christopher dawkins, cpa, cia director of county audit ......christopher dawkins, cpa, cia director...
TRANSCRIPT
Christopher Dawkins, CPA, CIA
Director of County Audit
Martha O. Haynie, CPA
Orange County Comptroller’s Office
What Will I Talk About?
Why we have auditors and the difference between external auditors and internal auditors
How to create or ensure you have an effective audit department
The Three W’s of internal controls
What
Why
Where
The six elements of internal control
What Will I Talk About?
What can happen when controls breakdown
Overview of fraud
Red flags of fraud
Organization
Documents
Procedures
Employee
Some specific types of fraud
Why Government Auditors Exist?
An auditor is a man who watches the battle from the safety of the hills and then comes down to bayonet the wounded.
Sir Charles Lyell, 1797 - 1875, American accountant
Might be true but….
Why Government Auditors Exist?
People have a right to know how their money is spent
People have a right to know whether governmental programs are accomplishing what they set out to accomplish in an efficient and effective manner
Difference Between Internal and External Auditors
External Auditors Attest that the numbers on the financial statement are
fairly presented
Review operations and controls for the purpose of determining the reliability of the financial data
Independent contractor
Incidentally concerned with how we can do things better
Incidentally concerned with the detection and prevention of fraud in general, but is most concerned when financial statements may be materially affected
Difference Between Internal and External Auditors
Internal Auditors Provide an independent appraisal activity that evaluates
whether management has efficiently carried out its responsibilities
Perform an in-depth review of various county functions/programs
Are the organization's employee
Primarily concerned with how we can do things better
Directly concerned with the prevention/detection of fraud
What Do We Do? Review controls to ensure assets (revenues and property) are
adequately protected and expenditures are appropriate
Review the efficiency and effectiveness of county operations and management practices for areas needing improvement
Investigate instances of fraud, waste, and abuse, (coordination with law enforcement)
Participate with County management as a consultant on controls, compliance, and other matters of significant importance
Characteristics of An Effective Audit Department
Independent and qualified staff
Obtain adequate training
Adopt and follow auditing standards
Conduct a risk analysis of Operations within audit universe
Aware of current issues within County and nationally
Perform full scope audits - including financial, compliance and performance
Assist management when possible (consult)
Prepare professional audit reports
Overview of Audit Process
Preliminary survey
Entrance conference
Finalize audit plan
Fieldwork
Pre-exit conference
Quality review
Exit conference
Report issuance
Audit Objectives
Compliance
Performance
Internal Controls
Accountability
COMPLIANCE WITH WHAT?
LAWS
CONTRACTS
GRANT AND OTHER AGREEMENTS
PROCEDURES
ENTITY-WIDE
INTERNAL
Performance?
Are we efficiently carrying out our responsibilities?
Are we spending time doing things that don’t need to
be done?
The Three W’s
Internal Controls Framework…Five Inter-Related Components:
RiskAssessment
Control Activities
Information &Communication
Monitoring
15
Control Environment
Simple Definition – What?
Internal controls are what we do to see that the things we want to happen will happen …
16
And the things we don’t want to happen won’t happen
Types Of Internal Controls
Directive Preventive
Designed to deter fraud, errors, and mismanagement
Detective Designed to uncover or reveal any fraud, errors, or mismanagement
Corrective Designed to correct an error as it is made in real-time
Recovery Designed to help reduce or eliminate exposure to loss
Overall Environment (Tone at-the-Top)
17
Overall Environment – The One Most Effective Control:
18
Managers have to set the tone. Staff won’t
use controls if their managers don’t
take controls seriously
WHY DOES MANAGEMENT
HAVE CONTROLS? Transactions are properly authorized, executed, and
recorded
Assets are safeguarded
Resources are used efficiently and effectively
Prescribed policies and directives are followed
Why Do Controls Help?
Ensure internal business is properly transacted
Reduce the opportunity for fraud
Protect employees from personal liability
Helps provide a positive image by reducing errors, fraud, and mismanagement
20
Why Controls Don’t Always Work
Inadequate knowledge of policies or governing regulations. “I didn’t know that!”
Inadequate segregation of duties. “We trust ‘Barry’ , he does all of those things.”
Inappropriate access to assets. Passwords shared, cash not secured…
Form over substance. “You mean I’m supposed to know why I initial it or sign it?”
Control override. “I know that’s the policy, but we do it this way.” “Just get it done; I don’t care how!”
Inherent limitations. People are people and mistakes happen. You cannot foresee or eliminate all risk.
21
Where are Controls Most
Important?
22
High RiskLow Frequency
High RiskHigh Frequency
Low RiskLow Frequency
Low RiskHigh Frequency
How to Identify WhereFor each department/division objective, ask:
• What could go wrong? How could we fail?
• What must go right to succeed?
• What decisions require the most judgment?
• What activities are most complex?
• What activities are regulated?
• On what do we spend the most money?
• How do you bill/collect related revenue?
• On what information do we most rely?
• What assets do we need to protect?
• How could someone or something disrupt our operations?
23
Factors That Increase
the Need for Controls
Too much trust
Approval of documents without review
Lack of verification of transactions after they have been entered in the system
Lack of reconciliations
No follow-up when things appear “questionable” or “not reasonable”
Lack of knowledge of policies and procedures
Lack of understanding of subordinates job
24
Examples of Internal ControlThink about what you do…..
Lock your home and vehicle
Keep your ATM/debit card pin number separate from your card
Avoid including SSN on any forms unless absolutely required.
25
Where in Everyday Life?
Where Are My Work Controls
Redact protected information from court records
Buildings/restricted areas are kept locked
Recorded documents are kept secured
Computer records are backed up
Cash Registers or locked boxes
Cashiers balance collections
Journal entries require authorized
Bank account reconciled
Inventory tagged
Payroll transmittals authorized
Other examples…..??
26
Effective Internal Controls…
Make sense within each organization’s unique operating environment
Benefit rather than encumber management
Are not stand-alone practices; they are woven into day-to-day responsibilities
Are cost-effective
27
Who Is Responsible for Internal
Controls Oversight?
Managers are directly responsible for overseeing, designing, implementing, maintaining and documenting controls
Staff members play a role in effecting control; reporting problems, etc.
Internal auditors examine and contribute to the ongoing effectiveness of internal controls through evaluations and recommendations
28
What Are Internal Controls Six Elements….
Element #1 –
Competent, Trustworthy Personnel
Most important element!
Screening new hires is vital Background Check
Drug Testing (if maintain program, make sure it is effective)
Credit Report
Biennial Report Card on American Youth by Josephson Institute of Ethics (www.charactercounts.org)
30
Element #2 –
Adequate Segregation of Duties
In order for a person to misuse assets without detection, they must have custody of the assets, be able to authorize removal of the assets, and have the ability to adjust the books that inventory the assets.
31
Element #3 –
Authorization Procedures
Authorization may be general or specific
General authorization allows staff or supervisors to approve small routine transactions that occur frequently
Specific authorization is required by supervisors. Specific authorization should require review of voids, not just pass the key!
32
Element #4 –
Adequate Documents and Records
Record and summarize all transactions
Transmit information within and between organizations
Provide assurance that assets are properly controlled and transactions are recorded correctly
Provide accountability for future verification
33
Element #5 –
Physical Control Over Assets and Records
Secured storerooms should be used to protect against pilferage or spoilage
Fireproof safes or safe deposit boxes should be used to protect cash, securities, or vital documents
Keep the door closed and locked!
34
Element #6 –
Independent Checks on Performance
Last element of control is a continuous review of the previous five elements
Essential characteristic of the reviewer is independence from the person responsible for originally preparing the data
35