Getting Prepared to Prepare Your Own Financial Statements


Small Government Internal
Controls
Presented by
Donna Collins
Milestone Professional Services
Why are Internal Controls So
Important?
• Accountability
– Citizens
• Approved budget has been followed
• Spending and letting of contracts has been legal
• Appropriate safeguards taken against fraud
– Grantors
• Funds have been used for the purpose given
• Compliance requirements have been met
– Management
• Data is reliable for decision making
Why are Internal Controls So
Important?
• Accurate reporting
– Internal
• Budgeting and planning purposes
• Cash flow management
– External
• Creditors (Bankers, bondholders, etc.)
• Grantors
• Financial statement users
– State and other governments
– Companies moving to our City
Why are Internal Controls So
Important?
• Efficient use of resources
– Eliminating redundancy in our process to
allow for a streamlined workforce
– Protecting against loss due to fraud and
misappropriation
– Communicating clearly internally and
externally so that operations flow smoothly
– Providing for the ability to recognize
excellence within our government
Internal Control - Definition
• Internal Control is a process, effected by
management and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives in
the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with laws and regulations
Internal Control - Definition
• Internal control consists of
five interrelated components
that affect each of the three
categories
Internal Control - Components
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
Internal Control - Components
• Internal control components
interact with operations, financial
reporting and compliance
Control Environment
• Sets the tone for the government
• Influences control consciousness
• Foundation for all other control
components
• Includes: integrity, ethical values,
competency, management’s philosophy,
and the way authority and responsibility are
assigned
Practical Application - Control
Environment
• Establish current policies with regard to
ethical behavior (Code of Conduct),
Conflict of Interest, Nepotism
• Enforce appropriate discipline for failure to
comply with these policies
• Ensure personal adherence to strong
moral code
• Reward competency
Practical Application - Control
Environment
• Place high degree of importance on
maintaining strong internal control
• Provide for a “whistle blower” policy that
allows employees and others to report
fraud or false statements by the
management team
Impact of the Control
Environment
• Don’t underestimate the importance of this
part of the control system. All the great
control activities in the world will not be
effective if employees know that
management is not concerned with strong
internal control, lacks integrity or does not
value their employees.
Control Environment Pitfalls
• Ignoring the tone that management sets or
thinking that the control environment is not
important.
• Inconsistency in treatment of lapses in
ethical conduct.
• Allowing employees to feel devalued.
Risk Assessment
• Risks result from both external and
internal sources
• These change over time based on
economic, regulatory, and operating
conditions
• Risk Assessment must link identified
policy objectives to specific risk factors
Risk Assessment
• Example: a policy of receiving
the highest rate of return on
investments must be linked to
interest rate risk
Risk Assessment
• Example: a policy of allowing
payment from vendor
statements rather than original
invoices only must be linked to
the risk of duplicate payments
Risk Assessment
• Example: a policy of
decentralized cash receipts
must be linked to the risk of
untimely deposit and recording
to the general ledger.
Risk Assessment
• Risk Assessment must also link identified
control objectives to specific risk factors
– All transactions are properly authorized
– Transactions are recorded in the correct
period for the correct amount
– All revenues are received and recorded timely
– Assets are not stolen or lost
Risk Assessment
• Risk factors are created by:
– The nature of particular accounts or
transactions
– Turnover in key employee positions
– Changes in the financial markets
– The expertise of the personnel handling
transactions
– Ineffective or poorly designed control activities
Practical Application - Risk
Assessment
• Be realistic about the true risk with regard
to a particular account or cycle of
transactions
• Consider all types of applicable risk:
inherent, control risk, fraud risk, credit risk,
etc.
• Make sure to address IT risk
• Identify “What could go wrong?”
What could go wrong?
Example: Cash Disbursements
• Payments could be made to fictitious
vendors
• Disbursements could be made for the
wrong amount
• Duplicate payments could be made on an
invoice
• Disbursements could be recorded in the
wrong period
What could go wrong?
Example: Investments
• Excessive transaction fees could be
charged to the government.
• Investments held by the government could
be stolen (Certificates of Deposit).
• Investments outside the government’s risk
tolerance could be purchased and result in
loss of principal.
What could go wrong?
Example: Cash Receipts
• Funds received could be credited to the
wrong customer account
• Cash could be stolen by an employee
• Amounts received could be recorded net
rather than gross
• Amounts receivable may never be
collected due to failure to follow up on past
due amounts
How to perform an effective risk
assessment
• Use “What could go wrong” scenarios to
identify areas of potential risk.
• Rank the likelihood and impact of each of
these risk factors.
• Identify controls that mitigate risk for the
highest ranked risk factors.
Risk Matrix – Cash Receipts
Objective: All collections are properly identified, control totals developed, and collections promptly deposited intact.
– Risk Factors: Failure to record cash receipts, withholding or delaying the recording of cash receipts.
– Impact Ranking: 5
– Probability Ranking: 4
Objective: All bank accounts and cash on hand are subject to effective custodial accountability procedures and physical safeguards.
– Risk Factors: Misappropriated cash or petty cash funds, diverted cash receipts, unauthorized cash disbursements, loss of funds.
– Impact Ranking: 5
– Probability Ranking: 3
Objective: All transactions are properly accumulated, correctly classified and summarized in the general ledger; balances are properly and timely reconciled with bank statement balances.
– Risk Factors: Misstating cash balances, covering unauthorized transactions by falsifying bank reconciliation.
– Impact Ranking: 4
– Probability Ranking: 3
Objective: All transactions are promptly and accurately recorded in adequate detail records and appropriate reports are issued.
– Risk Factors: Covering unauthorized transactions by substituting unsupported credits or fictitious expenditures to cover misappropriated collections, under or overestimating cash or receivables.
– Impact Ranking: 3
– Probability Ranking: 4
Practical Application - Risk
Assessments
• Risk Assessments can be documented via
narrative, checklist or matrix
• Tools available include:
– COSO documents available via AICPA
– PPC checklists or other auditor utilized
templates
– Local government websites (perform Google
search for “government internal control”)
Practical Application - Risk
Assessments
• Remember that use of a third party does
not eliminate management’s responsibility
for assessing risks.
– Structure of agreement is important
– Obtain SAS 70
– Reconcile reports to general ledger (as
applicable)
Practical Application - Risk
Assessments
• Remember that IT controls can affect risk
for all cycles of transactions. Well
designed internal controls can be made
ineffective by poor controls over IT.
– System log-in should mirror job
responsibilities
– Passwords
– Remove temporary access granted once no
longer appropriate
Risk Assessment Pitfalls
• Trying to identify a control for every risk
factor.
• Ignoring the possibility of existing
compensating controls.
• Not performing a risk assessment annually
or at least when key factors have changed
(regulatory, employee turnover, etc.)
• Ignoring IT controls.
Control Activities
• The policies and procedures that ensure
management’s directives are followed
• These occur at all levels throughout the
organization
• Include: approvals, authorizations,
verifications, reconciliations, security of
assets, segregation of duties and review of
operating performance
Practical Application - Control
Activities
• Address control objectives: existence or
occurrence, completeness, valuation or
allocation, rights and obligations, accuracy
or classification, cutoff and presentation
and disclosure
• Tie control activities to risks previously
identified and address “What could go
wrong” scenarios
• Balance cost and benefit
Practical Application - Control
Activities
• Identify control objectives and the risks of
what could happen
• For each risk factor identified, evaluate the
potential impact and probability of
occurrence
• Design control activities to address high
impact, high probability concerns
• Evaluate annually
Risk Matrix
• Cash Receipt Example
Objective: All collections are properly identified, control totals developed, and collections promptly deposited intact.
– Risk Factors: Failure to record cash receipts, withholding or delaying the recording of cash receipts.
– Impact Ranking: 5
– Probability Ranking: 4
– Control Procedure: Cash receipts are posted daily to the accounts receivable. The cash receipts are reconciled to daily bank deposits. Bank reconciliations are performed timely to reconcile all bank deposits.
Objective: All bank accounts and cash on hand are subject to effective custodial accountability procedures and physical safeguards.
– Risk Factors: Misappropriated cash or petty cash funds, diverted cash receipts, unauthorized cash disbursements, loss of funds.
– Impact Ranking: 5
– Probability Ranking: 3
– Control Procedure: Bank reconciliations are performed timely to reconcile all bank deposits and disbursements to the general ledger. Petty cash funds and cash receipts deposits are securely maintained in a safety bag, lockbox, or safe depending on their location. Bank deposits are delivered to the bank daily in secure bank bags.
Objective: All transactions are properly accumulated, correctly classified and summarized in the general ledger; balances are properly and timely reconciled with bank statement balances.
– Risk Factors: Misstating cash balances, covering unauthorized transactions by falsifying bank reconciliation.
– Impact Ranking: 4
– Probability Ranking: 3
– Control Procedure: Bank reconciliations are reviewed by management independent of the individual that prepares them.
Objective: All transactions are promptly and accurately recorded in adequate detail records and appropriate reports are issued.
– Risk Factors: Covering unauthorized transactions by substituting unsupported credits or fictitious expenditures to cover misappropriated collections, under or overestimating cash or receivables.
– Impact Ranking: 3
– Probability Ranking: 4
– Control Procedure: Cash receipts are posted daily to the accounts receivable. The cash receipts are reconciled to daily bank deposits. Bank reconciliations are performed timely to reconcile all bank deposits.
Risk Matrix
• Cash Disbursements Example
Objective: All checks are prepared on the basis of adequate and approved documentation, compared with supporting data and properly approved, signed and mailed.
– Risk Factors: Incorrect or duplicate payments, alteration of checks, disbursement for materials or services not properly documented or approved.
– Impact Ranking: 5
– Probability Ranking: 5
– Control Procedure: Cash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the Finance Manager before being processed for printing and sent out.
Objective: All requests for goods and services are initiated and approved by authorized individuals, and are in accordance with budget and appropriation guidelines.
– Risk Factors: Purchases from unauthorized vendors, purchases in violation of a conflict of interest policy, purchases that demonstrate unfair bidding practices, purchases are not made timely, purchases not in accordance with budget provisions.
– Impact Ranking: 5
– Probability Ranking: 4
– Control Procedure: Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City budget officer reviews for budget restrictions on purchase orders.
Objective: All invoices processed for payment represent goods and services received and are accurate as to terms, quantities, prices and extensions; account distributions are accurate and agree with established account classifications.
– Risk Factors: Payment based on improper price or terms, accounting distribution of cost is inaccurate.
– Impact Ranking: 5
– Probability Ranking: 3
– Control Procedure: The City only processes payment from invoices and costs are allocated based on the expenditure accounts on the initiating purchase order.
Practical Application - Control
Activities
• It is not necessary to address every risk
factor with a specific control activity –
focus on key areas
• Utilize compensating controls where
“textbook approach” is not practical
• Evaluate the benefit of existing monitoring
controls
Risk Matrix
• Cash Disbursements Example
Control Procedure: Cash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the Finance Manager before being processed for printing and sent out.
– Compensating Control: Cash disbursements are prepared by the Accounts Payable Clerk and then reviewed with supporting documentation by the City Clerk (City Manager) before being processed for printing and sent out.
Control Procedure: Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City budget officer reviews for budget restrictions on purchase orders.
– Compensating Control: Purchases are made in accordance with the City's purchasing policy and purchase orders are reviewed for appropriateness by the Accounts Payable Clerk when matched with incoming invoices. Purchase orders are entered to the appropriate expenditure/expense accounts and City Clerk reviews for budget restrictions on purchase orders.
Key Control Activities
• Address unusual transactions or variance
from expected benchmarks in timely
fashion
• Reconcile accounts per general ledger to
subsidiary ledgers or statements from
trustee/custodian (as applicable)
• Separate initiation and authorization from
recording of transactions
Key Control Activities
• Provide for oversight by interested party
such as Investment Committee (include
trustee activities), Audit Committee or
Citizens’ Group
• Utilize disclosure checklist to ensure
presentation and disclosure requirements
are met
Control Activities Pitfalls
• Remember that for small governments key
objectives must be identified
– Reducing the risk of theft or fraud
– Providing for accountability
– Ensuring compliance with regulations
• Focus on true effectiveness – not just
cookie cutter approaches
• Ensure benefit justifies the cost
Information and Communication
• Includes both internal and external
interaction
• Requires pertinent information to be
identified, captured and communicated in
a form and timeframe for employees to
carry out their responsibilities
• Reports must contain relevant operational,
financial and compliance information
Practical Application - Information and Communication
• System generated reports must include
relevant information
• Statements from outside third parties
(broker/dealers, bank statements, grantor
agency) must be channeled to correct
personnel and provided timely
Information and Communication
Example: Investments
• Communication with Investment
Committee or other oversight body should
include:
– Types of investments held
– Average rate of return for period and YTD
compared with benchmarks
– Average maturity of portfolio
– Compliance with investment policy provisions
Information and Communication
Example: Investments
• Communication with Investment
Committee or other oversight body should
also include:
– Changes in investment strategy (if any)
– Interest rate environment changes
– Discussion of any unusual transaction or
particularly risky investment
Information and Communication
Example: Cash Disbursements
• Communication with Departments
– Budget to Actual Report by budgeted line
– Request to explain certain variances
– Detail of Capital Assets added to subledger
• Communication with Council
– Budget to Actual Comparison by Department
– Explanations for variances over a certain
threshold
Information and Communication
Example: Cash Receipts
Daily Cash reports should show revenue by
major categories such that reconciliation to
the general ledger is facilitated.
The date of receipt and date of deposit should
be included along with the general ledger and
bank account information.
Information and Communication
Pitfalls
• Generating reports that provide
inaccurate, untimely or unnecessary
information
• Providing inappropriate information
outside the organization (SS #, employee
evaluations)
• Failure to verify accuracy of externally
provided reports
Monitoring
• Assessing the quality of the internal
control system and making modifications
as needed
• This process is ongoing through the
normal course of operations and at
separate specific evaluations of a
particular process
Monitoring
• COSO Framework states that “Monitoring ensures that internal
control continues to operate effectively.”
• The COSO Framework recognizes that risks change over time and
that management needs to “determine whether the internal
control system continues to be relevant and able to address
new risks.”
Monitoring
• The original COSO report on internal
controls was issued in 1992.
• In 2009, COSO issued “Guidance on
Monitoring Internal Control Systems”
• Emphasized importance of monitoring
controls as part of even small government
environments.
Monitoring
• Monitoring is both an on-going process
and can be annual in nature (testing of key
controls)
• Process can be done annually by the
Internal Audit Department (as applicable)
or as an Internal Review by Finance
personnel.
Practical Application – Examples
of Monitoring
• Cash Receipts
– Performing a review of bank reconciliations on
a monthly basis and signing off as having
reviewed these.
– Monthly comparison of actual receipts to
budgeted receipts and investigation of
significant discrepancies.
– Annually selecting a few transactions to
ensure proper recording.
Practical Application – Examples
of Monitoring
• Cash Disbursements
– Performing a review of bank reconciliations on
a monthly basis and signing off as having
reviewed these.
– Monthly comparison of cash disbursements to
budgeted expenditures/expenses and
investigation of significant discrepancies.
Practical Application – Examples
of Monitoring
• Cash Disbursements
– Reconciliation of P-card purchases by
someone other than the card holder
– Annual test of a selection of transactions for
proper recording.
Practical Application – Examples
of Monitoring
• Investments
– Performing investment portfolio review
(including evaluation of concentration and
type of investments) quarterly by person
independent of investment portfolio
management
– Disclosure of Conflict of Interest Statement
annually by portfolio manager
– Obtaining a SAS 70 report from custodian
annually
Practical Application – Monitoring
• Controls will change as the makeup of an
account changes
• Controls should be evaluated when there
are changes in key personnel or software
applications
• Be responsive to information requests of
key management personnel
• Review policies and procedures annually
Monitoring Pitfalls
• Failure to perform any monitoring control
activities.
• Overkill for the organization’s size. One or
two key data cycles or areas can be
selected each year for testing of controls.
• No attempt to actually test key controls in
some fashion.
• Failure to evaluate controls when
personnel or software changes.
Resources Available
• Where can I find sample policies and
procedures?
• What reference materials are available?
• Where can I find answers to my
questions?
Resources Available
• Professional organization websites:
FGFOA, GFOA, FICPA, AICPA
• Local chapter meetings
• Auditors
• Continuing Education opportunities
• Website searches
• List serves (FGFOA and FICPA)
• Network of other local government officials
Resources Available
• Florida Government Finance Officers
Association
– Sample policies and procedures
– Small Government Resource Manual
– List Serves: Treasury, Accounting and
Auditing, Debt Management, Budgeting and
Financial Administration
– Training (Annual Conference, School of
Government Finance, local chapter meetings,
Webinars)
Resources Available
• Government Finance Officers Association
– Best Practices
– Training (Annual Conference, webinars and
numerous one day training opportunities)
– Publications
• Elected Officials’ Guide to Internal Controls
• Evaluation Internal Control: A Local Government
Manager’s Guide
Resources Available
• Florida Institute of Certified Public
Accountants
– Training
• Frequent Frauds Found in Governments and Not-for-Profits (Miami 12/1/10)
• Identifying Fraudulent Financial Transactions
(Tampa 12/9/10)
– Publications
– List Serves (A&A, S&LG, Business IT)
Resources Available
• American Institute of Certified Public
Accountants
– Training
– Publications
• COSO documents
• Articles in the Journal of Accountancy
• Controls.Doc For Documenting and Assessing
Internal Controls
– Government Resource Center
A final reminder about I/C Pitfalls
• Don’t focus on areas where risk is low
• Don’t ignore risk factors you become
aware of throughout the year
• Talk to your auditors about areas of
concern they may have and new auditing
standards that will affect your audit.
• Make sure to tailor any “borrowed” P&P to
your organization.
A final reminder about I/C Pitfalls
• Remember that the cost of implementing
the control structure should not outweigh
the benefit.
• Remember to address budget, grant and
IT controls.
Summary
• The control environment establishes the
importance of internal control.
• Risk Assessments must be realistic and
performed when objectives or policies
change, when there is turnover in key
employees, or when there are significant
changes in the financial markets.
Summary
• Control Activities should be focused on
areas of highest risk. Monitoring controls
are an effective stopgap for smaller entities.
• Information and Communication must
provide relevant information for managing
the assets and liabilities of the entity.
• Monitoring of the internal control system is
an ongoing process.
Questions?