Internal Controls and Fraud Protection Board and Management Responsibilities - PowerPoint PPT Presentation


1
Internal Controls and Fraud Protection
Board and Management Responsibilities
  • By
  • Gerard M. Zack, CFE, CPA, MBA
  • Zack Accounting Consulting, P.C.
  • Nonprofit Resource Center, Inc.

2
Agenda
  • Part I
  • Overview of Board and Management Responsibilities
  • Auditor Responsibilities
  • Framework of Internal Controls
  • Part II
  • Overview of an Organization-Wide Model of
    Internal Control
  • Best Practices Pertaining to Board and Management
    Oversight

3
Board Responsibilities
  • Boards have a legal and ethical responsibility of
    ensuring the exclusive and effective use of all
    corporate assets in furthering the organization's
    charitable mission
  • Responsibility includes accountability to
  • Department of Veterans Affairs
  • Major stakeholders (funding sources, the people
    we serve, etc.)
  • The general public
  • Other government agencies whose laws we are
    subject to (IRS, States, local authorities, etc.)

4
Internal Controls
  • Sound internal controls provide assurance that
    NPCs are meeting these responsibilities
  • NPC Boards' responsibilities for overseeing these
    internal controls are the focus of this
    presentation

5
Internal Control - Defined
  • A process effected by those charged with
    governance, management, and other personnel
    designed to provide reasonable assurance about
    the achievement of an entity's objectives.
  • Framework developed by the Committee of
    Sponsoring Organizations of the Treadway
    Commission (COSO), which issued Internal Control
    Integrated Framework (1992)

6
Three Objectives of Internal Control
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

7
Safeguarding of Assets
  • Protection of assets from fraud is a subset of
    each of these three objectives
  • Internal control should provide assurance that
    assets are safeguarded from
  • Ineffective or inefficient use
  • Unauthorized acquisition, use, disposal, or theft
    (fraud)
  • Illegal use

8
Deficiencies in Internal Control
  • Deficiency in the design of internal control
  • Deficiency in the application of internal control
  • A subset of this may also include deficiencies in
    the documentation of internal controls
  • Intentional over-ride of an internal control

9
Management Responsibilities
  • Continuous monitoring of internal controls and
    risks
  • Assess internal controls and identify
    deficiencies
  • Respond to (correct) deficiencies
  • Best practices
  • Establish senior management team to include CFO,
    COO, CIO, senior procurement officers, and
    managers of other functions and programs

10
Auditor Responsibilities
  • In a Financial Statement Audit
  • Gain an understanding of the design of internal
    controls sufficient to plan appropriate audit
    procedures designed to provide reasonable
    assurance that the financial statements are free
    of material misstatement
  • No requirement to test the operation of internal
    controls
  • Required to communicate significant deficiencies
    and material weaknesses, if any are identified
  • Required to communicate fraud that is material to
    the financial statements or that involves senior
    management (regardless of materiality)
  • Required to communicate illegal acts, unless
    clearly inconsequential

11
Auditor Responsibilities
  • In an OMB Circular A-133/Single Audit of NPCs
    Receiving Federal Awards
  • The same as those in a financial statement audit,
    plus,
  • Test and prepare written report on internal
    controls over financial reporting (GAGAS)
  • Test the operation of internal controls (i.e.
    those relating to compliance with applicable laws
    and regulations) over major programs (i.e. those
    selected for testing) to support a low assessed
    level of control risk and issue written report on
    results (Circular A-133, Subpart E, paragraph
    .500(c))

12
AICPA SAS No. 112
  • SAS = Statement on Auditing Standards
  • SAS 112 Lowers the Threshold That Auditors Use
    for Determining Which Internal Control
    Deficiencies Must be Reported to the Audit
    Committee
  • Significant deficiencies and material weaknesses
  • All Communications Must be in Writing
  • Must be Made Within 60 Days of Report Release
    Date
  • Effective for Audits of Periods Ending on or
    After December 15, 2006

13
SAS 112 Significant Deficiencies
  • Controls Over Selection and Application of
    Accounting Principles That Are in Conformity With
    GAAP (Sufficient Expertise in GAAP)
  • Antifraud Programs and Controls
  • Controls Over Nonroutine and Nonsystematic
    Transactions
  • Controls Over Period-End Financial Reporting
    Process

14
Examples of Significant Deficiencies
  • Corrections of Errors in Financial Statements
  • Identification of Material Misstatements by
    Auditors
  • Ineffective Internal Audit Function or Risk
    Assessment Function (For Large or Complex
    Entities)
  • Ineffective Regulatory Compliance Function (For
    Complex Entities in Highly Regulated Industries)
  • Identification of Fraud Committed by Senior
    Management (Regardless of Materiality)
  • Uncorrected/Unassessed Deficiencies From Prior
    Years
  • Ineffective Control Environment

15
Components of Internal Control
  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring

16
1. Control Environment
  • Integrity & ethical values of management
  • Commitment to competence
  • Board oversight & interaction w/auditors
  • Management philosophy regarding risk
  • Organizational structure
  • Assignment of authority & responsibility
  • Human resource policies

17
2. Risk Assessment
  • Organization's identification & analysis of
    relevant risks in relation to achievement of
    objectives, such as
  • Changes in regulatory environment
  • New personnel
  • New systems or technology
  • Rapid growth or downsizing
  • New programs, grants, services

18
3. Control Activities
  • Policies & procedures to help ensure that
    management directives are carried out
  • Physical controls (facilities)
  • Information processing (e.g. those that check
    accuracy, completeness & authorization of
    transactions)
  • Performance reviews (e.g. budget to actual)
  • Segregation of duties

19
4. Information & Communication
  • Methods & records used to record, process,
    summarize, & report transactions & to maintain
    accountability over assets, liabilities, & net
    assets
  • Accounting records
  • Accounting processing
  • Financial reporting process
  • Communication of employee duties and
    responsibilities
  • Disaster recovery

20
5. Monitoring
  • Assessing the quality of internal control
    performance over time, including taking
    corrective action, using
  • Internal audit
  • External audit
  • Special assessments of internal controls
  • Input from personnel
  • Input from third parties (e.g. donors, grantors,
    vendors, etc.)

21
Application of Internal Controls
  • Each of the five inter-related components has
    application to each of the three objectives of
    internal control
  • Operations
  • Financial reporting
  • Compliance
  • Each of the five components may apply on an
    organization-wide basis or may differ by
  • Location
  • Function
  • Department, division or program (unit)

22
Fraud - 2006 ACFE Study
  • $652 Billion/Yr Total Estimated Cost in U.S.
  • Typical Organization Loses 5% of Annual Revenue
    to Fraud
  • Smaller Entities Most Vulnerable
  • Reveals Value of Certain Antifraud Measures
  • Source: 2006 ACFE Report to the Nation on
    Occupational Fraud and Abuse

23
Victims of Fraud - 2006 Study
  • Private Company (36.8% of cases)
      • Median loss $210,000
  • Public Company (31.7%)
      • Median loss $200,000
  • Government Agency (17.6%)
      • Median loss $100,000
  • Not-for-Profit Organization (13.9%)
      • Median loss $100,000
  • Source: 2006 ACFE Report to the Nation on
    Occupational Fraud and Abuse

24
Categories of Fraud
  • Asset Misappropriations (91.5% of cases)
      • Theft or misuse of cash or non-cash assets
  • Corruption (30.8% of total cases, 29.3% of NPO
    cases)
      • Person uses their influence to obtain
        unauthorized benefit (bribes, kickbacks,
        conflicts of interest, etc.)
  • Fraudulent Statements (10.6% of total cases, 5.4%
    of NPO cases)
      • Falsification of financial statements
  • Source: 2006 ACFE Report to the Nation

25
Asset Misappropriations
  • Billing Schemes (28.3% of A.M. Cases)
  • Expense Reimbursements (19.5%)
  • Skimming (18.9%)
  • Check Tampering (17.1%)
  • Inventory Misappropriation (16.6%)
  • Cash Larceny (14.2%)
  • Payroll Schemes (13.2%)
  • Wire Transfers (6.5%)
  • Information Misappropriation (3.6%)
  • Register Disbursements (1.7%)

26
Trends in Nonprofit Fraud (1)
  • While traditional check tampering and
    disbursements frauds continue to be prevalent in
    nonprofits, certain trends have become apparent
  • Significant increase in cases involving
    corruption
  • Kickbacks, bribes, and undisclosed conflicts of
    interest
  • Increase in cases involving electronic access to
    or theft of data
  • While employees working off-site, hacking into
    networks, etc. to access sensitive data

27
Trends in Nonprofit Fraud (2)
  • Increase in external attempts at check tampering
    and electronic transfers from NPO accounts
  • Increase in frauds perpetrated by agents of
    nonprofits as certain functions become
    increasingly outsourced without proper oversight
  • Increase in cases where nonprofit is held liable
    for frauds perpetrated by their employees or
    agents against others
  • e.g. employee steals credit card information of a
    patient, donor, member, etc.

28
Goals of Fraud Protection
  • Prevent as much as possible
  • Utilize detective controls to catch what cannot
    be prevented
  • Insure against acts that are not prevented or
    detected
  • Accept a certain, minimal level of risk
  • Continually update our understanding of fraud
    risks and manage those risks
  • Utilize EVERYONE in an ongoing system of fraud
    deterrence

29
Elements of an Organizational System of Internal
Control
  • Financial Controls
  • Preventive controls
  • Detective controls
  • Non-Financial Systems
  • Management Oversight and Behavior

30
I. Financial Controls
  • Preventive
  • Designed to prevent errors, fraud, or illegal
    acts from being committed
  • Distinguish preventive policies from preventive
    controls (e.g. requiring two signatures on
    checks)
  • Detective
  • Designed to detect errors, frauds, or illegal
    acts and allow for corrective action
  • Example: bank account reconciliation

31
Financial Controls
  • These are the controls over Individual
    Transactions (authorizations and approvals,
    check-writing, bank reconciliations, etc.)
  • Maintain in Written Form (i.e. a Current Policies
    and Procedures Manual)
  • Certain Elements are Applicable to All Accounting
    Cycles
  • Segregation of Duties
  • Data Access Controls (IT, Physical Security)
  • Timely Reconciliations
  • Use of Analytical Techniques

32
Segregation of Duties
  • One Important Goal: Make it Impossible to Commit
    and Conceal a Fraud
  • Example: Separate Functions Involved in Handling
    Funds From Those Involved With Recording

33
Contact Information
  • Gerard M. Zack, CPA, CFE
  • Zack Accounting Consulting, P.C.
  • 1700 Rockville Pike, Suite 400
  • Rockville, MD 20852
  • E-mail: zackaccounting_at_earthlink.net