Internal Controls and Effective Report Writing
May 18, 2016

Ron P. Steinkamp, CPA, CIA, CRMA, CGMA, CFE
Partner, Advisory Services
Brown Smith Wallace, LLP
[email protected]
314-983-1238

Adam C. Rouse, CFE, CCA, CCP
Senior, Advisory Services
Brown Smith Wallace, LLP
[email protected]
314-983-1266

Governmental Accounting Conference


Presentation Objectives

• Discussion of key internal controls and common areas of abuse
• Effective internal control monitoring
• Reporting on the effectiveness of key controls

© 2016 All Rights Reserved Brown Smith Wallace LLP

Internal Control Considerations

True/False

1. Internal control starts with a strong set of policies and procedures.

FALSE!

Internal control starts with a strong control environment.

True/False

2. We have controls for auditors.

FALSE!

Auditors appreciate controls; however, management is the primary owner of internal controls.

True/False

3. Only certain departments use internal controls.

FALSE!

Internal control is integral to each department.

What are Internal Controls?

Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations

Internal Control Purpose

• Promote orderly, economical, efficient and effective operations
• Safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud
• Promote adherence to laws, regulations, contracts and management directives
• Develop and maintain reliable financial and management data, and accurately present data in timely reports

Control Roles and Responsibilities

• Board of Directors/Elected Officials
• Management
• Internal Audit or similar function
• External Audit
• Other personnel/everyone else

Why Internal Controls Fail

• Control override – “The policy says it’s supposed to be done this way, but it’s easier to do things my way.”
• Lack of knowledge – “I did not know that!”
• Too much trust in key employees – “We trust ‘Susie’ who handles all of those tasks.” Or, “He has been here longer than I have; he must be honest.”
• Inappropriate access – “I don’t have access, so I use my manager’s password for posting payments.”
• Outdated controls – Processes change; therefore, procedure doesn’t apply.

Top 10 Risks & Recommended Practices

General Controls

• A fraud & ethics policy
• Fraud risk assessment
• An audit committee
• Whistle blower hotline/fraud hotline
• Internal audit or similar function

10. Procurement Card Risks

• Inappropriate employee access and levels; no approval, review or monitoring of use
  – Risks
    • Public awareness
    • Misappropriation, losses, liability

Procurement Card Recommendations

• Develop policies and monitor compliance
• Centralize request process
• Use analytics software to track spending by card, category, merchant, etc.
• Set spending limits (max per day/week/month per user)
• Monitor cards to ensure they are not used to circumvent purchasing procedures/policies

9. Risks of No Internal Audit Function

• No internal audit function
  – Risks
    • Improper control monitoring
    • Redundancies in operational and control procedures are not identified
    • The Early Warning System is not utilized

Internal Audit Recommendations

• Develop IA within your organization or…
  – Co-source
  – Out-source

With a properly staffed internal audit function, management would have, at its fingertips: an advocate, a risk manager, a controls expert, an efficiency specialist, a problem solving partner, and a safety net.

Internal Audit…adds value to the internal control system by bringing a systematic, disciplined approach to the evaluation of risk and by making recommendations to increase the effectiveness of risk management efforts, improve internal control structure and promote good governance.

8. Cash Control Risks

• Cash deposits were not always made in a timely manner; bank accounts not reconciled
  – Risks
    • Fraud
    • Errors
    • Timeliness

Cash Control Recommendations

• Reconcile monthly
• Ideally, checks should be sent to lockbox
• Checks and payments should be physically secured, documented, and custody tracked
• Segregation of duties
• Documentation and procedures are sufficient so that loss or misappropriation of funds can be traced to the responsible individual(s)

7. Computer Control Risks

• Lack of controls over password requirements and login attempts
  – Risks
    • Unauthorized access to system
      – Internal & external
    • Financial losses and liability

Computer Control Recommendations

• Strong Policies (make sure these are reviewed annually)
  – Passwords should contain complexity requirements
  – Lock out accounts after 3 consecutive log-on attempts
  – Require employees to sign a computer use policy
  – Screen savers require a password
• Monitoring access attempts, both externally and internally
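One way to test the lockout and access-monitoring recommendations above against an authentication log. This is an added example, not material from the presentation; the log format, the result codes (OK, FAIL, LOCKED) and the account names are constructed assumptions.

```python
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 3  # slide policy: lock out after 3 consecutive log-on attempts
RESULTS = {"OK", "FAIL", "LOCKED"}  # assumed codes; LOCKED = refused, account locked

# Constructed sample events: "timestamp account source result"
SAMPLE_LOG = """\
2016-05-02T08:01:10 jdoe internal FAIL
2016-05-02T08:01:15 jdoe internal FAIL
2016-05-02T08:01:21 jdoe internal OK
2016-05-02T09:14:02 asmith external FAIL
2016-05-02T09:14:05 asmith external FAIL
2016-05-02T09:14:09 asmith external FAIL
2016-05-02T09:14:12 asmith external LOCKED
2016-05-02T10:30:00 svc_ap external FAIL
2016-05-02T10:30:01 svc_ap external FAIL
2016-05-02T10:30:02 svc_ap external FAIL
2016-05-02T10:30:03 svc_ap external FAIL
2016-05-02T10:30:04 svc_ap external OK
"""


def review_lockout(log_text, threshold=LOCKOUT_THRESHOLD):
    """Replay log-on events and report where the lockout policy was not enforced."""
    streak = defaultdict(int)         # consecutive failures per account
    by_source = defaultdict(Counter)  # internal/external -> count per result
    locked, exceptions = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, source, result = line.split()
        if result not in RESULTS:
            raise ValueError(f"unknown result {result!r} in: {line}")
        by_source[source][result] += 1
        if result == "LOCKED":
            # Control worked: the attempt was refused because the account is locked.
            if account not in locked:
                locked.append(account)
            continue
        if streak[account] >= threshold:
            # Credentials were still evaluated after the threshold was reached.
            exceptions.append((ts, account, source, result, streak[account]))
        # A success resets the run of failures; a failure extends it.
        streak[account] = streak[account] + 1 if result == "FAIL" else 0
    return {
        "locked": locked,
        "exceptions": exceptions,
        "by_source": {src: dict(cnt) for src, cnt in by_source.items()},
    }


if __name__ == "__main__":
    report = review_lockout(SAMPLE_LOG)
    for row in report["exceptions"]:
        print("EXCEPTION", *row)
    print("locked:", report["locked"])
    print("by source:", report["by_source"])
```

Each exception row is an attempt that was still evaluated after three consecutive failures, which is the evidence a reviewer would cite when reporting that the lockout control is not operating.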

6. Fuel Use Risks

• Lack of policies surrounding vehicle and fuel use
  – Risks
    • Overpayment
    • Private inurement
    • Lack of reporting/level of detail
    • Lack of policies and procedures
    • Little to no oversight on fuel dispensed

Fuel Use Recommendations

• Reconcile usage to invoices
• Develop policies & monitor compliance
• Track fuel usage by vehicle, driver, location, fuel type, etc.
• Monitor system overrides
• If fuel purchasing cards are used, perform analytics around that program

5. Capital Asset Risks

• No capital inventory periodically performed
  – Risks
    • Resources wasted
    • Misstatements in financial reporting
    • Resources lost/stolen

Capital Asset Recommendations

• Equipment purchases are made in accordance with purchasing guidelines, properly authorized and recorded
• All equipment has an asset tag that is easily visible
• Asset management is notified of:
  – Donations, transfers or fabrication of equipment
  – Equipment lost, stolen, salvaged or scrapped
  – Equipment moved to an off-site location
• An annual departmental inventory report is completed and returned to asset management by a specified date

4. Segregation of Duties Risks

• Lack of proper segregation between cash collected and recording in financial records
  – Risks
    • Misappropriation of assets
    • Reputation
    • Funding loss
    • Opportunity for fraud

Segregation of Duties Recommendations

• Develop policies and review annually
• Properly segregate custody, recording and authorization
• Identify access control conflicts annually
• Identify risks associated with each conflict
• Identify & analyze mitigating controls related to each risk
• Discuss risks with management
• Document remediation steps for unmitigated risks
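A sketch of the annual access-conflict review described above, run over a system entitlement extract. This is an added example, not material from the presentation; the permission names, their mapping to custody, recording and authorization, the users and the mitigating control are all constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Hypothetical permission names mapped to the three duties named on the slide.
DUTY_OF = {
    "vendor.create": "authorization",
    "payment.approve": "authorization",
    "check.issue": "custody",
    "deposit.prepare": "custody",
    "ledger.post": "recording",
    "bank.reconcile": "recording",
}

# Constructed entitlement extract: user -> permissions held.
ENTITLEMENTS = {
    "acct_clerk": {"vendor.create", "check.issue", "bank.reconcile"},
    "acct_manager": {"payment.approve"},
    "ap_specialist": {"check.issue", "ledger.post"},
    "cashier": {"deposit.prepare", "report.view"},
}

# Constructed register of documented mitigating controls per (user, duty pair).
MITIGATIONS = {
    ("ap_specialist", ("custody", "recording")):
        "Monthly independent review of the check register",
}


def find_conflicts(entitlements, duty_of=DUTY_OF, mitigations=MITIGATIONS):
    """Return (conflicts, unmapped): users holding two or more duties, and
    permissions that have no duty classification yet."""
    conflicts, unmapped = [], []
    for user in sorted(entitlements):
        by_duty = defaultdict(set)
        for perm in sorted(entitlements[user]):
            if perm in duty_of:
                by_duty[duty_of[perm]].add(perm)
            else:
                # Unclassified permissions are reported rather than skipped.
                unmapped.append((user, perm))
        # Every pair of distinct duties held by one user is a conflict.
        for pair in combinations(sorted(by_duty), 2):
            control = mitigations.get((user, pair))
            conflicts.append({
                "user": user,
                "duties": pair,
                "permissions": sorted(by_duty[pair[0]] | by_duty[pair[1]]),
                "mitigation": control,
                "status": "mitigated" if control else "unmitigated",
            })
    return conflicts, unmapped


if __name__ == "__main__":
    found, unclassified = find_conflicts(ENTITLEMENTS)
    for c in found:
        print(c["status"].upper(), c["user"], "+".join(c["duties"]), c["permissions"])
    print("unclassified permissions:", unclassified)
```

The unmitigated rows are the ones to discuss with management and carry into documented remediation steps.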

3. Expenditure Risks

• Charged to wrong year, expense report errors and lack of review
  – Risks
    • Financial misstatements
    • Noncompliance with IRS rules
    • Opportunity for fraud
    • Hard to develop and analyze budgets

Expenditure Control Recommendations

• Transactions are properly approved and the stated purpose is reasonable
• Vendors are added to the system by approved individuals
• Account status reports are independently reviewed for accuracy of charges

2. IT Risks

• The IT department does not have strong controls around:
  – reviewing users & user permissions
  – monitoring network traffic for unauthorized access
  – ensuring all software is licensed and up-to-date
  – purchasing software

IT Control Recommendations

• Audit IT security annually (including cyber security risks)
• Employees with access to computer systems have an established need for the access
• Procedures are in place to prevent unauthorized use or transmission of information
• Access to the system is removed in a timely manner for terminated or transferred staff
• Each computer software package is licensed for the current user
• Computer files are backed up on a regular basis. Backup data is stored in a location away from the originals

IT Control Recommendations

• IT should approve all new hardware/software purchases
• Establish procedures for creating, modifying and deleting user accounts
• IT should only add users to network after notified by HR

1. Failure to get help / denial / status quo Risk

This will not happen to us! We have…

– Annual external audit
– Good purchasing controls
– A Board that reviews contracts
– A firewall (IT)

Tips on What You DON’T Know!
5 Best Practices You May be Missing

Construction Audit

• Pre-Construction audit services
• Contract review
• Periodic and/or Post Closeout Audits
• Energy studies
• Utility usage reviews

Insurance Review

• Identify cost savings with insurance plans (plan adequacy, coverage limits, etc.)
• Workers compensation, business interruption, directors liability
• Know self insurance and insurance pool risks

Hire an independent expert to perform an independent insurance review for your organization.

Data Security & Privacy

• Maintain proper controls around electronic data
• Keep your organization out of the news for data breaches
• Perform annual IT risk assessment
• Review website and system security frequently
• Do not strictly rely on firewalls and anti virus protection

Healthcare

• Ensure the Organization meets requirements for adoption and implementation of the Reform
• Assist with implementation and requirements

PCI Compliance

• Ensure your Organization is in compliance with PCI (credit card) standards
• Avoid credit card fraud and hefty fines for non compliance
• Ensure you are in compliance with merchant agreement
• Perform analysis to determine where you accept credit and how you accept credit cards (online, in person, via mail…)

Requirements apply to any organization/vendor that stores, processes, or transmits credit card data.

Reporting

Report Objectives

• Reports should achieve our purpose to:
  – Add value
  – Improve operations
  – Improve effectiveness of risk management, control, and governance processes.
• We are not trying to:
  – “Tell on” anyone
  – Report a “gotcha”

Report Objectives > Key Considerations

• What is the objective of the audit report?
• Who should and who is reading the report?
  – Analyze the audience
• How do they plan on using the report?
• What kind of reaction are you looking for?

Report Objectives > Effectiveness

Stick to the Facts

• Sufficient factual evidence
• No room for error in factual accuracy
• Watch level of detail – include only what is necessary to persuade
  – Does it directly support your key point?
  – Does it show the significance?
  – Does it lead to your recommendation?

Report Objectives > Effectiveness

Begin With the End in Mind

The most effective reports have:
• Clearly defined project objectives.
• An audit plan that will provide necessary report information.
• Knowledge of what the reader will find pertinent.

Get Management Commitment

• Fix the problem
• Focus on Cause
• Keep it measurable and practical
• Assign accountability
• Give the benefit
• Focus on key actions
• Set a date

The 5 C’s

To inform, persuade, and get results

• Condition – what is the problem?
• Criteria – what policy can be adopted?
• Cause – what led to the problem?
• Consequence – what is the risk of noncompliance?
• Corrective Action – what should be done.

The 5 C’s – Issue Log Example

Theme: Segregation of Duties
WP Ref: A101
Priority (H/M/L): H
Condition: The accounting clerk sets up new vendors, issues checks, and performs bank reconciliations.
Criteria: Duties should be segregated to identify errors and protect assets.
Consequence: Errors in cash disbursements would be difficult to detect and
Cause: The accounting manager is overwhelmed with office manager duties and was not performing the bank reconciliations timely.
Quantified: No errors detected.
Corrective Action: An office manager should be hired so the accounting manager will have time to perform necessary accounting functions. The accounting manager should list all duties performed and document job responsibilities.

Report Organization

• Executive Summary conveys the complete message.
• Prioritize issues with headings that make your point.
• Recommendations that correct the root cause.
• Documented commitment from Management.

Report Organization > Impact

• Place issues in order of importance.
• Put the key point first.
• Be helpful to the reader – don’t bury your message.
• Consider action headings.

Write Your Lead

Old newspaper rule: If they don’t care about the first sentence, they won’t read the second sentence.

• Your opening line is key.
• Stick to the “one sentence rule.”
• Don’t make them search for the issue.
• Be absolutely clear.

Communicating to Management & Board

• Find out what management’s expectations are.
• What level of detail is expected to be reported?
• Factor in amount of time allocated to Internal Audit.

Report Organization > Format

• Headings
• White Space – 1.5 – 2” blocks
• Bullets
• Charts/Graphs

Communicating > 7 Do’s

1. Practice
2. Open with your conclusions
3. Describe the benefits if your recommendation is accepted
4. Describe the costs or savings
5. List specific recommendations
6. Look at everyone when you talk
7. Be brief

Questions

Ron P. Steinkamp
Brown Smith Wallace, LLP
[email protected]