Transcription of Good Internal Control Practices and Fraud Prevention Tips
1 Good Internal Control Practices and Fraud Prevention Tips Good Internal Control Practices and Fraud Prevention Tips Jayne Blackburn, CPA Audit Manager, UW Internal Audit Laura Schrag Senior Auditor, UW Internal Audit November 2017 Good Internal Control Practices and Fraud Prevention Tips Table of Contents Introduction .. 1 Course Objectives .. 3 What are Internal controls? .. 5 A Broad Definition of Internal Controls .. 7 Five Components of Internal Control .. 8 Why are Internal controls necessary? .. 13 Who is responsible for Internal controls? .. 17 Roles and Responsibilities .. 19 How do I implement Internal controls in my department? .. 21 Type of Controls .. 23 Control Design and Operating Effectiveness .. 23 Basic Elements of Internal Control .. 24 Separation of Duties: Checks and Balances .. 25 Authorization .. 26 Documentation .. 27 Reconciliation and Review .. 28 Monitoring .. 29 Safeguarding of Assets and Records .. 30 Information Systems Security.
2 31 Common Causes of Internal Control Breakdowns .. 33 A Guide to Creating Your Own system of Internal Controls .. 34 Fraud .. 35 What Is Fraud ? .. 37 Fraud Reporting .. 39 Types of Fraud .. 40 Types of Fraud Perpetrators .. 40 Consistent Patterns in Fraud Cases .. 41 Fraud Prevention Tips .. 43 Payroll .. 45 Purchasing: Departmental Revolving Fund .. 48 Purchasing .. 50 Purchasing: ProCard .. 51 Purchasing .. 52 Cash Receipts .. 54 58 Appendix .. 59 Good Internal Control Practices and Fraud Prevention Tips Internal Controls A Guide to Separation of Duties: Procard Functions .. 61 Internal Controls A Guide to Separation of Duties: Petty Cash Functions .. 62 Internal Controls A Guide to Separation of Duties: Cash Receipt Functions .. 63 Internal Controls A Guide to Separation of Duties: Payroll Functions .. 64 Common Audit Findings .. 65 UW Administrative Policy Statement: Policy on Financial Irregularities and Other Related Illegal Acts 72 Good Internal Control Practices and Fraud Prevention Tips 1 Introduction Good Internal Control Practices and Fraud Prevention Tips 3 Course Objectives What are Internal controls?
3 Gain an understanding of concepts. Why are Internal controls necessary? Establish importance and basic elements. Who is responsible for Internal controls? Explain roles and responsibilities in implementing Internal controls. How do I implement Internal controls in my department? Provide guidelines for evaluating and enhancing Internal controls in your unit. Implement procedures that can prevent Fraud . Create an awareness of Fraud symptoms (red flags). Gain an understanding of the University s Fraud investigation process. Good Internal Control Practices and Fraud Prevention Tips 5 What are Internal controls? Good Internal Control Practices and Fraud Prevention Tips 7 A Broad Definition of Internal Controls A process effected by an entity s governing board, management, faculty, and staff, designed to provide reasonable assurance regarding the achievement of the following objectives: Operations Effectiveness and efficiency of operations Reporting Reliability of financial/non-financial reporting Compliance Compliance with applicable federal/state/local laws and regulations The definition of Internal controls emphasizes the following: A process consisting of ongoing tasks and activities.
4 It is a means to an end, not an end in itself. Effected by people. It is not merely about policy manuals, systems, and forms, but about people at every level of an organization that impact Internal Control . Able to provide reasonable assurance, not absolute assurance, to an entity s governing board and senior management. Geared to the achievement of objectives in one or more separate, but overlapping, categories. Adaptable to the entity structure. 8 Good Internal Control Practices and Fraud Prevention Tips Five Components of Internal Control Control Environment Risk Assessment Control Activities Information and Communication Monitoring Good Internal Control Practices and Fraud Prevention Tips 9 Control Environment Foundation for all other components of Internal Control Sets the tone of an organization Provides discipline and structure Commitment to/model integrity and ethical values Leadership sets ethical tone (by example) Teach employees that the right thing matters Set expectations of appropriate behavior Address acts of misconduct and other wrongdoing Be clear on consequences of bad behavior (consistency) Commitment to competence Hire the right staff (background/reference checks) Invest in employee education Practice management accountability.
5 Delegate or empower Be clear on limits of authority Be clear on responsibility and accountability Risk Assessment Identify/analyze relevant Internal and external risks to achievement of objectives Basis for determining how risks should be managed Risks include operational, strategic, regulatory, financial, reputational Identify/deal with risks associated with change Includes consideration of Fraud 10 Good Internal Control Practices and Fraud Prevention Tips Control Activities Policies and procedures that help ensure that necessary actions are taken to address risks/achieve objectives Occur throughout the organization, at all levels, in all functions Include a range of activities such as reviews, approvals, authorizations, verifications, reconciliations, segregation of duties, security of assets Objectives, Risks, Control Activities What you want to accomplish Objectives What can get in the way/stop you from accomplishing objectives Risks How do you decrease risks Control Activities Information and Communication Pertinent information identified, captured, and communicated in a form and time frame that enables people to carry out their Internal Control responsibilities All personnel must receive a clear message that Control responsibility is taken seriously, understand their own role in the Internal Control , and how their activities relate to the activities of others Effective communication flows to external parties, and internally up, down, and across all levels Monitoring Processes used to assess the quality of Internal Control performance over time Accomplished through ongoing monitoring activities, separate evaluations.
6 Or a combination of the two Internal Controls Help achieve performance and profitability targets Help ensure reliable financial reporting Help ensure compliance with laws and regulations Help avoid damage to reputation Provide information on the entity s progress, or lack of it, towards achieving goals Good Internal Control Practices and Fraud Prevention Tips 11 Internal Controls Limitations Cannot guarantee that all risks are mitigated, and all objectives will be met Limitations exist in all Internal Control systems Human decision making/judgment can be faulty resulting in Control failures/errors Controls can be circumvented and overridden Characteristics of Effective Control Management expectations are communicated to all employees Procedures are performed by the right person Employees understand why controls are important No rubber-stamping! Control activities are performed consistently Control activities are performed in a timely manner Errors/irregularities are identified and corrected Employees are held accountable for actions Trust is not a Control .
7 Good Internal Control Practices and Fraud Prevention Tips 13 Why are Internal controls necessary? Good Internal Control Practices and Fraud Prevention Tips 15 Reasons Why Internal Controls Are Necessary Obvious Systems- or Finance-Related Safeguard assets/funds As a public institution, the University is responsible for protecting government assets against loss or misuse. It has this same responsibility to donors. Prevent, detect, and correct errors and irregularities ( Fraud ) Controls are designed primarily to prevent errors and improper conduct. However, controls should also be designed to detect and correct. Avoid cost of investigations and other related costs If Fraud is prevented, the University will spend less time and money investigating, litigating, and correcting. Promote efficiency and cost effectiveness Citizens and donors entrust resources to the University for specific purposes. It is not enough to simply safeguard assets; money must be used efficiently and effectively to achieve its intended purpose.
8 Provide reliable financial/ statistical reports Decisions are as good as the information they are based on. Therefore, it is essential that we provide decision-makers with reliable data. The University has the responsibility to report on its stewardship of various resources. Reliable data is essential when reporting to sponsors and donors. Ensure compliance with laws and regulations The University's use of government resources is tightly controlled and limited by legal and contractual restrictions. Policies and procedures must ensure compliance with applicable laws and regulations. 16 Good Internal Control Practices and Fraud Prevention Tips Subtle Human Factor Protect employees Employees should never be put in a position in which their honesty could be questioned. An employee may be trusted not to steal, but it is unreasonable to trust them not to make mistakes, which can be as damaging as Fraud . Errors or small-scale frauds can lead to termination of employment, which can produce tragic personal consequences.
9 Maintain employee morale Suspicion and distrust created by a discovery of Fraud can cast a shadow upon individuals in the department even if they weren t involved in the Fraud . Avoid public embarrassment and loss of public confidence Frauds that have occurred in the past few years have brought increased media attention and scrutiny. Instances of Fraud call into question the public s trust in the University. Prevent whistleblowers and citizen complaints Employee concerns not immediately addressed by management lead to complaints. When a department is under scrutiny, Internal controls become a focal point during an investigation. Good Internal Control Practices and Fraud Prevention Tips 17 Who is responsible for Internal controls? Good Internal Control Practices and Fraud Prevention Tips 19 Roles and Responsibilities Everyone in an organization has responsibility for Internal Control ; roles vary in responsibility and level of involvement with each component.
10 The governing board has a key role in defining expectations on integrity/ethical values, and Internal Control responsibilities. The CEO is ultimately responsible for the effectiveness of the Internal Control system . Senior management guides the development and implementation of Internal Control policies and procedures, which are executed by all personnel directly involved at a detailed level. Internal auditors evaluate the effectiveness of Internal controls, but do not develop/implement/maintain them. Good Internal Control Practices and Fraud Prevention Tips 21 How do I implement Internal controls in my department? Good Internal Control Practices and Fraud Prevention Tips 23 Type of Controls Detective: Designed to detect errors or irregularities that may have occurred Corrective: Designed to correct errors or irregularities that have been detected Preventative: Designed to keep errors or irregularities from occurring in the first place Manual Controls Automated Controls Control Design and Operating Effectiveness To meet objectives and mitigate risks, the controls must be adequately designed, and operate as designed One design does not fit all.
