Lecture, Week 5
Internal Controls and Fraud Protection
Board and Management Responsibilities
Agenda
Part I: Overview of Board and Management Responsibilities
  Auditor Responsibilities
  Framework of Internal Controls
Part II: Overview of an Organization-Wide Model of Internal Control
  Best Practices Pertaining to Board and Management Oversight
Elements of an Organizational System of Internal Control
1. Financial Controls
  a. Preventive controls
  b. Detective controls
2. Non-Financial Systems
3. Management Oversight and Behavior
II. Non-Financial Systems
Several non-financial systems are important to internal controls and fraud protection. Among the most important:
  Human Resources Systems
  Information Technology Systems
  Communications Systems
  Insurance Protection
Human Resources Systems
Hiring Policies and Practices
New Employee Orientation
Code of Ethics and Related Policies
Performance Evaluation Systems
Compensation Adjustment Practices
Grievance Policies
Counseling of Troubled Employees
Exit Interviews
Communications
Organization Chart: clear understanding of lines of communication
Access to Audit Committee (or equivalent board-level representatives)
Hotlines: anonymous reporting of suspected fraud and abuse, or any other misconduct, by employees
External Crisis Management
Methods of Detection: NPOs vs. Overall

Method               NPOs    Overall
Tips                 34.4%   34.2%
By Accident          28.7%   25.4%
Internal Controls    19.7%   19.2%
Internal Audit       16.4%   20.2%
External Audit       14.8%   12.0%
Notified by Police    4.9%    3.8%

Source: 2006 ACFE Report to the Nation on Occupational Fraud and Abuse
Tips Came From:
Employee: 64.1%
Anonymous: 18.1%
Customer: 10.7%
Vendor: 7.1%
III. Management Oversight
Day-to-Day Management Activities
Board of Directors
Financial Oversight and Monitoring
  Board and management level
  Department/program level
Day-to-Day Management
Understanding Responsibilities and Risks
Setting an Example: follow all policies
  "Tone at the top": communicate the seriousness of internal control
All Supervisors and Managers Have Responsibilities
  Awareness of red flags of problems
  Enforcement of policies, and rewarding ethical behavior
Responding to Fraud and Deficiencies in Internal Control
Open-Door Policies: receive communications regarding allegations of wrongdoing
Corrective Actions
Board of Directors
Oversight Responsibilities in Many Areas
Establishment of Committees so That a Committee Can Address Issues in Greater Detail Than the Full Board
  Separate Audit Committee
Committee Charters Outline Responsibilities and Authority
Committees Deal With Issues in Detail, Bringing Summaries and Recommendations to the Full Board
Audit Committee Should Be Independent of the Finance Committee
So, what’s it all mean for me as a board member?
Best Practices for Board Members
1. Codes of Ethics
2. Hotlines and Whistleblower Protection
3. Functioning Audit Committee
4. Fraud Risk Assessment Process
5. Model Oversight and Policies After U.S. Sentencing Commission Guidelines
6. Make Inquiries Regarding the NPC's Financial and Non-Financial Controls
1. Codes of Ethics
1. Draft or edit to make sure it is comprehensive and accurate
2. Draft or edit related written policies and procedures
3. Reinforce awareness and importance
4. Staff training and certification
Codes of Ethics
Two Approaches to Drafting:
  Detailed: identifying specific acts
  Broad: conduct in general terms
If Broad, Cross-Reference Other Written Policies, Such as the Personnel Manual, etc.
Codes of Ethics
Borrowing from SOX: Codes Should Deter Wrongdoing and Promote:
  Honest, ethical conduct, including handling of conflicts of interest
  Full, fair, timely disclosures
  Compliance with applicable laws and regulations
  Prompt internal reporting of violations
  Description of what constitutes fraudulent behavior
  Accountability for adherence to the code and sanctions for those who breach it
Codes of Ethics
Communicate the Code Effectively, Through Policy Manuals, etc.
Have Employees Sign, Acknowledging They Understand It and Agree to Comply With It
Emphasize It at Orientation for New Employees
Training and Periodic Re-certification
Monitoring of the Code Is the Responsibility of:
  Management
  Audit committee
Ethics Training Topics
Code of Ethics
Conflicts of Interest
Ethical Issues
Kickbacks
Hotline Usage and Other Methods of Reporting
Protection from Retaliation
Each Person's Role in Maintaining an Ethical Workplace
The Value of Ethics Training
With Fraud Awareness or Ethics Training: Median Loss = $100,000; Median Months to Detection = 15
Without: Median Loss = $200,000; Median Months to Detection = 24
Policy on Suspected Misconduct
Functions in Conjunction With the Code of Ethics
Identifies How to Report Suspected Activities
Incorporates Whistleblower Protection Provisions
States Employer's Rights
  Including the right to inspect and search employee files, lockers, desks, etc. that are provided as an employee convenience by the employer
Explains Disciplinary Actions That May Result, Including Termination
2. Hotlines
Allows for Anonymous Reporting of Suspected Wrongdoing
Utilize Third-Party Services (EthicsLine of the Association of CFEs; The Network; Pinkerton Security; other services)
FraudNet, a Service of GAO to Report Wrongdoing Involving Federal Funds: [email protected] or (202) 512-3086
Hotlines
Consider Method of Reporting:
  Telephone interview
  Voicemail service
  Web-based format
Consider Protocol for Dissemination of Information:
  Direct to audit committee
  Compliance officer
  Human resources
  Internal audit
Promote the Hotline
Personnel Manual and Other Policy Manuals
Staff Meetings
Memos/Newsletters
Postings in Break Rooms
Intranet
The Value of Hotlines
With Hotlines: Median Loss = $100,000; Months Prior to Detection = 15
Without Hotlines: Median Loss = $200,000; Months Prior to Detection = 24
Whistleblower Protection
Key to Encouraging Proper Use of a Hotline Is Protection of the Whistleblower
Does Not Protect Trouble-Makers
Protects Employees Who Report Possible Misconduct Based on Information They Believe to Be Truthful
Protects Against Retaliation Against the Whistleblower in Any Form
3. Audit Committee Functions
Oversee All Audit Functions (Selection, Planning, etc.)
Review and Approve Audit Reports
Oversee Corrective Actions in Response to Auditor Findings
Monitor Adequacy of Internal Controls
Receive Communications
Investigate Allegations of Fraud
Audit Committee Functions (2)
Monitor Compliance With the Code of Conduct
Manage Conflicts of Interest
Monitor Adequacy of Insurance Protection
Assess Financial Risks Due to the Current Operating Environment
Audit Committee Charter
Clearly Describe Responsibilities
Provide the Committee With Proper Authority
  Access to records
  Authority to hire investigators, if deemed necessary
Describe Member and Meeting Requirements
4. Fraud Risk Assessments
Active, ongoing discussion involving each of the following:
  Identification of potential fraud risks
  Evaluation of current internal controls in response to those risks
  Consideration of changes necessary to properly respond to the risks
  Design and implementation of changes in internal controls
  Monitoring of the performance of internal controls
  Receiving input regarding control breakdowns
Who Is Involved?
The Board's role is to oversee and make sure this process is taking place; direct involvement depends on the individual circumstances (size and structure of the NPC).
Others with roles:
  Senior management
  Chief financial and operations officers
  Program personnel (research and education)
  Auditors
  Others as deemed necessary
5. Model Practices After USSC
Directly applicable only in certain federal cases; Includes guidelines for assessing penalties against corporations
Similar approach often taken to penalizing corporations in non-federal non-criminal cases
Excellent source of best practices regarding establishment of an ethical culture by boards and senior management
Sentencing Guidelines Due Diligence
1. Establish standards and procedures (internal controls) to prevent and detect criminal conduct
2. Assign high-level personnel responsibility for compliance and ethics program, and specific individuals for day-to-day operational responsibility for the program
3. Reasonable efforts not to include within substantial authority any person the organization knew, or should have known through due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program
4. Communicate standards and procedures of the compliance and ethics program periodically and in a practical manner by conducting training and otherwise disseminating information
5. Take reasonable steps to ensure the program is followed (monitoring and auditing), including having a publicized system for employees and agents to report problems or seek guidance
6. When criminal conduct is detected, take steps to prevent further similar criminal conduct
7. Periodically assess risk of criminal conduct and design, implement, or modify the preceding requirements to reduce the risk of criminal conduct
8. Large organizations should encourage small organizations (such as subcontractors and vendors) to implement effective compliance and ethics programs
6. Make Inquiries
As stated earlier, the role of the NPC board is not necessarily to be internal control experts or to directly carry out each of the steps described in this presentation
Direct involvement in development of policies or practices that are the responsibility of the board
Make inquiries of management and staff regarding how each of the other areas is being addressed
Make inquiries regarding fraud risks and the existence of internal controls in response to specific fraud risks that we’ll explain in the second part of this series.