Christopher Dawkins, CPA, CIA

Director of County Audit

Martha O. Haynie, CPA

Orange County Comptroller’s Office

What Will I Talk About?

Why we have auditors and the difference between external auditors and internal auditors

How to create or ensure you have an effective audit department

The Three W’s of internal controls

What

Why

Where

The six elements of internal control

What Will I Talk About?

What can happen when controls breakdown

Overview of fraud

Red flags of fraud

Organization

Documents

Procedures

Employee

Some specific types of fraud

Why Government Auditors Exist?

An auditor is a man who watches the battle from the safety of the hills and then comes down to bayonet the wounded.

Sir Charles Lyell, 1797 - 1875, American accountant

Might be true but….

Why Government Auditors Exist?

People have a right to know how their money is spent

People have a right to know whether governmental programs are accomplishing what they set out to accomplish in an efficient and effective manner

Difference Between Internal and External Auditors

External Auditors Attest that the numbers on the financial statement are

fairly presented

Review operations and controls for the purpose of determining the reliability of the financial data

Independent contractor

Incidentally concerned with how we can do things better

Incidentally concerned with the detection and prevention of fraud in general, but is most concerned when financial statements may be materially affected

Difference Between Internal and External Auditors

Internal Auditors Provide an independent appraisal activity that evaluates

whether management has efficiently carried out its responsibilities

Perform an in-depth review of various county functions/programs

Are the organization's employee

Primarily concerned with how we can do things better

Directly concerned with the prevention/detection of fraud

What Do We Do? Review controls to ensure assets (revenues and property) are

adequately protected and expenditures are appropriate

Review the efficiency and effectiveness of county operations and management practices for areas needing improvement

Investigate instances of fraud, waste, and abuse, (coordination with law enforcement)

Participate with County management as a consultant on controls, compliance, and other matters of significant importance

Characteristics of An Effective Audit Department

Independent and qualified staff

Obtain adequate training

Adopt and follow auditing standards

Conduct a risk analysis of Operations within audit universe

Aware of current issues within County and nationally

Perform full scope audits - including financial, compliance and performance

Assist management when possible (consult)

Prepare professional audit reports

Overview of Audit Process

Preliminary survey

Entrance conference

Finalize audit plan

Fieldwork

Pre-exit conference

Quality review

Exit conference

Report issuance

Audit Objectives

Compliance

Performance

Internal Controls

Accountability

COMPLIANCE WITH WHAT?

LAWS

CONTRACTS

GRANT AND OTHER AGREEMENTS

PROCEDURES

ENTITY-WIDE

INTERNAL

Performance?

Are we efficiently carrying out our responsibilities?

Are we spending time doing things that don’t need to

be done?

The Three W’s

Internal Controls Framework…Five Inter-Related Components:

RiskAssessment

Control Activities

Information &Communication

Monitoring

15

Control Environment

Simple Definition – What?

Internal controls are what we do to see that the things we want to happen will happen …

16

And the things we don’t want to happen won’t happen

Types Of Internal Controls

Directive Preventive

Designed to deter fraud, errors, and mismanagement

Detective Designed to uncover or reveal any fraud, errors, or mismanagement

Corrective Designed to correct an error as it is made in real-time

Recovery Designed to help reduce or eliminate exposure to loss

Overall Environment (Tone at-the-Top)

17

Overall Environment – The One Most Effective Control:

18

Managers have to set the tone. Staff won’t

use controls if their managers don’t

take controls seriously

WHY DOES MANAGEMENT

HAVE CONTROLS? Transactions are properly authorized, executed, and

recorded

Assets are safeguarded

Resources are used efficiently and effectively

Prescribed policies and directives are followed

Why Do Controls Help?

Ensure internal business is properly transacted

Reduce the opportunity for fraud

Protect employees from personal liability

Helps provide a positive image by reducing errors, fraud, and mismanagement

20

Why Controls Don’t Always Work

Inadequate knowledge of policies or governing regulations. “I didn’t know that!”

Inadequate segregation of duties. “We trust ‘Barry’ , he does all of those things.”

Inappropriate access to assets. Passwords shared, cash not secured…

Form over substance. “You mean I’m supposed to know why I initial it or sign it?”

Control override. “I know that’s the policy, but we do it this way.” “Just get it done; I don’t care how!”

Inherent limitations. People are people and mistakes happen. You cannot foresee or eliminate all risk.

21

Where are Controls Most

Important?

22

High RiskLow Frequency

High RiskHigh Frequency

Low RiskLow Frequency

Low RiskHigh Frequency

How to Identify WhereFor each department/division objective, ask:

• What could go wrong? How could we fail?

• What must go right to succeed?

• What decisions require the most judgment?

• What activities are most complex?

• What activities are regulated?

• On what do we spend the most money?

• How do you bill/collect related revenue?

• On what information do we most rely?

• What assets do we need to protect?

• How could someone or something disrupt our operations?

23

Factors That Increase

the Need for Controls

Too much trust

Approval of documents without review

Lack of verification of transactions after they have been entered in the system

Lack of reconciliations

No follow-up when things appear “questionable” or “not reasonable”

Lack of knowledge of policies and procedures

Lack of understanding of subordinates job

24

Examples of Internal ControlThink about what you do…..

Lock your home and vehicle

Keep your ATM/debit card pin number separate from your card

Avoid including SSN on any forms unless absolutely required.

25

Where in Everyday Life?

Where Are My Work Controls

Redact protected information from court records

Buildings/restricted areas are kept locked

Recorded documents are kept secured

Computer records are backed up

Cash Registers or locked boxes

Cashiers balance collections

Journal entries require authorized

Bank account reconciled

Inventory tagged

Payroll transmittals authorized

Other examples…..??

26

Effective Internal Controls…

Make sense within each organization’s unique operating environment

Benefit rather than encumber management

Are not stand-alone practices; they are woven into day-to-day responsibilities

Are cost-effective

27

Who Is Responsible for Internal

Controls Oversight?

Managers are directly responsible for overseeing, designing, implementing, maintaining and documenting controls

Staff members play a role in effecting control; reporting problems, etc.

Internal auditors examine and contribute to the ongoing effectiveness of internal controls through evaluations and recommendations

28

What Are Internal Controls Six Elements….

Element #1 –

Competent, Trustworthy Personnel

Most important element!

Screening new hires is vital Background Check

Drug Testing (if maintain program, make sure it is effective)

Credit Report

Biennial Report Card on American Youth by Josephson Institute of Ethics (www.charactercounts.org)

30

Element #2 –

Adequate Segregation of Duties

In order for a person to misuse assets without detection, they must have custody of the assets, be able to authorize removal of the assets, and have the ability to adjust the books that inventory the assets.

31

Element #3 –

Authorization Procedures

Authorization may be general or specific

General authorization allows staff or supervisors to approve small routine transactions that occur frequently

Specific authorization is required by supervisors. Specific authorization should require review of voids, not just pass the key!

32

Element #4 –

Adequate Documents and Records

Record and summarize all transactions

Transmit information within and between organizations

Provide assurance that assets are properly controlled and transactions are recorded correctly

Provide accountability for future verification

33

Element #5 –

Physical Control Over Assets and Records

Secured storerooms should be used to protect against pilferage or spoilage

Fireproof safes or safe deposit boxes should be used to protect cash, securities, or vital documents

Keep the door closed and locked!

34

Element #6 –

Independent Checks on Performance

Last element of control is a continuous review of the previous five elements

Essential characteristic of the reviewer is independence from the person responsible for originally preparing the data

35