FRAUD IN GOVERNMENT AN OPEN DISCUSSION. Presented By William Blend, CPA, CFE

AGENDA
- Fraud and Ethics Discussion
- Fraud Triangle and Beyond
- Data from 2016 ACFE Report to the Nations
- Recent Fraud Investigations
- Government Audit Expectation GAP
- Red Flags
- Internal Controls

FRAUD AND ETHICS DISCUSSION

How is Ethics Related to Fraud?
Because ethics is a discipline dealing with what is good and bad and with moral duty and obligation.

What is Ethics?
Ethics is:
- A set of moral principles or values
- A theory or system of moral values
- The principles of conduct governing an individual or a group
- A guiding philosophy

Ethical Conflicts
- Personal Values vs. Social Values
- Self Interests vs. Benefits to Others
- Personal Values vs. Organizational Rules
- Ethical Codes vs. Benefits to Others
- Honesty vs. Benefits to Others
- Personal Values vs. Social Norms

FRAUD DISCUSSION

Fraud Triangle (figure; surviving labels: "The capability to commit the fraud", "Opportunity")

The Fraud Environment
- OPPORTUNITY: "I'll take the cash from the deposit, write off the A/R as bad debt. I can work around the controls."
- INCENTIVE: "How will I pay my bills? Kids need. I want. Casino night. Drugs."
- RATIONALIZATION: "I deserve a raise... I work long hours... I should have been promoted... I'll pay it back."

Fraud Motivation (MICE)
- Money
- Ideology
- Coercion
- Ego/Entitlement

The Fraud Diamond
Considers Two Types of Fraudsters
(figure; surviving label: "The capability to commit the fraud")

Fraudsters: More Details
Accidental Fraudster
- Focus of Fraud Triangle
- First-Time Offender
- Well-Educated, Male, Middle Class, Good Person
- Pressure Occurs
- Rationalization
Predator Fraudster
- Deliberate, Arrogant
- Seeks Opportunities
- No Pressure or Rationalization
- May Begin as Accidental
- Criminal Mindset

Fraud, Waste and Abuse
Fraud as defined by Generally Accepted Government Auditing Standards: A type of illegal act involving the obtaining of something of value through willful misrepresentation. Whether an act is, in fact, fraud is a determination to be made through the judicial or other adjudicative system and is beyond the auditor's professional responsibility.

Fraud, Waste and Abuse (Cont.)
Waste involves the taxpayers/public not receiving reasonable value for money in connection with any government-funded activities due to an inappropriate act or omission by individuals with control over or access to government resources (e.g., executive, judicial or legislative branch employees, grantees or other recipients). Waste goes beyond fraud and abuse, and most waste does not involve a violation of law. Rather, waste relates primarily to mismanagement, inappropriate actions and inadequate oversight.

Fraud, Waste and Abuse (Cont.)
Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate. Abuse does not necessarily involve fraud, violation of laws, regulations, or provisions of a contract or grant agreement.

DATA FROM 2016 ACFE REPORT TO THE NATIONS

Victim Organizations - Government

How Occupational Fraud is Committed: Duration of Fraud Based on Scheme Type

Detection of Fraud Schemes: Initial Detection of Occupational Frauds

Detection of Fraud Schemes (Cont.): Source of Tips

Perpetrators: Position of Perpetrator, Frequency and Median Loss

Perpetrators (Cont.): Gender of Perpetrator, Frequency

Perpetrators (Cont.): Age of Perpetrator, Frequency & Median Loss

Perpetrators (Cont.): Tenure of Perpetrator, Frequency and Median Loss

Perpetrators (Cont.): Behavioral Red Flags of Perpetrators

REAL LIFE CASES

Dixon, Illinois: Lessons Learned
Source: ACFE article "The horses take a nasty fall, Part 2 of 2"
- Crundwell, on a govt. salary of $80k per year, was living a lavish horse show lifestyle. If she was making that kind of money riding horses, why would she work for a government?
- We have all heard it before: segregation of duties and internal controls (often touted, seldom followed) are absolutely necessary.

Dixon, Illinois: Lessons Learned (Cont.)
- Crundwell was able to authorize and open accounts, make payments, write checks, do transfers, etc.
- Excuses that the State owed the City money should have been questioned and followed up on.
- As City Comptroller, she was responsible for picking up and distributing mail.
- Trust of this employee clouded the judgment of officials and led to a lack of controls and of the important role of oversight.

Dixon, Illinois: Lessons Learned (Cont.)
- Segregate duties throughout the structure of Dixon.
- The City is reviewing possible actions. Examples of possible actions:
  - A CFE should be added to the staff of the City.
  - The external auditor should be a CPA who's also a CFE.
  - The mayor and all council members should approve new bank accounts.
  - Two responsible members of management (possibly the mayor and a council member) should review and approve all invoices.
  - All payments exceeding a set amount based on operational budget should have two signatures for approval.
  - The City council should review and approve all transfers of funds between accounts, including wire transfers.

Dixon, Illinois: Lessons Learned (Cont.)
The mayor and/or council should provide initial anti-fraud orientations for new employees and mandatory, annual anti-fraud reorientations, which would include:
- The City's fraud prevention policies.
- A statement of zero tolerance of fraudulent activities.
- A discussion of red flags that employees have to report and how to report them.
These three previous items have to be included in the annually updated employee handbook.

Dixon, Illinois: Lessons Learned (Cont.)
The mayor and/or council should provide initial anti-fraud orientations for new employees and mandatory annual anti-fraud reorientations, which would include (Cont.):
- Establish an anonymous fraud hotline.
- Implement mandatory job rotation.
- Fully explain the vacation policy, which includes mandatory vacations.
- A designated official (mayor or council member) would initiate surprise audits by internal auditors or audit teams to review all or select transactions, accounts and financial statements.

Recent Fraud Investigations
- The Parks and Recreation - $88K
- The Landfill Employee
- The Bookkeeper and the Corporate Credit Card - $20K
- The Team CEO + CFO - $305k

Parks and Recreation
- Customer receipts submitted with daily deposits did not match checks and/or money orders actually deposited.
- Customer receipts found which were never deposited.
- Cash receipts found which were never matched to corresponding deposits.
- Missing receipt numbers discovered, indicating additional missing deposits.
- Ticket sales did not reconcile to deposits.
- Instructor receipts marked void but corresponding payroll paid to instructors.

Bookkeeper and Corp. Cr. Card
- Unsupported credit card transactions
- Checks written supported by invoice copies attached as support
- Checks written supported by receipt cut off before tax amount
- No supporting documentation of credit card transactions
- Payments to family members

The Team CEO + CFO
- Falsified healthcare reimbursement plan payments
- Personal transactions on corporate credit card
- Auto lease

ORGANIZATION'S ANTI-FRAUD SCORE? FOOD FOR THOUGHT

Organizational Fraud Checkup
- Purpose: potential clients think about possible issues that could impact their organization.
- Consider offering this as a service to clients, but remember, they should have legal representation involved.

Organizational Fraud Checkup (Cont.)
- Fraud risk oversight: to what extent has the organization established a process for oversight of fraud risk by its governance?
- Fraud risk ownership: how has the organization created ownership of fraud risk by identification of parties having responsibilities for fraud risk and communication to others in the organization of responsible parties?
- Fraud risk assessment: to what extent has the organization implemented an ongoing process to evaluate the risk of fraud in the organization?

Organizational Fraud Checkup (Cont.)
- Fraud risk tolerance and risk management policy: does the organization have an approved fraud risk tolerance and risk management policy which includes a fraud risk component?
- Process-level anti-fraud controls / re-engineering: how has the organization implemented measures to reduce each of the significant fraud risks identified through the fraud risk assessment?

Organizational Fraud Checkup (Cont.)
- Environment-level anti-fraud controls: to what extent has the organization implemented a process to promote ethical behavior, deter wrongdoing and promote two-way communication on difficult issues?
- Proactive fraud detection: to what extent has the organization established a process to detect, investigate and resolve potentially significant fraud?

GOVERNMENT AUDIT EXPECTATION GAP

Types of Audits
- Financial statement audits
  - Focuses on looking for misstatements in the financial statements
- OMB Circular A-133 Compliance Audits (or Single Audits)
  - Focuses on compliance with federal programs requirements and internal control over federal expenditures
- Forensic (Fraud) Audits
  - Focuses on identification of fraud. Usually, narrowly focuses on specific allegation or suspected fraudulent activity

Role of Financial Statement Audit
- Primarily for an opinion about the fair presentation of the financial statements
- Provide only reasonable assurance that the financial statements are free from material misstatement, regardless of cause, but reasonable is defined as a high level of assurance
- However, the role shouldn't be taken for granted, as many analytical relationships among the financial statements, when performed by the auditor, can expose the potential issue

Financial Statement Audits
- Only a small percentage of fraud detected by financial statement audit
- Financial statement audits are not fraud or forensic audits
- Objective is issuing an opinion of financial statements
- The auditor's report only gives reasonable assurance that there are no material misstatements in the financial statements
- Auditors are not required to detect fraud

Financial Statement Audits (Cont.)
- Auditor's consideration of fraud risk is limited to material misstatements in the financial statements
- Auditors obtain an understanding of internal control over financial reporting when planning the audit
- A financial statement audit can provide valuable insight into adequacy of internal controls
- Control weaknesses could be key indicator of a fraud opportunity
- Auditors must exercise professional skepticism during the audit

AU-C Section 240: Consideration of Fraud in a Financial Statement Audit
The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement, whether caused by error or fraud.
- Professional skepticism
- Discussion among engagement personnel
- Identify risks of material misstatement
- Assess the risk
- Respond to the results
- Evaluate audit evidence
- Communicate with management and those charged with governance
- Document consideration of fraud

Government Auditing Standards: Reporting Fraud in a Financial Statement Audit
In an audit performed in accordance with Government Auditing Standards, the auditor has additional responsibilities related to reporting fraud above what is required in AU-C 240.
If the auditor concludes that fraud has occurred or is likely to have occurred:
- Include in the report on internal control over financial reporting and on compliance and other matters.
- Information about fraud with material effect on the financial statements that warrant the attention of those charged with governance.
- Information that does not warrant the attention of those charged with governance, the auditor's determination of whether and how to communicate such instances to auditee officials is a matter of professional judgment.

OMB A-133, Single Audit: Assessing Risk of Material Noncompliance Due to Fraud
- AU-C 240 also applies to a compliance audit
- In a Circular A-133 audit, the assessment of fraud risk relates to fraudulent acts that may result in a material noncompliance with a major federal program's compliance requirements or the misappropriation of federal funds

OMB A-133, Single Audit: Assessing Risk of Material Noncompliance Due to Fraud (Cont.)
- As part of the risk-assessment process in a Single Audit, the auditor should:
  - Specifically assess the risk of material noncompliance with a major program's compliance requirements occurring due to fraud (fraud risk)
  - Consider that assessment in designing the audit procedures to be performed
- The assessment of fraud risk should be ongoing throughout the audit
- Use professional judgment in adapting AU-C 240 to the objectives of a Single Audit

OMB A-133, Single Audit: Assessing Risk of Material Noncompliance Due to Fraud (Cont.)
Suggested Single Audit risk assessment fraud procedures:
- Conducting a meeting of audit team members to discuss the risks of material noncompliance due to fraud
- Gathering information necessary to assess fraud risk factors for major programs
- Documenting entity-wide programs and controls in place to prevent, detect, and deter fraud
- Inquiring of management, those charged with governance, internal audit, and others about the risks of fraud related to major programs

RED FLAGS

Behavioral Red Flags
- Providing unreasonable responses to questions
- Bragging about significant new purchases
- Refusing promotions
- Easily annoyed at inquiries
- Refusing to take vacations

Behavioral Red Flags (Cont.)
- Borrowing money from co-workers
- Gambling, drug use
- Excessive drinking
- Creditors or collectors appearing at workplace
- Change in normal behavior

Procurement Fraud and Red Flags
Unjustified Sole Source: Unjustified sole source is defined as a fraudulent act involving procurement personnel who, in collusion with a supplier, improperly award a contract without competition or prior review.

Procurement Fraud and Red Flags (Cont.)
Unjustified Sole Source red flags:
- Sole source award above or just below competitive bidding limit.
- Previously competitive procurements become noncompetitive.
- Vague justification or documentation requesting a non-competitive award.
- Split purchases to avoid competitive bidding limits.

Procurement Fraud and Red Flags (Cont.)
Unjustified Sole Source red flags (Cont.):
- Contract requirements were not reviewed and validated by management.
- Contract requirements appear to be tailored to a specific contractor.
- Awards made below the competitive bid limits that are followed by change orders that exceed such limits.

Procurement Fraud and Red Flags (Cont.)
Change Order Abuse: A contractor, acting alone or in collusion with contract personnel, can submit unjustified or inflated change order requests to increase profits, or, as a result of corruption, use the change order process to extend a contract that should be re-bid.

Procurement Fraud and Red Flags (Cont.)
Change Order Abuse red flags:
- Weak internal controls and procedures regarding review or need for change orders.
- Numerous, unusual or unexplained change orders for a specific contractor approved by the same employee.
- Pattern of low-bid award followed by change orders that increase the price or scope of the contract, or extend the contract period.
- Vague contract specifications followed by change orders.

Procurement Fraud and Red Flags (Cont.)
Change Order Abuse red flags (Cont.):
- Poorly documented change orders, or change order requests in round number amounts, if that is unusual for the job.
- Pattern of change orders just below upper-level approval limit.
- High-level personnel involved in change order decisions, especially for specific contractors.
- Purchase orders or contracts extended by change order, rather than re-bidding of contract.

Procurement Fraud and Red Flags (Cont.)
Split Purchases: A single procurement can be split into two or more purchase orders or contracts, each below upper-level review or competitive bidding thresholds, to avoid review or competitive selection. Repetition of this scheme, favoring the same parties, can be a strong indicator of corruption.

Procurement Fraud and Red Flags (Cont.)
Split Purchase red flags:
- Two or more similar procurements from the same supplier in amounts just under competitive bidding or upper-level review limits.
- Unjustified separation of purchases, e.g., separate contracts for labor and materials, each of which is below competitive bidding limits, but when combined is over such limits.
- Sequential purchase orders or invoices under upper-level review or competitive bidding limits.
- Contracts under the competitive bid limit followed by change orders that increase amount of the contract.
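
The split-purchase red flags above can be run as a data-mining test over a purchase-order ledger. The sketch below is an added example, not part of the original presentation; the 25,000 bidding limit, the 30-day window, the 90% "just under" band, the field names and the sample rows are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

# Assumed policy values; substitute the entity's own thresholds.
BID_LIMIT = Decimal("25000")     # competitive bidding limit
NEAR_BAND = Decimal("0.90")      # "just under" = at least 90% of the limit
WINDOW = timedelta(days=30)      # purchases this close together are compared

# Constructed sample ledger (not real data).
PURCHASES = [
    {"po": "PO-1001", "vendor": "Acme Paving", "date": date(2017, 3, 1),
     "amount": Decimal("24500"), "desc": "Lot resurfacing - labor"},
    {"po": "PO-1002", "vendor": "Acme Paving", "date": date(2017, 3, 3),
     "amount": Decimal("23900"), "desc": "Lot resurfacing - materials"},
    {"po": "PO-1010", "vendor": "Brook Office Supply", "date": date(2017, 3, 5),
     "amount": Decimal("1200"), "desc": "Toner"},
    {"po": "PO-1020", "vendor": "Brook Office Supply", "date": date(2017, 3, 20),
     "amount": Decimal("900"), "desc": "Paper"},
    {"po": "PO-1030", "vendor": "Cedar HVAC", "date": date(2017, 1, 10),
     "amount": Decimal("24000"), "desc": "Chiller repair"},
    {"po": "PO-1090", "vendor": "Cedar HVAC", "date": date(2017, 6, 15),
     "amount": Decimal("24800"), "desc": "Boiler repair"},
    {"po": "PO-1100", "vendor": "Delta Construction", "date": date(2017, 4, 1),
     "amount": Decimal("80000"), "desc": "Bid contract, annex roof"},
]


def _po_number(po):
    """Trailing integer of a PO identifier, or None if it has none."""
    match = re.search(r"(\d+)$", po)
    return int(match.group(1)) if match else None


def _sequential(rows):
    """True when every PO number in the cluster is consecutive."""
    nums = sorted(n for n in (_po_number(r["po"]) for r in rows) if n is not None)
    return len(nums) == len(rows) and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def find_split_purchases(purchases, limit=BID_LIMIT, window=WINDOW):
    """Flag same-vendor clusters of under-limit purchases that together exceed the limit."""
    by_vendor = defaultdict(list)
    for p in purchases:
        if p["amount"] < limit:          # over-limit purchases already went to bid
            by_vendor[p["vendor"]].append(p)

    findings = []
    for vendor, rows in by_vendor.items():
        rows.sort(key=lambda r: r["date"])
        i = 0
        while i < len(rows):
            # Collect every purchase within `window` of the cluster's first purchase.
            j = i + 1
            while j < len(rows) and rows[j]["date"] - rows[i]["date"] <= window:
                j += 1
            cluster = rows[i:j]
            total = sum((r["amount"] for r in cluster), Decimal("0"))
            if len(cluster) >= 2 and total > limit:
                findings.append({
                    "vendor": vendor,
                    "pos": [r["po"] for r in cluster],
                    "total": total,
                    # How many purchases sit just under the limit.
                    "near_limit": sum(1 for r in cluster if r["amount"] >= limit * NEAR_BAND),
                    "sequential": _sequential(cluster),
                })
                i = j                    # do not report the same purchases twice
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for f in find_split_purchases(PURCHASES):
        print(f["vendor"], f["pos"], f["total"],
              "near-limit:", f["near_limit"], "sequential:", f["sequential"])
```

A hit is a lead for review of the supporting justification, not a finding of fraud; widening the window trades more leads for more false positives.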

Procurement Fraud and Red Flags (Cont.)
Fictitious Vendor: An employee with procurement responsibilities, or in accounts payable, or an outsider, submits bills from a non-existent vendor. Normally, fictitious vendors claim to provide services or consumables, rather than goods or work that can be verified. Dishonest bidders also can submit bids from fictitious bidders as part of bid-rigging schemes.

Procurement Fraud and Red Flags (Cont.)
Fictitious Vendor red flags:
- Paid vendors are not on the approved vendor list or listed in business or telephone directories.
- Invoiced goods or services cannot be located or verified.
- Inadequate vendor identification information.
- Incorrect or non-existent address or phone number.
- Vendor address or telephone number is the same as an employee's.

Procurement Fraud and Red Flags (Cont.)
Fictitious Vendor red flags (Cont.):
- Small initial purchase from vendor, followed by much larger purchases.
- Payment provided without an invoice.
- Copied or unusual supporting documents, such as purchase order or receiving document submitted with invoice.
- Multiple companies that have the same address/telephone numbers.

Cash Collection Fraud and Red Flags
Cash Collection Environment Fraud: when employees manipulate cash register transactions or operations to steal cash, inventory items, or non-cash assets. In governments, this often happens at locations such as recreation departments, offsite inventory locations, special events, golf course pro-shop, etc.

Cash Collection Fraud and Red Flags (Cont.)
Cash Collection Fraud red flags:
- Insufficient supervisory review of cashiers' daily activities.
- Cashiers working out of open cash drawers/boxes.
- Cashiers have access to register Read and Reset keys. Cashier can then clear registers, determine sales figures for the day, and accumulate/remove overages at the end of day.
- Cash register "Read Window" blocked from patron's view, allowing cashier to not ring or under-ring sales.

Cash Collection Fraud and Red Flags (Cont.)
Cash Collection Fraud red flags (Cont.):
- Advance approval for voided transactions, refunds, and over-rings is not required.
- Excessive use of the no sale key.
- Cash deposits not received by the bank.
- Excessive use of coupons and discounts.
- Weak cash handling procedures and cash accounting records.
- Significant inventory adjustments; generally write-offs.
- Significant/unexpected changes in sales without reasonable explanation.

Credit Card Fraud and Red Flags
Credit Card Fraud: Employees use an organization's credit card to make unauthorized purchases. Credit cards are sometimes used to circumvent procurement policies.

Credit Card Fraud and Red Flags (Cont.)
Credit Card Fraud red flags:
- Unreasonable or unexplained high volume of purchases from a particular vendor.
- Split purchases without purchase order to avoid upper-level review or to circumvent the purchasing policy.
- Receipts or invoices supporting purchases are missing or photocopied, which may indicate they were altered.
- Receipts or invoices are not sufficiently detailed to document actual purchases.

Credit Card Fraud and Red Flags (Cont.)
Credit Card Fraud red flags (Cont.):
- Lack of proper approvals and/or separation of functions, such as requiring manager approval prior to purchase, cardholder makes the purchase, and an independent person receives the purchase.
- Vendor used excessively by only one cardholder.
- Purchases made during weekends or holidays which are outside of cardholder's or organization's work schedule period.

CONTROLS ARE THE KEY

Types of Controls
- Preventive
- Detective
- Corrective
- Manual and Automated

The COSO Framework: Relationship of Objectives and Components
- Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)
- COSO depicts the relationship in the form of a cube:
  - The three objectives are represented by the columns
  - The five components are represented by the rows
  - The entity's organizational structure is represented by the third dimension
Source: COSO

Standards: COSO vs. Green Book

Component | COSO | Green Book
Control Environment | 5 Principles, 20 Points of Focus | 5 Principles, 13 Attributes
Risk Assessment | 4 Principles, 27 Points of Focus | 4 Principles, 10 Attributes
Control Activities | 3 Principles, 16 Points of Focus | 3 Principles, 11 Attributes
Information & Communication | 3 Principles, 14 Points of Focus | 3 Principles, 7 Attributes
Monitoring | 2 Principles, 10 Points of Focus | 2 Principles, 6 Attributes

Note: GAO combined COSO's points of focus into attributes

What Are the Five Standards for Internal Control?
The five standards for internal control are:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communications
- Monitoring

Control Environment
Control Environment sets the tone of an organization, influencing staff awareness of good controls, procedures, accountability, and program management. It is the foundation for all other components of internal control, providing discipline and structure.
Red Flags
- The agency or program has recently undergone major change, e.g., new responsibilities, reorganization, cuts in funding, expansion of programs, changes in management.
- Employees are generally disgruntled.
- Top management is unaware of actions taken at the lower level of the organization.
- The organizational structure is inefficient or dysfunctional.

Risk Assessment
Risk Assessment is the identification and analysis of relevant risks associated with achieving program or agency objectives, such as those defined in strategic and annual performance plans, and forming a basis for determining how risks should be managed.
Red Flags
- The agency or program does not have well-defined objectives. (If the agency does not know what it is trying to accomplish, it will not be able to adequately assess risks.)
- The agency or program does not have adequate performance measures. (If you don't know how to measure success or whether the program is successful, you will not be able to adequately assess risks.)
- The agency or program does not have an adequate strategic plan.

Control Activities
Control Activities are the policies and procedures established to achieve the entity's objectives. They help ensure that management's directives are carried out in daily program operations.
Red Flags
- Agency or program is understaffed and/or workload has drastically increased, and staff are having difficulties handling operational workload.
- There have been previous issues with fraud, waste, or abuse.
- Employees are unaware of policies and procedures, but do things the way they have always been done.
- Key documentation is often lacking or does not exist.

Information and Communication
Information and Communication is needed by management and employees to monitor progress in meeting the organization's mission and objectives while maintaining proper accountability and internal control.
Red Flags
- When top management needs information, there is a mad scramble to assemble the information, or the process is handled through ad hoc mechanisms (e.g., the information was not readily available).
- Staff is frustrated by requests for information because it is time-consuming and difficult to provide the information.
- Management does not have reasonable assurance that the information it is using is accurate.

Monitoring
Monitoring is accomplished through routine, ongoing activities, separate evaluations, or both. Internal control systems should be monitored to assess their effectiveness and to modify procedures as appropriate based on results of the monitoring activities (feedback).
Red Flags
- Previous audit findings are not being resolved adequately or timely.
- Significant problems exist in controls and management was not aware of those problems until a big problem occurs, or until another outside party brings it to their attention (e.g., a recipient of funding, or an external audit).

Questions or Comments