Melinda J. DeCorte, CPA, CFE, CGFM, PMP Melinda DeCorte has over 19 years of accounting, auditing and government financial management experience. She directs, manages and serves in a quality assurance capacity for financial statement audits conducted in accord with government auditing standards. Additionally, she has extensive governmental consulting experience focusing on internal controls and risk assessments, financial statement preparation, financial system implementation, and evaluating agencies for audit readiness and compliance with internal control standards and generally accepted accounting principles. Prior to her career in public accounting, Melinda served as a commissioned officer in the United States Army, Finance Corps. Melinda serves as the Vice Chair of the national AGA Professional Ethics Board and on the advisory council to the GAO in updating the Standards for Internal Control in the Federal Government (Green Book). She is also currently serving as the President of the Dallas chapter of the AGA.
Internal Control: Application of GAO's Green Book
April 27, 2017
Association of Government Accountants, Dallas Chapter, Professional Development Training

Session Objectives
- What is internal control and why is it so important?
- What tools can I leverage to design and implement an effective system of internal control?
- How do I apply the GAO Green Book?
What is internal control?
- An integral component of an organization's management that provides reasonable assurance that the objectives of the organization are being achieved
- Objectives and related risks can be broadly classified into three categories:
  - Efficient and effective operations
  - Reliable reporting
  - Compliance with laws and regulations
- Internal control includes the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, and objectives of the organization

Fundamental concepts
- Geared towards the achievement of objectives: operations, reporting and compliance
- A process that is continuously evolving
- Effected by the organization's people and the actions they take (or fail to take)
- Provides reasonable, but not absolute, assurance
- Adaptable and flexible
- Comprised of the five components working in an integrated manner
Why is internal control important?
- Helps managers achieve desired results
  - Efficient program operations (delivering public services to us, the citizens)
  - Effective stewardship of public resources (our taxpayer dollars)
- Provides reasonable assurance that the amounts and disclosures reported in the organization's financial statements are materially accurate
  - Necessary in achieving a clean audit opinion with no reportable internal control deficiencies
  - Important in municipal bond ratings (evaluating the credit risk in determining whether to purchase)

OK, but why is internal control really important?
- Serves as the first line of defense in safeguarding assets and preventing fraud
  - Misappropriation of cash and other assets
  - Fraudulent financial reporting (perhaps to cover up misappropriation or to achieve a desired outcome)
- Helps to deter public corruption
- Avoid embarrassment, public humiliation and ending up on the front page of the newspaper!
The Trusted Treasurer: Rita Crundwell, Dixon, IL

Outcome
- The Trusted Treasurer was indicted on 60 felony theft counts and was found guilty in Nov 2012
- Sentenced to 19 years and 7 months in federal prison (Minnesota) in Feb 2013
- She'll be 77 years old upon her release (March 2030)

As a result of her fraud
- City police could not afford to upgrade squad car radios or make new hires
- Streets could not be resurfaced
- A waste water treatment facility had to be delayed
- The city had to issue $3 million in bonds to cover financial obligations
Dixon, IL Net Monetary Loss
- $10 million attorneys' fees for investigating the fraud and negotiating settlements with accounting firms and the bank
- $35.15 million settlement with the CPA firm that assisted Dixon with accounting and financial management
- $1 million settlement with the CPA firm that performed Dixon's annual audit since 2006
- $3.85 million settlement with the bank where Dixon's accounts were maintained and where Crundwell set up the fake account

Dixon, IL Net Monetary Loss
  Amount misappropriated by Crundwell        $54 million
  Attorneys' fees                            $10 million
  Loss to Dixon                              $64 million
  Recovery from sale of Crundwell assets     $10 million
  Settlement with CPA firms and bank         $40 million
  Dixon's net monetary loss                  $14 million

No price can be set for the loss of faith in the city's public officials
What could Dixon have done?
- A study of reported occupational fraud cases in public sector entities published in the Journal of Government Financial Management* noted the following top three internal control weaknesses:
  - Lack of management or independent reviews
  - Abuse of authorizations to access cash, other assets or information systems
  - Inadequate level of transaction recordkeeping / documentation
- Dixon could have leveraged the GAO Green Book to design, implement and maintain an effective system of internal control
- Even on a small ($7-8M) budget, the city could have implemented effective internal control that would have prevented, or at least quickly detected, this fraud
*Winter 2014 edition

Standards for Internal Control
- The United States Comptroller General (Government Accountability Office) has issued standards for internal control in the government
  - Green Book effective beginning fiscal year 2016 and for the FMFIA reports covering that year
- The Green Book is available on GAO's website at: www.gao.gov/greenbook
Green Book Through the Years: 1983 to Present

Standards for Internal Control
- The Green Book is written for government; it leverages the COSO updated Internal Control Integrated Framework that was released in May 2013
- Uses government terms
- Can be used by management to understand requirements and by auditors to understand criteria
- Cited in the UGG as an acceptable framework for internal control for state and local governments
- Five components of internal control, 17 principles, 48 attributes
  - All components and principles are requirements for establishing an effective internal control system
  - The attributes provide further explanation of the requirements
Revised Green Book: Standards for Internal Control in the Federal Government

Revised Green Book: Overview
- Explains fundamental concepts of internal control
- Addresses how components, principles, and attributes relate to an entity's objectives
- Discusses management evaluation of internal control
- Discusses additional considerations
Fundamental Concepts
- Internal control is a process to help entities achieve objectives
- Component, Principle, Attribute
Overview: Components and Principles
- In general, all components and principles are required for an effective internal control system
- Entity should implement relevant principles
- If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively
- OV2.05: "The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system."

Overview: Attributes
- Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles
- OV2.07 excerpt (page 20): "The Green Book contains additional information in the form of attributes... Attributes provide further explanation of the principle and documentation requirements and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity."
Overview: Management Evaluation
- An effective internal control system requires that each of the five components is:
  - Effectively designed, implemented, and operating
  - Operating together with the others in an integrated manner
- Management evaluates the effect of deficiencies on the internal control system
- A component is not effective if related principles are not effective

Overview: Additional Considerations
- The impact of service organizations on an entity's internal control system
- Discussion of documentation requirements in the Green Book
- Applicability to state, local, and quasi-governmental entities as well as not-for-profits
- Cost/benefit and large/small entity considerations
Revised Green Book: Standards
- Explains principles for each component
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information and Communication
  - Monitoring
- Includes further discussion of considerations for principles in the form of attributes

Revised Green Book: Components and Principles
Case Study: Dixon, IL

Control Environment: Dixon deficiencies in its system of internal control
- Principle 2. The oversight body should oversee the entity's internal control system.
  - Dixon's City Council and Mayor did not oversee the design, implementation, and operation of the city's internal control system or provide direction on the remediation of any deficiencies.
  - Few internal controls in place. Crundwell was allowed to make decisions and perform Treasurer duties with virtually no oversight.
- Principle 3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity's objectives.
  - The assignment of responsibility and delegation of authority did not promote achievement of the city's objectives.
  - No consideration of the overall responsibilities assigned to Crundwell. Excessive level of authority assigned to Crundwell.
Control Environment (cont.): Dixon deficiencies in its system of internal control
- Principle 4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
  - No succession or contingency plans for the Treasurer role. No identification and training of a succession candidate or, at a minimum, an alternate individual.
- Principle 5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities.
  - No accountability for performing assigned internal control responsibilities. No consideration of internal control responsibilities in determining overall performance objectives or in evaluating performance.

Risk Assessment: Dixon deficiencies in its system of internal control
- Principle 6. Management should define objectives clearly to enable the identification of risks and define risk tolerances.
  - Dixon did not define objectives. Consequently, Dixon was unable to identify risks to achieving its objectives or determine risk tolerances.
- Principle 7. Management should identify, analyze, and respond to risks related to achieving the defined objectives.
  - Dixon did not perform a risk assessment to identify risks. Consequently, it was unable to identify internal controls to mitigate these risks.
Risk Assessment (cont.): Dixon deficiencies in its system of internal control
- Principle 8. Management should consider the potential for fraud when identifying, analyzing and responding to risks.
  - Dixon did not consider the potential for fraud involving taxpayer dollars.
  - Dixon did not consider the fraud risk factor of opportunity: lack of internal controls and ultimate trust in Crundwell provided an opportunity to commit fraud.
- Principle 9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
  - Dixon did not consider changing conditions that could affect the city and its environment (e.g., reduced state funding resulting in the need for city budget cuts).
  - Dixon did not analyze the effect of changes on the internal control system or determine whether existing controls were effective for meeting objectives or addressing risks under the changed conditions.

Control Activities: Dixon deficiencies in its system of internal control
- Principle 10. Management should design control activities to achieve objectives and respond to risks.
  - No comparison of actual performance to expected results and analysis of significant differences.
  - Lack of effective management of the city's workforce.
  - No physical control over vulnerable assets or limits on access to resources and records (e.g., control log of check stock, accountability of issued checks).
  - No segregation of duties: authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets.
    - Disbursements by check should require the approval and signature of an individual other than the individual recording the transaction and the individual reconciling the bank account.
    - Opening a new bank account should require the approval and signature of someone outside of the transaction processing role.
    - Invoice approvals should require verification of receipt of goods/services.
  - No mandatory vacation and/or rotation of duties.
Control Activities (cont.): Dixon deficiencies in its system of internal control
- Principle 12. Management should implement control activities through policies.
  - No policies documenting the internal control responsibilities.
  - No periodic review of policies, procedures, and related control activities for continued relevance and effectiveness.

Information and Communication: Dixon deficiencies in its system of internal control
- Principle 13. Management should use quality information to achieve the entity's objectives.
  - Neither management nor the City Council identified information that could have been used to inform users as to the achievement of objectives and related risks.
  - Certain data (e.g., bank statements) was obtained from internal sources that in hindsight were not reliable.
  - Data received was not processed into quality information that could be evaluated to make informed decisions.
- Principle 14. Management should internally communicate the necessary quality information to achieve the entity's objectives.
  - Management and the oversight body did not receive quality information flowing up the reporting lines from internal personnel.
  - Dixon did not have a separate line of communication for internal personnel to report sensitive and/or confidential matters, such as a whistleblower or ethics hotline.
- Principle 15. Management should externally communicate the necessary quality information to achieve the entity's objectives.
  - Management and the oversight body did not receive quality information flowing up the reporting lines from external parties.
  - Dixon did not have a separate line of communication for external parties to report sensitive and/or confidential matters, such as a whistleblower or ethics hotline.
Monitoring: Dixon deficiencies in its system of internal control
- Principle 16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
  - Dixon did not perform any monitoring of its system of internal control. Consequently, Dixon would not have known if an internal control was not operating effectively or if there was a control gap (i.e., no internal control).
- Principle 17. Management should remediate identified internal control deficiencies on a timely basis.
  - Since there were no monitoring activities, issues were not evaluated or remediated through corrective actions.

The Green Book in Action
- Relationship between the Green Book and Yellow Book
  - Can be used by management to understand requirements
  - Can be used by auditors to understand criteria
The Yellow Book: Framework for Audits
- Findings are composed of:
  - Condition (what is)
  - Criteria (what should be)
  - Cause
  - Effect (result)
  - Recommendation (as applicable)

Linkage Between Criteria (Yellow Book) and Internal Control (Green Book)
- The Green Book provides criteria for the design, implementation, and operating effectiveness of an effective internal control system
Linkage Between Findings (Yellow Book) and Internal Control (Green Book)
- Findings may have causes that relate to internal control deficiencies
Case Study: Lessons from an $8 million fraud

Background
- ING acquired Mueller's employer, life insurance company ReliaStar, in 2000.
- As a part of the changeover team, Mueller became an expert on all aspects of the ERP system, including financial reporting, journal entries, checks and wire payment processing.
- He was mistakenly given the authority to request and approve checks up to $250,000. A co-worker also was accidentally granted the same privileges, while a subordinate was authorized to request checks.
- Mueller, his subordinate, and the co-worker knew each other's passwords and often logged on as one another to get work done (a workaround to accomplish tasks when others were out).
- Mueller realized that he could log on as his co-worker or subordinate and request a check, then log on as himself and approve the check that he had requested.
- Mueller and his subordinate were also allowed to physically pick up checks.
And so the scheme begins
- Pressured by personal credit card debt, Mueller began to request and approve checks payable to his credit card company. He paid off $88,000 of credit card debt through this method.
- A returned check stopped his spree for a few months.
- He resumed his scheme with a slightly more sophisticated method. He set up a company (a fake vendor to ING), opened a bank account, and began to issue checks to the company.
- He coordinated his check issuance days with the days that his subordinate was off, thereby allowing him to pick up the checks.
- He deposited the checks in the bank account of the fake vendor.
- He recorded the offsetting expense to ledger accounts that he controlled and that had significant reconciliation activity.
- Mueller told his wife that the extra money was from gambling winnings. After a while, she began to doubt that explanation, and they divorced.

Outcome
- Mueller's fraud netted nearly $8.5 million in four years (2003 until 2007).
- Mueller bought expensive cars, watches, and nighttime entertainment and paid for numerous trips from Minnesota to Las Vegas.
- The fraud was uncovered when Mueller's ex-wife expressed her doubts about his income to his co-worker. The co-worker then analyzed company records, spotted questionable transactions, and brought them to management's attention.
- Mueller was sentenced to 97 months in federal prison after pleading guilty to fraud. He began his term in February 2009 at the Federal Prison Camp in Duluth, MN, and was released in September 2014.
- Mueller has paid back about $860,000 of the money he stole.
- He now works as Director of Education for a CPA firm, and gives talks on ethics and business crimes.
Control Environment: ING deficiencies in its system of internal control
- Principle 2. The oversight body should oversee the entity's internal control system.
  - ING did not appear to have an antifraud strategy to deter and detect employee fraud. At a minimum, fraud awareness training would have alerted Mueller's co-worker that his extravagant lifestyle could be due to fraud.
- Principle 4. Management should demonstrate a commitment to recruit, develop and retain competent individuals.
  - Mueller's employment with ING was the result of an acquisition, and effectively bypassed any pre-employment screens (past employment verification, background check, credit check) that ING might have had in place.
- Principle 5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities.
  - Individuals were not held accountable for their internal control responsibilities. The AP clerk did not investigate the returned check. Accountants were sharing passwords.

Risk Assessment: ING deficiencies in its system of internal control
- Principle 8. Management should consider the potential for fraud when identifying, analyzing and responding to risks.
  - ING did not appear to have performed an assessment of fraud risk.
- Principle 9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
  - ING did not perform an assessment of how the business acquisition impacted the system of internal control.
Control Activities: ING deficiencies in its system of internal control
- Principle 10. Management should design control activities to achieve objectives and respond to risks.
  - No physical safeguards of assets.
  - Lack of segregation of duties: individuals should not be able to request checks, approve checks and have access to the checks.
  - Minimize the ability to generate free-form entries or modify the account to which a transaction can post. Require secondary approval of free-form entries (journal vouchers).
  - Untimely or missing account reconciliation, including research and resolution of variances and management review.

Control Activities (cont.): ING deficiencies in its system of internal control
- Principle 11. Management should design the entity's information system and related control activities to achieve objectives and respond to risks.
  - Access controls should be implemented to identify and authenticate users. Although passwords were used, users shared their passwords with other users.
  - Consider the use of multiple authentication techniques (passwords, smart cards, tokens, biometrics) based on risk.
  - Mask passwords during entry, require frequent password changes, require a minimum number and type of characters, and require account lockouts after unsuccessful password entry attempts.
  - Control user accounts by restricting user access to certain information and capabilities (SoD). Employ the use of roles, aligned with system permissions.
  - Security access changes should be logged and periodically reviewed.
  - Terminate accounts for separated users and/or inactive users.
  - Changes to master data should be logged and reviewed.
  - Define transaction posting logic for ledger entries (e.g., based on transaction codes or posting definitions).
Information and Communication: ING deficiencies in its system of internal control
- Principle 13. Management should use quality information to achieve the entity's objectives.
  - Data analytics could have been performed to identify atypical trends. This may have raised alerts about the fake vendor.
- Principle 14. Management should internally communicate the necessary quality information to achieve the entity's objectives.
  - Reports detailing the results of data analysis should be reviewed and distributed to management.
  - Abnormal interactions with outside parties (e.g., errors, refunds, and overpayments) should be communicated to and reviewed by a risk management person knowledgeable in financial matters.
- Principle 15. Management should externally communicate the necessary quality information to achieve the entity's objectives.
  - The AP clerk should have called the credit card company to inquire as to why it returned the check, rather than just sending the returned check back to Mueller.

Monitoring: ING deficiencies in its system of internal control
- Principle 16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
  - ING management was not regularly monitoring roles and permissions within the ERP system and evaluating whether individuals' duties were appropriately segregated.
  - Reconciliation results were not reviewed.
- Principle 17. Management should remediate identified internal control deficiencies on a timely basis.
  - Although an internal company review showed that Mueller and his co-worker had check approval authorities, no further review of transactions appeared to have been conducted.
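As an added example (not part of the presentation and not ING's system), the following Python script sketches the role review and disbursement analytics that Principles 10, 11 and 16 above call for: a toxic-combination review of ERP role assignments, a test for checks requested and approved by the same account, and a test for checks requested under an account whose owner was recorded as on leave that day, the credential-sharing pattern described in the case background. All user names, permission names, leave dates and check records are constructed.

```python
"""Segregation-of-duties review for a check-disbursement workflow (constructed data)."""
from dataclasses import dataclass
from datetime import date

# Constructed ERP role assignments: user -> permissions held. Names are hypothetical.
ROLE_ASSIGNMENTS = {
    "mueller": {"check.request", "check.approve", "check.pickup", "journal.post"},
    "coworker": {"check.request", "check.approve"},
    "subordinate": {"check.request", "check.pickup"},
    "ap_clerk": {"check.print"},
}

# Permission pairs a single account should never hold together:
# requesting vs. approving, approving vs. custody, requesting vs. posting the expense.
TOXIC_PAIRS = (
    ("check.request", "check.approve"),
    ("check.approve", "check.pickup"),
    ("check.request", "journal.post"),
)

# Constructed HR leave calendar: user -> days the person was recorded as absent.
LEAVE = {"subordinate": {date(2005, 3, 14), date(2005, 3, 15)}}


@dataclass(frozen=True)
class Check:
    check_id: str
    issued: date
    requested_by: str   # account that entered the check request
    approved_by: str    # account that approved it
    payee: str
    amount: float


# Constructed disbursement log for the review period.
CHECKS = [
    Check("C-1001", date(2005, 3, 10), "subordinate", "coworker", "Acme Printing", 1_200.00),
    Check("C-1002", date(2005, 3, 14), "subordinate", "mueller", "MJM Consulting LLC", 185_000.00),
    Check("C-1003", date(2005, 3, 15), "coworker", "mueller", "MJM Consulting LLC", 240_000.00),
    Check("C-1004", date(2005, 3, 16), "mueller", "mueller", "Card Services Inc", 9_800.00),
]


def toxic_role_holders(assignments=ROLE_ASSIGNMENTS, pairs=TOXIC_PAIRS):
    """Periodic role review: map each user to the toxic permission pairs they hold."""
    findings = {}
    for user, perms in assignments.items():
        held = [pair for pair in pairs if perms.issuperset(pair)]
        if held:
            findings[user] = held
    return findings


def self_approved(checks=CHECKS):
    """Checks where one account both requested and approved the disbursement."""
    return [c.check_id for c in checks if c.requested_by == c.approved_by]


def requested_while_on_leave(checks=CHECKS, leave=LEAVE):
    """Checks requested under an account whose owner was recorded as absent that day,
    which points to someone else using that account's credentials."""
    return [c.check_id for c in checks if c.issued in leave.get(c.requested_by, set())]


def review(checks=CHECKS):
    """Combine the transaction-level tests into one exception report keyed by check id."""
    report = {}
    for cid in self_approved(checks):
        report.setdefault(cid, []).append("self-approved")
    for cid in requested_while_on_leave(checks):
        report.setdefault(cid, []).append("requester on leave")
    return report


if __name__ == "__main__":
    print("Toxic role combinations:", toxic_role_holders())
    print("Disbursement exceptions:", review())
```

In the constructed data the role review flags both accounts that were granted request and approve authority, while the transaction tests surface the self-approved check and the check requested under an absent colleague's account.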
Speaker Contact Information
For more information, contact:
Melinda J. DeCorte, CPA, CFE, CGFM, PMP
Direct: (703) 725-8559
melindadecorte@gmail.com