Developing and Documenting Your Internal Control System - PowerPoint PPT Presentation

Provided by: fmtc

Title: Developing and Documenting Your Internal Control System


1
  • Welcome to Internal Controls Training
  • Brought to you by the
  • Division of Internal Audits

2
Internal Controls Training
  • Steve Weinberger, CPA.
  • Financial Manager
  • Division of Internal Audits
  • (775) 687-0130
  • sweinberger_at_iaudits.nv.gov

3
Department of Administration
  • Division of Internal Audits
  • Internal Audits
  • Financial Management
  • Post Review

4
Why You're Here
  • NAC 353A.100 
  • Training for administration of budgetary
    accounts
  • Head of each agency
  • Employees who administer budgetary accounts
  • Shall attend Internal Controls Training every 5
    years

5
Overview
  • Training consists of
  • Pre-test
  • Presentation
  • Post Test
  • Total time approximately 3 hours

6
Presentation Description
  • Internal Control Requirements for the State of
    Nevada
  • Internal Control Requirements for the CAFR
  • Discuss Issues Concerning Major Fiscal Areas

7
Presentation Objective
  • Understand basic design of I/C System
  • Evaluate existing internal controls
  • Understand basic controls for major fiscal
    processes

8
What are Internal Controls (I/Cs)?
  • Prevent and detect fraud
  • Protect assets
  • Comply with laws
  • Reliability of financial reporting
  • Accomplish specific goals

9
Who's Responsible for I/Cs
  • Management
  • Designs
  • Implements
  • Monitors

10
Internal Controls
Why all the Hoopla ???
11
  • Remember these Guys?

12
Kenneth Lay, Enron
  • CEO and chairman of Enron from 1986 until his
    resignation on January 23, 2002
  • Convicted of 10 counts of Securities Fraud
  • Died of Heart Attack Oct 2006

13
David Duncan, Partner at Arthur Andersen (R.I.P.)
  • Auditor in charge of Enron audit
  • Fired for leading a document-shredding brigade
  • Which was against company policy

14
Scott Sullivan, CFO, WorldCom
  • Indicted for $7 billion accounting fraud at the
    disgraced US telecom giant

15
Dennis Kozlowski, Ex-Tyco CEO
  • Convicted of 22 counts of grand larceny for $150 M in
    unauthorized bonuses
  • Convicted of fraud against company shareholders
    for over $400 million
  • Serving 8-25 years

16
That's Enough!
  • Pres. Bush signs first in a series of legislation
    requiring
  • Management to establish and maintain internal
    controls
  • External auditors to report in writing on
    adequacy of internal controls

17
State of Nevada
  • Government entities required to have internal
    controls
  • External auditors review ours
  • Comprehensive Annual Financial Report (CAFR)

18
State of Nevada
  • External auditors report in CAFR
  • Major control problems
  • Major accounting errors
  • CAFR available to media

19
Internal Controls - Nevada
20
Internal Controls - Nevada
  • Internal Control Requirements
  • Statutory Requirement
  • Uniform System of Internal Controls
  • Agencies' Written Procedures

21
Internal Controls - Nevada
  • Statutory Requirement
  • NRS 353A Internal Accounting and
    Administrative Control
  • Legislates internal control requirements

22
Internal Controls - Nevada
  • NRS 353A.020
  • Uniform System of Internal Controls
  • Segregation of duties
  • Limit access to assets
  • Authorizations and Record Keeping
  • Practices followed in performance of duties
  • Effective system of internal review

23
Internal Controls - Nevada
  • Uniform System of Internal Controls
  • Self Assessment Questionnaire (SAQ)
  • Control Activities (COSO)
  • Monitoring (COSO)
  • SAQ available at
  • dintaud.state.nv.us

24
Internal Controls - Nevada
  • Self-Assessment Questionnaire
  • SAQ Revenues.doc

25
Internal Controls - Nevada
  • Agencies' Written Procedures
  • NRS 353A.020 (3) requires agencies to develop
    written procedures to
  • Address control activities on SAQ
  • Address monitoring procedures on SAQ

26
Internal Controls - Nevada
  • Agencies' Written Procedures
  • Financial Management Assistance
  • Self Assessment Questionnaire
  • Templates
  • Contact us with any questions
  • (775)-687-0120
  • Template Revenue.doc

27
Internal Controls - Nevada
  • State Monitoring Requirements
  • NRS 353A.025 - Agency Self Assessment
  • Agencies periodically self-assess internal
    controls
  • SAM 2418 (Revised)
  • Annually complete SAQ
  • Annually test a sample of transactions using
    Testing of Transactions on our website at
  • dintaud.state.nv.us.

28
Internal Controls - Nevada
  • Biennial Report on Internal Controls
  • NRS 353A.025 (2)
  • Due July 1 of each even numbered year
  • Are actual processes adequate?
  • Are written procedures adequate?
  • Do written procedures agree with actual
    processes?
  • Signed by head of agency
  • Report on Internal Controls available at
  • dintaud.state.nv.us

29
  • Report on Internal Controls
  • Report on Internal Controls.doc

30
Internal Controls - Nevada
  • NRS 353A.025 (4)
  • Submitted first Monday in February every odd
    numbered year
  • Report includes
  • Did not submit Report on Internal Controls
  • Not submitted timely
  • No effective method of internal review
  • Identification of agencies with weaknesses
  • Extent and types of such weaknesses

31
Our Quandary
  • How do we create a good I/C system? Is there
    guidance on
  • Designing
  • Implementing
  • Monitoring/evaluating?
  • What do external auditors look for?

32
Guidance from COSO
  • Committee of Sponsoring Organizations (COSO) of
    the Treadway Commission
  • Standard framework
  • Common definition of Internal Control

33
COSO Definition of Internal Control
  • A Process
  • Designed by top management
  • Effected by personnel
  • To provide reasonable assurance
  • Regarding reliability of financial reporting

34
COSO - Reasonable Assurance
  • The best system provides only
  • Reasonable Assurance
  • Not Absolute
  • Regarding the
  • Reliability of financial reporting
  • Effectiveness and efficiency of operations
  • Compliance with applicable laws and
    regulations

35
COSO - Cost vs. Benefit of I/Cs
  • I/Cs should benefit, not hinder
  • I/Cs are not intended to limit
  • authority
  • rule making
  • policy making
  • efficiency or productivity

36
COSO I/C Survey
  • Internal Control Survey
  • Based on COSO framework
  • Sent to agencies in May
  • Given to external auditors for CAFR audit
  • Internal Control Questions for Agencies.doc

37
Five Standards of Internal Control
Monitoring
Information
Control Activities
Risk Assessment
Control Environment
38
Five Standards of Internal Control
Control Environment
39
Control Environment
  • Foundation for all components of I/C
  • Tone at the top
  • Sets the tone of the organization
  • Influences the effectiveness of I/Cs
  • First thing auditors analyze when evaluating
    internal controls

40
Control Environment
  • Control environment is determined by
    management's
  • Attitude, Integrity and Ethics
  • Commitment to Competence and Human Resource
    Policies and Practices
  • Organizational Structure

41
Five Standards of Internal Control
Risk Assessment
Control Environment
42
Risk
  • Second COSO component
  • Anything that endangers the agency's ability to
    achieve an objective

43
Risk Assessment
  • Process to identify and analyze potential risks

44
Risk Assessment
  • Identifying Risks by Type
  • Fraud
  • Efficiency
  • Financial Reporting
  • Misinformation

45
Risk Assessment
  • Analyze the risk
  • Things to consider
  • Amount of misappropriation or error
  • Occurrence rate of transactions
  • Is it detectable? Will it show up later in audit
    processes?

46
Five Standards of Internal Control
Control Activities
Risk Assessment
Control Environment
47
Control Activities
  • Third COSO Component
  • Control activities are
  • Policies, procedures, techniques, and mechanisms
  • Developed to mitigate identified risks

48
Five Standards of Internal Control
Information
Control Activities
Risk Assessment
Control Environment
49
Information and Communication
  • Fourth COSO Component
  • A system that provides information within the
    agency (meetings, e-mails, status reports)
  • Must go up and down
  • Communicate electronically: agency-wide e-mail
  • Encourages employee involvement

50
Five Standards of Internal Control
Monitoring
Information
Control Activities
Risk Assessment
Control Environment
51
Monitoring
  • Fifth COSO Component
  • Assess the quality of I/Cs over time
  • Ongoing supervisory activities
  • Reviews and analyses (Self Assessment)
  • Independent reviews and analyses (auditors)
  • Follow-up on findings

52
COSO in Conclusion
  • Remember that COSO
  • Provides a framework for designing internal
    control systems
  • Is used by external auditors to evaluate internal
    control systems

53
Major Fiscal Processes
  • Risks, Controls, and Other Issues for
  • Revenues
  • Purchasing and Expenditures
  • Payroll and Personnel
  • Contracts
  • Grants

54
Revenues
  • Cash, Checks, Money Orders
  • Most liquid asset
  • Risk: Embezzlement
  • Things to consider
  • Amount
  • Frequency of occurrence
  • Detectable

55
Revenues
  • Four Stages
  • Receiving
  • Depositing
  • Recording
  • Reconciling

56
Revenues
  • Control Activities
  • Receiving
  • Checks
  • Restrictively Endorse Checks
  • Numeric must agree with written amount
  • No postdated checks
  • Record or log Immediately
  • Cash
  • Pre-numbered multi part receipt
  • Large amount: 2 people receive

57
Revenues
  • Control Activities
  • Receiving
  • NRS 353.1467  
  • Payments of $10,000 or more by electronic
    transfer of money.
  • All Agency Memo.pdf

58
Revenues
  • Control Activities
  • Depositing
  • Handled by as few people as possible
  • Segregate depositing from receiving
  • Secure funds until deposit
  • Locked file cabinet, safe, etc.
  • Change combo, keys, as necessary
  • NRS 353.250 Bank Deposits
  • Every Thursday
  • $10K or more - next working day

59
Revenues
  • Control Activities
  • Recording
  • Post to ledgers (A/R, Sales, Fees, etc.)
  • Segregate from receiving the
  • Segregate from depositing the

60
Revenues
  • Control Activities
  • Reconciling
  • Segregate from receiving and depositing
  • Daily - A/R payments, sales, permits issued to
    received
  • Daily - Bank deposit to received
  • Weekly or Monthly - A/R payments, sales, permits
    issued to BSR
  • Monthly - Review A/R delinquency reports

61
Purchasing and Expenditures
  • Risk of billing schemes
  • Purchase non-existent items
  • From fake vendors
  • Purchase real items for personal use
  • Fake claims or reimbursements
  • Most expensive employee theft

62
Purchasing and Expenditures
  • Control Activities
  • Segregate ordering and receiving
  • Match - P.O., invoice, receiving document
  • Vendor numbers
  • Require outside agency approval
  • Over $5K
  • Weapons
  • Computers

63
Purchasing and Expenditures
  • Controls for tangible Items
  • Verify item received
  • Match to P.O. and invoice
  • Controls for intangible items
  • (membership fees, professional dues)
  • ???

64
How to be a millionaire?
  • Meet Paul Constantine Orphan
  • A 20 year Washoe County employee
  • Paul was authorized to purchase water capacity
    for the county
  • Paul created 2 fake companies
  • Paul supplied fake invoices to support the
    purchases
  • He purchased non-existent water capacity from the
    fake companies he created
  • Paul became a millionaire! His boss is not happy

65
Purchasing and Expenditures
  • Intangible Assets
  • Control Activities
  • Receiving doesn't work
  • Verify vendor
  • Google
  • Call them
  • Big bucks: visit if possible

66
Purchasing and Expenditures
  • Address for fake company was a plumbing supply
    storage building
  • Control Activities
  • Independent verification of companies
  • Google
  • Verify company address

67
Purchasing and Expenditures
  • Claims and Reimbursements
  • Victims of Crime Program
  • Employee Embezzlement
  • Case worker gave $50K to family members
  • Case worker verified loss of wages

68
Purchasing and Expenditures
  • Claims and Reimbursements
  • Controls
  • Verify Claim for lost wages
  • Involve second person in process

69
Purchasing and Expenditures
  • Billing Schemes
  • Fictitious Vendors: Red Flags
  • Vendor's address same as employee's
  • Vendor's name matches employee's initials
  • Checks are written to cash
  • Vendor's address is a P.O. box
  • Missing vendor data
  • Illogically formatted vendor data

70
Payroll and Personnel
  • Risk of
  • Fallacious salaries
  • Fraudulent reporting of hours
  • Ghost employees

71
Payroll and Personnel
  • Fallacious salaries
  • Controls
  • Compare ESMT to
  • payroll report or HRDW
  • Classified or unclassified listing
  • Compare CAT 01 budget to actual

72
Payroll and Personnel
  • Fraudulent reporting of hours
  • Controls
  • Supervisor approves time sheet
  • Maintain documentation for
  • Annual Leave
  • Comp Leave
  • Flex Leave
  • Sick Leave

73
Payroll and Personnel
  • Fraudulent reporting of hours (cont'd)
  • Controls
  • Compare time sheets to
  • Leave documentation
  • Internal time tracking

74
Payroll and Personnel
  • Ghost employees
  • Controls
  • Segregate receiving of pay checks from payroll
    audits
  • Encourage direct deposit
  • Check payroll records for duplicate names,
    employee numbers, or unusual employee numbers
  • Check for personnel file

75
Payroll and Personnel
  • Ghost employees
  • Controls
  • Look for checks with no FIT deduction
  • Compare CAT 01 actual vs. budget
  • Occasionally hand deliver checks
  • Be a Ghostbuster!

76
Contracts
  • Risks
  • Bribes and kickbacks
  • Undisclosed conflicts of interest
  • Accepting illegal gratuities
  • Economic extortion

77
Contracts
  • Pay to Play
  • $25,000 Club
  • Wife's real estate commissions

Rod R. Blagojevich
78
Contracts
  • Bribes and Kickbacks
  • Used connections
  • Demanded kickbacks
  • Companies wanting State contracts

Tony Rezko
79
Contracts
  • Controls
  • $5,000 limit on direct purchases (SAM)
  • Contracts of $5K ($2K) Budget Approval (SAM)
  • Contracts of ($10K) BOE approval (SAM)
  • Contracts of $25K RFP (NRS 333.3)

80
Contracts
  • Controls (cont'd)
  • Certified Contract Manager
  • Contract Monitor
  • Independent of authorizer

81
Grants
  • Risks
  • Unauthorized use of Federal funds
  • Grant compliance
  • Monitoring of sub-recipients
  • Misclassify Vendor/contractor as sub-recipient

82
Grants
  • Unauthorized use of Federal Funds
  • Authorization
  • Proposals submitted to Budget and LCB
  • Over $100K to IFC

83
Grants
  • Grant compliance
  • Review expenditures - allowable, unallowable
  • Review performance measures

84
Grants
  • Monitoring Sub-recipients
  • Feds require States
  • Communicate basic grant information
  • Monitor their performance
  • Receive a Single Audit (if necessary)

85
Grants
  • Communicate basic grant information to the
    sub-recipient
  • Inform that grant includes Federal funds
  • Inform of any Federal laws or grant requirements
    imposed on them

86
Grants
  • Monitoring Sub-recipient Performance
  • Fiscal
  • Internal controls
  • Allowable expenditures
  • Program: comply with program requirements
  • Progress reports
  • Performance Indicators

87
Grants
  • Single Audit Requirement
  • Non-Federal Entity
  • Expend $500K or more in a year of Federal money

88
Grants
  • Vendor/contractor vs. Sub-Recipient
  • If vendor or contractor: follow SAM
  • If sub-recipient
  • No current SAM requirements for
  • Choosing sub-recipient
  • Taking bids
  • Checking for conflicts of interest
  • Must monitor

89
Grants
  • Vendor/contractor vs. Sub-recipient
  • Distinctions
  • Vendor/contractor
  • Provides goods/services within normal business
    operations
  • Provides similar stuff to many different
    purchasers
  • Operates in a competitive environment
  • Goods/services are ancillary to Federal program
  • Not subject to Federal program compliance
    requirements

90
Grants
  • Vendors/contractors vs. sub-recipients
  • Sub-recipients
  • Determines eligibility for Federal program
  • Subject to program and fiscal monitoring
  • Has responsibility for programmatic decision
    making
  • Must adhere to Federal program compliance
    requirements
  • Carries out the program (steps into our shoes)

91
Grants
  • Subrecipient vs vendor.pdf

92
Thank You
  • Thank you for taking this class
  • Good luck on the test!