Small Government Internal Controls - PowerPoint PPT Presentation

Slides: 68
Provided by: MarkM122

Transcript and Presenter's Notes


1
Small Government Internal Controls
  • Presented by
  • Donna Collins
  • Milestone Professional Services

2
Why are Internal Controls So Important?
  • Accountability
  • Citizens
  • Approved budget has been followed
  • Spending and letting of contracts have been legal
  • Appropriate safeguards taken against fraud
  • Grantors
  • Funds have been used for the purpose given
  • Compliance requirements have been met
  • Management
  • Data is reliable for decision making

3
Why are Internal Controls So Important?
  • Accurate reporting
  • Internal
  • Budgeting and planning purposes
  • Cash flow management
  • External
  • Creditors (Bankers, bondholders, etc.)
  • Grantors
  • Financial statement users
  • State and other governments
  • Companies moving to our City

4
Why are Internal Controls So Important?
  • Efficient use of resources
  • Eliminating redundancy in our process to allow
    for a streamlined workforce
  • Protecting against loss due to fraud and
    misappropriation
  • Communicating clearly internally and externally
    so that operations flow smoothly
  • Providing for the ability to recognize excellence
    within our government

5
Internal Control - Definition
  • Internal Control is a process, effected by
    management and other personnel, designed to
    provide reasonable assurance regarding the
    achievement of objectives in the following
    categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with laws and regulations

6
Internal Control - Definition
  • Internal control consists of five interrelated
    components that affect each of the three
    categories

7
Internal Control - Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

8
Internal Control - Components
  • Internal control components interact with
    operations, financial reporting and compliance

9
Control Environment
  • Sets the tone for the government
  • Influences control consciousness
  • Foundation for all other control components
  • Includes integrity, ethical values, competency,
    management's philosophy, and the way authority
    and responsibility are assigned

10
Practical Application - Control Environment
  • Establish current policies with regard to ethical
    behavior (Code of Conduct), Conflict of Interest,
    Nepotism
  • Enforce appropriate discipline for failure to
    comply with these policies
  • Ensure personal adherence to strong moral code
  • Reward competency

11
Practical Application - Control Environment
  • Place high degree of importance on maintaining
    strong internal control
  • Provide for a whistle blower policy that allows
    employees and others to report fraud or false
    statements by the management team

12
Impact of the Control Environment
  • Don't underestimate the importance of this part
    of the control system. All the great control
    activities in the world will not be effective if
    employees know that management is not concerned
    with strong internal control, lacks integrity or
    does not value their employees.

13
Control Environment Pitfalls
  • Ignoring the tone that management sets or
    thinking that the control environment is not
    important.
  • Inconsistency in treatment of lapses in ethical
    conduct.
  • Allowing employees to feel devalued.

14
Risk Assessment
  • Risks result from both external and internal
    sources
  • These change over time based on economic,
    regulatory, and operating conditions
  • Risk Assessment must link identified policy
    objectives to specific risk factors

15
Risk Assessment
  • Example: a policy of receiving the highest rate
    of return on investments must be linked to
    interest rate risk

16
Risk Assessment
  • Example: a policy of allowing payment from
    vendor statements, rather than from original
    invoices only, must be linked to the risk of
    duplicate payments

17
Risk Assessment
  • Example: a policy of decentralized cash receipts
    must be linked to the risk of untimely deposit
    and recording to the general ledger.

18
Risk Assessment
  • Risk Assessment must also link identified control
    objectives to specific risk factors
  • All transactions are properly authorized
  • Transactions are recorded in the correct period
    for the correct amount
  • All revenues are received and recorded timely
  • Assets are not stolen or lost

19
Risk Assessment
  • Risk factors are created by:
  • The nature of particular accounts or transactions
  • Turnover in key employee positions
  • Changes in the financial markets
  • The expertise of the personnel handling
    transactions
  • Ineffective or poorly designed control activities

20
Practical Application - Risk Assessment
  • Be realistic about the true risk with regard to a
    particular account or cycle of transactions
  • Consider all types of applicable risk: inherent,
    control risk, fraud risk, credit risk, etc.
  • Make sure to address IT risk
  • Identify "What could go wrong?"

21
What could go wrong? Example: Cash Disbursements
  • Payments could be made to fictitious vendors
  • Disbursements could be made for the wrong amount
  • Duplicate payments could be made on an invoice
  • Disbursements could be recorded in the wrong
    period

22
What could go wrong? Example: Investments
  • Excessive transaction fees could be charged to
    the government.
  • Investments held by the government could be
    stolen (Certificates of Deposit).
  • Investments outside the government's risk
    tolerance could be purchased and result in loss
    of principal.

23
What could go wrong? Example: Cash Receipts
  • Funds received could be credited to the wrong
    customer account
  • Cash could be stolen by an employee
  • Amounts received could be recorded net rather
    than gross
  • Amounts receivable may never be collected due to
    failure to follow up on past due amounts

24
How to perform an effective risk assessment
  • Use "What could go wrong?" scenarios to identify
    areas of potential risk.
  • Rank the likelihood and impact of each of these
    risk factors.
  • Identify controls that mitigate risk for the
    highest ranked risk factors.

25
Risk Matrix: Cash Receipts

26
Practical Application - Risk Assessments
  • Risk Assessments can be documented via narrative,
    checklist or matrix
  • Tools available include:
  • COSO documents available via AICPA
  • PPC checklists or other auditor utilized
    templates
  • Local government websites (perform Google search
    for government internal control)

27
Practical Application - Risk Assessments
  • Remember that use of a third party does not
    eliminate management's responsibility for
    assessing risks.
  • Structure of agreement is important
  • Obtain SAS 70
  • Reconcile reports to general ledger (as
    applicable)

28
Practical Application - Risk Assessments
  • Remember that IT controls can affect risk for all
    cycles of transactions. Well-designed internal
    controls can be made ineffective by poor controls
    over IT.
  • System log-in should mirror job responsibilities
  • Passwords
  • Remove temporary access granted once no longer
    appropriate

29
Risk Assessment Pitfalls
  • Trying to identify a control for every risk
    factor.
  • Ignoring the possibility of existing compensating
    controls.
  • Not performing a risk assessment annually or at
    least when key factors have changed (regulatory,
    employee turnover, etc.)
  • Ignoring IT controls.

30
Control Activities
  • The policies and procedures that ensure
    management's directives are followed
  • These occur at all levels throughout the
    organization
  • Include approvals, authorizations,
    verifications, reconciliations, security of
    assets, segregation of duties and review of
    operating performance

31
Practical Application - Control Activities
  • Address control objectives: existence or
    occurrence, completeness, valuation or
    allocation, rights and obligations, accuracy or
    classification, cutoff and presentation and
    disclosure
  • Tie control activities to risks previously
    identified and address "What could go wrong?"
    scenarios
  • Balance cost and benefit

32
Practical Application - Control Activities
  • Identify control objectives and the risks of what
    could happen
  • For each risk factor identified, evaluate the
    potential impact and probability of occurrence
  • Design control activities to address high impact,
    high probability concerns
  • Evaluate annually

33
Risk Matrix
  • Cash Receipt Example

34
Risk Matrix
  • Cash Disbursements Example

35
Practical Application - Control Activities
  • It is not necessary to address every risk factor
    with a specific control activity; focus on key
    areas
  • Utilize compensating controls where textbook
    approach is not practical
  • Evaluate the benefit of existing monitoring
    controls

36
Risk Matrix
  • Cash Disbursements Example

37
Key Control Activities
  • Address unusual transactions or variance from
    expected benchmarks in timely fashion
  • Reconcile accounts per general ledger to
    subsidiary ledgers or statements from
    trustee/custodian (as applicable)
  • Separate initiation and authorization from
    recording of transactions

38
Key Control Activities
  • Provide for oversight by interested party such as
    Investment Committee (include trustee activities),
    Audit Committee or Citizens Group
  • Utilize disclosure checklist to ensure
    presentation and disclosure requirements are met

39
Control Activities Pitfalls
  • Remember that for small governments key
    objectives must be identified:
  • Reducing the risk of theft or fraud
  • Providing for accountability
  • Ensuring compliance with regulations
  • Focus on true effectiveness, not just
    cookie-cutter approaches
  • Ensure benefit justifies the cost

40
Information and Communication
  • Includes both internal and external interaction
  • Requires pertinent information to be identified,
    captured and communicated in a form and timeframe
    for employees to carry out their responsibilities
  • Reports must contain relevant operational,
    financial and compliance information

41
Practical Application - Information and Communication
  • System generated reports must include relevant
    information
  • Statements from outside third parties
    (broker/dealers, bank statements, grantor agency)
    must be channeled to correct personnel and
    provided timely

42
Information and Communication Example: Investments
  • Communication with Investment Committee or other
    oversight body should include:
  • Types of investments held
  • Average rate of return for period and YTD
    compared with benchmarks
  • Average maturity of portfolio
  • Compliance with investment policy provisions

43
Information and Communication Example: Investments
  • Communication with Investment Committee or other
    oversight body should also include:
  • Changes in investment strategy (if any)
  • Interest rate environment changes
  • Discussion of any unusual transaction or
    particularly risky investment

44
Information and Communication Example: Cash Disbursements
  • Communication with Departments
  • Budget to Actual Report by budgeted line
  • Request to explain certain variances
  • Detail of Capital Assets added to subledger
  • Communication with Council
  • Budget to Actual Comparison by Department
  • Explanations for variances over a certain
    threshold

45
Information and Communication Example: Cash Receipts
  • Daily Cash reports should show revenue by major
    categories such that reconciliation to the
    general ledger is facilitated.
  • The date of receipt and date of deposit should be
    included along with the general ledger and bank
    account information.

46
Information and Communication Pitfalls
  • Generating reports that provide inaccurate,
    untimely or unnecessary information
  • Providing inappropriate information outside the
    organization (SS, employee evaluations)
  • Failure to verify accuracy of externally provided
    reports

47
Monitoring
  • Assessing the quality of the internal control
    system and making modifications as needed
  • This process is ongoing through the normal course
    of operations and at separate specific
    evaluations of a particular process

48
Monitoring
  • COSO Framework states that Monitoring ensures
    that internal control continues to operate
    effectively.
  • The COSO Framework recognizes that risks change
    over time and that management needs to determine
    whether the internal control system continues to
    be relevant and able to address new risks.

49
Monitoring
  • The original COSO report on internal controls was
    issued in 1992.
  • In 2009, COSO issued Guidance on Monitoring
    Internal Control Systems
  • Emphasized importance of monitoring controls as
    part of even small government environments.

50
Monitoring
  • Monitoring is an ongoing process and can also be
    annual in nature (testing of key controls)
  • Process can be done annually by the Internal
    Audit Department (as applicable) or as an
    Internal Review by Finance personnel.

51
Practical Application - Examples of Monitoring
  • Cash Receipts
  • Performing a review of bank reconciliations on a
    monthly basis and signing off as having reviewed
    these.
  • Monthly comparison of actual receipts to budgeted
    receipts and investigation of significant
    discrepancies.
  • Annually selecting a few transactions to ensure
    proper recording.

52
Practical Application - Examples of Monitoring
  • Cash Disbursements
  • Performing a review of bank reconciliations on a
    monthly basis and signing off as having reviewed
    these.
  • Monthly comparison of cash disbursements to
    budgeted expenditures/expenses and investigation
    of significant discrepancies.

53
Practical Application - Examples of Monitoring
  • Cash Disbursements
  • Reconciliation of P-card purchases by someone
    other than the card holder
  • Annual test of a selection of transactions for
    proper recording.

54
Practical Application - Examples of Monitoring
  • Investments
  • Performing investment portfolio review (including
    evaluation of concentration and type of
    investments) quarterly by person independent of
    investment portfolio management
  • Disclosure of Conflict of Interest Statement
    annually by portfolio manager
  • Obtaining a SAS 70 report from custodian annually

55
Practical Application - Monitoring
  • Controls will change as the makeup of an account
    changes
  • Controls should be evaluated when there are
    changes in key personnel or software applications
  • Be responsive to information requests of key
    management personnel
  • Review policies and procedures annually

56
Monitoring Pitfalls
  • Failure to perform any monitoring control
    activities.
  • Overkill for the organization's size. One or two
    key data cycles or areas can be selected each
    year for testing of controls.
  • No attempt to actually test key controls in some
    fashion.
  • Failure to evaluate controls when personnel or
    software changes.

57
Resources Available
  • Where can I find sample policies and procedures?
  • What reference materials are available?
  • Where can I find answers to my questions?

58
Resources Available
  • Professional organization websites: FGFOA, GFOA,
    FICPA, AICPA
  • Local chapter meetings
  • Auditors
  • Continuing Education opportunities
  • Website searches
  • List serves (FGFOA and FICPA)
  • Network of other local government officials

59
Resources Available
  • Florida Government Finance Officers Association
  • Sample policies and procedures
  • Small Government Resource Manual
  • List Serves: Treasury, Accounting and Auditing,
    Debt Management, Budgeting and Financial
    Administration
  • Training (Annual Conference, School of Government
    Finance, local chapter meetings, Webinars)

60
Resources Available
  • Government Finance Officers Association
  • Best Practices
  • Training (Annual Conference, webinars and
    numerous one day training opportunities)
  • Publications
  • Elected Officials Guide to Internal Controls
  • Evaluation Internal Control: A Local Government
    Manager's Guide

61
Resources Available
  • Florida Institute of Certified Public Accountants
  • Training
  • Frequent Frauds Found in Governments and
    Not-for-Profits (Miami 12/1/10)
  • Identifying Fraudulent Financial Transactions
    (Tampa 12/9/10)
  • Publications
  • List Serves (AA, SLG, Business IT)

62
Resources Available
  • American Institute of Certified Public
    Accountants
  • Training
  • Publications
  • COSO documents
  • Articles in the Journal of Accountancy
  • Controls.Doc For Documenting and Assessing
    Internal Controls
  • Government Resource Center

63
A final reminder about I/C Pitfalls
  • Don't focus on areas where risk is low
  • Don't ignore risk factors you become aware of
    throughout the year
  • Talk to your auditors about areas of concern they
    may have and new auditing standards that will
    affect your audit.
  • Make sure to tailor any borrowed P&P to your
    organization.

64
A final reminder about I/C Pitfalls
  • Remember that the cost of implementing the
    control structure should not outweigh the
    benefit.
  • Remember to address budget, grant and IT
    controls.

65
Summary
  • The control environment establishes the
    importance of internal control.
  • Risk Assessments must be realistic and performed
    when changes to objectives or policies occur,
    there is turnover in key employees, or there are
    significant changes in the financial markets.

66
Summary
  • Control Activities should be focused on areas of
    highest risk. Monitoring controls are an effective
    stopgap for smaller entities.
  • Information and Communication must provide
    relevant information for managing the assets and
    liabilities of the entity.
  • Monitoring of the internal control system is an
    ongoing process.

67
Questions?