Internal Controls, Fraud and Abuse Awareness presented by South Texas College Business Office Financial Information Services Connecting And Leading.

1.1.

Internal ControlsInternal Controls

Business OfficeBusiness OfficeFFinancial inancial IInformation nformation SServices ervices CConnecting onnecting AAnd nd LLeadingeading

SAS NO. 78 CONSIDERATION OF SAS NO. 78 CONSIDERATION OF I/C IN A F/S AUDIT: AN I/C IN A F/S AUDIT: AN

AMENDMENT TO SAS NO.55AMENDMENT TO SAS NO.55

Definition of I/C:Definition of I/C:

““Internal control is a process - effected by an Internal control is a process - effected by an entity’s board of directors, management, and entity’s board of directors, management, and other personnel - designed to provide other personnel - designed to provide reasonablereasonable assuranceassurance regarding the regarding the achievement achievement of objectives in the following of objectives in the following categories:categories:

a) reliability of financial reportinga) reliability of financial reporting

b) effectiveness b) effectiveness and and efficiency of operations, efficiency of operations,

c) compliance with applicable laws and c) compliance with applicable laws and regulations.”regulations.”

SAS NO. 78 CONSIDERATION OF SAS NO. 78 CONSIDERATION OF I/C IN A F/S AUDIT: AN I/C IN A F/S AUDIT: AN

AMENDMENT TO SAS NO.55AMENDMENT TO SAS NO.55

Five components of I/C:Five components of I/C:1) Control environment1) Control environment2) Risk assessment2) Risk assessment3) Control activities3) Control activities4) Information and communication4) Information and communication5) Monitoring5) Monitoring

Control EnvironmentControl Environment

This component includes the This component includes the attitude ofattitude of managementmanagement at all levels toward at all levels toward operations in general and specifically operations in general and specifically the concept of controls. This includes:the concept of controls. This includes: ethics, ethics, competence, competence, integrity, integrity, a demonstrated interest in the well being of a demonstrated interest in the well being of

the organization and the organization and organization structure and management's organization structure and management's

policies and philosophy.policies and philosophy.

Risk AssessmentRisk Assessment

This component is and has been a part This component is and has been a part of progressive internal audit activity. It of progressive internal audit activity. It involves:involves: identifying the risks in all areas of the identifying the risks in all areas of the

organizationorganization establishing the vulnerability of the establishing the vulnerability of the

organization through evaluating the risks.organization through evaluating the risks.

The objectives in all aspects of the The objectives in all aspects of the operation must be considered so as to operation must be considered so as to assure that all parts of the organization assure that all parts of the organization

are operating in concert.are operating in concert.

Control ActivitiesControl Activities This component includes those activities This component includes those activities

that are traditionally associated with the that are traditionally associated with the concept of internal control. These activities concept of internal control. These activities include:include: approvals, approvals, responsibilities responsibilities authorities, authorities, separation of duties, separation of duties, documentation, documentation, reconciliation, reconciliation, competent and honest personnel,competent and honest personnel, internal check, internal check, and internal auditing. and internal auditing.

These activities should be risk evaluated These activities should be risk evaluated throughout the entire organization throughout the entire organization considering the organization as a universe.considering the organization as a universe.

Information and Information and CommunicationCommunication

This component is an essential part of the This component is an essential part of the management process. Management cannot management process. Management cannot function without function without current intelligence.current intelligence.

The communication of information relative The communication of information relative to the operation of internal controls to the operation of internal controls provides substance on which management provides substance on which management can can form its evaluationsform its evaluations as to the control as to the control process effectiveness and to manage its process effectiveness and to manage its operations.operations.

MonitoringMonitoring

Monitoring is the provision of Monitoring is the provision of dynamic rational evaluation of the dynamic rational evaluation of the information supplied by the information supplied by the communication of information for communication of information for the purpose of control the purpose of control management.management.

Benefits of Control Benefits of Control

Controls are means of helping Controls are means of helping managers achieve objectives and managers achieve objectives and goals.goals.

Benefits of ControlBenefits of Control (Cont.)(Cont.)

Management looks at control as a Management looks at control as a means of integrating personal and means of integrating personal and enterprise objectives to help enterprise objectives to help people meet their goal people meet their goal

They can also activate individuals They can also activate individuals to improve their performance not to improve their performance not just get by with what they are just get by with what they are doing. doing.

Benefits of ControlBenefits of Control (Cont.)(Cont.)

For example, it is well accepted For example, it is well accepted that three conditions must exist that three conditions must exist before a person will embezzle an before a person will embezzle an employer's funds: employer's funds: unusual need (actual or perceived), unusual need (actual or perceived),

(motive)(motive) opportunity and opportunity and rationalization, (incentive) rationalization, (incentive)

Benefits of ControlBenefits of Control (Cont.)(Cont.)

Management can do little about Management can do little about how an employee perceives his or how an employee perceives his or her needs. But by adequate her needs. But by adequate control, the opportunity or control, the opportunity or temptation to embezzle can be temptation to embezzle can be removed or diminished. removed or diminished.

Benefits of ControlBenefits of Control (Cont.)(Cont.)

2.2.

Fraud AwarenessFraud Awareness

Business OfficeBusiness OfficeFFinancial inancial IInformation nformation SServices ervices CConnecting onnecting AAnd nd

LLeadingeading

According to According to Statements on AuditingStatements on Auditing Standards (SAS) 99Standards (SAS) 99, Consideration of , Consideration of Fraud in a Financial Statement Audit, Fraud in a Financial Statement Audit, management is responsiblemanagement is responsible for for

designing and implementing systems and designing and implementing systems and procedures for the prevention and detection procedures for the prevention and detection of fraud of fraud

and, along with the board of directors, for and, along with the board of directors, for ensuring a culture and environment that ensuring a culture and environment that promotes honesty and ethical behavior.promotes honesty and ethical behavior.

Fraudulent and Fraudulent and Dishonest ActsDishonest Acts

The key components of a The key components of a fraudfraud prevention and detection programprevention and detection program consist of consist of

a culture of honesty and ethics,a culture of honesty and ethics, fraud risk assessment and properly fraud risk assessment and properly

designed (mitigating) controls designed (mitigating) controls an appropriate oversight process.an appropriate oversight process.

Fraudulent and Fraudulent and Dishonest Dishonest Acts Acts (Cont.)(Cont.)

A fraud or dishonest act generally A fraud or dishonest act generally involves a deliberate act or failure involves a deliberate act or failure to act with the intention ofto act with the intention of

obtaining an unauthorized benefitobtaining an unauthorized benefit destruction of property destruction of property or otherwise fraudulent behavior.or otherwise fraudulent behavior.

Definition of FraudDefinition of Fraud

The Association of Certified Fraud The Association of Certified Fraud Examiners (ACFE) defines “fraud” as: Examiners (ACFE) defines “fraud” as: ““The use of one’s occupation for The use of one’s occupation for personal enrichment through the personal enrichment through the deliberate misuse or misapplication of deliberate misuse or misapplication of the employing organization’s resources the employing organization’s resources oror assets”assets”

(Report to the Nation on Occupational Fraud Abuse, 1999).(Report to the Nation on Occupational Fraud Abuse, 1999).

Definition of FraudDefinition of Fraud (Cont.)(Cont.)

Occupational fraud and abuseOccupational fraud and abuse encompasses a wide variety of encompasses a wide variety of conduct by employees, managers, conduct by employees, managers, and principals or organizations and principals or organizations ranging from pilferage to ranging from pilferage to sophisticated investment swindles.sophisticated investment swindles.

Definition of FraudDefinition of Fraud (Cont.)(Cont.)

The key is that the activity :The key is that the activity : Is clandestine (Is clandestine (held or done in secrecyheld or done in secrecy or or

concealment for purposes of deception)concealment for purposes of deception) Violates the employee’s Violates the employee’s fiduciary dutiesfiduciary duties

to the organization.to the organization. Is committed for the purpose of direct or Is committed for the purpose of direct or

indirect financial indirect financial benefit to the employeebenefit to the employee CostsCosts the employing organizations the employing organizations

assets, revenues and reserves.assets, revenues and reserves.

Definition of FraudDefinition of Fraud (Cont.)(Cont.)

ExamplesExamples

Fraud or dishonest acts include, but are Fraud or dishonest acts include, but are not limited to the following.not limited to the following. Theft or misappropriation of funds, Theft or misappropriation of funds,

long distance telephone services, long distance telephone services, supplies, property, computer software, supplies, property, computer software, intellectual property, or other intellectual property, or other resources.resources.

Fictitious disbursementsFictitious disbursements Check tampering such as forged Check tampering such as forged

endorsement, altered payee, or endorsement, altered payee, or concealed checks.concealed checks.

Fictitious write-offs and refundsFictitious write-offs and refunds Fictitious vendor or employee or Fictitious vendor or employee or

student payments.student payments. False statementFalse statement False overtimeFalse overtime Petty theft and pilferagePetty theft and pilferage False request for reimbursementFalse request for reimbursement Forgery or alteration of documentsForgery or alteration of documents

Examples Examples (Cont.)(Cont.)

Bribery or attempted briberyBribery or attempted bribery Invoice kickbacksInvoice kickbacks Bid riggingBid rigging Illegal gratuitiesIllegal gratuities Economic extortionEconomic extortion Unauthorized use of records or Unauthorized use of records or

access to information systems, access to information systems, including unauthorized sharing of including unauthorized sharing of computer security clearancescomputer security clearances

Examples Examples (Cont.)(Cont.)

Unauthorized alteration, Unauthorized alteration, manipulation, or destruction of manipulation, or destruction of computer files and datacomputer files and data

Falsification of reports to Falsification of reports to management or external agenciesmanagement or external agencies

Conflicts of interest that pursue a Conflicts of interest that pursue a personal benefit or advantage while personal benefit or advantage while compromising the public interestcompromising the public interest

Improper handling or reporting of Improper handling or reporting of financial transactionsfinancial transactions

Examples Examples (Cont.)(Cont.)

Financial asset misappropriation such Financial asset misappropriation such as asset/revenue overstatements or as asset/revenue overstatements or understatements, fictitious revenues, understatements, fictitious revenues, concealed liabilities and expenses concealed liabilities and expenses and improper asset valuationsand improper asset valuations

Inaccurate employment credentialsInaccurate employment credentials Authorizing or receiving Authorizing or receiving

compensation for goods not received compensation for goods not received or services not performedor services not performed

Examples Examples (Cont.)(Cont.)

Authorizing or receiving Authorizing or receiving compensation for hours not workedcompensation for hours not worked

Incurring obligations in excess of Incurring obligations in excess of appropriation authority, and willful appropriation authority, and willful violation of laws, regulations or violation of laws, regulations or policies, or contractual obligations policies, or contractual obligations when conducting STC businesswhen conducting STC business

Use of College property for personal Use of College property for personal benefitbenefit

Payroll and sick time abusesPayroll and sick time abuses

Examples Examples (Cont.)(Cont.)

Employee Employee ResponsibilitiesResponsibilities

An employee with a reasonable An employee with a reasonable basis for believing fraudulent or basis for believing fraudulent or other dishonest acts have other dishonest acts have occurred has a occurred has a responsibility to responsibility to reportreport the suspected act in a the suspected act in a timely manner.timely manner.

Reports should be made to the Reports should be made to the employee’s immediate supervisor or employee’s immediate supervisor or manager or Director of Human manager or Director of Human Resources. The employee should Resources. The employee should report in writing the following:report in writing the following:

Department where it is occurringDepartment where it is occurring What is occurringWhat is occurring When it occurredWhen it occurred Who is involvedWho is involved How is it occurringHow is it occurring

Employee Employee Responsibilities Responsibilities

(Cont.)(Cont.)

An employee may also report the An employee may also report the fraudulent or dishonest act by fraudulent or dishonest act by calling the calling the Anonymous Fraud and Anonymous Fraud and EthicsEthics HotlineHotline at the number at the number posted on the College’s website or posted on the College’s website or the State Auditor’s Office Fraud, the State Auditor’s Office Fraud, Waste, and/or Abuse Hotline at 1-Waste, and/or Abuse Hotline at 1-800-TX-AUDIT. Employees may 800-TX-AUDIT. Employees may choose to remain anonymous.choose to remain anonymous.

Employee Employee Responsibilities Responsibilities (Cont.)(Cont.)

3.3.

Abuse AwarenessAbuse Awareness

Business OfficeBusiness OfficeFFinancial inancial IInformation nformation SServices ervices CConnecting onnecting AAnd nd

LLeadingeading

AbuseAbuse

Abuse is distinct from fraudAbuse is distinct from fraud, illegal , illegal acts, and violations of provisions acts, and violations of provisions of contracts or grant agreements. of contracts or grant agreements. When abuse occurs, no law, When abuse occurs, no law, regulation, or provision of a regulation, or provision of a contract or grant agreement is contract or grant agreement is violated.violated.

Rather, abuse involves behavior Rather, abuse involves behavior that is deficient or improper when that is deficient or improper when compared with behavior that a compared with behavior that a prudent personprudent person would consider would consider reasonable and necessary reasonable and necessary business practice given the facts business practice given the facts and circumstances.and circumstances.

Abuse Abuse (Cont.)(Cont.)

We should be alert to situationsWe should be alert to situations

or transactions that could be or transactions that could be indicative of abuse.indicative of abuse.

Abuse Abuse (Cont.)(Cont.)