement of objectives, analyzes risk, how they should be managed
• Potential for fraud
• Identifies and assesses changes that could impact system of IC

Five Components of COSO
3. Control Activities - actions established by policies and procedures to help ensure mgmt.’s directives to mitigate risk are carried out – performed at all levels of the entity, various stages of the business process, include the technology environment. Activities are preventive, detective, include manual and automated, authorizations, approvals, verifications, reconciliations, business reviews, segregation of duties.
• Control activities that mitigate risk
• General control activities over technology
• Deploys control activities through policy/procedures

Five Components of COSO
4. Information and Communication – Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.
• Relevant, quality information is used to support the functioning of internal control
• Internal communications, including objectives and responsibilities of internal control, are necessary to support functioning internal controls.
• Communications with external parties about matters affecting functioning of internal controls

Five Components of COSO
5. Monitoring Activities – Ongoing evaluations and/or separate evaluations are used to ascertain whether each of the five components of internal control is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.

Areas of Risk
• Developing policy and procedures in a constantly changing environment but your procedures do not contain a process for keeping up with new developments
• Rapid change in technology makes this difficult
• Changing Accounting standards
• Evaluate each cash collection site
• Each site should have an independent way to tie to expected revenue

Areas of Risk
• Fictitious vendors
• Verify new adds
• Make sure A/P can’t add vendors
• Verify SSN and TIN for every new vendor
• Make sure persons accounting and reconciling cash cannot write journal entries
• We all have the account that no one would be able to tell if there were a few inappropriate JE’s in the account

Areas of Risk
• Very tight controls over ACH banking information
• ACH fraud control
• Positive pay for all checking accounts
• Monitor bank accounts more often than just the monthly bank recon

Areas of Risk
• What is the structure for sending wires/ACH’s in your office?
• Two persons must approve a template
• Templates can go out with one person
• Templates have a not to exceed amt.
• Free form wires require two individuals
• What kind of security does your bank have over transactions?

Areas of Risk
• Contract Vendors – internet providers for cash collection – PCI
• When and if you change banks could you contact all the institutions that deposit money into your bank and notify them of the bank change
• Stealing funds electronically
• Because time is of the essence in being successful in getting back funds stolen electronically, do we need to have person review all non-check disbursements before the end of each day?

What Can I Do?
• Hire internal audit staff or perform the function with existing staff
• Hot Line - Meet with financial staff all over the County to inform them of a number to call to report anything they are not comfortable with. Don’t have to leave your name.
• Meet with staff to evaluate the greatest areas of risk in your environment
• Charge all Finance staff to be responsible for internal control – put on their work plans

What Can I Do?
• Before any new process is put into place evaluate internal controls, document controls and train
• Use tokens instead of digital certificates for on-line banking
• Don’t let employees perform on-line banking from home using their personal PCs
• Let them VPN (Virtual Private Network) using work PCs

What Can I Do?
• Embrace your red flag rules and PCI compliance – make this a management issue not a finance issue. – Involve IT, Attorney, Depts.
• Have Department Head sign an internal control plan for their department and make them name a person who is responsible for ensuring it is followed
• Have Internal Audit review compliance with internal control plan
• Banks now requiring that online banking transactions must use a separate machine that has limited access
• EMV (chip technology) required as of 10/1/2015
• Unit of government cannot act on change in payment information from a vendor without calling the vendor to verify the change.

I/C that Affect the Control Environment
• Make sure management is not overriding controls
• Split PO’s
• Unauthorized p-card purchases
• Stick the contract in the middle of the pile and maybe finance won’t see it
• Organizational Chart – Matrix of authority with backups
• Internal Controls for Small Units of Government – Memo 2015-15
• Monthly reports should be generated and understood by management

I/C that Affect the Control Environment
• Ethical and Professional Standards
• Who teaches ethics in your unit
• Cross train employees to perform duties when person is out.
• Staff must be adequately trained
• Listen to Auditor suggestions

I/C in Accounting System
• Books should be balanced and timely
• Timely bank reconciliations
• Control accounts should be reconciled
• Accounting procedures should be documented and easily accessed by staff
• Transactions should be posted timely
• All journal entries should be approved and explained - not made by anyone that deals with cash
• Records need to be in secure place/backups
• What are you going to do when bird flu/flooding prohibits your employees from coming to work?

I/C for Federal and State Grants
• Funds are recorded and expended in compliance with program requirements
• Distinguish contractors from sub-recipients
• Monitoring and indirect cost
• Document the filing of grant reports
• Make sure you're reviewing subrecipient audit reports
• Following procurement procedures

I/C for Cash Receipts
• Record cash at earliest possible point
• Cash must be tied back to an independent system – cash receipts alone is not the best system
• Person keying accounting entry should not be person collecting cash
• Everyone involved needs to understand what they are doing and why
• Who issues your deposit slips and receipt books?
• Have Internal Audit review banking, cash and investment procedures

Internal Controls Over Investments
For Purposes of this discussion, Investments refers to investments other than NCCMT, CDARS, Finistar, and ICS
Must have Controls
• Investment policy
• Types of investments, length of time, diversified portfolio, what types/amount of money can be invested?
• Broker/Dealer Agreements
• Can only sell you legal investments for NC local governments and in accordance with your investment policy
• Get References from other NC local governments
• Custodial Agreements – Investments reside in the Trust area of the bank.
• Safekeeping Agreements – Investments reside in the commercial side of the bank
• See memo 2013-03 Custody and Proper Safekeeping of LG Investments on State Treasurer’s web site https://www.nctreasurer.com/slg/Memos/2013-03.pdf

Internal Controls over Investments
Issues
1. General Fund operating fund balance is invested in 15 year agencies
2. Investments are being held by a custodian/safekeeping agent that has no signed contract with a local government unit
3. Brokers have sold investments to local governments that are not authorized by general statutes.
This all happened during this past fiscal year
It is not uncommon for brokers to approach the governing board about improving interest earnings

Internal Controls over Investments
Before you set up an investing program you need to set up proper internal controls over the investment activities. Contact Becky Dzingeleski at 919-814-4287.
Become a member of the NC Local Government Investment Association
• They can provide you a mentor to help you set up your investment program or help you evaluate a suggestion made by a broker.
• http://www.nclgia.org/
Review the NC State Treasurer Website for sample cash and investment policy and broker/dealer questionnaire.

Red Flag Rules
• Joint Committee of the OCC, Federal Reserve Board, FDIC, OTS, NCUA and the Federal Trade Commission passed the final legislation for Section 114 of the Fair and Accurate Credit Transactions Act
• Aimed to prevent or mitigate identity theft associated with customer accounts
• Covered accounts - A personal account that involves or is designed to permit multiple payments or transactions - utilities

Red Flag Rules – Guide for Business
The Red Flags Rule tells you how to develop, implement, and administer an identity theft prevention program. A program must include four basic elements that create a framework to deal with the threat of identity theft.
1. A program must include reasonable policies and procedures to identify the red flags of identity theft that may occur in your day-to-day operations. Red Flags are suspicious patterns or practices, or specific activities that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account with your company, an ID that doesn’t look genuine is a “red flag” for your business.

Red Flag Rules – Guide for Business
2. A program must be designed to detect the red flags you’ve identified. If you have identified fake IDs as a red flag, for example, you must have procedures to detect possible fake, forged, or altered identification.
3. A program must spell out appropriate actions you’ll take when you detect red flags.
4. A program must detail how you’ll keep it current to reflect new threats.
Red Flag rules expire December 31, 2015 – Federal Trade Commission has proposal out to extend for three more years. Comment period closed October 19, 2015

Payment Card Industry Data Security Standard – PCI DSS
• ALL companies that process, store or transmit credit card information maintain a secure environment.
• https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
• If you already do credit card business you are aware of these rules. If you are thinking about accepting credit cards make sure you understand PCI before you commit to any particular process
• If you need to hire a consultant to help you with PCI compliance the State has CoalFire on contract at a state rate.

Recommended Practices & Roles
• Internal Audit
• Audit Committees
• Disaster Recovery Plan
• Accounting Policies and Procedures

Who’s Responsible for IC?
Management (includes governing board) has the responsibility for the establishment and maintenance of adequate internal controls.