In general, what are the major objectives of internal control? What is their purpose?
Key internal controls are critical to an organization functioning effectively and safely. Their purpose is efficiency and reduction of fraud in the transactional process. Key controls relate directly to risk. Segregation of duties is a key control. The same person should not have custody, authorization, recording and reporting responsibilities for any asset, such as cash. A second person should review and approve a transaction before it is authorized.
Transactions should be accurately recorded, posted, and balanced. Unusual variations and deviations need to be identified, researched and resolved. Each key control needs to be tested. For example, if a key control is that the Board of Directors is properly experienced, the test would be to review the latest 10-K, view the biographical data on each board member and then document their independent status.
The ever-present risk is that controls may not exist or may not be operating properly.
What are the risks associated with providing financial services such as those of a trustee? Classify each risk as (1) high, (2) medium or (3) low.
Transaction controls are very high risk (1). In the case under consideration, the Finance Department requires supporting documentation for any disbursement. Case workers may make smaller payments from petty cash. This is medium risk (2) due to the smaller nature of the amounts involved. Incoming mail is opened by a client’s financial representative. This is high risk (1) since cash or checks may be misappropriated. Bank reconciliations are required. This is high risk (1) since without an appropriate monitoring function discrepancies or fraud cannot be detected. It was noted that the Finance department requires supporting documentation for all disbursements, but it was not always provided. Allowing an exception to this control is an invitation to fraud, as the payment could be to a fictitious company controlled by an employee.
Review the processes outlined in the case and indicate where: (a) Controls should be in place but do not exist and (b) Controls are in place but aren’t working effectively.
Controls should exist in the hiring process. Proper documentation should exist to verify previous employment, as well as degrees. The HR department missed this key control according to the narrative by not verifying an out of country college degree. The HR department also used a close personal reference as a business reference.
Controls were in place but not being observed in the transactional level. A pre-audit is required on disbursements to make sure approvals have been obtained along with proper documentation. The narrative states that smaller dollar values of disbursements did not fall under this control. This left the door open for a series of fraudulent transactions. All client funds must be administered through the bank accounts. Either the financial representative or the case worker is authorized to sign checks on bank accounts. The fact that bank reconciliations were not performed monthly opened another avenue for fraud to occur through misappropriation without detection. Without a monitoring control (reconciliation of a bank account every month), major funds can disappear and not be detected for a long period of time. Cash was received in the mail, but the control states that only one person is responsible. This is an invitation to malfeasance, since at least two people under a proper segregation of duties scenario should be involved in the receipt of cash. One should open the mail and log it, and the second should prepare a bank deposit.
For each of the controls that are in place, or should be, identify whether that control is preventive or detective.
Prior to a payment being made, a pre-audit is done. Preventive.
Necessary approvals are obtained before disbursement. Preventive.
Proper documentation to backup the disbursement. Preventive.
Payments authorized by one person and approved or reviewed by another. Preventive.
Bank reconciliations should occur monthly. Detective.
New workers are properly vetted. Preventive.
Bank reconciliations are reviewed by a supervisor. Detective.
Petty cash disbursements are approved prior to payment. Preventive.
Was NCT’s senior management adequately performing its fiduciary responsibilities on behalf of its clients? Give an example of how it was or was not meeting its responsibilities.
No, there was not a proper conduct of fiduciary responsibilities. The Finance department in particular had lax internal controls, was not conducting a monitoring function on its cash, and was allowing internal controls to be bypassed. Corporate governance at a higher level, that of management, was at fault for not having an active Internal Audit function. The function of Internal Audit is to actively monitor key controls over each process, particularly high-risk processes such as cash receipts and cash payments. A strong Internal Audit function would have detected the fraud well ahead of schedule. Quarterly tests would have been made on key controls in the finance function. Both management and the Finance department were responsible for allowing the fraud to reach the extent it did.
What are the ethical responsibilities of senior management to its clients?
Ethical responsibilities include proper control over funds, and disbursing funds only for authorized expenditures. Management has the duty to preserve and protect the capital of its clients. It can do this only through a strong series of Internal Controls which are based on a risk matrix. Secondly, it has to actively enforce and monitor those controls through an Internal Audit function.
How would you test whether inappropriate activity had occurred?
The testing function should occur through the Internal Audit staff. These are highly trained auditors who know how to develop a risk matrix for any organization. A risk matrix looks at the narrative overview of how a process operates, and then decides on three to six key control points where fraud could occur in any transaction. These key control points are tested at least quarterly and sometimes monthly.
Testing should have occurred primarily at the transactional level. Key control points to have been tested would have been to verify that all cash received is posted, logged and banked properly. All disbursements should be pre-approved and documented by at least two independent people. These tests are designed by auditors and basically are a review of the transaction. For example, in a disbursement, the invoice is determined to exist, and an authorized signature for review approval should appear on the invoice. The invoice should appear reasonable and related to the client’s situation. It is tested by examination and review of the document. In terms of bank reconciliations, they should be performed. This is tested by reviewing an actual reconciliation. It should balance with no discrepancies. It should be prepared by one person and separately reviewed by another. The supervisor who reviews it should initial and date the time of his review and approval on the bank reconciliation. The bank reconciliation should tie in to the numbers on the bank statement. All of this documentation needs to be preserved and ready for review on a monthly basis by an independent auditor.
According to a 2010 Report on Occupational Fraud, small organizations are highly subject to employee fraud due to the lack of significant anti-fraud controls which are active, in place, and audited. Therefore simply having in place enough valid and active internal controls at key points in processes is sufficient to guard against fraud being perpetrated. The philosophy, though, of some smaller organizations is counterproductive to this as they do not practice this key business principle (Heslop and Kapp, 2011).
Internal controls are a process created by an entity’s board of directors and management. They provide reasonable assurance regarding the achievement of objectives. Effective internal controls safeguard assets, provide reliable financial report and promote efficiency while complying with laws (Jahmani and Ansari, 2014).
- Heslop, G., & Kapp, L. A. (2011, October). Protecting small businesses from fraud: simple controls can reduce opportunities. The CPA Journal, 81(10), 62+. Retrieved from http://edb.pbclibrary.org:2077/
- Jahmani, Y., Ansari, M. I., & Dowling, W. (2014). Testing for internal control weaknesses in accelerated filers. Academy of Accounting and Financial Studies Journal, 18(1), 97+. Retrieved from http://edb.pbclibrary.org:2077/