Risk Management
The Role of Internal Controls in the Financial Oversight Process
The number of financial scandals in the last several years has led to passage of
federal legislation aimed at improving corporate accountability (the American
Competitiveness and Corporate Accountability Act, otherwise known as
Sarbanes-Oxley), not to mention widespread re-examination of financial oversight
practices by businesses in general. While many provisions of Sarbanes-Oxley were
aimed at publicly held companies, not-for-profit organizations such as clubs can
also benefit from increased attention to financial management and oversight of
their operations.
The Importance of Oversight
Clubs, like other smaller not-for-profits, may be particularly vulnerable
to lapses in oversight. For example, board and officer turnover may be more
frequent. Clubs without a central management figure, such as a GM or COO, may
require staff to answer to a number of different committee heads, thereby
complicating or even disrupting lines of authority and communication.
Administrative staffs may be smaller, leading to a lack of separation of
functions. Small staffs also tend to know each other well, which may lead to a
higher level of trust and at the same time make management less alert to the
possibility of dishonesty.
In short, fraud can happen in the most conscientiously run operation, and it is
most often perpetrated under the circumstances and by the people least
suspected. It can take a number of different forms, including intentional
deception, misappropriation of assets and inventory, and manipulation of
financial reports or data.
In its 2002
edition of Report to the Nation on
Occupational Fraud and Abuse, the Association of Certified Fraud Examiners
detailed 663 cases of fraud that caused more than $7 billion in losses. ACFE
defines occupational fraud as “the use of one’s occupation for personal
enrichment through the deliberate misuse or misapplication of the employing
organization’s resources or assets.” According to ACFE’s definition, all
occupational fraud schemes share four elements: The activity is clandestine,
violates the perpetrator’s fiduciary duties to the victim organization, is
committed for the purpose of direct or indirect financial benefit to the
perpetrator, and costs the victim assets, revenue or reserves.
Among the
conclusions drawn from the 2002 Report to
the Nation were:
• More than half the frauds studied caused losses of at least $100,000;
nearly one in six caused losses in excess of $1 million.
• Fraudulent statements were the most costly form of occupational fraud,
with median losses of $4.25 million per scheme.
• The typical perpetrator was a first-time offender.
• Small businesses (100 employees or fewer) were the most vulnerable: the
average small-business scheme caused $127,500 in losses versus an average cost
to large businesses of $97,000.
• The most common way in which fraud was initially detected was through an
employee tip, which occurred in over one-quarter of cases reviewed; the next
most common methods of detection were accidental discovery of the scheme (18.8
percent) and an internal audit (18.6 percent).
The examiners who participated in the ACFE study ranked a single
anti-fraud measure as most effective by a wide margin (nearly two to one):
internal controls. The next two most effective measures were background checks
on new employees and regular fraud audits.
Making Internal Controls Work
Most organizations, including clubs, have some basic structure of
internal controls. Yet the ACFE study demonstrated that in an overwhelming
number of fraud cases (86 percent), controls were either insufficient or were
ignored. More startling still, examiners reported that in more than a quarter of
cases, victim organizations failed to take corrective action that would protect
them from future abuses.
What can club leaders do? Ensuring adequate controls are in place is an
important management responsibility and a proper board concern. The manager,
club controller, and outside auditor should be charged by the board with
developing a plan of control procedures. The American Institute of Certified
Public Accountants defines this as a “plan of organization, [including] all the
methods and measures adopted by a business to safeguard its assets, check the
accuracy and reliability of accounting data, promote operational efficiency, and
encourage adherence to prescribed managerial policies.”
The first step in developing effective financial controls is to review
the club’s bylaws and organizational structure. The bylaws create the board,
officer and committee structure and vest certain individuals with the authority
to act on behalf of the club. Understanding the importance of proper lines of
authority and defining powers for the board and management team is essential;
for example, clubs that follow the general manager concept will follow different
procedures than those developed for a club without a central management
figure.
Secondly, professional and volunteer leaders must also establish a
control environment which is committed to sound business practices. This
environment reflects the overall attitude, awareness and actions of the board,
officers and management. If club employees believe that the board and management
accept improper business practices and conflicts of interest, or that internal
controls are lax, there is little hope for an effective system.
Finally, since most clubs already have some procedures in place, an
ongoing review of the current system should be done annually. The primary
purposes of this evaluation are to determine strengths and identify gaps in
procedures. The external audit should be an integral part of this process.
Checklists to assist with this review are available through a number of
sources, including NCA; the Hospitality, Financial and Technology Professionals
(HFTP); ACFE; and the American Institute of CPAs, to name a few.
Internal control policies and procedures should be written to ensure they
are applied and outlast any board and management team that produces them. Once
the club has a written system in place, it should be periodically reviewed. Some
clubs perform this review in conjunction with the annual audit to test for gaps
and any changes that might be required to strengthen the system.
Workplace Ethics & Discipline—The Foundation for Internal Controls
In addition to setting the tone of the control environment, professional
and volunteer leaders must pay attention to the club’s hiring and employment
practices. Worker attitudes toward their employer are often a factor in fraud
cases, especially when internal communication systems are lacking.
The Council of Better Business Bureaus recommends establishing a system
that allows employees to bring concerns to top management if they suspect
wrongdoing or are uncomfortable with current practices. Other companies have
established hotlines to allow employees to report suspected wrongdoing without
fear of reprisal.
Management by walking around is another helpful practice. The general
manager who walks around and speaks directly to employees has a better
understanding of the club’s workings and is more likely to be viewed as
interested and accessible.
Fraud cuts into the club’s bottom line, and may jeopardize raises,
bonuses, even jobs. Regular training in prevention and detection of fraud
creates an educated workforce that is more likely to assist in its
prevention.
As more and more managers exercise care in the quality of hiring, they
are routinely following up on information contained in candidates’ applications,
resumes and supporting documents. For example, simple verification of school
attendance and educational degrees may reveal much about a candidate’s honesty.
Clubs should consider the use of an outside service that, for a fee, will provide
background checks for prior criminal records, termination for dishonesty, etc.
This control procedure may prove to be invaluable, especially for employees who
are being hired into positions of financial stewardship and who have access to
club assets.
Greed and dishonesty are not the only motivating forces behind fraud. An
employee suffering from substance abuse, mental health problems, or financial
pressures may also feel compelled to steal. In these cases, Employee Assistance
Programs may provide relief and prevent potential losses. An EAP’s primary
function is to provide treatment referral for troubled employees. Even if your
club decides it is not big enough or lacks the resources for a formal program,
help may still be available through local self-help groups and agencies.
In short, employees who feel they have an avenue to express their concerns, and
who are well treated and compensated, will be more likely to work as a team and
care about the club’s success.
The flip side
of creating a comfortable, respectful working environment is what the club does
when rules and policies are broken. Increasingly, businesses are developing
policies that address theft and related issues such as restitution. Often, an
anti-theft policy will be incorporated into the club’s code of ethics for
distribution to vendors, suppliers and consultants, as well as employees. Such
policies usually include the following points at a minimum:
1. A statement that the club will not tolerate theft or fraud.
2. A statement that claims as club property all raw materials, cash, service
products, proprietary information from computers and databases, as well as
fixed physical property.
3. A statement of intent to prosecute if evidence warrants, and a demand for
restitution upon conviction.
4. Language that holds vendors, contractors and consultants responsible for
costs associated with any fraud perpetrated by them or any workers in their
employ.
5. A conflict of interest statement signed by all directors, employees,
contractors and consultants who are responsible for contracts with the club’s
vendors.
Note that
comprehensive codes of ethics and conduct are also available through ACFE. To
view these documents online or print in Adobe Acrobat format, go to
www.cfenet.com/downloads.asp and select the Code of Business Ethics and Conduct or
Management Antifraud Programs and
Controls, Guidance to Help Prevent and Deter Fraud, which contains sample
codes of conduct as attachments. The latter document was produced jointly by a
number of organizations, including the American Institute of CPAs, Financial
Executives International, Information Systems Audit and Control Association, The
Institute of Internal Auditors, Institute of Management Accountants, National
Association of Corporate Directors, and the Society for Human Resource
Management.
Conclusion
While the
directives of Sarbanes-Oxley are intended for publicly held companies, its
pervasiveness now extends beyond those borders. Club management and its board of
directors must take the proper steps to ensure accountability. Developing and
maintaining a strong system of internal controls should assist them in providing
proper financial oversight.
John D. Zook CPA/PFS, MBA is an assistant
professor of accounting at LaSalle University (Philadelphia, PA) and is the
founder and managing director of Zook, Dinon & Roman, P.A., Certified Public
Accountants, in Moorestown, NJ.
SIDEBAR 1: Internal Controls Checklists
Most internal
control checklists are designed to cover the following areas in detail:
• Accounting & Finance—segregation of duties to reduce the opportunity
for any one person to commit and conceal errors and irregularities, proper
design and use of forms and records to ensure transactions are properly
recorded, and assignment of responsibility for purchasing, receiving, and
authorization of invoices and payments.
• Monthly financials—preparation, review and explanation of any
variances.
• Human resources and payroll—procedures for maintaining complete personnel
records, including applications, references and background checks, and work
eligibility; payroll budgets and schedules; wage and hour compliance;
timekeeping, preparation and disbursement of payroll.
• Computers and data systems—password management, backup and security
procedures, transaction registers, document retention and destruction, hardware
and software acquisition and upgrade schedules.
• Budget process—accountability; timing; planning procedures; roles of
officers, management team, and committees; definition of goals and measurement
of their effectiveness; justification and authorization for capital expense
items.
• Investments—policies and strategies governing segregation of instruments
by category; appropriate procedures for record-keeping, review, approval,
storage and protection.
• Audit committee—establishment of a proper audit committee consisting of
only outside directors; annual or as-required meetings with the auditors to
review management’s effectiveness and adherence to policies and controls.
• Annual audit—selection of the auditor, scope of audit procedures and
review of the management letter.
• Insurance—maintaining an appropriate level of employee dishonesty
insurance and directors’ and officers’ liability insurance coverage.
SIDEBAR 2: The Auditor Selection Process
The audit
committee’s adherence to stricter independence rules should be implicit in the
auditor selection process. Private clubs have a history of selecting auditing
firms owned by a club member or members. Current ethics rulings allow a club
member’s firm to audit the club as long as membership in the club, by the audit
firm owner, is essentially a social matter.
Independence is not considered to be impaired under these circumstances.
However, if the club member or any of the firm’s partners or professionals
serves on the club’s board, the auditing firm will not be considered independent
with respect to the club. (See the American Institute of Certified Public
Accountants, Code of Professional Conduct, ET Section 191, Rulings No. 16 and
17, July 2002.)
While this process is acceptable, it weakens the club’s efforts to
maintain an arm’s-length relationship with a key component of financial
oversight. This is not to say that the auditors are not independent in fact;
rather, the appearance of independence may be affected. Given the current
ethical landscape, especially since the enactment of the Sarbanes-Oxley Act, it
would be in the best interest of all clubs for their audit committees to select
an auditing firm that has no partners or professional staff as members of the
club.
While this
process may exclude some quality firms from the private club’s audit selection
process, it will enhance the level of independence by eliminating any appearance
of impropriety. This should remove any question from the club’s membership
regarding the ability to provide proper stewardship without a conflict of
interest on the part of the audit committee when it selects an auditor.
SIDEBAR 3: Certifying the Audit
Many organizations believe that adequate assurance is provided through a
longstanding procedure of having the CEO and CFO sign a Management
Representation Letter as part of every audit engagement. (The equivalent
positions at a 501(c)(7) club would be the general manager and controller.) The
detailed representations contained in this letter—while typically not made
public—go to the heart of the assurances sought by the Sarbanes-Oxley Act,
relative to management’s responsibility for the financial statements and system
of internal control.
What should not be overlooked when deciding whether to have your GM and
controller certify financial statements is the fact that Sarbanes-Oxley actually
calls for two types of certification. The first is a boilerplate attestation
similar to the Management Representation Letter.
However, the second certification involves independent assurance from the
auditor that management has a basis, separate from the basic financial audit
process, to rely on the system of internal control and financial reporting
process in certifying the statements. It is estimated that this additional
assurance engagement costs approximately an additional 35 percent of the base
audit fee. Accordingly, most not-for-profits that have agreed to embrace the
first level of certification have balked at incurring the additional costs
inherent in the second.