Best Practices in Finance for Volunteers Brandy Vannoy, CPA Tim Rodgers, CPA July 26, 2008

Purpose of Presentation Fraud Internal Control The Five Components of Internal Control References & Wrap-up Agenda

Help improve the effectiveness and efficiency of your internal control system Provide practical guidance illustrating how to update and/or incorporate internal controls Purpose of Presentation

Asset Misappropriation Theft or misuse of assets Corruption Influence in business transaction to obtain an unauthorized benefit Fraudulent Statements Falsification of financial statements Fraud

Median loss suffered by small organization (< than 100 employees) was higher than that in larger organization * Misappropriation of assets most common * Fraudulently writing checks Skimming revenues Processing fraudulent invoices < 10% of small businesses had anonymous fraud reporting systems * Fraud (Continued)

< 20% of small businesses had internal audit departments, conducted surprise audits, or conducted fraud training for their employees and managers * < 8% of the perpetrators had prior convictions * * Information from an ACFE study on data compiled from 1,134 cases investigated from January 2004 to January 2006 Fraud (Continued)

Systems of policies & procedures that protect the assets of an organization, create reliable financial information, promote compliance with laws & regulations and achieve effective & efficient operations Related to accounting, reporting, and communication processes Protection against fraud What Is Internal Control?

Risk Assessment Control Environment Control Activities Information and Communication Monitoring Five Components

Risk Assessment Control Environment Control Activities Information and Communication Monitoring Five Components

Proactive Risk Identification What Could Go Wrong? Significant Business Cycles Risk Prioritization Nature of Operations Environmental Factors Susceptibility to Theft or Fraud Risk Assessment

Significance Cost – Benefit Analysis Incentive Pressure Opportunities Weak Controls Management Override Risk Assessment (Continued)

Treasury and Accounts Payable Cycle Cash receipts are misappropriated Cash disbursements are unauthorized and/or misappropriated (including use of donor restricted funds for unrestricted purposes) Disbursements are incorrectly recorded Fictitious or unauthorized vendors could be established, which could facilitate unauthorized cash disbursements. What Could Go Wrong

Risk Assessment Control Environment Control Activities Information and Communication Monitoring Five Components

Culture Tone at the Top Organizational Structure Role of Management and the Board Hiring Practices Characteristics of Evaluators Communication Control Environment

Risk Assessment Control Environment Control Activities Information and Communication Monitoring Five Components

Design Response to Risk Assessment Key Controls Cost Benefit Analysis Prevent, Detect, Deter Implementation Communication Operation Control Activities

Segregation of Duties Custody, Recording, Authorization Checks and Balances Automated Controls Access Limitations, Password Protection Closing, Cut-off Reconciliation Procedures Record Retention Primary Control Activities

Authorization and Review Knowledgeable Downward within Organizational Structure High-level as well as Transactional Analytical Comparisons to Budget and Prior Year Downward within Organizational Structure Qualifications Primary Control Activities (Continued)

Control Activity Examples What Could Go Wrong?Control Response Cash receipts are misappropriated Cash received by administrative assistant, who has no access to the general ledger. The Administrative Assistant makes copies of all checks. The check copies are given to the Bookkeeper, who enters the necessary entries into the general ledger. The actual checks are taken to the bank by someone other than the Bookkeeper Monthly bank reconciliations are preformed by someone not having access to cash or the general ledger.

Control Activity Examples (Continued) What Could Go Wrong?Control Response Cash disbursements are unauthorized or misappropriated (including use of donor restricted funds for unrestricted purposes) Disbursements are incorrectly recorded Check requests are filled out by the applicable person. The request, along with supporting documentation, are given to the responsible person for review. Check request is signed to verify approval. The Bookkeeper enters the entry into the general ledger, and prepares the check. The check signer reviews and signs the check. Any check over a predetermined amount requires a second signature. Monthly bank reconciliations are preformed by someone not having access to cash or the general ledger.

Control Activity Examples (Continued) What Could Go Wrong?Control Response Fictitious or unauthorized vendors could be established, which could facilitate unauthorized cash disbursements. The accounting software will only allow checks to be cut to approved vendors. Only someone who does not have check request approval or check authorization authority, is allowed to enter and approve vendors in the system.

Additional Control Considerations Access to specific general ledger functions (such as vendor maintenance, check processing and journal entry posting) are password protected. The Bookkeeper prepares monthly financial statements, which are reviewed by the Treasurer. The Treasurer compares financial results to the budget and prior year, gaining explanations for unusual or unexpected variances. Control Activity Examples (Continued)

Additional Control Considerations (Continued) The Board of Directors are given quarterly financial packages for review. This package includes analysis of current quarter results compared to prior year and budget. The Board of Directors approves the annual budget. All employees are adequately trained and qualified to perform their control functions. They have all been made aware of the control functions they are to perform. Control Activity Examples (Continued)

Risk Assessment Control Environment Control Activities Information and Communication Monitoring Five Components

Expectations Policy and Procedure Manuals Job Descriptions Training Periodic Meetings Performance Reviews Open Lines Anonymous Whistleblower Hotline “Open Door” Policy Information & Communication

Entity-Wide Between Departments (i.e. – IT, Accounting) Upward as well as Downward Board Involvement External Auditors, Regulators Information & Communication (Continued)

Risk Assessment Control Environment Control Activities Information and Communication Monitoring Five Components

Monitoring

Application Interviews Walkthroughs Systematic Process (“What” and “How”) Investigation Assess and Report Discipline and Remediation Evaluation, maintenance and Improvement Monitoring (Continued)

Indicators of Fraud Changes in lifestyle Frequent complaints from vendors or members Missing or altered documents Limited internal controls Erratic behavior Employees refusing to take vacations for long periods of time Inability to manage money Monitoring (Continued)

Internal Control - Integrated Framework COSO (Committee of Sponsoring Organizations of the Treadway Committee) Managing the Business Risk of Fraud: A Practical Guide IIA (The Institute of Internal Auditors) 2006 ACFE Report to the Nation on Occupational Fraud & Abuse ACFE (Association of Certified Fraud Examiners) References

Internal Controls and Financial Accountability for Not- for-Profit Boards Andrew Cuomo, NY State Attorney General Protecting Your Company from Employee Fraud Duane Reyhl, CPA References (Continued)

Questions