Introduction

You are the director of finance for a local government that traditionally receives all the accolades in financial reporting and budgeting, as well as “clean” audits from your external auditors on an annual basis. However, you recently found out that millions of dollars have been stolen from taxpayers under your watch, and it has been happening for years. Now, your stakeholders and local government board are looking to you to explain how this could happen. They were under the impression that you and your department had sound financial controls, as represented, to prevent such a thing. Sounds like a nightmare? This is now becoming less make-believe and more of a reality.

As evidenced by recent events here in California, as well as across the United States, state and local governmental entities are having to react to situations of fraud and errors made by employees, as well as blunt questioning by taxpayers over internal controls. Let’s face it, most (not all) governmental entities rely on their external financial statement auditors to identify errors and fraudulent activity. However, the fact is that external financial statement audits should not be relied upon to identify all errors and fraudulent activity. The main objective of an external financial statement audit is to provide reasonable assurance that financial statement information is presented accurately and in accordance with accounting principles generally accepted in the United States (US GAAP). From an internal control perspective, the financial statement information reviewed by external financial statement auditors is the result of gathering information from internal control processes on a sample basis, and the review happens months after the financial activities have taken place. Therefore, external financial statement audits are limited in their ability to identify all internal weaknesses and fraudulent activity. They are also limited because information is reviewed on a sample basis, and the sample is determined by material amounts from financially presented information.

Relying on limited external financial statement audits and responding to an issue only after it happens are both reactive ways of assuring taxpayers and your board that internal controls are in place and working to mitigate fraud and errors. Do not be reactive! A better approach is to be proactive in identifying potential deficiencies that could cause problems and addressing them before they happen. A proactive approach would introduce a process of continuous reviews and improvements, tailored to your organization. Being proactive makes you more likely to prevent fraud from occurring and to reduce potential losses through earlier detection.

Our goal with this white paper is to introduce an approach that we believe could help governmental entities develop a robust internal control/audit environment that is more proactive than reactive. Below is a five-step process developed utilizing the principles of COSO, or what we like to think of as C.R.I.M.E (Control activities, Risk assessment, Information and communication, Monitoring, and Environment of controls).

These five steps are as follows:

• Step 1 – Self Evaluation
• Step 2 – Risk Assessment
• Step 3 – Develop a Plan
• Step 4 – Communication and Education
• Step 5 – Monitoring/Follow-up

Step 1: Self Evaluation

Just as you would interview an external person for a position, the first step in creating a proactive approach is to interview yourself. Develop an understanding of where you are as a department, and as an entity, in terms of expertise. Do you have the experience, education, tools, and most importantly the time to perform a continuous review of your internal controls? Do you have the knowledge to determine what strong internal controls are for each of your local government’s control environments? These are questions that you need to ask yourself to determine if you have the expertise. Business environments are forever evolving and changing. New technologies are being introduced that increase the speed of information sharing and the security of that information. This also means that there are new techniques designed to defraud governmental entities and more ways for errors to happen.

You may be telling yourself that, even if technologies change, the principles of internal controls surrounding those technologies (i.e. proper segregation of duties) have not changed. You may also feel that you have sound controls in place. For example, there are two or more signatures and a manager reviewing every procurement transaction before it gets paid. This may be a correct assumption; however, do you understand what that means in a control environment? Would you be able to identify, consistently, initiation and authorization conflicts to mitigate the risks of collusion or approval of related party transactions? If not, then you probably do not have the expertise to identify segregation of duties or preventive controls that should be in place to reduce the risks of employee collusion.

Another part of the self-evaluation step is to determine how committed you can be to a proactive process. Consider the time it would take to essentially “audit” your entity on a continuous and periodic basis. If you determine that you have the expert staff in place to create a proactive environment, evaluate whether those staff members – on top of other daily duties – could dedicate the appropriate amount of time to the process. Incorporating a proactive environment takes time and commitment. It should be a continuing and developing systematic process, with dedicated staff performing the procedures along with dedicated management. A common issue that most governmental entities face is that it may not be cost effective to hire any additional full-time staff to create the perfect control environment. A solution to this issue may be to outsource. This issue should also be considered when creating a proactive environment. Local governments today are already challenged with staffing changes, cutbacks, consolidated workloads and desegregating finance functions, while board members still expect them to maintain a balanced budget and strong internal control functions.

Finally, determine as an entity if you can remain objective and independent enough to perform a complete and thorough audit of your processes. Sometimes this is the most difficult part, because friendships and other relationships can hinder objectivity and independence. In addition, to be effective, all departments must be reviewed in order to have a complete and comprehensive process. The self-evaluation process may indicate that your entity does not have the expertise, the time, the objectivity or the independence in-house to create a proactive environment. It may be more efficient to obtain the support of an outside CPA firm or individual with the necessary tools and background to participate in creating a proactive environment.

Step 2: Risk Assessment

After performing a self-evaluation, the next step in creating a proactive approach is to create a risk assessment process. A risk assessment is a formalized and systematic process to identify internal and external risks (what could go wrong) and to develop objectives that will mitigate those risks. A risk assessment is a robust process that includes, at minimum, performing a “look across” at other governmental entities similar in size to identify deficiencies and issues that they are facing, the potential cause of those deficiencies and issues, and how those deficiencies and issues were addressed. In addition, as part of the risk assessment process, the governmental entity should internally evaluate its own processes and controls. The evaluation should include considerations such as the level of expertise needed to perform the duties of that area, the level of oversight currently involved, the frequency with which controls in those processes are performed and the level of exposure to the governmental entity, amongst other inherent considerations. The governmental entity should use these considerations to evaluate all departments and sub-departments within the governmental entity when performing its risk assessment. We propose utilizing a scale of measurement, such as High/Med/Low or 1 through 10, when completing the evaluation. After risks have been identified, the next process in the risk assessment is to develop objectives to mitigate those risks. For example, an objective to mitigate the risk that employee laptops are stolen would be to have a centralized department (IT) tracking and monitoring employee laptops with no access to purchasing capabilities. Once objectives have been identified, procedures should be developed on how to test the controls to ensure those objectives are being met (discussed later in Step 3). The risk assessment should take place whether the governmental entity decides to assign the duties in-house or outsource them. In either case, management of the governmental entity needs to be heavily involved in the risk assessment and in making the decisions relating to the results of the evaluation. The risk assessment should be an evolving process, changing as processes, controls and technologies change. We propose performing a risk assessment at least on an annual basis.

Step 3: Develop a Plan

After the risk assessment has been performed and objectives to mitigate the risks have been identified, the next step in the proactive approach is to develop an audit plan. The audit plan should outline the processes, sub-processes and departments that will be reviewed and the procedures necessary to accomplish each risk assessment objective. As discussed in Step 1 – self-evaluation, it is crucial that individuals with the appropriate background and internal control understanding are assisting in developing the audit plan.

As you may find, the biggest challenge in developing a comprehensive audit plan is follow-through. More often than not, governmental entities get overwhelmed by other obligations, which causes the audit plan to be set aside. To have a successful plan, a governmental entity must stay dedicated to the process. No matter the results or the outcome, the governmental entity must see the plan through to fruition. We recommend establishing an internal audit function assigned with the duties of developing the audit plan.

Another key part of developing a successful audit plan is determining how to measure the results of that plan. Results are measured through communication and the level of deficiencies identified. For example, the audit plan may discover that the purchasing director has the ability to approve and initiate any transaction under $100,000. This amount may be immaterial to the governmental entity; however, through the audit plan you noticed that 200 transactions at $1,000 for one vendor were approved by the purchasing director over a two-year period. Even though this may not be a deficiency, it identifies a potential issue that increases the risk of fraud or errors occurring, and it helps the governmental entity consider developing mitigating controls to reduce that risk. To us, this is a successful result. Not all results have to identify a deficiency; a result can instead identify an area or control that could be improved upon. Objectivity and independence – having the ability to objectively step back, look at yourself and your processes with a clear set of eyes – are huge factors in this step.
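The purchasing-director finding above, and the initiation and authorization conflicts raised in Step 1, can be tested for directly in payment data. The following is an added example, not part of the original white paper; the field names, user IDs, ledger contents and the rule of flagging once combined self-approved payments to one vendor reach the $100,000 limit are all assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Payment(NamedTuple):      # hypothetical ledger record
    vendor: str
    initiator: str              # user who created the transaction
    approver: str               # user who authorized it
    amount: float

def same_person(a: str, b: str) -> bool:
    # Compare user IDs ignoring case and stray spaces ("PDirector " == "pdirector").
    return a.strip().lower() == b.strip().lower()

def self_approval_findings(payments, approval_limit=100_000):
    """Return (approver, vendor, count, total) where one person both initiated
    and approved payments that are each under the limit but together reach it."""
    groups = defaultdict(lambda: [0, 0.0])
    for p in payments:
        if same_person(p.initiator, p.approver) and p.amount < approval_limit:
            g = groups[(p.approver.strip().lower(), p.vendor)]
            g[0] += 1
            g[1] += p.amount
    return sorted(
        (who, vendor, n, total)
        for (who, vendor), (n, total) in groups.items()
        if total >= approval_limit   # assumed escalation rule, not from the paper
    )

# Constructed sample ledger, assumed already limited to the two-year review period.
LEDGER = (
    [Payment("Vendor A", "pdirector", "PDirector", 1_000.0)] * 200   # self-approved
    + [Payment("Vendor B", "pdirector", "pdirector", 5_000.0)] * 3   # self-approved, small
    + [Payment("Vendor A", "clerk1", "pdirector", 40_000.0)] * 4     # properly segregated
    + [Payment("Vendor C", "clerk2", "manager1", 150_000.0)]         # properly segregated
)

if __name__ == "__main__":
    for who, vendor, n, total in self_approval_findings(LEDGER):
        print(f"{who} initiated and approved {n} payments to {vendor}: ${total:,.0f}")
```

On this ledger only the 200 payments of $1,000 to Vendor A are reported: each is far below the approval limit, but together they total $200,000 without a second person ever reviewing them.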

Step 4: Communication and Education

Communication and education may be one of the most important steps, and it starts with education. The first step in the education process should be with the body of governance. A governmental entity should look to identify individuals who are completely removed from the day-to-day operations and responsible for the management of the governmental entity to serve as a body of governance. This body of governance can be separate from the local government board. From our experience, the biggest obstacle or concern for the body of governance is analyzing the benefits in comparison to the costs of developing an internal audit function. The fact is most California governmental entities do not have an internal audit function and are larger, in terms of operations, than most publicly traded companies. Governmental entities also have more stringent compliance rules and regulations with more involved stakeholders.

In comparison, most if not all publicly traded companies have an internal audit department charged with developing a proactive environment to ensure that risks are identified and addressed. Most of these companies charge their internal audit departments with Sarbanes-Oxley (SOX) evaluation requirements or have a completely separate SOX department in an effort to mitigate risks and to promote a proactive environment. Governing bodies should view a proactive approach as reducing the potential costs that could be detrimental to the governmental entity. The results of your audit should be communicated internally to both the individuals that were reviewed and the governing body.

Step 5: Follow-up

The proactive process does not conclude with identifying problems as well as solutions and communicating them to your board. The final step in the proactive process is to develop follow-up procedures on the issues and deficiencies identified to ensure that they are being properly corrected and that no additional issues arise through the implementation process (or unforeseen problems). Communication is a key process and should be incorporated in the follow-up procedures.

Conclusion

You may be asking yourself if your organization would really benefit from implementing such an approach; or if this is a priority. Recent events have shown that having a proactive internal audit environment is definitely a priority. Finance directors and other key operational management are being asked to respond to fraudulent acts and weak controls; and explain how this may have occurred and why it was not prevented or detected timely. Unfortunately, many have little or no explanation. Don’t be in this situation. YES! This process should be a priority.

In an ideal proactive environment, a local government performs an annual risk assessment of key controls at each department and develops an internal audit plan based on the risk assessment to validate that those key controls have been standardized and are actively being followed by departments. It executes the audit plan on a periodic basis through process reviews and internal audits. It communicates the results of the internal audits and reviews to the board while making valid recommendations to correct the deficiencies identified. Lastly, it follows up on and monitors the deficiencies identified as a result of the internal audits.

We believe that a proactive environment will help an organization identify the areas where it is weakest at preventing errors and/or fraud from taking place. There are plenty of resources on establishing proper internal controls in a local government; however, there are limited resources on how to develop a proactive environment that includes active internal audits, measuring the results of those internal audits and correcting the deficiencies identified. At Lance, Soll & Lunghard, we take pride in being the foremost leaders in performing internal audits for local governments of any size.

Please contact one of our internal audit experts to start the education process in developing a proactive environment for your organization at (714) 569-1000.
