Internal Controls Policies and Procedures 2017 NCDA Conference Miami, Florida Maria F. Eisenhart, CPA

City of Miami Beach December 2016 New York man charged with stealing $3.5 million from Miami Beach bank account http://www.miamiherald.com/news/local/community/miami-dade/miami- beach/article154053414.html

City of Miami Beach Bank Reconciliations Review of Transactions Staff and Management unaware

City of Coral Gables May 9, 2017 Former Coral Gables employee accused of stealing $85,000 from the City http://www.miamiherald.com/news/local/community/miami-dade/coral- gables/article149496899.html

City of Coral Gables Management did begin the investigation Employee perpetrated fraud just before retiring

Uniform Guidance 2CFR 200.303 – Internal Controls The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

2CFR 200.303 – Internal Controls (Continued) (b) Comply with Federal statutes, regulations and the terms and conditions of the Federal awards. (c) Evaluate and monitor the non-Federal entity’s compliance with statute, regulations and the terms and conditions of Federal awards. (d) Take prompt action when instances of noncompliance are identified in audit findings. (e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass- through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, state and local laws regarding privacy and obligations of confidentiality.

Committee of Sponsoring Organizations of the Treadway Commission(COSO)

Control Environment (5 Principles) The organization demonstrates a commitment to integrity and ethical values. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment (4 Principles) The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The organization considers the potential for fraud in assessing risks to the achievement of objectives. The organization identifies and assesses changes that could significantly affect the system of internal control

Control Activities (3 Principles) The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. The organization selects and develops general control activities over technology to support the achievement of objectives. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information & Communication (3 Principles) The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. The organization internally communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities (2 Principles) The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. https://www.coso.org/Documents/COSO-ICIF-11x17-Cube-Graphic.pdf

Standard for Internal Control in the Federal Government (The Green Book)

Green Book What is the Green Book and how is it used? https://www.gao.gov/assets/670/665712.pdf

COSO and Green Book Sample of Control Control Environment Principle 1 : Integrity and Ethical Values COSO: The organization demonstrates a commitment to integrity and ethical value. Green Book: The oversight body and management should demonstrate a commitment to integrity and ethical values. Objectives: Sets the Tone at the Top (COSO and Green Book) Establishes Standards of Conduct (COSO and Green Book) Evaluates Adherence to Standards of Conduct (COSO and Green Book) Addresses Deviation in a Timely Manner (COSO)

Samples of Controls Policies 1) The entity may have a “Code of Ethic or Code of Conduct” manual. 2) Management sets the tone that high-quality and transparent financial reporting is expected http://ahacpa.org/education/

Elected Officials/BOD/Management COSO Policy process to achieve objective Green Book

Questions? Maria F. Eisenhart, CPA City of Miami Department of Community and Economic Development Meisenhart@miamigov.com