9 melinda cash investment ic sog new format · relevant principles be present and functioning...

10/20/17

1

InternalControlMelindaAndrewsOctober2017

State and Local Government Finance Division

Law

•WhoseResponsibleforInternalControls?

• DoesanyoneworkinanorganizationweretheFinanceOfficerdoesnotplayaleadroleinInternalControls?

10/20/17

2


ReporttotheNationsonOccupationalFraudandAbuse– 2016GlobalFraudStudy• Analyzed2,410occupationalfraudcasesthatcausedatotallossofmorethan

$6.3Billion

• Medianlossfromasinglecaseofoccupationalfraudwas$150,000

• 23%ofoccupationalfraudresultedinalossofatleast$1million

• IfyoutakemedianlossbyregiontheUSwassecondlowestwith$120,000.MiddleEastandNorthAfricahadthehighestmedianlosseswith$275,000


Characteristicsofthetypicaloccupationalfraudster

10/20/17

3

FraudbyIndustry


TypeofOccupationalFraudforUnitedStates

10/20/17

4


InitialDetectionofFrauds


CasesReferredtoLawEnforcement

10/20/17

5


ResultsofCasesReferredtoLawEnforcement


10/20/17

6



SeveralFraudCasesgoingonNowinNC

• RegisterofDeedsCase$2.3millionmissing• EmployeeinSherriffDepartmentincollusionwithpersonrecordingtime

sheetdatainanotherdepartment• ManagerinvestigatedbyFBIforP-cardfraud• FinanceOfficerremoveseverypennyfromallbankaccounts• Boardmember’sdaughterishigherandissuedadebtcard– makingcash

withdrawals

• Wouldestimatethereareatleast10-20fraudsayearinlocalgovernments

10/20/17

7


WhyDoWeNeedInternalControls?

• AUnitofGovernmentinNChad$300,000takenusingon-linebanking- unitsbankingID,passcodesanddigitalcertificatewereused

• Cashwastakenbyapersoncollectingcash– personissuedreceiptfromreceiptbooktheyboughtatalocalstore

• Personcheckingreceiptnumberingdidn’tfullyunderstandwhattheyweredoing

• Cashtakenfromsafe– safewasnotlocked– itwasn’tconvenienttolocksafe


WhydoWeNeedInternalControls?

• BaringsBankFailurein1995• Britain’soldestMercantileBank• Napoleonicwars,theLouisianapurchase,andtheErieCanal.

BaringswastheQueen'sbank• OnePersonbroughtitdown

• CyberAttackersEmptyBusinessAccountsinMinutes• OfficeofInspectorGeneralrecoveredmorethan$2.4Mduetofuel

fraud

10/20/17

8


CCOOSSOO–– CCoommmmiitttteeeeOOffSSppoonnssoorriinnggOOrrggaanniizzaattiioonnss• 2013– updatedthe1992internalcontrolframework

• Evolutionarynotrevolutionary

• Effectiveinternalcontrolsrequiresthefivecomponentsand17relevantprinciplesbepresentandfunctioning(principlesarenew)


InternalControlDefinition

“process,effectedbyanentity’sboardofdirectors,management,andotherpersonnel,designedtoprovidereasonableassuranceregardingtheachievementofobjectivesrelatingtooperations,reporting,andcompliance.”

10/20/17

9


ThreeObjectives- COSO

• OperationsObjective– relatedtotheeffectivenessandefficiencyoftheentity'soperation,includingoperationalandfinancialperformancegoals,andsafeguardingassetsagainstloss.

• ReportingObjective- relatedtointernalandexternalfinancialandnonfinancialreportingtostakeholders,whichwouldencompassreliability,timeliness,transparency,orothertermsasestablishedbyregulators,standardsetter,ortheentity'spolicies.

• ComplianceObjectives- relatedtoadheringtolawsandregulationsthattheentitymustfollow.


FiveComponentsofCOSO

1. ControlEnvironment– setofstandards,processesandstructuresthatprovidethebasisforcarryingoutinternalcontrolacrosstheorganization• Commitmenttointegrityandethicalvalues• Bd.OfDirectorsexercisesoversightindevelopmentandperformanceofIC• Mgmt.establisheswithboardoversight,structures,reportinglinesand

appropriateauthorities• Commitmenttoattract,develop,andretaincompetentindividuals• Holdsindividualsaccountable

10/20/17

10



2. RiskAssessment– involvesdynamicanditerativeprocessforidentifyingandanalyzingriskstoachievingtheentity’sobjectives,formingabasisfordetermininghowriskshouldbemanaged.Managementconsiderspossiblechangesintheexternalenvironmentandwithinitsownbusinessmodelthatmayimpedeitsabilitytoachieveitsobjectives.• Clearobjectives• Identifiesrisktoachievementofobjectives,analyzesrisk,howtheyshouldbe

managed• Potentialforfraud• IdentifiesandassesseschangesthatcouldimpactsystemofIC



3. ControlActivities- actionsestablishedbypoliciesandprocedurestohelpensuremgmt.’sdirectivestomitigateriskarecarriedout– performedatalllevelsoftheentity,variousstagesofthebusinessprocess,includethetechnologyenvironment.Activitiesarepreventive,detective,includemanualandautomated,authorizations,approvals,verifications,reconciliations,businessreviews,segregationofduties.• Controlactivitiesthatmitigaterisk• Generalcontrolactivitiesovertechnology• Deployscontrolactivitiesthroughpolicy/procedures

10/20/17

11



4. InformationandCommunication– Informationisnecessaryfortheentitytocarryoutinternalcontrolresponsibilitiesinsupportofachievementofitsobjectives.Communicationoccursbothinternallyandexternallyandprovidestheorganizationwiththeinformationneededtocarryoutday-to-dayinternalcontrolactivities.Communicationenablespersonneltounderstandinternalcontrolresponsibilitiesandtheirimportancetotheachievementofobjectives.• Relevant,qualityinformationisusedtosupportthefunctioningofinternalcontrol• Internalcommunicationsincludingobjectivesandresponsibilitiesofinternal

controlisnecessarytosupportfunctioningInternalcontrols.• Communicationswithexternalpartiesaboutmattersaffectingfunctioningof

internalcontrols



5. MonitoringActivities– Ongoingevaluationsand/orseparateevaluations,areusedtoascertainwhethereachofthefivecomponentsofinternalcontrolispresentandfunctioning.Findingareevaluatedanddeficienciesarecommunicatedinatimelymanner,withseriousmattersreportedtoseniormanagementandtotheboard.

10/20/17

12


AreasofRisk

• Developingpolicyandproceduresinaconstantlychangingenvironmentbutyourproceduresdonotcontainaprocessforkeepingupwithnewdevelopments• Rapidchangeintechnologymakesthisdifficult

• ChangingAccountingstandards

• Evaluateeachcashcollectionsite• Eachsiteshouldhaveanindependentwaytotietoexpectedrevenue


AreasofRisk

• Fictitiousvendors• Verifynewadds• MakesureA/Pcan’taddvendors• VerifySSNandTINforeverynewvendor

• Makesurepersonsaccountingandreconcilingcashcannotwritejournalentries

• WeallhavetheaccountthatnoonewouldbeabletotelliftherewereafewinappropriateJE’sintheaccount

10/20/17

13


AreasofRisk

• VerytightcontrolsoverACHbankinginformation

• ACHfraudcontrol

• Positivepayforallcheckingaccounts

• Monitorbankaccountsmoreoftenthanjustthemonthlybankrecon


AreasofRisk

• Whatisthestructureforsendingwires/ACH’sinyouroffice• Twopersonsmustapproveatemplate• Templatescangooutwithoneperson• Templateshaveanottoexceedamt.• Freeformwiresrequiretwoindividuals

• Whatkindofsecuritydoesyoubankhaveovertransactions

10/20/17

14


AreasofRisk

• ContractVendors– internetprovidersforcashcollection– PCI

• Whenandifyouchangebankscouldyoucontactalltheinstitutionsthatdepositmoneyintoyourbankandnotifythemofthebankchange• Stealingfundselectronically• Becausetimeisoftheessenceinbeingsuccessfulingettingbackfundsstolen

electronically,doweneedtohavepersonreviewallnon-checkdisbursementsbeforetheendofeachday?


WhatCanIDo?

• Hireinternalauditstafforperformthefunctionwithexistingstaff

• HotLine-MeetwithfinancialstaffallovertheCountytoinformthemofanumbertocalltoreportanythingtheyarenotcomfortablewith.Don’thavetoleaveyourname.

• Meetwithstafftoevaluatethegreatestareasofriskinyourenvironment

• ChargeallFinancestafftoberesponsibleforinternalcontrol– putontheirworkplans

10/20/17

15


WhatCanIDo?

• Beforeanynewprocessisputintoplaceevaluateinternalcontrols,documentcontrolsandtrain

• Usetokensinsteadofdigitcertificatesforon-linebanking

• Don’tletemployeesperformon-linebankingfromhomeusingtheirpersonalPC’s

• LetthemVPN(VirtualPrivateNetwork)usingworkPCs


WhatCanIDo?• EmbraceyourredflagrulesandPCIcompliance– makethisamanagementissuenotafinanceissue.–

InvolveIT,Attorney,Depts.

• HaveDepartmentHeadsignaninternalcontrolplanfortheirdepartmentandmakethemnameapersonwhoisresponsibleforensuringitisfollowed

• HaveInternalAuditreviewcompliancewithinternalcontrolplan

• Banksnowrequiringthatonlinebankingtransactionsmustuseaseparatemachinethathaslimitedaccess

• EMV(chiptechnology)requiredasof10/1/2015

• Unitofgovernmentcannotactonchangeinpaymentinformationfromavendorwithoutcallingthevendortoverifythechange.

10/20/17

16


I/CthatAffecttheControlEnvironment

• Makesuremanagementisnotoverridingcontrols• SplitPO’s• Unauthorizedp-cardspurchases• Stickthecontractinthemiddleofthepileandmaybefinancewon’tseeit

• OrganizationalChart– Matrixofauthoritywithbackups

• InternalControlsforSmallUnitsofGovernment– Memo2015-15

• Monthlyreportsshouldbegeneratedandunderstoodbymanagement


I/CthatAffecttheControlEnvironment

• EthicalandProfessionalStandards• Whoteachesethicsinyourunit

• Crosstrainemployeestoperformdutieswhenpersonisout.

• Staffmustbeadequatelytrained

• ListentoAuditorsuggestions

10/20/17

17


I/CinAccountingSystem

• Booksshouldbebalancedandtimely

• Timelybankreconciliations

• Controlaccountsshouldbereconciled

• Accountingproceduresshouldbedocumentedandeasilyaccessedbystaff

• Transactionsshouldbepostedtimely

• Alljournalentriesshouldbeapprovedandexplained- notmadebyanyonethatdealswithcash

• Recordsneedtobeinsecureplace/backups

• WhatareyougoingtodowhenBirdflue/floodingprohibitsyouremployeesfromcomingtowork?


I/CforFederalandStateGrants

• Fundsarerecordedandexpendedincompliancewithprogramrequirements

• Distinguishcontractorsfromsub-recipients

• Monitoringandindirectcost

• Documentthefilingofgrantreports

• Makesureyourreviewingsubrecipientauditreports

• Followingprocurementprocedures

10/20/17

18


I/CforCashReceipts

• Recordcashatearliestpossiblepoint• Cashmustbetiedbacktoanindependentsystem– cashreceiptsaloneisnotthe

bestsystem• Personkeyingaccountingentryshouldnotbepersoncollectingcash• Everyoneinvolvedneedstounderstandwhattheyaredoingandwhy• Whoissuesyourdepositslipsandreceiptbooks?• HaveInternalAuditreviewbanking,cashandinvestmentprocedures


InternalControlsOverInvestments

ForPurposesofthisdiscussion,InvestmentsreferstoinvestmentsotherthanNCCMT,CDARS,Finistar,andICS

MusthaveControls• Investmentpolicy

• Typesofinvestments,lengthoftime,diversifiedportfolio,whattypes/amountofmoneycanbeinvested?• Broker/DealerAgreements

• CanonlysellyoulegalinvestmentsforNClocalgovernmentsandinaccordancewithyourinvestmentpolicy• GetReferencesfromotherNClocalgovernments

• CustodialAgreements– InvestmentsresideintheTrustareaofthebank.• SafekeepingAgreements– Investmentsresideinthecommercialsideofthebank• Seememo2013-03CustodyandProperSafekeepingofLGInvestments onStateTreasurer’sweb

sitehttps://www.nctreasurer.com/slg/Memos/2013-03.pdf

10/20/17

19


InternalControlsoverInvestments

Issues1. GeneralFundoperatingfundbalanceisinvestedin15yearagencies2. Investmentsarebeingheldbyacustodian/safekeepingagentthathasno

signedcontractwithalocalgovernmentunit3. Brokershavesoldinvestmentstolocalgovernmentsthatarenot

authorizedbygeneralstatutes.

ThisallhappenedduringthispastfiscalyearItisnotuncommonforbrokerstoapproachthegoverningboardaboutimprovinginterestearnings


InternalControlsoverInvestments

Beforeyousetupaninvestingprogramyouneedtosetupproperinternalcontrolsovertheinvestmentactivities.ContactBeckyDzingeleskiat919-814-4287.

BecomeamemberoftheNCLocalGovernmentInvestmentAssociation• Theycanprovideyouamentortohelpyousetupyourinvestment

programorhelpyouevaluateasuggestionmadebyabroker.

• http://www.nclgia.org/ReviewtheNCStateTreasurerWebsiteforsamplecashandinvestmentpolicyandbroker/dealerquestionnaire.

10/20/17

20


RedFlagRules

• JointCommitteeoftheOCC,FederalReserveBoard,FDIC,OTS,NCUAandtheFederalTradeCommissionpassedthefinallegislationforSection114oftheFairandAccurateCreditTransactionsAct• Aimedtopreventormitigateidentitytheftassociatedwithcustomeraccounts• Coveraccounts- Apersonalaccountthatinvolvesorisdesignedtopermit

multiplepaymentsortransactions- utilities


RedFlagRules– GuideforBusiness

TheRedFlagsRuletellsyouhowtodevelop,implement,andadministeranidentitytheftpreventionprogram.Aprogrammustincludefourbasicelementsthatcreateaframeworktodealwiththethreatofidentitytheft.

1. Aprogrammustincludereasonablepoliciesandprocedurestoidentifytheredflagsofidentitytheftthatmayoccurinyourday-to-dayoperations.RedFlagsaresuspiciouspatternsorpractices,orspecificactivitiesthatindicatethepossibilityofidentitytheft. Forexample,ifacustomerhastoprovidesomeformofidentificationtoopenanaccountwithyourcompany,anIDthatdoesn’tlookgenuineisa“redflag”foryourbusiness.

10/20/17

21


RedFlagRules– GuideforBusiness

2. Aprogrammustbedesignedtodetecttheredflagsyou’veidentified.IfyouhaveidentifiedfakeIDsasaredflag,forexample,youmusthaveprocedurestodetectpossiblefake,forged,oralteredidentification.

3. Aprogrammustspelloutappropriateactionsyou’lltakewhenyoudetectredflags.

4. Aprogrammustdetailhowyou’llkeepitcurrenttoreflectnewthreats.

RedFlagrulesexpireDecember31,2015– FederalTradeCommissionhasproposalouttoextendforthreemoreyears.CommentperiodclosedOctober19,2015


PaymentCardIndustryDataSecurityStandard– PCIDSS

• ALL companiesthatprocess,storeor transmitcreditcardinformationmaintainasecureenvironment.• https://www.pcisecuritystandards.org/security_standards/pci_dss.sht

ml

• Ifyoualreadydocreditcardbusinessyouareawareoftheserules.IfyouarethinkingaboutacceptingcreditcardsmakesureyouunderstandPCIbeforeyoucommittoanyparticularprocess• IfyouneedtohireaconsultanttohelpyouwithPCIcompliancethe

StatehasCoalFireoncontractatastaterate.

10/20/17

22


RecommendedPractices&Roles

• InternalAudit

• AuditCommittees

• DisasterRecoveryPlan

• AccountingPoliciesandProcedures


Who’sResponsibleforIC?

Management(includesgoverningboard)hastheresponsibilityfortheestablishmentandmaintenanceofadequateinternalcontrols.

9 melinda cash investment ic sog new format · relevant principles be present and functioning...

Documents