Internal Controls and Effective Report Writing
May 18, 2016
Governmental Accounting Conference

Ron P. Steinkamp, CPA, CIA, CRMA, CGMA, CFE
Partner, Advisory Services
Brown Smith Wallace, LLP
rsteinkamp@bswllc.com
314-983-1238

Adam C. Rouse, CFE, CCA, CCP
Senior, Advisory Services
Brown Smith Wallace, LLP
arouse@bswllc.com
314-983-1266

Presentation Objectives
• Discussion of key internal controls and common areas of abuse
• Effective internal control monitoring
• Reporting on the effectiveness of key controls
© 2016 All Rights Reserved
Brown Smith Wallace LLP
Internal Control Considerations

True/False
1. Internal control starts with a strong set of policies and procedures.
FALSE! Internal control starts with a strong control environment.
2. We have controls for auditors.
FALSE! Auditors appreciate controls; however, management is the primary owner of internal controls.
3. Only certain departments use internal controls.
FALSE! Internal control is integral to each department.

What are Internal Controls?
Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations

Internal Control Purpose
• Promote orderly, economical, efficient and effective operations
• Safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud
• Promote adherence to laws, regulations, contracts and management directives
• Develop and maintain reliable financial and management data, and accurately present data in timely reports

Control Roles and Responsibilities
• Board of Directors/Elected Officials
• Management
• Internal Audit or similar function
• External Audit
• Other personnel/everyone else

Why Internal Controls Fail
• Control override – “The policy says it’s supposed to be done this way, but it’s easier to do things my way.”
• Lack of knowledge – “I did not know that!”
• Too much trust in key employees – “We trust ‘Susie’ who handles all of those tasks.” Or, “He has been here longer than I have; he must be honest.”
• Inappropriate access – “I don’t have access, so I use my manager’s password for posting payments.”
• Outdated controls – Processes change; therefore, procedure doesn’t apply.

Top 10 Risks & Recommended Practices

General Controls
• A fraud & ethics policy
• Fraud risk assessment
• An audit committee
• Whistleblower hotline/fraud hotline
• Internal audit or similar function

10. Procurement Card Risks
• Inappropriate employee access and levels; no approval, review or monitoring of use
  – Risks
    • Public awareness
    • Misappropriation, losses, liability

Procurement Card Recommendations
• Develop policies and monitor compliance
• Centralize request process
• Use analytics software to track spending by card, category, merchant, etc.
• Set spending limits (max per day/week/month per user)
• Monitor cards to ensure they are not used to circumvent purchasing procedures/policies

9. Risks of No Internal Audit Function
• No internal audit function
  – Risks
    • Improper control monitoring
    • Redundancies in operational and control procedures are not identified
    • The Early Warning System is not utilized

Internal Audit Recommendations
• Develop IA within your organization or…
  – Co-source
  – Out-source
With a properly staffed internal audit function, management would have, at its fingertips: an advocate, a risk manager, a controls expert, an efficiency specialist, a problem solving partner, and a safety net.
Internal Audit… adds value to the internal control system by bringing a systematic, disciplined approach to the evaluation of risk and by making recommendations to increase the effectiveness of risk management efforts, improve internal control structure and promote good governance.

8. Cash Control Risks
• Cash deposits were not always made in a timely manner; bank accounts not reconciled
  – Risks
    • Fraud
    • Errors
    • Timeliness

Cash Control Recommendations
• Reconcile monthly
• Ideally, checks should be sent to lockbox
• Checks and payments should be physically secured, documented, and custody tracked
• Segregation of duties
• Documentation and procedures are sufficient so that loss or misappropriation of funds can be traced to the responsible individual(s)

7. Computer Control Risks
• Lack of controls over password requirements and login attempts
  – Risks
    • Unauthorized access to system
      – Internal & external
    • Financial losses and liability

Computer Control Recommendations
• Strong policies (make sure these are reviewed annually)
  – Passwords should meet complexity requirements
  – Lock out accounts after 3 consecutive log-on attempts
  – Require employees to sign a computer use policy
  – Screen savers require a password
• Monitoring access attempts, both externally and internally

6. Fuel Use Risks
• Lack of policies surrounding vehicle and fuel use
  – Risks
    • Overpayment
    • Private inurement
    • Lack of reporting/level of detail
    • Lack of policies and procedures
    • Little to no oversight on fuel dispensed

Fuel Use Recommendations
• Reconcile usage to invoices
• Develop policies & monitor compliance
• Track fuel usage by vehicle, driver, location, fuel type, etc.
• Monitor system overrides
• If fuel purchasing cards are used, perform analytics around that program

5. Capital Asset Risks
• No periodic capital inventory performed
  – Risks
    • Resources wasted
    • Misstatements in financial reporting
    • Resources lost/stolen

Capital Asset Recommendations
• Equipment purchases are made in accordance with purchasing guidelines, properly authorized and recorded
• All equipment has an asset tag that is easily visible
• Asset management is notified of:
  – Donations, transfers or fabrication of equipment
  – Equipment lost, stolen, salvaged or scrapped
  – Equipment moved to an off-site location
• An annual departmental inventory report is completed and returned to asset management by a specified date

4. Segregation of Duties Risks
• Lack of proper segregation between cash collected and recording in financial records
  – Risks
    • Misappropriation of assets
    • Reputation
    • Funding loss
    • Opportunity for fraud

Segregation of Duties Recommendations
• Develop policies and review annually
• Properly segregate custody, recording and authorization
• Identify access control conflicts annually
• Identify risks associated with each conflict
• Identify & analyze mitigating controls related to each risk
• Discuss risks with management
• Document remediation steps for unmitigated risks

3. Expenditure Risks
• Charged to wrong year, expense report errors and lack of review
  – Risks
    • Financial misstatements
    • Noncompliance with IRS rules
    • Opportunity for fraud
    • Hard to develop and analyze budgets

Expenditure Control Recommendations
• Transactions are properly approved and the stated purpose is reasonable
• Vendors are added to the system by approved individuals
• Account status reports are independently reviewed for accuracy of charges

2. IT Risks
• The IT department does not have strong controls around:
  – reviewing users & user permissions
  – monitoring network traffic for unauthorized access
  – ensuring all software is licensed and up-to-date
  – purchasing software

IT Control Recommendations
• Audit IT security annually (including cyber security risks)
• Employees with access to computer systems have an established need for the access
• Procedures are in place to prevent unauthorized use or transmission of information
• Access to the system is removed in a timely manner for terminated or transferred staff
• Each computer software package is licensed for the current user
• Computer files are backed up on a regular basis. Backup data is stored in a location away from the originals

IT Control Recommendations
• IT should approve all new hardware/software purchases
• Establish procedures for creating, modifying and deleting user accounts
• IT should only add users to network after notified by HR

1. Failure to get help / denial / status quo Risk
This will not happen to us!
We have…
  – Annual external audit
  – Good purchasing controls
  – A Board that reviews contracts
  – A firewall (IT)

Tips on What You DON’T Know!
5 Best Practices You May be Missing

Construction Audit
• Pre-Construction audit services
• Contract review
• Periodic and/or Post Closeout Audits
• Energy studies
• Utility usage reviews

Insurance Review
• Identify cost savings with insurance plans (plan adequacy, coverage limits, etc.)
• Workers compensation, business interruption, directors liability
• Know self insurance and insurance pool risks
Hire an independent expert to perform an independent insurance review for your organization.

Data Security & Privacy
• Maintain proper controls around electronic data
• Keep your organization out of the news for data breaches
• Perform annual IT risk assessment
• Review website and system security frequently
• Do not strictly rely on firewalls and antivirus protection

Healthcare
• Ensure the Organization meets requirements for adoption and implementation of the Reform
• Assist with implementation and requirements

PCI Compliance
• Ensure your Organization is in compliance with PCI (credit card) standards
• Avoid credit card fraud and hefty fines for noncompliance
• Ensure you are in compliance with merchant agreement
• Perform analysis to determine where and how you accept credit cards (online, in person, via mail…)
Requirements apply to any organization/vendor that stores, processes, or transmits credit card data.

Reporting

Report Objectives
• Reports should achieve our purpose to:
  – Add value
  – Improve operations
  – Improve effectiveness of risk management, control, and governance processes.
• We are not trying to:
  – “Tell on” anyone
  – Report a “gotcha”

Report Objectives > Key Considerations
• What is the objective of the audit report?
• Who should and who is reading the report?
  – Analyze the audience
• How do they plan on using the report?
• What kind of reaction are you looking for?

Report Objectives > Effectiveness
Stick to the Facts
• Sufficient factual evidence
• No room for error in factual accuracy
• Watch level of detail – include only what is necessary to persuade
  – Does it directly support your key point?
  – Does it show the significance?
  – Does it lead to your recommendation?

Report Objectives > Effectiveness
The most effective reports have:
• Clearly defined project objectives.
• An audit plan that will provide necessary report information.
• Knowledge of what the reader will find pertinent.

Get Management Commitment
Begin With the End in Mind
• Fix the problem
• Focus on Cause
• Keep it measurable and practical
• Assign accountability
• Give the benefit
• Focus on key actions
• Set a date

The 5 C’s
To inform, persuade, and get results
• Condition – what is the problem?
• Criteria – what policy can be adopted?
• Cause – what led to the problem?
• Consequence – what is the risk of noncompliance?
• Corrective Action – what should be done?

The 5 C’s – Issue Log Example
Theme: Segregation of Duties
WP Ref: A101
Priority (H/M/L): H
Condition: The accounting clerk sets up new vendors, issues checks, and performs bank reconciliations.
Criteria: Duties should be segregated to identify errors and protect assets.
Consequence: Errors in cash disbursements would be difficult to detect and
Cause: The accounting manager is overwhelmed with office manager duties and was not performing the bank reconciliations timely.
Quantified: No errors detected.
Corrective Action: An office manager should be hired so the accounting manager will have time to perform necessary accounting functions. The accounting manager should list all duties performed and document job responsibilities.

Report Organization
• Executive Summary conveys the complete message.
• Prioritize issues with headings that make your point.
• Recommendations that correct the root cause.
• Documented commitment from Management.

Report Organization > Impact
• Place issues in order of importance.
• Put the key point first.
• Be helpful to the reader – don’t bury your message.
• Consider action headings.

Write Your Lead
Old newspaper rule: If they don’t care about the first sentence, they won’t read the second sentence.
• Your opening line is key.
• Stick to the “one sentence rule.”
• Don’t make them search for the issue.
• Be absolutely clear.

Communicating to Management & Board
• Find out what management’s expectations are.
• What level of detail is expected to be reported?
• Factor in amount of time allocated to Internal Audit.

Report Organization > Format
• Headings
• White Space – 1.5 – 2” blocks
• Bullets
• Charts/Graphs

Communicating > 7 Do’s
1. Practice
2. Open with your conclusions
3. Describe the benefits if your recommendation is accepted
4. Describe the costs or savings
5. List specific recommendations
6. Look at everyone when you talk
7. Be brief

Questions
Ron P. Steinkamp
Brown Smith Wallace, LLP
rsteinkamp@bswllc.com
314-983-1238

More Related Content

Viewers also liked

Matsumoto J Final Portfolio
Matsumoto J Final PortfolioMatsumoto J Final Portfolio
Matsumoto J Final PortfolioJade Matsumoto
 
2015 Training Feedback (2)
2015 Training Feedback (2)2015 Training Feedback (2)
2015 Training Feedback (2)Paula Hopper
 
Virus informáticos
Virus informáticosVirus informáticos
Virus informáticosnietoalba
 
Medical terminology - Suffixes and Terms
Medical terminology - Suffixes and Terms Medical terminology - Suffixes and Terms
Medical terminology - Suffixes and Terms llucas19
 
Tarta mousse de puerros, tofu y quinoa- Creamy leech and quinoa pie
Tarta mousse de puerros, tofu y quinoa- Creamy leech and quinoa pie Tarta mousse de puerros, tofu y quinoa- Creamy leech and quinoa pie
Tarta mousse de puerros, tofu y quinoa- Creamy leech and quinoa pie karmela111
 
Historia del freestyle
Historia del freestyleHistoria del freestyle
Historia del freestyletomas campos
 
Strategic approach to managing safety and environmental critical elements (SE...
Strategic approach to managing safety and environmental critical elements (SE...Strategic approach to managing safety and environmental critical elements (SE...
Strategic approach to managing safety and environmental critical elements (SE...Ian Thomas
 
Playing it my way.
Playing it my way.Playing it my way.
Playing it my way.Najmul Hoda
 
Human organ on trade ppt.
Human organ on trade ppt.Human organ on trade ppt.
Human organ on trade ppt.Deepa Jacob
 
Internal audit report writing
Internal audit report writingInternal audit report writing
Internal audit report writingNeha Kothari
 

Viewers also liked (10)

Matsumoto J Final Portfolio
Matsumoto J Final PortfolioMatsumoto J Final Portfolio
Matsumoto J Final Portfolio
 
2015 Training Feedback (2)
2015 Training Feedback (2)2015 Training Feedback (2)
2015 Training Feedback (2)
 
Virus informáticos
Virus informáticosVirus informáticos
Virus informáticos
 
Medical terminology - Suffixes and Terms
Medical terminology - Suffixes and Terms Medical terminology - Suffixes and Terms
Medical terminology - Suffixes and Terms
 
Tarta mousse de puerros, tofu y quinoa- Creamy leech and quinoa pie
Tarta mousse de puerros, tofu y quinoa- Creamy leech and quinoa pie Tarta mousse de puerros, tofu y quinoa- Creamy leech and quinoa pie
Tarta mousse de puerros, tofu y quinoa- Creamy leech and quinoa pie
 
Historia del freestyle
Historia del freestyleHistoria del freestyle
Historia del freestyle
 
Strategic approach to managing safety and environmental critical elements (SE...
Strategic approach to managing safety and environmental critical elements (SE...Strategic approach to managing safety and environmental critical elements (SE...
Strategic approach to managing safety and environmental critical elements (SE...
 
Playing it my way.
Playing it my way.Playing it my way.
Playing it my way.
 
Human organ on trade ppt.
Human organ on trade ppt.Human organ on trade ppt.
Human organ on trade ppt.
 
Internal audit report writing
Internal audit report writingInternal audit report writing
Internal audit report writing
 

Similar to Internal Controls and Effective Report Writing - sent to MSCPA

2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference Presentation2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference PresentationRon Steinkamp
 
2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference Presentation2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference PresentationRon Steinkamp
 
Q1 2016 Fraud Detection, Prevention & Risk Management
Q1 2016 Fraud Detection, Prevention & Risk ManagementQ1 2016 Fraud Detection, Prevention & Risk Management
Q1 2016 Fraud Detection, Prevention & Risk ManagementRon Steinkamp
 
BSW Value of Muni Audits
BSW Value of Muni AuditsBSW Value of Muni Audits
BSW Value of Muni AuditsRon Steinkamp
 
Fraud Prevention - St. Louis - March 6, 2015
Fraud Prevention - St. Louis - March 6, 2015Fraud Prevention - St. Louis - March 6, 2015
Fraud Prevention - St. Louis - March 6, 2015Ron Steinkamp
 
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...Ron Steinkamp
 
Webinar Slides: Tuning Up and Revitalizing Your Audit Committee Charter
Webinar Slides: Tuning Up and Revitalizing Your Audit Committee CharterWebinar Slides: Tuning Up and Revitalizing Your Audit Committee Charter
Webinar Slides: Tuning Up and Revitalizing Your Audit Committee CharterMHM (Mayer Hoffman McCann P.C.)
 
Improve Regulatory Compliance & Risk Management Using Best Practices
Improve Regulatory Compliance & Risk Management Using Best PracticesImprove Regulatory Compliance & Risk Management Using Best Practices
Improve Regulatory Compliance & Risk Management Using Best PracticesLavante Inc.
 
7 keys to fraud prevention
7 keys to fraud prevention7 keys to fraud prevention
7 keys to fraud preventionRon Steinkamp
 
Preventing Payroll Fraud
Preventing Payroll FraudPreventing Payroll Fraud
Preventing Payroll FraudIntegrity Data
 
Webinar: Strategies to Enhance your Screening and Transaction Monitoring Proc...
Webinar: Strategies to Enhance your Screening and Transaction Monitoring Proc...Webinar: Strategies to Enhance your Screening and Transaction Monitoring Proc...
Webinar: Strategies to Enhance your Screening and Transaction Monitoring Proc...Alessa
 
2013-06-05 Internal Controls for Charter Schools
2013-06-05 Internal Controls for Charter Schools2013-06-05 Internal Controls for Charter Schools
2013-06-05 Internal Controls for Charter SchoolsRaffa Learning Community
 
Reporting to the Board on Corporate Compliance
Reporting to the Board on Corporate ComplianceReporting to the Board on Corporate Compliance
Reporting to the Board on Corporate ComplianceResolver Inc.
 
Effective Concurrent Audit-2020.pptx
Effective Concurrent Audit-2020.pptxEffective Concurrent Audit-2020.pptx
Effective Concurrent Audit-2020.pptxCAVEDPRAKASHPALIWAL
 
Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit Sreekanth Narendran
 

Similar to Internal Controls and Effective Report Writing - sent to MSCPA (20)

2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference Presentation2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference Presentation
 
2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference Presentation2016 MSCPA Fraud Conference Presentation
2016 MSCPA Fraud Conference Presentation
 
Q1 2016 Fraud Detection, Prevention & Risk Management
Q1 2016 Fraud Detection, Prevention & Risk ManagementQ1 2016 Fraud Detection, Prevention & Risk Management
Q1 2016 Fraud Detection, Prevention & Risk Management
 
BSW Value of Muni Audits
BSW Value of Muni AuditsBSW Value of Muni Audits
BSW Value of Muni Audits
 
Fraud Prevention - St. Louis - March 6, 2015
Fraud Prevention - St. Louis - March 6, 2015Fraud Prevention - St. Louis - March 6, 2015
Fraud Prevention - St. Louis - March 6, 2015
 
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...
 
Ocupacional Fraud.pptx
Ocupacional Fraud.pptxOcupacional Fraud.pptx
Ocupacional Fraud.pptx
 
presentation.pptx
presentation.pptxpresentation.pptx
presentation.pptx
 
Webinar Slides: Tuning Up and Revitalizing Your Audit Committee Charter
Webinar Slides: Tuning Up and Revitalizing Your Audit Committee CharterWebinar Slides: Tuning Up and Revitalizing Your Audit Committee Charter
Webinar Slides: Tuning Up and Revitalizing Your Audit Committee Charter
 
Improve Regulatory Compliance & Risk Management Using Best Practices
Improve Regulatory Compliance & Risk Management Using Best PracticesImprove Regulatory Compliance & Risk Management Using Best Practices
Improve Regulatory Compliance & Risk Management Using Best Practices
 
7 keys to fraud prevention
7 keys to fraud prevention7 keys to fraud prevention
7 keys to fraud prevention
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Preventing Payroll Fraud
Preventing Payroll FraudPreventing Payroll Fraud
Preventing Payroll Fraud
 
Continuous Auditng And Process Optimisation
Continuous Auditng And Process OptimisationContinuous Auditng And Process Optimisation
Continuous Auditng And Process Optimisation
 
Webinar: Strategies to Enhance your Screening and Transaction Monitoring Proc...
Webinar: Strategies to Enhance your Screening and Transaction Monitoring Proc...Webinar: Strategies to Enhance your Screening and Transaction Monitoring Proc...
Webinar: Strategies to Enhance your Screening and Transaction Monitoring Proc...
 
2013-06-05 Internal Controls for Charter Schools
2013-06-05 Internal Controls for Charter Schools2013-06-05 Internal Controls for Charter Schools
2013-06-05 Internal Controls for Charter Schools
 
Reporting to the Board on Corporate Compliance
Reporting to the Board on Corporate ComplianceReporting to the Board on Corporate Compliance
Reporting to the Board on Corporate Compliance
 
Effective Concurrent Audit-2020.pptx
Effective Concurrent Audit-2020.pptxEffective Concurrent Audit-2020.pptx
Effective Concurrent Audit-2020.pptx
 
chapter2-190516054412.pdf
chapter2-190516054412.pdfchapter2-190516054412.pdf
chapter2-190516054412.pdf
 
Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit
 

More from Ron Steinkamp

Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)
Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)
Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)Ron Steinkamp
 
Public Sector Fraud - Mid-MO AGA
Public Sector Fraud - Mid-MO AGAPublic Sector Fraud - Mid-MO AGA
Public Sector Fraud - Mid-MO AGARon Steinkamp
 
Public Sector Fraud - Central MO IIA
Public Sector Fraud - Central MO IIAPublic Sector Fraud - Central MO IIA
Public Sector Fraud - Central MO IIARon Steinkamp
 
Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...
Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...
Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...Ron Steinkamp
 
Q2-2016 Public Sector Risk Briefing Employee Engagement Trends
Q2-2016 Public Sector Risk Briefing Employee Engagement TrendsQ2-2016 Public Sector Risk Briefing Employee Engagement Trends
Q2-2016 Public Sector Risk Briefing Employee Engagement TrendsRon Steinkamp
 
Trends in Local Government
Trends in Local GovernmentTrends in Local Government
Trends in Local GovernmentRon Steinkamp
 
Contract Performance Fraud
Contract Performance FraudContract Performance Fraud
Contract Performance FraudRon Steinkamp
 
Contract Procurement Fraud
Contract Procurement FraudContract Procurement Fraud
Contract Procurement FraudRon Steinkamp
 
Q4-2015 Public Sector Risk Briefing Presentation by Ron Steinkamp
Q4-2015 Public Sector Risk Briefing Presentation by Ron SteinkampQ4-2015 Public Sector Risk Briefing Presentation by Ron Steinkamp
Q4-2015 Public Sector Risk Briefing Presentation by Ron SteinkampRon Steinkamp
 
2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot Spots2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot SpotsRon Steinkamp
 
Steps to Prevent Detect Occupational Fraud in Government (Final)
Steps to Prevent  Detect Occupational Fraud in Government (Final)Steps to Prevent  Detect Occupational Fraud in Government (Final)
Steps to Prevent Detect Occupational Fraud in Government (Final)Ron Steinkamp
 
Emotional Intelligence - St. Charles - June 3, 2015
Emotional Intelligence - St. Charles - June 3, 2015Emotional Intelligence - St. Charles - June 3, 2015
Emotional Intelligence - St. Charles - June 3, 2015Ron Steinkamp
 
Emotional Intelligence - St. Louis - June 5, 2015
Emotional Intelligence - St. Louis - June 5, 2015Emotional Intelligence - St. Louis - June 5, 2015
Emotional Intelligence - St. Louis - June 5, 2015Ron Steinkamp
 
Steps to Prevent Detect Occupational Fraud in Government (Final)
Steps to Prevent  Detect Occupational Fraud in Government (Final)Steps to Prevent  Detect Occupational Fraud in Government (Final)
Steps to Prevent Detect Occupational Fraud in Government (Final)Ron Steinkamp
 
Fraud Prevention & Detection for Local Government
Fraud Prevention & Detection for Local GovernmentFraud Prevention & Detection for Local Government
Fraud Prevention & Detection for Local GovernmentRon Steinkamp
 
keys to fraud prevention in the public sector
keys to fraud prevention in the public sectorkeys to fraud prevention in the public sector
keys to fraud prevention in the public sectorRon Steinkamp
 
internalcontrolmanual
internalcontrolmanualinternalcontrolmanual
internalcontrolmanualRon Steinkamp
 
BSW Fraud Infographic_300dpi-01
BSW Fraud Infographic_300dpi-01BSW Fraud Infographic_300dpi-01
BSW Fraud Infographic_300dpi-01Ron Steinkamp
 
Fraud Report, Steinkamp, July 2014
Fraud Report, Steinkamp, July 2014Fraud Report, Steinkamp, July 2014
Fraud Report, Steinkamp, July 2014Ron Steinkamp
 

More from Ron Steinkamp (20)

Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)
Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)
Q4-2016 Public Sector Risk Briefing - Third Party Contract Reviews (STL)
 
Public Sector Fraud - Mid-MO AGA
Public Sector Fraud - Mid-MO AGAPublic Sector Fraud - Mid-MO AGA
Public Sector Fraud - Mid-MO AGA
 

Internal Controls and Effective Report Writing - sent to MSCPA

  • 1. Internal Controls and Effective Report Writing
      May 18, 2016
      Ron P. Steinkamp, CPA, CIA, CRMA, CGMA, CFE, Partner, Advisory Services, Brown Smith Wallace, LLP, rsteinkamp@bswllc.com, 314-983-1238
      Adam C. Rouse, CFE, CCA, CCP, Senior, Advisory Services, Brown Smith Wallace, LLP, arouse@bswllc.com, 314-983-1266
      Governmental Accounting Conference
  • 2. Presentation Objectives
      • Discussion of key internal controls and common areas of abuse
      • Effective internal control monitoring
      • Reporting on the effectiveness of key controls
  • 3. Internal Control Considerations
  • 4. True/False
      1. Internal control starts with a strong set of policies and procedures.
      FALSE! Internal control starts with a strong control environment.
  • 5. True/False
      2. We have controls for auditors.
      FALSE! Auditors appreciate controls; however, management is the primary owner of internal controls.
  • 6. True/False
      3. Only certain departments use internal controls.
      FALSE! Internal control is integral to each department.
  • 7. What are Internal Controls?
      Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
      1. Effectiveness and efficiency of operations
      2. Reliability of financial reporting
      3. Compliance with applicable laws and regulations
  • 8. Internal Control Purpose
      • Promote orderly, economical, efficient and effective operations
      • Safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud
      • Promote adherence to laws, regulations, contracts and management directives
      • Develop and maintain reliable financial and management data, and accurately present data in timely reports
  • 9. Control Roles and Responsibilities
      • Board of Directors/Elected Officials
      • Management
      • Internal Audit or similar function
      • External Audit
      • Other personnel/everyone else
  • 10. Why Internal Controls Fail
      • Control override – “The policy says it’s supposed to be done this way, but it’s easier to do things my way.”
      • Lack of knowledge – “I did not know that!”
      • Too much trust in key employees – “We trust ‘Susie’ who handles all of those tasks.” Or, “He has been here longer than I have; he must be honest.”
      • Inappropriate access – “I don’t have access, so I use my manager’s password for posting payments.”
      • Outdated controls – Processes change; therefore, procedure doesn’t apply.
  • 11. Top 10 Risks & Recommended Practices
  • 12. General Controls
      • A fraud & ethics policy
      • Fraud risk assessment
      • An audit committee
      • Whistleblower hotline/fraud hotline
      • Internal audit or similar function
  • 13. #10 Procurement Card Risks
      • Inappropriate employee access and levels; no approval, review or monitoring of use
      • Risks
          – Public awareness
          – Misappropriation, losses, liability
  • 14. Procurement Card Recommendations
      • Develop policies and monitor compliance
      • Centralize request process
      • Use analytics software to track spending by card, category, merchant, etc.
      • Set spending limits (max per day/week/month per user)
      • Monitor cards to ensure they are not used to circumvent purchasing procedures/policies
  • 15. #9 Risks of No Internal Audit Function
      • No internal audit function
      • Risks
          – Improper control monitoring
          – Redundancies in operational and control procedures are not identified
          – The Early Warning System is not utilized
  • 16. Internal Audit Recommendations
      • Develop IA within your organization or…
          – Co-source
          – Out-source
      With a properly staffed internal audit function, management would have, at its fingertips: an advocate, a risk manager, a controls expert, an efficiency specialist, a problem-solving partner, and a safety net.
      Internal Audit…adds value to the internal control system by bringing a systematic, disciplined approach to the evaluation of risk and by making recommendations to increase the effectiveness of risk management efforts, improve internal control structure and promote good governance.
  • 17. #8 Cash Control Risks
      • Cash deposits were not always made in a timely manner; bank accounts not reconciled
      • Risks
          – Fraud
          – Errors
          – Timeliness
  • 18. Cash Control Recommendations
      • Reconcile monthly
      • Ideally, checks should be sent to lockbox
      • Checks and payments should be physically secured, documented, and custody tracked
      • Segregation of duties
      • Documentation and procedures are sufficient so that loss or misappropriation of funds can be traced to the responsible individual(s)
  • 19. #7 Computer Control Risks
      • Lack of controls over password requirements and login attempts
      • Risks
          – Unauthorized access to system (internal & external)
          – Financial losses and liability
  • 20. Computer Control Recommendations
      • Strong policies (make sure these are reviewed annually)
          – Passwords should contain complexity requirements
          – Lock out accounts after 3 consecutive log-on attempts
          – Require employees to sign a computer use policy
          – Screen saver requires password
      • Monitoring access attempts, both externally and internally
  • 21. #6 Fuel Use Risks
      • Lack of policies surrounding vehicle and fuel use
      • Risks
          – Overpayment
          – Private inurement
          – Lack of reporting/level of detail
          – Lack of policies and procedures
          – Little to no oversight on fuel dispensed
  • 22. Fuel Use Recommendations
      • Reconcile usage to invoices
      • Develop policies & monitor compliance
      • Track fuel usage by vehicle, driver, location, fuel type, etc.
      • Monitor system overrides
      • If fuel purchasing cards are used, perform analytics around that program
  • 23. #5 Capital Asset Risks
      • No capital inventory periodically performed
      • Risks
          – Resources wasted
          – Misstatements in financial reporting
          – Resources lost/stolen
  • 24. Capital Asset Recommendations
      • Equipment purchases are made in accordance with purchasing guidelines, properly authorized and recorded
      • All equipment has an asset tag that is easily visible
      • Asset management is notified of:
          – Donations, transfers or fabrication of equipment
          – Equipment lost, stolen, salvaged or scrapped
          – Equipment moved to an off-site location
      • An annual departmental inventory report is completed and returned to asset management by a specified date
  • 25. #4 Segregation of Duties Risks
      • Lack of proper segregation between cash collected and recording in financial records
      • Risks
          – Misappropriation of assets
          – Reputation
          – Funding loss
          – Opportunity for fraud
  • 26. Segregation of Duties Recommendations
      • Develop policies and review annually
      • Properly segregate custody, recording and authorization
      • Identify access control conflicts annually
      • Identify risks associated with each conflict
      • Identify & analyze mitigating controls related to each risk
      • Discuss risks with management
      • Document remediation steps for unmitigated risks
  • 27. #3 Expenditure Risks
      • Charged to wrong year, expense report errors and lack of review
      • Risks
          – Financial misstatements
          – Noncompliance with IRS rules
          – Opportunity for fraud
          – Hard to develop and analyze budgets
  • 28. Expenditure Control Recommendations
      • Transactions are properly approved and the stated purpose is reasonable
      • Vendors are added to the system by approved individuals
      • Account status reports are independently reviewed for accuracy of charges
  • 29. #2 IT Risks
      • The IT department does not have strong controls around:
          – reviewing users & user permissions
          – monitoring network traffic for unauthorized access
          – ensuring all software is licensed and up-to-date
          – purchasing software
  • 30. IT Control Recommendations
      • Audit IT security annually (including cyber security risks)
      • Employees with access to computer systems have an established need for the access
      • Procedures are in place to prevent unauthorized use or transmission of information
      • Access to the system is removed in a timely manner for terminated or transferred staff
      • Each computer software package is licensed for the current user
      • Computer files are backed up on a regular basis. Backup data is stored in a location away from the originals
  • 31. IT Control Recommendations
      • IT should approve all new hardware/software purchases
      • Establish procedures for creating, modifying and deleting user accounts
      • IT should only add users to network after notified by HR
  • 32. #1 Failure to get help / denial / status quo Risk
      This will not happen to us! We have…
          – Annual external audit
          – Good purchasing controls
          – A Board that reviews contracts
          – A firewall (IT)
  • 33. Tips on What You DON’T Know! 5 Best Practices You May be Missing
  • 34. Construction Audit
      • Pre-construction audit services
      • Contract review
      • Periodic and/or post-closeout audits
      • Energy studies
      • Utility usage reviews
  • 35. Insurance Review
      • Identify cost savings with insurance plans (plan adequacy, coverage limits, etc.)
      • Workers compensation, business interruption, directors liability
      • Know self-insurance and insurance pool risks
      Hire an independent expert to perform an independent insurance review for your organization.
  • 36. Data Security & Privacy
      • Maintain proper controls around electronic data
      • Keep your organization out of the news for data breaches
      • Perform annual IT risk assessment
      • Review website and system security frequently
      • Do not strictly rely on firewalls and antivirus protection
  • 37. Healthcare
      • Ensure the Organization meets requirements for adoption and implementation of the Reform
      • Assist with implementation and requirements
  • 38. PCI Compliance
      • Ensure your Organization is in compliance with PCI (credit card) standards
      • Avoid credit card fraud and hefty fines for non-compliance
      • Ensure you are in compliance with merchant agreement
      • Perform analysis to determine where you accept credit and how you accept credit cards (online, in person, via mail…)
      Requirements apply to any organization/vendor that stores, processes, or transmits credit card data.
  • 39. Reporting
  • 40. Report Objectives
      • Reports should achieve our purpose to:
          – Add value
          – Improve operations
          – Improve effectiveness of risk management, control, and governance processes.
      • We are not trying to:
          – “Tell on” anyone
          – Report a “gotcha”
  • 41. Report Objectives > Key Considerations
      • What is the objective of the audit report?
      • Who should and who is reading the report?
          – Analyze the audience
      • How do they plan on using the report?
      • What kind of reaction are you looking for?
  • 42. Report Objectives > Effectiveness
      Stick to the Facts
      • Sufficient factual evidence
      • No room for error in factual accuracy
      • Watch level of detail – include only what is necessary to persuade
          – Does it directly support your key point?
          – Does it show the significance?
          – Does it lead to your recommendation?
  • 43. Report Objectives > Effectiveness
      Begin With the End in Mind
      The most effective reports have:
      • Clearly defined project objectives.
      • An audit plan that will provide necessary report information.
      • Knowledge of what the reader will find pertinent.
  • 44. Get Management Commitment
      • Fix the problem
      • Focus on cause
      • Keep it measurable and practical
      • Assign accountability
      • Give the benefit
      • Focus on key actions
      • Set a date
  • 45. The 5 C’s
      To inform, persuade, and get results
      • Condition – what is the problem?
      • Criteria – what policy can be adopted?
      • Cause – what led to the problem?
      • Consequence – what is the risk of noncompliance?
      • Corrective Action – what should be done.
  • 46. The 5 C’s – Issue Log Example
      • Theme: Segregation of Duties
      • WP Ref: A101
      • Priority (H/M/L): H
      • Condition: The accounting clerk sets up new vendors, issues checks, and performs bank reconciliations.
      • Criteria: Duties should be segregated to identify errors and protect assets.
      • Consequence: Errors in cash disbursements would be difficult to detect and
      • Cause: The accounting manager is overwhelmed with office manager duties and was not performing the bank reconciliations timely.
      • Quantified: No errors detected.
      • Corrective Action: An office manager should be hired so the accounting manager will have time to perform necessary accounting functions. The accounting manager should list all duties performed and document job responsibilities.
  • 47. Report Organization
      • Executive Summary conveys the complete message.
      • Prioritize issues with headings that make your point.
      • Recommendations that correct the root cause.
      • Documented commitment from Management.
  • 48. Report Organization > Impact
      • Place issues in order of importance.
      • Put the key point first.
      • Be helpful to the reader – don’t bury your message.
      • Consider action headings.
  • 49. Write Your Lead
      Old newspaper rule: If they don’t care about the first sentence, they won’t read the second sentence.
      • Your opening line is key.
      • Stick to the “one sentence rule.”
      • Don’t make them search for the issue.
      • Be absolutely clear.
  • 50. Communicating to Management & Board
      • Find out what management’s expectations are.
      • What level of detail is expected to be reported?
      • Factor in amount of time allocated to Internal Audit.
  • 51. Report Organization > Format
      • Headings
      • White space – 1.5–2” blocks
      • Bullets
      • Charts/Graphs
  • 52. Communicating > 7 Do’s
      1. Practice
      2. Open with your conclusions
      3. Describe the benefits if your recommendation is accepted
      4. Describe the costs or savings
      5. List specific recommendations
      6. Look at everyone when you talk
      7. Be brief
  • 53. Questions
      Ron P. Steinkamp, Brown Smith Wallace, LLP, rsteinkamp@bswllc.com, 314-983-1238