
Internal controls : guidance for private, government, and nonprofit entities PDF

244 Pages·2008·0.994 MB·English

Preview Internal controls : guidance for private, government, and nonprofit entities

INTERNAL CONTROLS
GUIDANCE FOR PRIVATE, GOVERNMENT, AND NONPROFIT ENTITIES

LYNFORD GRAHAM, CPA, PhD, CFE

JOHN WILEY & SONS, INC.

This book is printed on acid-free paper.

Copyright 2008 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.

Wiley Bicentennial Logo: Richard J. Pacifico

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiely.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services please contact our Customer Care Department within the United States at 877-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

For more information about Wiley products, visit our Web site at http://www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Graham, Lynford.
Internal controls: guidance for private, government, and nonprofit entities / Lynford Graham.
p. cm.
ISBN 978-0-470-08948-4 (cloth)
1. Auditing, Internal. 2. Managerial accounting. I. Title.
HF5668.25.G724 2008
658.15'1—dc22 2007020133

Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1

ABOUT THE AUTHOR

LYNFORD GRAHAM CPA, PhD, CFE

Lynford Graham is a Certified Public Accountant with more than 25 years of public accounting experience in audit practice and in national policy development groups. He is currently a consultant on professional accounting and auditing matters and an author.

Dr. Graham is a member of the American Institute of Certified Public Accountants (AICPA), and a recent past member of the Auditing Standards Board. He chaired the AICPA’s Audit Risk Guide Task Force (“Assessing and Responding to Audit Risk in a Financial Statement Audit”) and was the U.S. representative to the International Auditing and Assurance Standards Board (IAASB) Materiality Task Force (ISA 320 and 450). He previously served as a member of the AICPA’s Materiality and Audit Risk Task Force (SAS 47); was a founding member of the AICPA’s Information Technology Section, serving on its Executive Committee; and was a member of the AICPA’s Statistical Sampling Subcommittee during the development of SAS 39 on Audit Sampling. He drafted the 2007 revision of the AICPA Audit Guide, Audit Sampling. Previously he chaired the Educator-Practitioner Case Development Task Force for the annual AICPA Education Conference and served on the Executive Committee of the Pre-Certification Education Committee.

He is a former partner and the national director of audit policy for BDO Seidman, LLP. There Dr. Graham was responsible for the development and implementation of audit policy and software, as well as Assurance Services Learning and Education programs, and was the firm’s sampling coordinator.
He served on several international BDO Seidman task forces developing audit software, audit methodology, sampling approaches, and audit automation techniques. Dr. Graham was responsible for BDO Seidman’s implementation of audits of internal control under PCAOB AS 2 and participated with professional groups in developing industry-wide guidance on audits of internal control. Prior to joining BDO Seidman LLP, Dr. Graham was an associate professor of accounting and information systems and a graduate faculty fellow at Rutgers University in Newark, New Jersey, where he taught primarily financial accounting courses. Prior to joining Rutgers, he was a national accounting & SEC consulting partner for Coopers & Lybrand, responsible for their technical issues research function and database, auditing research, and sampling techniques.

A Certified Fraud Examiner and a member of the Association of Certified Fraud Examiners, Dr. Graham has provided consulting guidance on matters of internal control and statistical and audit methods, including inventory sampling problems, fraud investigations, litigation consulting, cost reimbursement studies and loan reviews. He has also worked with a variety of government agencies on the development and implementation of audit regulations.

Throughout his career he has maintained an active profile in the academic as well as the business community. A member of the American Accounting Association (AAA), he served as vice chairman of the Auditing Section and as a member of numerous committees and task forces. Dr. Graham had a leadership role in the development of Coopers & Lybrand’s award winning “Excellence in Audit Education” materials, widely used in university audit courses in the 1990s. He is the past auditing section chair for the Mid-Atlantic Section of the AAA.
In 2002 he received the Distinguished Service Award of the Auditing Section of the AAA. His numerous academic and business publications span a variety of topical areas, including information systems, internal controls, expert systems, audit risk, audit planning, fraud, sampling, analytical procedures, audit judgment, and international accounting and auditing.

Dr. Graham holds an MBA in Industrial Management and a PhD in Business and Applied Economics, both from the University of Pennsylvania (Wharton School).

He is also coeditor of the Accountant’s Handbook 11th Edition (John Wiley & Sons, 2007) as well as coauthor or editor of many other audit and accounting books and publications.

CONTENTS

Preface
1 An Introduction
2 First Steps: A Pilot Project
3 The Five Components of the Controls Framework
Appendix 3A Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees
4 Documenting Internal Controls Using a Framework
Appendix 4A Sample Control Objectives for Major Cycles
5 Setting the Scope of Your Documentation Project: Identifying the Core
6 Establishing a Basis for Controls Effectiveness: Testing Controls
Appendix 6A Sample Size Tutorial
Appendix 6B Conducting Interviews: Gathering Internal Control Information
7 Assessing Design Effectiveness and Operating Effectiveness
Appendix 7A A Framework for Evaluating Control Exceptions and Deficiencies
8 Fraud Risks and Entity Self-Defense
Appendix 8A Management Antifraud Programs and Controls: An Element of The Control Environment
Appendix Instructions for the Controls Design Assessment Case Study
Part 1 Narrative of Controls Design
Contribution to Cash Cycle Template—CCS
Part 2 Contribution to Cash Cycle with Control Procedures—CCS
Part 3 Contribution to Cash Cycle—Completed—CCS
Index

PREFACE

A mountain of words has been written about internal controls and fraud following the revelations at the turn of this new century regarding Enron,
WorldCom, Tyco, Global Crossings, and others. Nevertheless, it is hard for many smaller, nonpublic entities to relate to these happenings, since they do not form subsidiaries to keep transactions off the face of their financial statements, use stock options to compensate executives “silently,” or design compensation and incentive packages that seem sufficient to finance an empire but are immaterial to the overall business. However, the issue of internal controls and fraud does affect each and every business and organization, from the smallest to the largest, from the Women’s Club to family businesses to the large private enterprise with many branches and international subsidiaries. Wherever an owner values the entity that he or she has worked to develop or has pride in the service and mission of their not-for-profit, the value of giving some attention to internal controls exists.

This book was written to address the need of entities and their auditors to understand practical internal controls principles design and implementation issues, not necessarily just the requirements of reporting on internal controls due to regulation or public company legislation, such as the Sarbanes-Oxley Act of 2002 (SOX). Nevertheless, we should not dismiss the importance of that legislation and what it can teach us about the elements and importance of controls. There are lessons in Sarbanes-Oxley for all of us.

Beginning in 2007, private companies, not-for-profit entities, and governments that prepare audited financial statements will be receiving a closer scrutiny of their internal controls by their auditors. Identified gaps in controls design and findings that controls are not working effectively require the auditor to prepare a written communication of these matters to management and those charged with governance, such as a board or committee with oversight responsibility. Many more control issues will be identified in the future than have been identified in the past.
Common organizational control gaps in smaller entities include the lack of controls documentation, the lack of accounting expertise, and the inability to properly accrue for expenses and prepare financial statements. More and more oversight groups, private equity lenders, bankers, and regulators are asking that these communications be made explicitly and are asking that they be informed of such issues. For many of these entities, it is simply a matter of self-protection. They need to know if such risks exist, so they can decide how to address them. The management and the auditors of failed organizations are often challenged as to why such information was not shared on a timely basis. Oral communications are quickly forgotten. Such information, clearly articulated and communicated, might have signaled the condition leading to the business failure and led to remedial actions.

This book will expand your understanding of internal controls, the use of a framework like COSO from which to understand and assess controls, and common internal control problems. Based on the observations and 25-plus years of practical experience of the author, it will provide cost-effective suggestions for mitigating or remediating these common problems.

Private companies and their auditors will benefit from an increased awareness of how internal controls can improve operations and expand profits, and provide more time for management to attend to important matters, such as growing the business. Not-for-profit entities will better understand how they can fulfill their mission statements and protect themselves against the scandals that have affected (and sometimes destroyed) others. Government entities will benefit from practical ideas that will help them demonstrate their stewardship of funds in meeting their mission and mitigate the risk of fraud and waste so common in environments where controls are an afterthought.

And yes, public company auditors, internal auditors, and management can benefit from the information and tools presented in this book in their mission of compliance with the changing rules in their regulated environment. While the specific rules and requirements in that environment are subject to change, the fundamental principles of controls and best practices should endure.

Auditors may also find the content here to be instructive as they develop a more robust understanding of the internal control framework and gather an appreciation of what they need to do versus what audited entities are expected to do under the new auditing standards. When asides in the book are directed to auditors, these comments are generally marked in a box.

While I do not intend to bludgeon the reader with SOX discussions, the rich environment that came from the implementation of the requirements for accelerated filer public companies to report on internal controls in 2004 makes it instructive to borrow some observations from that process. Readers required to comply with Public Company Accounting Oversight Board reporting requirements on internal control will need to consult Auditing Standard No. 5 and may need also to consult with other materials and SEC guidance focused on the SOX requirements.

1 AN INTRODUCTION

BUT HOW DOES ALL THAT RELATE TO ME?

There has been so much press lately about the required public company reporting of internal controls that some people believe that internal controls pertain only to public companies. That is a misperception, since this issue has been and will continue to be relevant for all enterprises. Writings in the auditing literature that predate the birth of all the potential readers of this work address issues of internal control. And, after all, how would Scrooge and Marley in Charles Dickens’s A Christmas Carol have prevailed in taking ownership of the business had there not been a “discrepancy in the accounts”? The issues here transcend time and cultures.

The myth has also developed that internal controls have to be expensive and complicated. That argument is perhaps more a consequence of the semichaotic 2004 public company implementations of internal control reporting requirements than the true costs of implementing effective internal controls themselves. This topic is discussed more at the end of this chapter.

Of course, designing and implementing an iron-clad system of controls might be a very expensive proposition. Ian Fleming’s (James Bond) Goldfinger dreamed of penetrating Fort Knox, but most businesses are not likely to yield such a large reward worthy of such a complicated effort. And in a business where the doors are wide open to all who choose to enter and create mischief, such extremes are not necessary. Many who choose to take advantage do so because it is easy and because we business owners and managers make it so easy for them to do so.

Let’s speak facts. A 2006 published survey on fraud, published by the Association of Certified Fraud Examiners (ACFE), noted some statistics about
