Internal Controls - Villanova University
Download
Report
Transcript Internal Controls - Villanova University
Internal Controls
Definition of Internal Control
Internal control is a process, effected by an entity's board of
directors, management, and other personnel, designed
to provide reasonable assurance regarding the
achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations.
Benefits of Internal Control
Having controls in place minimizes embezzlement and/or
misappropriation of funds. The temptation to steal assets from
the church is lessened once steps have been taken to put
checks and balances in place. These controls would help to
promote ethical behavior.
There is also a reduction in the need to accuse and confront
employees. The internal controls would provide accurate
information that would be used to detect illegal behavior and
also to make reporting easier.
The internal controls minimize the embarrassment of the
church because of negative publicity from the media should
inappropriate behavior occurs. It is a good practice to try and
prevent the image of the church from being damaged in any
way. Fraud in the headlines is a strike against any organization.
External/regulatory oversight
Unlike corporations which provide quarterly financial
statements to the SEC and hold quarterly conference
calls with outside analysts, the church is subject to almost
no recurring outside financial scrutiny
Since many churches and dioceses are not required by
law to be transparent and accountable in their finances,
they choose to keep their finances private.
Canon Law and Other Guidelines
Canon law contains a number of provisions directed at
good management and financial practices.
The primary diocesan institution to monitor diocesan finances
is the diocesan finance council (DFC). According to canon law,
each diocese is required to establish a DFC, to be presided
over by the bishop or his delegate.
In addition to canon law, the United States Conference of
Catholic Bishops (USCCB) has established recommended
guidelines for diocesan financial management.
But they are just that - guidelines
5 Elements of the IC Process
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Control Environment
The core of any business is its people - their individual
attributes, including integrity, ethical values, and
competence and the environment in which they operate.
Clear lines of authority and accountability that emphasize the
importance of internal controls
A documented code of conduct/ethical standards
A formal budget process and prompt variance analysis.
A plan to attract and retain competent personnel.
An effective audit committee and internal audit functions.
More on the Control Environment later
Risk Assessment
The entity must be aware of and deal with the risks it
faces. It must set objectives, integrated with the sales,
production, marketing, financial, and other activities so
that the organization is operating in concert. It also must
establish mechanisms to identify, analyze, and manage the
related risks.
Clear objectives regarding operating, financial reporting, and
law compliance functions.
An entity-wide review to assess and evaluate risk (discussed
later)
Control Activities
Control policies and procedures must be established to
ensure that management's responses to risks are
effectively carried out.
Segregation of duties: collections of cash contributions counted
by two or more people.
Independent counting and/or confirmation of investments.
Controlled access to electronic data processing operations and
adequate back-up (disaster recovery) in place.
Information and Communication
Information and communication systems surround all of
these activities. They enable people to capture and share
the information needed to conduct, manage, and control
operations.
Management support for developing and maintaining effective
financial management information systems.
The sharing of information on emerging risk issues with other
dioceses.
Channels of communication for employees and church
workers to report suspected irregularities or illegal acts.
Monitoring.
The entire process must be monitored, and modifications
must be made as necessary. In this way, the system can
react dynamically, changing as conditions warrant.
Regular receipt and prompt acting on reports of problems in
internal controls (from external/internal auditors, etc.).
Prompt follow-up on unusual variances from budget.
Periodic comparison of physical inventories of saleable items
(textbooks, cemetery lots, etc.) and permanent assets (sacred
vessels, historical treasures, office equipment) to accounting
records and the reconciliation of differences.
Limitations of IC
Mistakes and human errors in applying the established
policies and procedures.
Circumvention of controls by collusion of two or more
people (e.g., an employee and a vendor).
Intentional disregard of controls (e.g., management
override, falsifying documents, forgery, etc.).
Discussed in more detail later
People and IC
Bishop
Finance Officers
Internal Auditors
Other Diocesan Personnel
Volunteers
Committees
Finance Council
Audit committee
Financial/project review committee
Properties committee
Investments committee
External Auditors
Key Business Cycles
Financial planning and control
Cash management (includes the revenue cycle)
Payroll
Purchasing
Elements of IC
Honest Employees
Separation of duties
Require vacations
Bonding when appropriate
Awareness of conflict of interest policies
“know” your employees
Background checks on all potential hires
Recordkeeping, custodianship, authorization
Appropriate policies and procedures over transactions
Suitable documents and accounting records
Physical control over assets
Independent verification of performance
Financial Planning and Control Cycle
Monthly Comparative Financial Statements
Chart of Accounts
Policy and Procedures Manuals.
Cash Management Cycle
Proper Control over:
Bank accounts
Cash disbursements
Cash receipts
Petty cash
Marketable securities
Receivables
Payables
Payroll
Payroll Cycle
Personnel Administration and Employment File
Maintenance
Timekeeping and Payroll Preparation
Payment of Payroll
Preparation of Payroll Tax Returns and Payment of
Taxes
Purchasing Cycle
Authorization of Purchase
Processing Purchase Orders
Receiving Goods and Services
Recognizing the Liability
Processing and Recording Cash Disbursements
Guidelines for an IC Review
Risk Assessment and Evaluation
Suggested Steps
A project committee should be established (perhaps a subcommittee of the diocese's finance council)
composed of, at a minimum:
The committee should be charged with undertaking and documenting a study of the diocesan internal
control process and making recommendations for improvement. Its chair should regularly report to the
bishop on progress. (Items 3-8 refer to the study/review.)
The committee should assess the overall control environment
The committee should divide the entity into natural business cycles
The committee should review the flow of transactions through these cycles to understand each
processing system and its controls.
The committee should determine whether control techniques in place in each cycle achieve the defined
internal control objectives
Where objectives are not met, the committee should assess the resultant risks and make specific
recommendations to improve internal controls at a cost below the value of the related benefit to be
attained.
The committee should draft a report summarizing the project and detailing the recommendations.
The implementation of the recommendations should be periodically reviewed to ensure the desired
results are achieved and to promote the diocesan culture of appreciating and embracing the value of
internal controls.
Ongoing Commitment
Fraud and Irregularities
The fraud triangle
Opportunity, rationalization, pressure
Types of fraud
Management override
Collusion
Lapping
Theft
Accounts Payable Fraud
Payroll Ghosts and Unauthorized Pay Charges
Kickbacks
Supplies or Inventory Fraud
Detecting Fraud
Changes in employee's lifestyle, spending habits, or behavior
Inventory shortages
Ignoring of internal/external policies or audit
recommendations
Unusual banking activities
Decline in employee morale/attendance
Exceedingly high expenses/purchases
Unexplained budget variances
Zech & West:
Control environment
The organizational structure of the firm (in the Catholic
Church, this involves questions such as is the diocese
organized as a corporation sole?)
Oversight by the board (in the Catholic Church, this is
the diocesan finance council, or DFC)
Management's philosophy and operating style
Procedures for delegating responsibility and authority
Management's methods for evaluating performance
External influences (e.g., regulatory oversight)
Results of Zech and West Study: Part 1:
Risk Factors (as cited by CFOs)
CFO’s ranked the following risk factors in this order
(highest risk to lowest risk):
Lack of expertise at the parish level
Parish finances and controls
Litigation
Adequacy of insurance coverage
Property management
Results of Zech and West Study: Part 2:
Importance of DFC
If the Diocesan Finance Council (or one of its
committees) is involved in reviewing the diocesan budget,
there is less fraud detected (better prevention). The more
frequently the DFC meets, the greater the amount of
fraud detected (better detection)
Results of Zech and West Study: Part 3:
Importance of CFO
the tenure (years of the experience on the job) of the
CFO, whether the CFO had an accounting background,
and if the CFO selects the auditors all seemed to imply
better fraud prevention
However, in cases where the bishop or DFC feels
capable of making the auditor selection, it seems
appropriate that they do so, from at least an
independence viewpoint
Results of Zech and West Study: Part 4:
Internal Control Variables
Those dioceses with formal, written fraud policies experienced
less embezzlement, presumably the result of better prevention.
A second variable that had a positive impact on fraud
detection was the frequency with which parishes submit their
financial data.
A third internal control variable that was significant is difficult
to interpret. Dioceses that presented comparative financial
data in their monthly budget versus actual reports
experienced more embezzlement. This control is really a
financial reporting control. It is not a control that would
typically be used to detect embezzlements. It is a control that
would more likely be used to detect errors in financial
reporting.
Results of Zech and West Study: Part 5:
Audit Category
the frequency of internal audits of parishes was significant
and positive, and, based on the value of the standardized
coefficient, the most important factor in explaining the
level of diocesan fraud. This seems logical in that more
frequent internal audits result in more detected
embezzlements. On the other hand, one could argue that
more internal audits would be a deterrent to employees
and less fraud and embezzlements should occur.
Recommended environment
control policies (Zech and West)
Implementation in every Catholic diocese of the policies
prescribed in the USCCB handbook Diocesan Financial
Issues
The establishment of fraud policies in every diocese
Annual internal audits of parishes supplemented by
external audits conducted at east every three years
Public disclosure of the names and professions of every
member of the Diocesan Finance Council, along with
their conflict of interest guidelines
Continued - Recommendations
At a minimum, quarterly meetings of the DFC (or one of
its subcommittees) to monitor diocesan office, parish, and
school financial reports
Selection of the diocesan auditor by someone (bishop or
DFC) other than the diocesan CFO
At least annual (and preferably more frequent) submission
of financial data by all parishes and high schools
Establishment of a uniform budgeting process and
standardized software for all diocesan entities
Establishment of communication channels for church
workers to report suspected irregularities or fraudulent
activities while protecting their anonymity.
Recommendations from USCCB
An annual letter from the parish to the bishop containing
The names and professional titles of the parish finance council members,
Dates when the council met in the preceding fiscal year and since the end of the
fiscal year,
Date(s) when the approved (i.e. by the parish finance council) parish financial
statements/budgets were made available to the parishioners during the preceding
fiscal year and since the end of the fiscal year. A copy of the published financial
statements/budgets should be provided to the bishop, it added.
A statement signed by the parish priest and the finance council members
that they have met, developed, and discussed the financial statements and
budget of the parish.
Thorough diocesan training for parish finance council members relative to
their roles and responsibilities.
Establishment of diocesan policies to cover conflicts of interest, protection
of whistleblowers, and a fraud policy which would include prosecution of all
fraud cases in the diocese.
Completion of an annual internal control questionnaire by each parish with
proper review and follow-up made by qualified diocesan personnel.
USCCB Recommendations - continued
In longer-term recommendations, the committee urged
Development of a parish best practices manual, similar to the
Diocesan Financial Issues document, which has been developed
for dioceses.
Integration of financial training into seminarian programs so
students will be better prepared to handle parish financial
matters.
Other General Recommendations
A full audit
Expensive and time consuming, but very thorough
“Agreed upon procedures” in which an outside firm will look at specific areas of the church’s
finances and then make a report with recommendations.
firm can perform an internal control review or they can assist in the compilation of the
church’s financial statements
Have a certified public accountant (CPA) review the church’s financial procedures and issue
a management letter noting weaknesses of the system and offering recommendations.
An “inside audit” done by a committee comprised by members of the church who have
expertise in accounting and finance.
These can be effective, but they do have limitations because they do not have the
independence of an outside auditor
If churches have good financial policies and procedures in place, a full audit may not be
necessary.
It is important to report the finances of a church on a regular basis in a manner that can
be understood easily; in a nutshell, be forthright about the church’s finances
Have a time for members to ask questions and to have someone on hand who can answer
those questions
Use of an internal control checklist