1. Internal Controls and Effective Report Writing
May 18, 2016
Ron P. Steinkamp, CPA, CIA, CRMA, CGMA,
CFE
Partner, Advisory Services
Brown Smith Wallace, LLP
rsteinkamp@bswllc.com
314-983-1238
Adam C. Rouse, CFE, CCA, CCP
Senior, Advisory Services
Brown Smith Wallace, LLP
arouse@bswllc.com
314-983-1266
Governmental Accounting
Conference
2. • Discussion of key internal controls and
common areas of abuse
• Effective internal control monitoring
• Reporting on the effectiveness of key
controls
Presentation Objectives
© 2016 All Rights Reserved
Brown Smith Wallace LLP
4. True/False
1. Internal control starts with a
strong set of policies and
procedures.
FALSE!
Internal control starts with a strong
control environment.
5. True/False
2. We have controls for auditors.
FALSE!
Auditors appreciate controls;
however, management is the
primary owner of internal controls.
6. True/False
3. Only certain departments use internal
controls.
FALSE!
Internal control is integral to each
department.
7. Internal control is a process designed to provide
reasonable assurance regarding the achievement
of objectives in the following categories:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and
regulations
What are Internal Controls?
8. • Promote orderly, economical, efficient and
effective operations
• Safeguard resources against loss due to waste,
abuse, mismanagement, errors and fraud
• Promote adherence to laws, regulations,
contracts and management directives
• Develop and maintain reliable financial and
management data, and accurately present data
in timely reports
Internal Control Purpose
9. • Board of Directors/Elected Officials
• Management
• Internal Audit or similar function
• External Audit
• Other personnel/everyone else
Control Roles and Responsibilities
10. • Control override “The policy says it’s supposed to be
done this way, but it’s easier to do things my way.”
• Lack of knowledge “I did not know that!”
• Too much trust in key employees “We trust
‘Susie’ who handles all of those tasks.” Or, “He has been here
longer than I have; he must be honest.”
• Inappropriate access “I don’t have access, so I use
my manager’s password for posting payments.”
• Outdated controls – Processes change; therefore,
procedure doesn’t apply.
Why Internal Controls Fail
12. • A fraud & ethics policy
• Fraud risk assessment
• An audit committee
• Whistle blower hotline/fraud hotline
• Internal audit or similar function
General Controls
13. • Inappropriate employee access and levels;
no approval, review or monitoring of use
– Risks
• Public awareness
• Misappropriation, losses, liability
10. Procurement Card Risks
14. • Develop policies and monitor compliance
• Centralize request process
• Use analytics software to track spending
by card, category, merchant, etc.
• Set spending limits (max per
day/week/month per user)
• Monitor cards to ensure they are not used
to circumvent purchasing
procedures/policies
Procurement Card Recommendations
15. • No internal audit function
– Risks
• Improper control monitoring
• Redundancies in operational and control
procedures are not identified
• The Early Warning System is not utilized
9. Risks of No Internal Audit Function
16. • Develop IA within your organization or….
– Co-source
– Out-source
With a properly staffed internal audit function,
management would have, at its fingertips: an advocate,
a risk manager, a controls expert, an efficiency
specialist, a problem solving partner, and a safety net.
Internal Audit Recommendations
Internal Audit…adds value to the internal control system by bringing a systematic,
disciplined approach to the evaluation of risk and by making recommendations to
increase the effectiveness of risk management efforts, improve internal control
structure and promote good governance.
17. • Cash deposits were not always made in a
timely manner; bank accounts not
reconciled
– Risks
• Fraud
• Errors
• Timeliness
8. Cash Control Risks
18. • Reconcile monthly
• Ideally, checks should be sent to lockbox
• Checks and payments should be physically
secured, documented, and custody tracked
• Segregation of duties
• Documentation and procedures are sufficient
so that loss or misappropriation of funds can
be traced to the responsible individual(s)
Cash Control Recommendations
19. • Lack of controls over password
requirements and login attempts
– Risks
• Unauthorized access to system
– Internal & external
• Financial losses and liability
7. Computer Control Risks
20. • Strong Policies (make sure these are reviewed
annually)
– Passwords should meet complexity requirements
– Lock out accounts after 3 consecutive log-on attempts
– Require employees to sign a computer use policy
– Screen savers require a password
• Monitoring access attempts, both externally and
internally
Computer Control Recommendations
21. • Lack of policies surrounding vehicle and
fuel use
– Risks
• Overpayment
• Private inurement
• Lack of reporting/level of detail
• Lack of policies and procedures
• Little to no oversight on fuel dispensed
6. Fuel Use Risks
22. • Reconcile usage to invoices
• Develop policies & monitor compliance
• Track fuel usage by vehicle, driver,
location, fuel type, etc.
• Monitor system overrides
• If fuel purchasing cards are used, perform
analytics around that program
Fuel Use Recommendations
23. • Capital inventory is not periodically performed
– Risks
• Resources wasted
• Misstatements in financial reporting
• Resources lost/stolen
5. Capital Asset Risks
24. • Equipment purchases are made in accordance with
purchasing guidelines, properly authorized and
recorded
• All equipment has an asset tag that is easily visible
• Asset management is notified of:
– Donations, transfers or fabrication of equipment
– Equipment lost, stolen, salvaged or scrapped
– Equipment moved to an off-site location
• An annual departmental inventory report is completed
and returned to asset management by a specified date
Capital Asset Recommendations
25. • Lack of proper segregation between cash
collected and recording in financial records
– Risks
• Misappropriation of assets
• Reputation
• Funding loss
• Opportunity for fraud
4. Segregation of Duties Risks
26. • Develop policies and review annually
• Properly segregate custody, recording and
authorization
• Identify access control conflicts annually
• Identify risks associated with each conflict
• Identify & analyze mitigating controls related
to each risk
• Discuss risks with management
• Document remediation steps for unmitigated
risks
Segregation of Duties Recommendations
27. • Charged to wrong year, expense report
errors and lack of review
– Risks
• Financial misstatements
• Noncompliance with IRS rules
• Opportunity for fraud
• Hard to develop and analyze budgets
3. Expenditure Risks
28. • Transactions are properly
approved and the stated purpose
is reasonable
• Vendors are added to the system
by approved individuals
• Account status reports are
independently reviewed for
accuracy of charges
Expenditure Control Recommendations
29. • The IT department does not have strong
controls around:
– reviewing users & user permissions
– monitoring network traffic for unauthorized
access
– ensuring all software is licensed and
up-to-date
– purchasing software
2. IT Risks
30. • Audit IT security annually (including cyber security risks)
• Employees with access to computer systems have an
established need for the access
• Procedures are in place to prevent unauthorized use or
transmission of information
• Access to the system is removed in a timely manner for
terminated or transferred staff
• Each computer software package is licensed for the current
user
• Computer files are backed up on a regular basis. Backup
data is stored in a location away from the originals
IT Control Recommendations
31. • IT should approve all new
hardware/software purchases
• Establish procedures for creating,
modifying and deleting user accounts
• IT should only add users to the network after
being notified by HR
IT Control Recommendations
32. This will not happen to us!
We have…
– Annual external audit
– Good purchasing controls
– A Board that reviews contracts
– A firewall (IT)
1. Failure to get help / denial / status quo Risk
33. Tips on What You DON’T Know!
5 Best Practices You
May be Missing
34. • Pre-Construction audit services
• Contract review
• Periodic and/or Post Closeout Audits
• Energy studies
• Utility usage reviews
Construction Audit
35. Insurance Review
• Identify cost savings with insurance plans (plan
adequacy, coverage limits, etc.)
• Workers compensation, business interruption,
directors liability
• Know self insurance and insurance pool risks
Hire an independent expert to perform an
independent insurance review for your
organization.
36. Data Security & Privacy
• Maintain proper controls around electronic data
• Keep your organization out of the news for data
breaches
• Perform annual IT risk assessment
• Review website and system security frequently
• Do not strictly rely on firewalls and antivirus
protection
37. Healthcare
• Ensure the Organization meets requirements for
adoption and implementation of the Reform
• Assist with implementation and requirements
38. • Ensure your Organization is in compliance with PCI (credit
card) standards
• Avoid credit card fraud and hefty fines for noncompliance
• Ensure you are in compliance with your merchant agreement
• Perform analysis to determine where and how you accept
credit cards (online, in person, via mail…)
PCI Compliance
Requirements apply to any
organization/vendor that stores,
processes, or transmits credit card
data.
40. • Reports should achieve our purpose to:
– Add value
– Improve operations
– Improve effectiveness of risk management, control,
and governance processes.
• We are not trying to:
– “Tell on” anyone
– Report a “gotcha”
Report Objectives
41. • What is the objective of the audit report?
• Who should be reading the report, and who is?
– Analyze the audience
• How do they plan on using the report?
• What kind of reaction are you looking for?
Report Objectives > Key Considerations
42. Stick to the Facts
• Sufficient factual evidence
• No room for error in factual accuracy
• Watch level of detail – include only what is
necessary to persuade
– Does it directly support your key point?
– Does it show the significance?
– Does it lead to your recommendation?
Report Objectives > Effectiveness
43. The most effective reports have:
• Clearly defined project objectives.
• An audit plan that will provide necessary
report information.
• Knowledge of what the reader will find
pertinent.
Report Objectives > Effectiveness
Begin With the End in Mind
44. • Fix the problem
• Focus on Cause
• Keep it measurable and practical
• Assign accountability
• Give the benefit
• Focus on key actions
• Set a date
Get Management Commitment
45. To inform, persuade, and get results
• Condition – what is the problem?
• Criteria – what policy can be adopted?
• Cause – what led to the problem?
• Consequence – what is the risk of
noncompliance?
• Corrective Action – what should be done?
The 5 C’s
46. The 5 C’s – Issue Log Example
Theme: Segregation of Duties
WP Ref: A101
Priority (H/M/L): H
Condition: The accounting clerk sets up new vendors, issues checks, and performs bank reconciliations.
Criteria: Duties should be segregated to identify errors and protect assets.
Consequence: Errors in cash disbursements would be difficult to detect and
Cause: The accounting manager is overwhelmed with office manager duties and was not performing the bank reconciliations timely.
Quantified: No errors detected.
Corrective Action: An office manager should be hired so the accounting manager will have time to perform necessary accounting functions. The accounting manager should list all duties performed and document job responsibilities.
47. • Executive Summary conveys the complete
message.
• Prioritize issues with headings that make
your point.
• Recommendations that correct the root
cause.
• Documented commitment from
Management.
Report Organization
48. • Place issues in order of importance.
• Put the key point first.
• Be helpful to the reader – don’t bury your
message.
• Consider action headings.
Report Organization > Impact
49. Old newspaper rule:
If they don’t care about the first sentence,
they won’t read the second sentence.
• Your opening line is key.
• Stick to the “one sentence rule.”
• Don’t make them search for the issue.
• Be absolutely clear.
Write Your Lead
50. • Find out what management’s expectations
are.
• What level of detail is expected to be
reported?
• Factor in amount of time allocated to
Internal Audit.
Communicating to Management & Board
51. • Headings
• White Space – 1.5 – 2” blocks
• Bullets
• Charts/Graphs
Report Organization > Format
52. 1. Practice
2. Open with your conclusions
3. Describe the benefits if your recommendation
is accepted
4. Describe the costs or savings
5. List specific recommendations
6. Look at everyone when you talk
7. Be brief
Communicating > 7 Do’s
53. Questions
Ron P. Steinkamp
Brown Smith Wallace, LLP
rsteinkamp@bswllc.com
314-983-1238