Internal Control / Fraud Deterrence

Duties within the department or function should be segregated so that one person does not perform every facet of a particular business process. Duties that should be segregated include: Authorization, Custody of the Assets, and Recording Transactions.

If an adequate segregation of duties does not exist, the following could occur:

• Misappropriation of assets.
• Misstated financial statements.
• Inaccurate financial documentation (i.e., errors or irregularities).
• Improper use of funds or modification of data could go undetected.

Best Practice

Design a system of checks and balances to decrease the likelihood of errors and irregularities. The person who prepares documentation should not be the same person to authorize and execute the transaction (i.e. one person should not be able to accept cash, record deposits for banking, make the bank deposits, and reconcile the account).

Written policies and procedures codify management’s criteria for executing an organization’s operations. Developing and documenting policies and procedures is the responsibility of management; thus, they should document business processes, personnel responsibilities, departmental operations, and promote uniformity in executing and recording transactions. Thorough policies and procedures serve as effective training tools for employees.

If written policies and procedures do not exist, are inaccurate, incomplete, or simply not current, the following could result:

• Inaccurate and unreliable financial records due to inappropriate recording of transactions.
• Inconsistent practices among employees and/or departments.
• Processing errors due to a lack of knowledge.
• Inability to enforce employee accountability.

Best Practice

1. Document all significant business practices, processes, and policies.
2. Make the policies and procedures available to all personnel.
3. Ensure they are accurate, complete, and current.
4. Revise policies and procedures for changes in business processes and policies. This is particularly important when new systems are developed and implemented, or other organizational changes occur.
5. Communicate significant changes to all affected personnel immediately to ensure they are aware of any revisions to their daily duties and responsibilities.
6. If there are changes in personnel (i.e. new employees are hired, promotions granted, etc.), documented policies and procedures will facilitate training and provide guidelines for the respective positions. Policies and procedures are only effective if people are aware and understand them.

Assets are the economic resources a business owns that are expected to be of benefit in the future. Cash, office supplies, merchandise, furniture, equipment, land, buildings, and sensitive or confidential data are some examples. Protective measures must be taken to ensure that assets are maintained in a properly controlled and secured environment. The most important type of protective measure for safeguarding assets is the use of physical precautions. If physical precautions are not in place the following could occur:

• Theft.
• Items may be lost or misplaced.
• Fraud may be committed using unauthorized data.
• Unauthorized transactions or processing could occur if data is not adequately safeguarded.
• The University could incur added expenses and loss or revenue.

Best Practice

1. Store all assets in a secure, locked area.
2. Cash should be stored preferably in the fire-proof safe.
3. Restrict access to data and other assets to a limited number of individuals within the department or organization.
4. Ensure proper access controls are in place in systems. (i.e., user IDs and passwords that are unique and forced to be changed frequently by the system)

Efficient performance accomplishes goals and objectives in an accurate and timely fashion using minimal resources. Inefficiencies in operations occur when processes are performed that provide no additional benefit or value. Operations are considered effective when they are functioning as intended. If, for example, two individuals are both responsible for executing the same function within a process, a duplication of efforts would exist. This is an inefficient and ineffective use of time and resources. Inefficiency and ineffectiveness may result in a lack of resource availability and may cause a unit to be unable to meet its objectives. Frequently, this results in added operational costs to the organization. Those costs could be measured in additional overtime wages needed to accomplish goals and objectives, unmet targets, lost productivity, or the inability to accept additional responsibility. Accordingly, inefficiencies result in the inability to be effective in attaining objectives.

Best Practice

• Analyze business processes and identify and eliminate any duplicated efforts.
• Streamline processes by reducing any non-valued added procedures.
• Identify any processes that have been done merely because “that’s the way we’ve always done it". Determine if those processes are still needed. If they are, identify methods that would allow steps to be completed either timelier or effectively.
• Strive to process documents and/or transactions in a minimum required time to increase the efficiency and effectiveness of the unit.
• Employ a cost-benefit methodology when analyzing and developing new processes. If the costs outweigh the benefits, then consider eliminating the procedures or significantly reducing the number of steps needed to complete the process.
• Think “outside of the box”. Look for more innovative ways to accomplish goals and objectives.
• Automate where possible.

When a process is performed within a department, there should always be another level of review and approval performed by a knowledgeable individual independent of the process. The approval should be documented to verify that a review was done. Review and approval are controls that help management gauge whether operational and personnel goals and objectives are being met. The lack of review and approval could result in the following:

• Errors may be overlooked resulting in misstatements that could affect financial, as well as, operational decisions.
• Inaccurate or incomplete information in accounts and/or reports.
• The inability to detect irregularities.

Best Practice

• A thorough review of processes, transactions, and reports should be performed for accuracy, completeness, and timeliness.
• The reviewer should be knowledgeable about the items or areas being performed such that they are able to readily identify errors and/or omissions.
• The reviewer should preferably be someone who has the authority (e.g., supervisory role) who is able to authorize, provide direction, and make decisions about the items under review.
• The reviewer should be someone who does not perform the process.
• Evidence of the review and approval should be documented. (e.g., signed or initialed and dated by the reviewer/approver)

Reporting is defined as disclosing facts about an entity. These facts could be financial, regulatory, or statistical in nature. Decision makers use these facts to make assumptions about an entity. Inaccurate or incomplete reporting could result in the following:

• The loss of research funding and state appropriations.
• Difficulty obtaining debt financing.
• Reduced credibility.

Best Practice

• Accurate, complete, and current.
• Full Disclosure.
• Concise.
• Objective.
• Provided on a timely basis.

Accounting is a system that measures business activities, processes that information into reports, and communicates these findings to decision makers. Two major controls of an accounting system are accurate posting of transactions and adequate account review and reconciliation. Inadequate controls over an organization’s accounting system could result in:

• Misstated financial reports.
• Inaccurate and unreliable financial records.

Best Practice

• Employees are properly trained on performing accounting functions.
• Only authorized personnel can establish or modify accounting ledger attributes. (e.g., accounts, object codes, transaction codes)
• Transactions, adjusting journal entries, and reports are reviewed for accuracy, completeness, and timeliness of processing before they are authorized.
• Accounts are reconciled monthly.
• Individuals performing account reconciliations are independent of the cash receipts or cash disbursements process.
• Reconciling items, errors and omissions are identified and corrected on a timely basis.
• Account reconciliations are documented.
• Reconciliations are reviewed and approved.
• Automated accounting systems are properly developed by knowledgeable accounting and computing staff.
• Automated accounting systems have the proper level of input and processing controls to ensure the integrity of the financial data being reported.
• A proper segregation of duties exists within the accounting function.

In simple terms, timeliness means meeting prescribed deadlines. When deadlines are not met, the following could occur:

• Inefficiencies could result.
• Fines or penalties could be imposed.
• Prospective projects or customers could be lost.
• Other operational processes could be negatively impacted.

Best Practice

Frequently, the timeliness of processing is not a major priority on an individual’s “to do” list. As organizations continue to push to do more with less and create increased operational efficiencies and profits, timeliness has become important to the overall success of the organization as whole. It’s the one area where all employees can analyze their workflows and identify ways to work smarter and save time. Here are a few tips:

• Obtain an understanding of all the required deadlines particularly those that are “not negotiable” such as regulatory due dates.
• Build in adequate lead times to ensure the work product or report is complete, accurate, and has been reviewed before it is submitted. Meeting the deadline is great but providing a quality product on time is better. If it must be returned for corrections or omissions, the deadline has not been met.
• Prioritize activities when critical deadlines are imminent.
• Ensure adequate resources are available, trained, and able to complete the tasks in order to meet the deadlines.
• If deadlines cannot be met, notify the appropriate parties in advance. Determine if the deadline is negotiable. Commit to the new date and be willing to do whatever it takes to meet it.
• Create a synergy within the unit or organization that embraces the Kaizen philosophy that continuous process improvement means that a product is quality if it’s great and on time.