Internal Controls
When Is It Too Much or Too
Little
October 2007
PEOPLE. PRINCIPLES. POSSIBILITIES.
Introduction and Background
Eide Bailly, LLP
More than 120 firm wide professionals at Eide Bailly are
loyal to serving governments, which range from small
local governments to large state agencies, for more than
40 years.
Boise office has 30 professionals that serve
governments.
PEOPLE. PRINCIPLES. POSSIBILITIES.
Introduction and Background
Offices in:
Arizona
Idaho
Montana
Oklahoma
North Dakota
South Dakota
Minnesota
Iowa
PEOPLE. PRINCIPLES. POSSIBILITIES.
The “Fraud Triangle”
PEOPLE. PRINCIPLES. POSSIBILITIES.
The “Fraud Triangle”
Motive
PEOPLE. PRINCIPLES. POSSIBILITIES.
The “Fraud Triangle”
Motive
Rationalization
PEOPLE. PRINCIPLES. POSSIBILITIES.
The “Fraud Triangle”
Motive
Perceived Rationalization
Opportunity
PEOPLE. PRINCIPLES. POSSIBILITIES.
What is the Most Important Reason for Having
a Strong Internal Control System?
To prevent errors from occurring
To safeguard assts from unauthorized use of
misappropriation (i.e. to prevent fraud)
PEOPLE. PRINCIPLES. POSSIBILITIES.
Keep this in Mind...
Few things are more devastating, demoralizing, and
tragic than the discovery that someone you trusted
has committed fraud
There is, however, one thing that is considerably
more devastating, demoralizing, and tragic ...
When a totally innocent and honest employee falls
under suspicion simply because the lack of internal
control created the appearance of an opportunity to
commit fraud
PEOPLE. PRINCIPLES. POSSIBILITIES.
PERSPECTIVE
You will not prevent all losses.
You are trying to prevent large losses
PEOPLE. PRINCIPLES. POSSIBILITIES.
COSO
Committee of Sponsoring Organizations of the
Treadway Commission
Five components of a good control system:
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
PEOPLE. PRINCIPLES. POSSIBILITIES.
COSO
Identified control environment as the most critical
Autopsies of major scandals identify the control
environment as the primary cause of the scandal
PEOPLE. PRINCIPLES. POSSIBILITIES.
Why???
Why then do managers, auditors and regulators
put so much emphasis on control activities – Hard
Controls (i.e. policies, procedures, systems)
Because it is easy
Professional guidance and requirements that
auditors and regulators follow
PEOPLE. PRINCIPLES. POSSIBILITIES.
Because it is easy
More objective to assess
Easy to read policy and spot situations where
duties should be segregated
Easy to determine if policies are being followed
Was the invoice approved
Was a bid obtained when required
Bank reconciliation was reviewed by someone other than
who prepared it.
PEOPLE. PRINCIPLES. POSSIBILITIES.
Professional guidance
Public Company Accounting Oversight Board
SEC
AICPA
All have issued standards and related rules that
define internal controls over financial reporting with
more emphasis on activities than environment
PEOPLE. PRINCIPLES. POSSIBILITIES.
When is it too much?
When controls
Decrease the efficiency of processes
To many checks and balances
Require more people than necessary – Cost vs. Benefit
Gives the perception that the controls are in place
because employees can not be trusted
PEOPLE. PRINCIPLES. POSSIBILITIES.
Control Environment/soft controls
Tone at the top
Management’s attitude, philosophy, operating style
the ethics and integrity of people in the
organization – the competence of people. It is the
foundation of all other control components.
PEOPLE. PRINCIPLES. POSSIBILITIES.
Soft Control
Failures:
PEOPLE. PRINCIPLES. POSSIBILITIES.
Reasons Controls Break Down
Reason Number 1
Don’t Understand the
Control Implications
Of Policies,
Procedures and Reports
Yes ___ No ___
PEOPLE. PRINCIPLES. POSSIBILITIES.
Reasons Controls Break Down
Reason Number 2
Don’t Have the
Information Needed to
Assure Transactions
Are Proper
Yes ___ No ___
PEOPLE. PRINCIPLES. POSSIBILITIES.
Reasons Controls Break Down
Reason Number 3
Not Enough Time
to do the
Control Procedures
Yes ___ No ___
PEOPLE. PRINCIPLES. POSSIBILITIES.
Reasons Controls Break Down
Reason Number 4
Blind Trust
Believers ---------------------------- Doubters
Yes ___ No ___
PEOPLE. PRINCIPLES. POSSIBILITIES.
Reasons Controls Break Down
Reason Number 5
Willful Blindness
I choose not to see
Yes ___ No ___
PEOPLE. PRINCIPLES. POSSIBILITIES.
Reasons Controls Break Down
Reason Number 6
Not Questioning
the Strange,
Odd and Curious
Yes ___ No ___
PEOPLE. PRINCIPLES. POSSIBILITIES.
Reasons Controls Break Down
Reason Number 7
Not Enforcing
Documentation
Requirements
Yes ___ No ___
PEOPLE. PRINCIPLES. POSSIBILITIES.
Reasons Controls Break Down
Reason Number 8
Inadequate Fraud
Prevention and
Detection Skills
Yes ___ No ___
PEOPLE. PRINCIPLES. POSSIBILITIES.
Reasons Controls Break Down
Reason Number 8
Situational
Incompetence
PEOPLE. PRINCIPLES. POSSIBILITIES.
Which of the four options below would make the most significant impact on
helping your organization be more effective in fighting fraud, misconduct, and
wrongdoing?
Implementing the policy suggestions
14%
in the Anti Fraud Environment list
Conducting an organization wide
Comprehensive Fraud Exposure Analysis, 14%
including the creation of a Fraud Risk Inventory
Providing awareness, prevention and early
detection skills training for managers 62%
and key employees
Catching and prosecuting wrongdoers 10%
PEOPLE. PRINCIPLES. POSSIBILITIES.
Reasons Controls Break Down
Reason Number 9
Those Responsible for
Control Procedures
or Oversight
are Crooks!
Yes ___ No ___
PEOPLE. PRINCIPLES. POSSIBILITIES.
Soft Control Suggestions
1. Clarify Fraud Expectations
2. Fraud Policy
3. Fraud Skills Training
4. Fraud Exposure Analysis
5. Use “How Do I Know”
PEOPLE. PRINCIPLES. POSSIBILITIES.
1. Clarify Fraud Expectations
Fraud prevention and detection expectations
should be stated and understood. Never assume
managers and employees know what is expected.
Tell them.
At an upcoming staff meeting, discuss what you
personally expect of others. Include thoughts on
risks, awareness, prevention, early detection and
proper response.
Cover anything that would fall under wrongdoing,
misconduct and outright fraud.
PEOPLE. PRINCIPLES. POSSIBILITIES.
2. Fraud Policy
All organizations face the risk of wrongdoing and
fraud. And to effectively manage those risks,
everyone should know what their responsibilities
are in this important area.
An effective “Policy on Suspected Misconduct” is
the perfect place to document these
responsibilities.
Employees and managers will have a one-stop
source explaining their role in deterrence, early
detection and effective incident response.
PEOPLE. PRINCIPLES. POSSIBILITIES.
Fraud Policy Statement
1. Positive message
2. Manager responsibilities
3. Exposures
4. Procedures to prevent
5. Procedures to detect
6. What to do / not to do
7. Emphasis on SUSPECTED acts
PEOPLE. PRINCIPLES. POSSIBILITIES.
3. Fraud Skills Training
Don’t expect team members to be able to
handle fraud risks if they have never been
shown how to do so.
Most employees have never been taught the
skills needed to be effective in this area.
Sponsor or conduct fraud awareness and skills
training programs specifically addressing what
employees and auditors need to know to
prevent, detect and handle fraud.
PEOPLE. PRINCIPLES. POSSIBILITIES.
Fraud Skills For Managers
What fraud skills are needed:
General knowledge of fraud risks
Why soft controls are as important as hard controls
What can happen in their areas
What it will look like when it happens
Suggestions on preventing
Suggestions on prompt detection when prevention
fails
PEOPLE. PRINCIPLES. POSSIBILITIES.
4. Fraud Exposure Analysis
Ask the question “What could go wrong?”
Create a robust inventory of fraud risks.
Use this list to provide training.
Develop offsetting prevention and early
detection procedures for each risk identified.
Publicize the effort and the results.
Create awareness in honest employees, and
fear in those tempted to commit wrongdoing.
PEOPLE. PRINCIPLES. POSSIBILITIES.
5. Use “How Do I Know”
When gathering information and in interviews,
utilize a “show me how you…” rather than a “do
you…” approach to verifying details.
Before sign-off on journal entries, exception
reports, disbursements, reconciliation results,
and many other daily events, make sure people
know that they are responsible for the results.
Verify important details.
PEOPLE. PRINCIPLES. POSSIBILITIES.
When in Doubt, Doubt
If something looks or feels wrong to you in your
area of responsibility, it probably is. You are in
the best position to know.
Choose to follow up to determine the cause of
indicators and behaviors that concern you.
If you’re not sure, make a habit of checking
details.
If you’re still not sure, get help! Refer
suspicions to others for resolution.
PEOPLE. PRINCIPLES. POSSIBILITIES.