Melinda J. DeCorte, CPA, CFE, CGFM, PMP


Melinda J. DeCorte, CPA, CFE, CGFM, PMP Melinda DeCorte has over 19 years of accounting, auditing and government financial management experience. She directs, manages and serves in a quality assurance capacity for financial statement audits conducted in accord with government auditing standards. Additionally, she has extensive governmental consulting experience focusing on internal controls and risk assessments, financial statement preparation, financial system implementation, and evaluating agencies for audit readiness and compliance with internal control standards and generally accepted accounting principles. Prior to her career in public accounting, Melinda served as a commissioned officer in the United States Army, Finance Corps. Melinda serves as the Vice Chair of the national AGA Professional Ethics Board and on the advisory council to the GAO in updating the Standards for Internal Control in the Federal Government (Green Book). She is also currently serving as the President of the Dallas chapter of the AGA.

Internal Control Application of GAO's Green Book
April 27, 2017
Association of Government Accountants, Dallas Chapter
Professional Development Training

Session Objectives
- What is internal control and why is it so important?
- What tools can I leverage to design and implement an effective system of internal control?
- How do I apply the GAO Green Book?

What is internal control?
- An integral component of an organization's management that provides reasonable assurance that the objectives of the organization are being achieved
- Objectives and related risks can be broadly classified into three categories:
  - Efficient and effective operations
  - Reliable reporting
  - Compliance with laws and regulations
- Internal control includes the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, and objectives of the organization

Fundamental concepts
- Geared towards the achievement of objectives - operations, reporting and compliance
- A process that is continuously evolving
- Effected by the organization's people and the actions they take (or fail to take)
- Provides reasonable, but not absolute, assurance
- Adaptable and flexible
- Comprised of the five components working in an integrated manner

Why is internal control important?
- Helps managers achieve desired results
  - Efficient program operations (delivering public services to us - the citizens)
  - Effective stewardship of public resources (our taxpayer dollars)
- Provides reasonable assurance that the amounts and disclosures reported in the organization's financial statements are materially accurate
- Necessary in achieving a clean audit opinion with no reportable internal control deficiencies
- Important in municipal bond ratings (evaluating the credit risk in determining whether to purchase)

OK, but why is internal control really important?
- Serves as the first line of defense in safeguarding assets and preventing fraud
  - Misappropriation of cash and other assets
  - Fraudulent financial reporting (perhaps to cover up misappropriation or to achieve a desired outcome)
- Helps to deter public corruption
- Avoid embarrassment, public humiliation and ending up on the front page of the newspaper!

The Trusted Treasurer: Rita Crundwell, Dixon, IL

Outcome
- The Trusted Treasurer was indicted on 60 felony theft counts and was found guilty in Nov 2012
- Sentenced to 19 years and 7 months in federal prison (Minnesota) in Feb 2013
- She'll be 77 years old upon her release (March 2030)
- As a result of her fraud:
  - City police could not afford to upgrade squad car radios or make new hires
  - Streets could not be resurfaced
  - A waste water treatment facility had to be delayed
  - The city had to issue $3 million in bonds to cover financial obligations

Dixon, IL Net Monetary Loss
- $10 million attorneys' fees for investigating the fraud and negotiating settlements with accounting firms and the bank
- $35.15 million settlement with the CPA firm that assisted Dixon with accounting and financial management
- $1 million settlement with the CPA firm that performed Dixon's annual audit since 2006
- $3.85 million settlement with the bank where Dixon's accounts were maintained and where Crundwell set up the fake account

Dixon, IL Net Monetary Loss
  Amount misappropriated by Crundwell:        $54 million
  Attorneys' fees:                            $10 million
  Loss to Dixon:                              $64 million
  Recovery from sale of Crundwell assets:     $10 million
  Settlement with CPA firms and bank:         $40 million
  Dixon's net monetary loss:                  $14 million

No price can be set for the loss of faith in the city's public officials

What could Dixon have done?
- A study of reported occupational fraud cases in public sector entities published in the Journal of Government Financial Management* noted the following top three internal control weaknesses:
  - Lack of management or independent reviews
  - Abuse of authorizations to access cash, other assets or to information systems
  - Inadequate level of transaction recordkeeping / documentation
- Dixon could have leveraged the GAO Green Book to design, implement and maintain an effective system of internal control
- Even on a small ($7-8M) budget, the city could have implemented effective internal control that would have prevented, or at least quickly detected, this fraud
*Winter 2014 edition

Standards for Internal Control
- The United States Comptroller General (Government Accountability Office) has issued standards for internal control in the government
- Green Book effective beginning fiscal year 2016 and for the FMFIA reports covering that year
- The Green Book is available on GAO's website at: www.gao.gov/greenbook

Green Book Through the Years: 1983 to Present

Standards for Internal Control
- The Green Book is written for government - leverages the COSO updated Internal Control Integrated Framework that was released in May 2013
- Uses government terms
- Can be used by management to understand requirements and by auditors to understand criteria
- Cited in the UGG as an acceptable framework for internal control for state and local governments
- Five components of internal control, 17 principles, 48 attributes
  - All components and principles are requirements for establishing an effective internal control system
  - The attributes provide further explanation of the requirements

Revised Green Book: Standards for Internal Control in the Federal Government
- Overview
- Standards

Revised Green Book: Overview
- Explains fundamental concepts of internal control
- Addresses how components, principles, and attributes relate to an entity's objectives
- Discusses management evaluation of internal control
- Discusses additional considerations

Fundamental Concepts
- Internal control is a process to help entities achieve objectives
- Component, Principle, Attribute

Overview: Components and Principles
- In general, all components and principles are required for an effective internal control system
- Entity should implement relevant principles
- If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively
- OV2.05: The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.

Overview: Attributes
- Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles
- OV2.07 excerpt: The Green Book contains additional information in the form of attributes... Attributes provide further explanation of the principle and documentation requirements and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity.

Overview: Management Evaluation
- An effective internal control system requires that each of the five components are:
  - Effectively designed, implemented, and operating
  - Operating together in an integrated manner
- Management evaluates the effect of deficiencies on the internal control system
- A component is not effective if related principles are not effective

Overview: Additional Considerations
- The impact of service organizations on an entity's internal control system
- Discussion of documentation requirements in the Green Book
- Applicability to state, local, and quasi-governmental entities as well as not-for-profits
- Cost/Benefit and Large/Small Entity Considerations

Revised Green Book: Standards
- Explains principles for each component
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information and Communication
  - Monitoring
- Includes further discussion of considerations for principles in the form of attributes

Revised Green Book: Components and Principles

Case Study: Dixon, IL

Control Environment: Dixon deficiencies in its system of internal control

Principle 2. The oversight body should oversee the entity's internal control system.
- Dixon's City Council and Mayor did not oversee the design, implementation, and operation of the city's internal control system or provide direction on the remediation of any deficiencies.
- Few internal controls in place.
- Crundwell was allowed to make decisions and perform Treasurer duties with virtually no oversight.

Principle 3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity's objectives.
- The assignment of responsibility and delegation of authority did not promote achievement of the city's objectives.
- No consideration of the overall responsibilities assigned to Crundwell.
- Excessive level of authority assigned to Crundwell.

Control Environment (cont.): Dixon deficiencies in its system of internal control

Principle 4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
- No succession or contingency plans for the Treasurer role.
- No identification and training of a succession candidate or, at a minimum, an alternate individual.

Principle 5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities.
- No accountability for performing assigned internal control responsibilities.
- No consideration of internal control responsibilities in determining overall performance objectives or in evaluating performance.

Risk Assessment: Dixon deficiencies in its system of internal control

Principle 6. Management should define objectives clearly to enable the identification of risks and define risk tolerances.
- Dixon did not define objectives. Consequently Dixon was unable to identify risks to achieving its objectives or determine risk tolerances.

Principle 7. Management should identify, analyze, and respond to risks related to achieving the defined objectives.
- Dixon did not perform a risk assessment to identify risks. Consequently it was unable to identify internal controls to mitigate these risks.

Risk Assessment (cont.): Dixon deficiencies in its system of internal control

Principle 8. Management should consider the potential for fraud when identifying, analyzing and responding to risks.
- Dixon did not consider the potential for fraud of taxpayer dollars.
- Dixon did not consider the fraud risk factor of opportunity: lack of internal controls and ultimate trust in Crundwell provided an opportunity to commit fraud.

Principle 9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
- Dixon did not consider changing conditions that could affect the city and its environment (e.g., reduced state funding resulting in the need for city budget cuts).
- Dixon did not analyze the effect of changes on the internal control system and determine whether existing controls are effective for meeting objectives or addressing risks under the changed conditions.

Control Activities: Dixon deficiencies in its system of internal control

Principle 10. Management should design control activities to achieve objectives and respond to risks.
- No comparison of actual performance to expected results and analysis of significant differences.
- Lack of effective management of the city's workforce.
- No physical control over vulnerable assets or limits of access to resources and records (e.g., control log of check stock, accountability of issued checks).
- No segregation of duties - authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets.
  - Disbursements by check should require the approval and signature of an individual other than the individual recording the transaction and the individual reconciling the bank account.
  - Opening a new bank account should require the approval and signature from someone outside of the transaction processing role.
  - Invoice approvals should require verification of receipt of goods/services.
- No mandatory vacation and/or rotation of duties.

Control Activities (cont.): Dixon deficiencies in its system of internal control

Principle 12. Management should implement control activities through policies.
- No policies documenting the internal control responsibilities.
- No periodic review of policies, procedures, and related control activities for continued relevance and effectiveness.

Information and Communication: Dixon deficiencies in its system of internal control

Principle 13. Management should use quality information to achieve the entity's objectives.
- Management or City Council did not identify information that could have been used to inform users as to the achievement of objectives and related risks.
- Certain data (e.g., bank statements) was obtained from internal sources that in hindsight were not reliable.
- Data received was not processed into quality information that could be evaluated to make informed decisions.

Principle 14. Management should internally communicate the necessary quality information to achieve the entity's objectives.
- Management and the oversight body did not receive quality information that flows up the reporting lines from internal personnel.
- Dixon did not have a separate line of communication for internal personnel to report sensitive and/or confidential matters, such as a whistleblower or ethics hotline.

Principle 15. Management should externally communicate the necessary quality information to achieve the entity's objectives.
- Management and the oversight body did not receive quality information that flows up the reporting lines from external personnel.
- Dixon did not have a separate line of communication for external personnel to report sensitive and/or confidential matters, such as a whistleblower or ethics hotline.

Monitoring: Dixon deficiencies in its system of internal control

Principle 16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
- Dixon did not perform any monitoring of its system of internal control. Consequently Dixon would not have understood if an internal control was not operating effectively or if there was a control gap (i.e., no internal control).

Principle 17. Management should remediate identified internal control deficiencies on a timely basis.
- Since there were no monitoring activities, issues were not evaluated or remediated through corrective actions.

The Green Book in Action

Relationship between the Green Book and Yellow Book
- Can be used by management to understand requirements
- Can be used by auditors to understand criteria

The Yellow Book: Framework for Audits

Findings are composed of:
- Condition (What is)
- Criteria (What should be)
- Cause
- Effect (Result)
- Recommendation (as applicable)

Linkage Between Criteria (Yellow Book) and Internal Control (Green Book)
- Green Book provides criteria for the design, implementation, and operating effectiveness of an effective internal control system

The Yellow Book: Framework for Audits

Findings are composed of:
- Condition (What is)
- Criteria (What should be)
- Cause
- Effect (Result)
- Recommendation (as applicable)

Linkage Between Findings (Yellow Book) and Internal Control (Green Book)
- Findings may have causes that relate to internal control deficiencies

Case Study: Lessons from an $8 million fraud

Background
- ING acquired Mueller's employer, life insurance company ReliaStar, in 2000.
- As a part of the changeover team, Mueller became an expert on all aspects of the ERP system including financial reporting, journal entries, checks and wire payment processing.
- He was mistakenly given the authority to request and approve checks up to $250,000. A co-worker also was accidentally granted the same privileges, while a subordinate was authorized to request checks.
- Mueller, his subordinate, and the co-worker knew each other's passwords and often logged on as one another to get work done (workaround to accomplish tasks when others were out).
- Mueller realized that he could log on as his co-worker or subordinate and request a check, then log on as himself and approve the check that he had requested.
- Mueller and his subordinate were also allowed to physically pick up checks.

And so the scheme begins
- Pressured by personal credit card debt, Mueller began to request and approve checks payable to his credit card company. He paid off $88,000 of credit card debt through this method.
- A returned check stopped his spree for a few months.
- He resumed his scheme, with a slightly more sophisticated method.
  - He set up a company (fake vendor to ING), opened a bank account, and began to issue checks to the company.
  - He coordinated his check issuance days with the days that his subordinate was off, thereby allowing him to pick up the checks.
  - He deposited the checks in the bank account of the fake vendor.
  - He recorded the offsetting expense to ledger accounts that he controlled and that had significant reconciliation activity.
- Mueller told his wife that the extra money was from gambling winnings. After a while, she began to doubt that explanation, and they divorced.

Outcome
- Mueller's fraud netted nearly $8.5 million in four years (2003 until 2007).
- Mueller bought expensive cars, watches, and nighttime entertainment and paid for numerous trips from Minnesota to Las Vegas.
- The fraud was uncovered when Mueller's ex-wife expressed her doubts about his income to his co-worker. The co-worker then analyzed company records, spotted questionable transactions, and brought them to management's attention.
- Mueller was sentenced to 97 months in federal prison after pleading guilty to fraud. He began his term in February 2009 at the Federal Prison Camp in Duluth, MN, and was released in September 2014.
- Mueller has paid back about $860,000 of the money he stole.
- He now works as Director of Education for a CPA firm, and gives talks on ethics and business crimes.

Control Environment: ING deficiencies in its system of internal control

Principle 2. The oversight body should oversee the entity's internal control system.
- ING did not appear to have an antifraud strategy to deter and detect employee fraud.
- At a minimum, fraud awareness training would have alerted Mueller's co-worker that his extravagant lifestyle could be due to fraud.

Principle 4. Management should demonstrate a commitment to recruit, develop and retain competent individuals.
- Mueller's employment with ING was as a result of an acquisition, and effectively bypassed any pre-employment screens (past employment verification, background check, credit check) that ING might have had in place.

Principle 5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities.
- Individuals were not held accountable for their internal control responsibilities.
- AP clerk did not investigate the returned check.
- Accountants were sharing passwords.

Risk Assessment: ING deficiencies in its system of internal control

Principle 8. Management should consider the potential for fraud when identifying, analyzing and responding to risks.
- ING did not appear to have performed an assessment of fraud risk.

Principle 9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
- ING did not perform an assessment of how the business acquisition impacted the system of internal control.

Control Activities: ING deficiencies in its system of internal control

Principle 10. Management should design control activities to achieve objectives and respond to risks.
- No physical safeguards of assets.
- Lack of segregation of duties - individuals should not be able to request checks, approve checks and have access to the checks.
- Minimize the ability to generate free form entries or modify the account to which a transaction can post.
- Require secondary approval of free form entries (journal vouchers).
- Untimely or lack of account reconciliation including research and resolution of variances and management review.

Control Activities (cont.): ING deficiencies in its system of internal control

Principle 11. Management should design the entity's information system and related control activities to achieve objectives and respond to risks.
- Access controls should be implemented to identify and authenticate users.
- Although passwords were used, users shared their passwords with other users.
- Consider the use of multiple authentication techniques: passwords, smart cards, tokens, biometrics based on risk.
- Mask passwords during entry, require frequent password changes, require a minimum number and type of characters, and require account lock outs after unsuccessful password entry attempts.
- Control user accounts by restricting user access to certain information and capabilities (SoD).
- Employ the use of roles, aligned with system permissions.
- Security access changes should be logged and periodically reviewed.
- Terminate accounts for separated users and/or inactive users.
- Changes to master data should be logged and reviewed.
- Define transaction posting logic for ledger entries (e.g. based on transaction codes or posting definitions).

Information and Communication: ING deficiencies in its system of internal control

Principle 13. Management should use quality information to achieve the entity's objectives.
- Data analytics could have been performed to identify atypical trends. This may have raised alerts to the fake vendor.

Principle 14. Management should internally communicate the necessary quality information to achieve the entity's objectives.
- Reports detailing the results of data analysis should be reviewed and distributed to management.
- Abnormal interactions with outside parties (e.g. errors, refunds, and overpayments) should be communicated to and reviewed by a risk management person knowledgeable in financial matters.

Principle 15. Management should externally communicate the necessary quality information to achieve the entity's objectives.
- The AP clerk should have called the credit card company to inquire as to why it returned the check, rather than just send the returned check back to Mueller.

Monitoring: ING deficiencies in its system of internal control

Principle 16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
- ING management was not regularly monitoring roles and permissions within the ERP system and evaluating whether individuals' duties were appropriately segregated.
- Reconciliation results were not reviewed.

Principle 17. Management should remediate identified internal control deficiencies on a timely basis.
- Although an internal company review showed that Mueller and his co-worker had check approval authorities, no further review of transactions appeared to have been conducted.
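
An added example, not part of the original presentation, of the periodic review that Principles 11, 13 and 16 call for in the ING case: it audits role grants for segregation-of-duties conflicts and screens a check register for request, approval and custody patterns that stay visible even when passwords are shared. The permission names, account names, payees and register rows are all constructed for illustration.

```python
from collections import defaultdict

# Duties one account should never hold together (assumed permission names).
TOXIC_PAIRS = [
    ("request_check", "approve_check"),
    ("approve_check", "pickup_check"),
]

# Constructed role grants modelled on the case study: two accounts can both
# request and approve, and two people may physically pick up checks.
GRANTS = {
    "manager": {"request_check", "approve_check", "pickup_check"},
    "coworker": {"request_check", "approve_check"},
    "subordinate": {"request_check", "pickup_check"},
    "ap_clerk": {"request_check"},
}

# Constructed check register rows (picked_up_by None means the check was mailed).
CHECKS = [
    {"id": 1001, "requester": "ap_clerk", "approver": "coworker",
     "picked_up_by": None, "payee": "Office Supply Co", "amount": 1200},
    {"id": 1002, "requester": "coworker", "approver": "manager",
     "picked_up_by": "manager", "payee": "Card Issuer", "amount": 22000},
    {"id": 1003, "requester": "subordinate", "approver": "manager",
     "picked_up_by": "manager", "payee": "Vendor X LLC", "amount": 180000},
    {"id": 1004, "requester": "coworker", "approver": "manager",
     "picked_up_by": "manager", "payee": "Vendor X LLC", "amount": 240000},
    {"id": 1005, "requester": "subordinate", "approver": "manager",
     "picked_up_by": "manager", "payee": "Vendor X LLC", "amount": 95000},
    {"id": 1006, "requester": "ap_clerk", "approver": "coworker",
     "picked_up_by": None, "payee": "Office Supply Co", "amount": 800},
]


def role_conflicts(grants):
    """Return {account: [conflicting permission pairs]} for SoD violations."""
    conflicts = {}
    for account, perms in grants.items():
        hits = [pair for pair in TOXIC_PAIRS if set(pair) <= perms]
        if hits:
            conflicts[account] = hits
    return conflicts


def review_checks(checks, grants, min_payee_checks=3):
    """Return {check_id: [reasons]} for disbursements needing independent review."""
    findings = defaultdict(list)
    by_payee = defaultdict(list)
    for c in checks:
        by_payee[c["payee"]].append(c)
        if c["requester"] == c["approver"]:
            findings[c["id"]].append("requested and approved by same account")
        if c["picked_up_by"] is not None and c["picked_up_by"] == c["approver"]:
            findings[c["id"]].append("approver took custody of the check")
        # Shared passwords defeat the requester != approver test, so also flag
        # requests entered under any account that could itself approve.
        if "approve_check" in grants.get(c["requester"], set()):
            findings[c["id"]].append("requester account also holds approval authority")
    # Payee concentration: every check to this payee rests on one approver.
    for payee, rows in by_payee.items():
        if len(rows) >= min_payee_checks and len({r["approver"] for r in rows}) == 1:
            for r in rows:
                findings[r["id"]].append("payee paid only on one approver's authority")
    return dict(findings)


def flagged_total(checks, findings):
    """Sum the amounts of all flagged checks."""
    return sum(c["amount"] for c in checks if c["id"] in findings)


if __name__ == "__main__":
    for account, pairs in role_conflicts(GRANTS).items():
        print(f"SoD conflict: {account} holds {pairs}")
    results = review_checks(CHECKS, GRANTS)
    for check_id in sorted(results):
        print(check_id, "; ".join(results[check_id]))
    print("Amount under review:", flagged_total(CHECKS, results))
```

No single rule catches every flagged check here: the custody and payee-concentration rules cover the requests entered under the subordinate's account, which holds no approval authority.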

Speaker Contact Information

For more information, contact:
Melinda J. DeCorte, CPA, CFE, CGFM, PMP
Direct (703) 725-8559
melindadecorte@gmail.com