RISKY BUSINESS: Monitoring Financial Reporting by HC120727103738


									            RISKY BUSINESS:
            Monitoring Financial
              Barbara Reid, CPA
        LGC Government Finance Advisor
             Sheri Rockburn, CPA

             LGC Annual Conference
               November 8, 2007
7/27/2012                                1
The Landscape Has Changed!
 SAS 112: Communicating Internal
  Control Related Matters Identified in an
 Provides guidance to auditors on how to
  evaluate internal control deficiencies.
 Requires auditor to communicate
  significant deficiencies and material
  weaknesses in writing to management
  and those charged with governance.
7/27/2012                                    2
Why Has the Landscape
   Sarbannes-Oxley Act of 2002
   ASB decided to eliminate the auditors
    option to communicate significant
    internal control issues in writing.
   SAS 112 will most likely lower the
    reporting threshold and may increase the
    number of audit findings.
   Effective for audit periods ending on or
    after December 15, 2006.
7/27/2012                                   3
SAS 112 Terminology
 “Those charged with governance”
 Control deficiency
 Significant deficiency
 Material weakness
 Eliminated the term “reportable

7/27/2012                           4
SAS 112 Terminology

 “Those charged with governance” – the
    person(s) with responsibility for
    overseeing the strategic direction of the
    municipality and obligations related to
    the accountability of the municipality.

7/27/2012                                       5
Those charged with governance…
 In most entities, governance is a collective
     responsibility carried out by:
      – The Board of Selectmen or Council
      – A committee of the Board or Council,
        such as an audit committee or finance
      – A management team such as the
        manager/administrator, finance
        director, department heads, etc.

7/27/2012                                        6
Control Deficiency
 A control deficiency exists when the
  design or operation of a control does not
  allow management or employees, in the
  normal course of performing their
  assigned functions, to prevent or detect
  misstatements on a timely basis.
 Examples – reconciliations not
  performed or not timely completed.

7/27/2012                                     7
Significant Deficiency
 A significant deficiency is a control deficiency,
  or combination of control deficiencies, that
  adversely affect the entity’s ability to initiate,
  authorize, record, process, or report financial
  data reliably in accordance with generally
  accepted accounting principles.
 A remote likelihood that a misstatement will
  not be prevented or detected.
 Example – lack of authorization or records for
  significant purchases.

7/27/2012                                              8
Material Weakness
 A material weakness is a significant
  deficiency, or combination of control
  deficiencies, that results in a more that
  remote likelihood that a material
  misstatement of the financial statements
  will not be prevented or detected.
 Example – inadequate records of
  delinquent property taxes.

7/27/2012                                     9
Definition of Internal Controls
 A process effected by those charged with
     governance, management, and others
     designed to provide reasonable assurance
     regarding the achievement of your
     entity’s objectives, including
      – Reliable financial reporting
      – Effective and efficient operations
      – Compliance with laws, regulations,
        policies and procedures
      – Safeguarding assets.

7/27/2012                                       10
What Are Internal Controls?
 A process: a means to an end, not the end
 Accomplished by people, not merely
  policy, procedures and forms.
 Reasonable, but not absolute, assurance
  that assets and resources are

7/27/2012                                     11
What Are Internal Controls?
   Think about what YOU do:
            • Lock your home and your vehicle.
            • Keep ATM/debit card separate from PIN.
            • Check your bills and credit card
              statement before paying.
            • Don’t leave blank checks and cash lying
            • Expect your children to ask permission
              before doing certain things.

7/27/2012                                           12
What Are Internal Controls?
 Municipal internal controls are similar:
            • Offices, buildings, vehicles are locked .
            • Computer passwords are changed
            • Invoices are reviewed and approved
              before payment.
            • Checks and cash are secured.
            • Authorization is required for certain

7/27/2012                                                 13
7/27/2012   14
Risk Assessment – Consider
Changes Effecting Risk:
 Changes in operations - economic,
 Changes in personnel.
 Changes in IT systems.
 Rapid growth.
 Change in structure, staff reductions.
 Change in programs, activities, services
  or vendors.

7/27/2012                                    15
Risk Assessment – Consider
Inherent Risk
 Cash – the more easily an asset can be
  converted to personal use, the more likely
  it is to be stolen.
 Complexity – the more that can go
  wrong, the more that is likely to go
 Decentralization.
 Prior problems - unresponsiveness to
  previously identified internal control
  weaknesses sends a negative message
  about management’s attitude!
7/27/2012                                      16
Risk Assessment – Consider
Fraud Risks

 Financial Stress – personal, business,
 Addictions – gambling, drugs, alcohol.
 Disaffection - an employee believes they
  are being, or have been, mistreated.
 Past Problems.

7/27/2012                                    17
  Implementing Control Activities
   Policies (what should be done) and
    procedures (how it should be done)
    designed to ensure that the objectives
    (protect assets, effectiveness/efficiency,
    accurate records, and compliance) are
   Compensating control – a control that
    that limits the severity of a control
    deficiency and prevents it from rising to
    the level of a significant deficiency or
    material weakness.
7/27/2012                                        18
Types of Internal Controls
 Preventive – Designed to stop an
     unwanted outcome before it happens.
            • Reading/understanding policies
            • Review/approve purchase orders
            • Passwords to stop unauthorized access
 Detective – Designed to find and correct
     errors that have already occurred.
            • Cash counts/reconciliation
            • Expenditures vs. budget
            • Reviewing payroll reports

7/27/2012                                             19
Implementing Control Activities
 Authorizations – in writing, in advance, by
  specific individual(s), documentation (audit
 Properly designed records – sequential
  numbering, automatic duplicates, info for
  multiple purposes, avoid unnecessary info.
 Security of assets and records – controlled
  access, physical security, keep confidential
  records separate from non-confidential
  records, computer backup, disaster recovery.

7/27/2012                                        20
Implementing Control Activities
 Periodic reconciliations – i.e. bank
  reconciliations, accounting record
  reconciliations (i.e.tax collector to treasurer),
  reasonableness review.
 Periodic verification – i.e. physical inventory,
  payroll payout.
 Analytical review – what’s expected vs. what’s
  reported, data entry controls, edit checks,
  exception reporting, financial vs. non-financial

7/27/2012                                             21
Implementing Control Activities
   Segregate incompatible duties – duties where
    someone is able to both commit an irregularity
    and then conceal it:
        • Authorize a transaction
        • Record the transaction
        • Maintain custody of the asset resulting
          from the transaction
   Provide compensating controls when
    segregation not possible – vacation, periodic
    rotation of duties, have someone else do the job
    and see if there is any noticeable change,
    appoint a deputy.
7/27/2012                                          22
Implementing Control Activities:
Segregation of Duties
   RSA 669:7 Incompatible Offices
    establishes a minimum segregation of
   Segregating functions such as payroll,
    cash receipts and accounts payable, is not
    sufficient. Need to segregate the tasks
    involved in each function so no one
    individual is responsible for all facets of
    the function.

7/27/2012                                     23
Monitoring Internal Controls
 Just as a smoke alarm does not put out a
  fire, the same is true of internal controls
  – both are designed to provide an “alert”.
 Internal controls are a tool to detect and
  prevent errors and irregularities
  (intentional misstatement of the financial
  statements or a theft of assets).
 Be alert to “red flags” such as unusual or
  unexplained discrepancies.

7/27/2012                                       24
Balancing Risks and Controls
 Excessive Risks – loss of assets, loss of
  funding, poor decisions, non-compliance,
  increased regulation, public scandal.
 Excessive Controls – increased
  bureaucracy, complexity, time, non-value
  added activities, reduced productivity

7/27/2012                                     25
Questions To Ask Regarding
Risk Assessment
 Where is the potential risk?
 What is the likelihood of an unwanted
  occurrence and what would be the
 What compensating controls can be
 Does the cost of the controls exceed the

7/27/2012                                    26
The Control Environment
   Set the tone at the top – internal controls are
   Integrity and ethical values - must be clearly
    communicated in writing and by example.
   Commitment to competence –sound personnel
    policies including job descriptions, hiring
    policies, background checks, job qualifications,
    performance evaluations.
   Authority and responsibility – clear lines of
    authority. If everyone if responsible, then no
    one is responsible. Provide all of the authority
    necessary and only the authority necessary.
7/27/2012                                             27
Most Common Internal
Control Deficiencies
 Lack of written financial policies and
 Inadequate controls over cash receipts.
 Unsecured locations for cash on hand, check
  stock, signature stamps, credit cards etc.
 Lack of segregation of duties.
 Inadequate, untimely reconciliations.
 Lack expertise in preparing financial
  statements in accordance with GAAP and
  identifying proper year end cut-off entries.

7/27/2012                                        28
Where to Start:
Where Are the Risks?
 Don’t sweat the small stuff!
 Ask yourself:
Where does the money come from, where does it go,
  where is it stored before it goes to the bank, who
  records it?
Are there policies in place, are there adequate
  segregation of duties, are my assets safeguarded?
Does my ICS provide answers to these questions?

7/27/2012                                          29
Where to Start:
Where Are the Risks?
 Ask yourself:
     Do I rely on my auditors too much?

     Don’t I pay them to detect errors, prepare
     financial statement, provide year end
     entries, reconcile accounts and assure me
     there is no fraud?

7/27/2012                                         30
Government Finance Officers
Association Statement on
Fraud Prevention
 Fear of detection and punishment is a
  product of effective internal controls.
  Weak internal controls both permit and
  invite irregularities by reducing or
  removing that fear.
 The single most important step that can
  be taken to prevent fraud is for
  management to establish and maintain an
  effective internal control structure!
7/27/2012                                 31
GFOA Recommended Practice
SAS 112
 Not sufficient that auditors determine
  financial statements are fairly presented
  in accordance with GAAP
 Requires financial statements be a
  product of a reporting system that offers
  reasonable assurance that management is
  able to produce financial statements in
  accordance with GAAP.
7/27/2012                                     32
GFOA Recommended Practice
SAS 112
 Auditors often assist clients with
  preparation of financial statements
 Assistance no problem if it’s a matter of
 Will be considered significant deficiency
  or material weakness IF, prep is matter
  of necessity.

7/27/2012                                     33
GFOA Recommended Practice
SAS 112 –Crafting Strategies
 Be prepared to provide evidence that
  town has sound financial system.
  Document that management is able to
  prepare GAAP F/S
 Minimize likelihood of material audit
 Review any F/S preparation assistance
  provided by auditors. Document staff
  member has requisite skill set and has
  reviewed auditor’s work.
7/27/2012                                  34
Assessing Deficiencies

 Identify Deficiency
     • Segregation Of Duties
     • Lack of Oversight
     • Lack Of Expertise in Financial Reporting
     • Inadequate Cash Controls
 Assess Compensating Controls?
 Determine Severity of Control Deficiency?

7/27/2012                                         35
Assessing Deficiencies: Case 1

 One person in charge of accounting &
  reporting over cash disbursements – Lack of
  segregation of duties = control deficiency
 Compensating Controls:
 Board member reviews all disbursements
 Treasurer signs all checks
 Banks statements mailed directly to Treasurer
 Board member and treasurer perform
  reconciliations and review returned cks

7/27/2012                                         36
Assessing Deficiencies: Case 1
 Severity of control deficiency depends on
  the effectiveness of the compensating
 IF, board member/treasurer examines
  returned checks for appropriate signatures
  and alternations and reconciles monthly
  then control deficiency only.
 IF, board member/treasurer do not perform
  timely reconciliations nor reviews all checks
  for appropriate signature and that the payee
  and amount have not been altered,
  compensating control is not effective. Then
  control deficiency becomes a material
7/27/2012                                     37
Assessing Deficiencies: Case 2
 One person, employed by the Town for over 10 yrs, is
     in charge of all accounting & reporting functions,
     including monthly bank recons. (Lack Seg Duties =
     Control Deficiency)
    Treasurer leaves blank checks and signature stamp
     with accountant “in case of emergency”
    Board member/town manager/treasurer do not review
     emerg. checks before they are mailed nor do they
     review recons done by the accountant. (Lack of
     Oversight = Control Deficiency)
    Compensating Control:
    Town has auditor perform interim quarterly recons in
     addition to the annual audit. Towns believes the
     auditors are substitute for the lack of review by
     board/town mgr/treasurer during the year.
7/27/2012                                                   38
Assessing Deficiencies: Case 2

 SAS 112 states the auditor can not be
  part of your internal controls, therefore
  the fact the auditors perform quarterly
  recons is not a compensating control.
 Should the accountant betray trust,
  potential misstatement could be material.
 Therefore, lack of segregation of duties
  and lack of management oversight =
  material weakness

7/27/2012                                     39
Assessing Deficiencies: Case 3

 Town requests auditor to assist in
  preparing financial statements and notes.
 The finance director, town manager and
  board members receive a copy of the
  draft financial statements and notes.
 The finance director and town manager
  sign a letter stating they have reviewed
  and understand the financial statements
  and notes.

7/27/2012                                     40
Assessing Deficiencies: Case 3
 Remember, Auditor must determine if their
  assistance is out of necessity or convenience.
 If the finance director makes revisions to the
  statements, obtains & completes the AICPA
  checklist, prepares all necessary year-end entries,
  & questions the auditors on certain accounts &
  presentation, the auditor may conclude that the
  town has adequate expertise over the financial
  reporting functions. No deficiency is reported.
 However, if the town does not adequately review
  the statements, does not have a complete
  understanding of the footnote disclosures and is
  unable to explain the information to other board
  members or citizens, then the auditor may be
  preparing the f/s out of necessity = significant or
  material deficiency.
7/27/2012                                               41
Assessing Deficiencies: Case 4
 Transfer station is open Wed and Sat and most
     transactions result in cash received.
    Money received at transfer station is less than 2%
     of the total revenue received by the Town.
    One person works the transfer station.
    Pre-numbered cash receipts are not given and
     money is kept with the attendant in a bank bag
     until the next business day when it is brought to
     the Town Office for deposit.
    Auditor performs procedures during the audit and
     determines that the likelihood that the attendant
     could pocket the money and not have it be detected
     is more than remote.
    Therefore, lack of controls over cash receipts =
     control deficiency.
7/27/2012                                                 42
Assessing Deficiencies: Case 4
 Since the amount of cash that could be taken from
  the transfer station is so small compared to the
  total revenue received by the town, the magnitude
  of a material misstatement on the financial
  statements is slim. Therefore the control deficiency
  may be considered only a significant deficiency.
 However… you consider how the citizens of the
  community may feel to learn that the transfer
  attendant could be pocketing cash.
 A prudent official would probably view the
  absence of controls over cash material.
 Therefore, the control deficiency now would be
  considered a material weakness.

7/27/2012                                             43
 Keys to Success
 Review prior year audits &
  exit conference docs for areas
  of weakness and high risk
 Develop a plan to review your
  internal controls and
  determine where controls
  could be strengthened
 Develop a process to
  determine controls are
  working as designed
 Develop a communication
  tool for reporting deficiencies

 Remember, the controls in place before SAS 112 was
 issued should be, at least, the same controls you have
7/27/2012                                                 44
                  Barbara Reid, CPA
            LGC Government Finance Advisor

                   Sheri Rockburn, CPA
                     Senior Associate
                 Municipal Resources, Inc

7/27/2012                                      45

To top