# In Black & White

## Freeing Finance & Budget Departments from Drudgery One Article at a Time

### Improve your Internal Controls to Lower Audit Fees

• Jamie Black
• In Control
• minute(s)If you're a typical finance department, discussions about Internal Controls are probably not part of your daily work day. In our experience, accounting teams start thinking and discussing Internal Control when they have: found an alarming incidence of error in their business processes are subjected to a performance audit (if they are a local government) heard of another organization falling victim to fraud Outside of these scenarios, the strength of internal controls systems doesn't often get a lot of finance's attention while they take care of payroll, budgeting, management reporting, financial reporting and so much more.  There is a large, but often overlooked reason to focus on your internal controls system, an opportunity to reduce audit fees. Audit Fees Increase with Poor Internal Controls Poor internal controls and/or poor documentation of existing controls directly lead to increased audit fees. Why? Auditors must increase the amount of testing performed (sample size) when they determine that internal controls can not be relied upon (International Standard on Auditing  - 530 Audit Sampling) to reduce audit risk to an acceptable level (International Standard on Auditing - 330 Auditor Responses to Assessed Risk). Specifically: "Deficiencies in the control environment, however, have the opposite effect; for example, the auditor may respond to an ineffective control environment by: • Conducting more audit procedures as of the period end rather than at an interim date. • Obtaining more extensive audit evidence from substantive procedures. • Increasing the number of locations to be included in the audit scope.   The evidence of this direct relationship between audit fees and internal controls abounds. In December 2016, the Financial Executives Research Foundation (FERF) survey of more than 6,000 organizations found that reviews of internal controls continue to be one of the three major driving factors behind rising audit fees: More than 20% of the respondents that had audit fee increases cited a “review of manual controls from [Public Company Accounting Oversight Board] inspections.” Companies that cited ineffective internal controls as adding to audit fees experienced a 5.1% median increase, almost two percentage points higher than the median increase for all other filers. 3 Recommendations to Reduce Audit Fees In their followup article "Mitigating Increases in Audit Fees" the FERF interviewed preparers and auditors to understand causes and develop recommendations. Several recommendations focused specifically on Internal Controls improvements that drive lower audit fees including: Align key controls with key risks:  Ensuring the organization has strong controls to address the most significant risks will give management and auditors increased confidence. Document internal controls: If an organization has very light or poorly organized documentation, or hasn’t thought through all the branches in a process, attestation becomes difficult for the auditor — and more costly for you. Evaluate the latest technology: External and internal auditors are both using data analytics  and continuous controls monitoring technology to increase audit quality, work smarter and potentially reduce costs. There are many great reasons to focus on improving your organizations' internal controls. Lower Audit fees is another good one.
Finance professionals know the importance of strong internal controls for managing but overlook the opportunity to reduce audit fees.

### In Control: Why Monitor When We Know it is Broken?

• Holly Ueland
• In Control
• minute(s)In part 1 of this series, we discussed how continuous controls monitoring is incredibly valuable for management. In this installment of the series, we address a recurring question we hear.  When chatting with clients we hear "Listen, I know our processes is broken. Why waste time monitoring it when we could spend that time fixing it? Aren't we checking the pulse of a dead patient?" This statement does seem to have some logic to it. But it over-simplifies the situation. The reality is that monitoring your control activities is an integral part of the effort to fix them. When we say "broken" we typically mean that the process is failing to achieve its objective. Translating this into Internal Control terminology we mean the control activities are failing to mitigate risk.  Business processes are often very complex with many steps, risks, controls, stakeholders and participants. When we say "the process" is broken we mean one or more risks are not being controlled. But which controls? Why? That information is going to be critical in determining how we fix "it". Monitoring controls that we suspect are not functioning can tell us which controls are failing and why. This information is critical to making good decisions about how to resolve the issue: Further, once we resolve the issue (Repair, Implement, or Remove) we will want to monitor to ensure new problems don't crop up or old ones reocur. If you go in for heart surgery, Doctors want to keep a close eye on you for some time thereafter! How does your organization determine what expected controls are for various processes and determine which ones to monitor? Through best practices, which we discuss in part III of this series.
The importance of Monitoring is often overlooked in internal control systems. Even when processes are"broken", it turns out monitoring is essential.

### 6 Key Fraud Findings for Government Finance Officers

• Holly Ueland
• In Control
• minute(s)The Association of Certified Fraud Examiners (ACFE) 2016 Report to the Nations on Occupational Fraud and Abuse had several findings that will be very interesting to finance managers in local government. The 2016 report is based on the results of the 2015 survey. As part of the survey, respondents were asked to provide a detailed narrative of the single largest fraud case they had investigated since January 2014. Respondents were then presented with 81 questions to answer regarding the particular details of the case, including information about the perpetrator, the victim organization, and the methods employed, as well as fraud trends in general. While the report is very interesting from many respects, there are 6 points we want to highlight. 6 Findings relevant for Government Finance Officers The most prominent organizational weakness that contributed to the frauds in the study was a lack of internal controls, which was cited in 29.3% of cases, followed by an override of existing internal controls, which contributed to just over 20% of cases. Government and public administration experienced the third highest incidence of losses due to error and fraud, with a median loss of $109,000/ incident. Small organizations had a significantly lower implementation rate of anti-fraud controls compared to large organizations. Small government organizations are more susceptible to fraud. Out of all the government bodies included in the report, from federal to local, small organizations (those with fewer than 100 employees) accounted for the greatest number of fraud occurrences overall. In addition, of the fraud occurrences in small organizations, those involving cash occurred over twice as frequently. The presence of anti-fraud controls was correlated with lower fraud losses. ACFE compared organizations that had specific anti-fraud controls in place against organizations lacking those controls and found that where controls were present, fraud losses were 14.3%–54% lower Anti-fraud controls also correlated with much faster detection. Frauds were detected 33.3%–50% more quickly if the organization used such controls. The report also notes that total losses represented in the study were actually significantly higher. However, to conservatively report loss amounts, the top and bottom 1% of results were excluded from the total loss figure. Even viewing the losses reported through a conservative lens, a typical loss of$108,000 per fraud can be devastating to many organizations, especially when combined with the indirect fallout that often accompanies a fraud scheme.   Join us for a free webinar and see how CaseWare's Continuous Controls Monitoring will improve your organization's internal control. We’ll examine the ever-evolving risk profile that governments experience and also demonstrate the significant benefits available (timeliness, accuracy, and cost-effectiveness) of automating monitoring and enforcement of internal control (Continuous Monitoring) using CaseWare solutions.
2016 ACFE Report outlines several key points for government finance officers interested in internal control and eliminating fraud.

### Continuous Controls Monitoring is Management's Best Friend

• Holly Ueland
• In Control
• minute(s)Being audited is hard work! Managers spend a lot of time getting prepared, answering questions and generally feel like they are under a microscope. Despite this, most acknowledge that audits are valuable. How can you get the benefits that audits provide without the pain? Continuous Controls Monitoring (sometimes referred to by the acronym CCM or just shortened to continuous monitoring)! To understand why this is true, we need to understand a bit about the similarities and differences between audits and CCM. Both include the performance of assessments. One difference is ownership of the assessment process – the auditor is responsible for auditing, while monitoring is owned by management. You could say monitoring is auditing performed by management. CCM also provides several benefits. Easier (and Cheaper) Audits Continuous controls monitoring and external audit often directly impact each other.  If you have an undocumented, unmonitored set of internal control activities, you should expect your external auditor to perform extensive sampling and testing. That leads to increased time and effort for the auditor, increased professional fees and increased support work for you. Contrast that with an organization who has very strong monitoring of their internal controls, excellent documentation of the exceptions found and their remediation. Your auditor can review this evidence of your strong internal control system and conclude that there is minimal risk. That means less testing and time on their part, reduced professional fees and less work for you. With continuous monitoring, your audit reports can change from a laundry list of errors made throughout the prior year to a discussion of improvements in your management and control processes to better prevent, detect and remediate errors in the future. Timely and Efficient Management In addition to reducing the number of tests being performed (which should yield less expensive audits), continuous monitoring provides another significant benefit - timeliness. CCM occurs alongside business processes, so identified issues can be addressed proactively before it becomes a major (public) problem. Consider the difference between: finding and putting a hold on a suspected duplicate invoice payment before it is paid vs. detecting the payment months after it has occurred during an audit and then trying to recover funds from the vendor. By monitoring your internal control activities continuously, you have the opportunity to manage your processes as they are happening, rather than retrospectively. Check out the second part of this blog series to find out why continuous monitoring is even more important when we know controls are broken.
Continuous Controls Monitoring (CCM or sometimes Continuous Monitoring) provides a massive benefit to management AND simplifies the annual audit process.

### In Control: Internal Control - More than Just Segregation of Duties

• Holly Ueland
• In Control
• minute(s)We strike up conversations about all manner of topics with finance professionals across North America, but discussions about Continuous Controls Monitoring (CCM) can be difficult. In part it is challenging because not many of us have extensive experience with Internal Control. For example, on numerous occasions we've heard comments like “Yes, our internal controls are great; we have segregation of duties!”  With this in mind, and in consideration of the problems that a weak system of Internal Control causes, we thought we would explore some of the basics in this post. Perhaps the simplest way is to use an analogy: Imagine you are driving in your vehicle. Your objective?  To safely get to the grocery store and back, taking the most efficient route possible.  On your route, there are risks - other vehicles, pedestrians, traffic lights - which threaten to slow you down or even derail you completely on your journey. But you're not powerless.  Your car has a number of features that allow you to navigate these dangers - the mirrors, the steering wheel. the turn signals, etc. The skillful use of these features can greatly increase the likelihood of you getting to the grocery store. More than just Segregation of Duties Imagine you climbed into your vehicle and all you found was a brake pedal - no steering wheel, no turn signals, no headlights....  Would you start off on your trip? Most likely not - a single safety feature is not enough! You need a wide array of components working as an integrated system in order to have a safe and efficient trip. Your organization's internal control system is the same. Segregation of duties is an important component (see Control Activities below) of the system.  But it alone is not enough to protect your organization and ensure the attainment of your goals. What is needed is an entire framework of internal control. There are a number of different frameworks but the most popular and the one recommended by the GFOA is COSO. Below, the COSO pyramid illustrates the components of a their framework: Control environment This is often referred to as “tone at the top” and represents the many elements of the internal environment that define how the entity will conduct its activities overall.  These include “soft controls” such as shared values, high ethical standards and expectations, and openness.  However, it also includes “hard controls” such as formal job descriptions and performance reviews, and enforced disciplinary practices for violations from expected behavior.  It is hard to over-estimate the importance of this component. In fact, in January of this year the GFOA published a best practice regarding the control environment we strongly encourage you to read. Risk assessment Risk is defined as an event that will impact the achievement of one or more objectives. Risk assessment involves the identification and assessment of likelihood and impact of relevant risks.  Control activities Control activities are those actions carried out to mitigate risk in order to increase the likelihood that objectives will be achieved. Generally they break down into two categories: Preventative & Detective. Preventative: Authorization and approval: These activities provide the go-ahead to act on the entity’s behalf.  A common example is purchase approval limits, whereby individuals can commit up to a specific amount of the organization’s funds to obtain goods and services. Physical controls: This includes activities that ensure the physical security of assets, such as pass cards to restrict building access to only authorized personnel. Detective: Verification: Verification assists in determining if a transaction is legitimate and based on valid information.  For example, ensuring that purchases are made only from approved vendors. Reconciliations: The most common type of this control is bank account reconciliations.  However, any activity that ensures two or more types of information agree can be defined as a reconciliation, such as a 3-way match between a purchase order, receiving documents and the invoice received from the vendor. Here we see the role of segregation of duties. It is an example of one type of control activity (preventative).  It involves separation of the responsibility for the various aspects of a transaction – initiation, custody, recording and reconciling.  For example, separating the approval of a purchase (initiating), the ability to create a purchase order (custody), actually creating the purchase order (recording), and performing the 3-way match mentioned above (reconciling).  Information and communication Communication is the glue that holds this system together.  Information is obtained both from internal activities, such as transaction data, and external sources, such as regulatory requirements.  Appropriately and effectively communicating information across and outside the entity is essential for the achievement of objectives. Monitoring How do you know the control activities you are counting on are present and functioning? This is the role of monitoring. Unfortunately it is all-too-frequently overlooked. Your control monitoring system can either be based on manual effort from staff, or automatic checking from one of your computer systems. The other important aspect of your monitoring system is its frequency: periodic or continuous. Manual monitoring very rarely approaches continuous unless you have the resources for MANY dedicated internal auditors. It's much more likely that it will be periodic. Your automated monitoring protocols are more likely to be continuous, although the way you implement them will determine their frequency. Monitoring tends to be one of the weakest elements in most organization's internal control structure for two reasons:  Time-intensive: Let's say your organization processes 12,000 A/P disbursements per quarter and you are worried about duplicate payments. To ensure your control activities are working (monitoring), you need to find over 600 randomly sampled disbursements. Once you have this random sample, you now must find and review all the supporting documentation to ensure that there are no duplicates. For most organizations this is several weeks of work. Ongoing: You need to monitor all the time. The more infrequent the monitoring, the less confidence you have that your control activities can be relied on to mitigate risk. If you spend weeks of time looking for duplicate payments, how likely are you to tackle monitoring of duplicate payments every quarter? For most of us, we don't have the time available to dedicate to this rigorous of a protocol, despite how high-risk this area is.  Improve Your Framework of Internal Control It should be clear now that breaking some high-risk tasks into a pieces and segregating them among different staff is just one small (but important) piece of an effective internal control system. But it's not nearly enough. Developing a proper framework involves much more, and relies on a robust, continuous monitoring program in order to safely "drive" your organization to your objective. Click the image below to learn more about how to ensure a more efficient, effective and organization.
Understanding internal control components is essential for finance officers & is the first step in understanding the benefits Continuous Controls Monitoring CCM

### Internal Control is Key to the Success of Government Programs

• Jamie Black
• In Control
• minute(s)For most finance professionals, “internal control” is synonymous with activities designed to prevent or detect fraud. One example activity: segregating the tasks of recording deposits and making deposits. But internal control is a much broader topic than most of us appreciate.  Internal Control is an entire process for assuring achievement of an organization's objectives in: operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. Segregation of duties related to making and recording deposits is a single control activity designed to deal with a single risk. The pyramid illustrating the internal control process illustrates the many elements that must fit together to provide a complete an effective internal control system. It would be better if we thought of a skeletal system when we hear the phrase “internal control”. Like a skeleton, internal control is the structure that supports the correct functioning of your organization. Without understanding internal control as a comprehensive system, it is much more difficult to maintain strong internal controls and thereby assure achievement of your government’s objectives. Need convincing? Consider the 2014 Fall Report of the Auditor General of Canada (AG). Chapter 6 of the report, focuses on Nutrition North Canada (NNC). NNC is a subsidy program provided by Aboriginal Affairs and Northern Development Canada (AANDC), designed to provide Northerners in isolated communities with improved access to perishable, nutritious food. The program pays a subsidy to retailers in eligible communities, intended to reduce the cost of nutritious foods. In a CBC radio interview, the AG states the program “wasn’t living up to what it’s intended to do” and “Senior Management at AANDC focused on what was easy to measure instead of what was critical to measure.” In other words, the AANDC is failing to achieve its objective. Why? To recast the AG’s comments from an internal control perspective, AANDC failed to mitigate risks with appropriate control activities. Consider the following table, comparing the original control activity compared with a better-designed control activity tailored to help in achieving the AANDC's objectives: Control Objective Provide funding for residents of those  communities most at need Risk #1 The wrong communities receive the subsidy Current Control Activity Assess each community’s need based on historical use AG Proposed Control Activity Assess each community based on current need   Risk #2  Subsidy not being passed along to consumers (kept by retailer) Current Control Activity Measure quantity of food being shipped to retailer and measure the average cost of estimated food consumption  AG Proposed Control Activity  Measure the actual cost paid by residents for the perishable nutritious food they purchased Table 1 - AANDC Control Activities Still need convincing of the benefit of the systemic view? Consider a personal example based on our skeletal system metaphor: if you went to the doctor with leg pain and numbness, what result would you prefer? The doctor prescribes pain pills, or; The doctor investigates, finds the cause is a compressed vertebrae and prescribes a back brace to allow the vertebrae to heal naturally. Clearly, the best choice is to find the cause and fix it. Similarly, armed with a proper systemic understanding of internal controls and how the various elements need to function together, finance officers are likely to identify the AG’s concerns as symptoms of a deeper issue. That should lead to an evaluation of the overall system of internal control. As a finance officer, you have the opportunity to have a profound impact on all aspects of your government’s operations, including program delivery. When you see symptoms of poor execution, look for the cause. A failure of internal control is often at the root of it.
Finance officers should leverage strong internal control to enable the success of their government's programs.

### The Importance of Modern Internal Control for Government

• Jamie Black
• In Control
• minute(s)A cautionary tale provided by Canadian Senate Scandal If you are Canadian, no doubt you know some of the details: It is an ongoing political scandal concerning the expense claims of certain Canadian senators which began in late 2012. Senators Patrick Brazeau, Mike Duffy, Mac Harb, and Pamela Wallin claimed travel and living allowance expenses from the Senate for which they were not eligible. Duffy, Harb, and Wallin repaid ineligible amounts. Harb retired a few months into the scandal, and in November 2013, Brazeau, Duffy, and Wallin were suspended from the Senate without pay. Brazeau, Duffy, and Harb were criminally charged. Recent coverage has focused on many of the details of the scandal including the total audit cost: $23.6 million and nearly 122,000 hours. While others may be interested in the politics of the issue, the more relevant question for finance professionals is: Why were these expense anomalies not caught sooner? Our first indication of any problem was in June of 2012 when the Auditor General of Canada released a performance audit of the Senate Administration – their first since 1991! The audit found that expense claims from some senators did not contain sufficient documentation to determine if they were legitimate. By the time of the report, these expense claim irregularities had been occurring for many years. Canadian governments of all levels have a mandate to be accountable (demonstrate and take responsibility for its actions, decisions and policies and be answerable to the public at large) & transparent (conduct its business in an accessible, clear and visible manner). Taking this mandate seriously means that we must do more than merely present our financial reports on an annual basis and await the auditor’s opinion. In fact, we must do more than merely present those reports more frequently. The US Government Accountability Office summarizes this point excellently: “A key factor in improving accountability in achieving an entity’s mission is to implement an effective internal control system. An effective internal control system helps an entity adapt to shifting environments, evolving demands, and new priorities…. Internal control serves as the first line of defense in safeguarding assets. In short, internal control helps federal managers achieve desired results through effective stewardship of public resources. ” For government finance professionals, this scandal should serve as a wake-up call. Do you wait for the auditor to find anomalies or are your systems designed and maintained to prevent / detect this type of catastrophe? Are you regularly reviewing risks, leveraging data analytics and continuously monitoring control activities to ensure that they are effective? Does the frequency of these review and testing processes occur frequently enough and on a large-enough set of your transactions to provide real comfort that there is not an expense scandal waiting in your future? Unfortunately we see all too often in local government that finance resources are stretched so tight that investing in internal control is not prioritized. Consider the damage that results from a weak control system.$24 million and 120,000 hours spent auditing historic activities; an investment that has little to no future value. The Senate gives us a great example of how stronger internal controls would have spared the taxpayers millions of dollars and politicians considerable drama and wasted time.
Excellent Internal Controls are essential for efficiency, effectiveness & avoiding political scandal but traditional internal audit testing can't keep pace.