Headline: City finance employee embezzles public money. While the facts may differ, the story underlying this all-too-common headline is usually one in which a trusted employee slowly pockets money by writing checks or electronically transferring funds to a personal bank account until the fraud is eventually uncovered. How did this happen? Citizens want to know. They look to the governing board for answers—we elected you and entrusted you to protect us.
This is an unfortunate situation all around. Yet, there are steps local governments can (and must) take that will help keep them out of the headlines. These steps are called internal controls. Adopting a strong system of internal control over financial operations is the best way to help guard against fraud. However, internal controls have additional benefits as well. Internal controls help promote accurate financial reporting and provide reasonable assurance of compliance with the laws outlined in the Local Government Budget and Fiscal Control Act (LGBFCA) that relate to depositing, investing, obligating, and disbursing public funds.
Internal Control Defined
Internal controls are the processes, procedures, and techniques that, when effectively implemented, provide reasonable assurance that the goals and objectives of the organization will be met. These objectives include fostering smooth business operations, reliable financial reporting, and compliance with applicable laws and local policy. In short, internal controls help units achieve the things they want to happen, and controls help prevent unwanted events from occurring. An underlying goal of internal control is to guard against fraud, mistakes, and other risks of loss.
Responsibility for Internal Control
The primary responsibility for internal control rests with management and the governing body. Management includes the manager, finance officer, department heads, or others with upper-level responsibilities. The management team must design and implement controls, as well as communicate internal control responsibilities to lower-level staff. The governing board provides oversight of the internal control system and is responsible for ensuring that the controls established by management are effective. Together, the governing board and management establish the control environment, otherwise called the “tone at the top.” To foster a strong control environment, they must communicate the importance of integrity and ethical values in the workplace. By doing so, employees are more likely to follow established controls and to behave in an ethical manner.
It is a common misconception that the external auditor is responsible for establishing or monitoring the effectiveness of internal controls. While auditors can help identify control weaknesses, the responsibility for internal controls ultimately rests with management and the governing board.
Identifying Risks in Financial Processes
Before implementing internal controls, management should perform a risk assessment to identify and evaluate areas of risk within the finance department’s operations (ideally risk assessments should include all departmental operations). The risk assessment typically involves a review of major financial functions and processes, including the cash management process, preaudit process, disbursements, accounts payable, accounts receivable, financial reporting, investments, and similar functions and processes.
To begin, management, in particular the finance officer, will identify objectives for each financial function or process. For example, an objective of accounts payable is to ensure transactions are properly recorded into the accounting system as to account, amount, and period. Whether there are risks to this objective being achieved may depend on the answer to questions such as: is the accounts payable clerk properly trained in the accounting software? Are duties appropriately segregated to ensure the accounts payable clerk does not also reconcile the accounting records? How could an unauthorized payment made? By asking questions about each financial function, the local government should be able to identify the risks that, if they occur, may lead to inaccurate financial reporting or raise other legal compliance issues. The types of controls that will be established will correlate to the level of risk identified in each financial function or process.
Designing a System of Control
Control activities form the backbone of any internal control system. They are the policies, processes, and techniques utilized to help promote reliable financial reporting and compliance with governing laws. Although there are many types of control activities, there are certain types of controls that are essential to the makeup of any internal control system. These fundamental controls include:
- Written financial policies and procedures. Policies and procedures should be used to describe the process for performing all major financial functions within the unit’s finance department (e.g., cash management, fund balance, procurement, preaudit, disbursements, accounts payable, accounts receivable, investments, etc.). The policies must be updated regularly to reflect existing business processes. The School’s new NC Finance Connect website will include model financial policies for basic financial processes (website launch scheduled for early November 2023).
- Segregation of incompatible duties. An incompatible duty is one that allows a single employee to be in a position to commit an irregularity and then conceal it. Ideally, the authorization, custody, recording, and reconciliation functions related to any transaction should be segregated. Complete segregation of duties can be a challenge for small units due to limited staffing. At a minimum, one employee should not control more than two functions, and the recording function (entering financial information into the accounting system) and the reconciliation function must always be performed by different employees. Small units may need to adopt compensating controls, such as periodic rotation of duties or having a governing board member spot-check bank reconciliations.
- Proper authorization and approval authority. The establishment of clear authorization and approval authority helps to facilitate smooth workflow processes. Authorization involves the right to perform a specific task or responsibility. Approval authority grants oversight responsibility—the approver will verify the occurrence of a process or transaction.
- Adequate documentation and records. Financial records and documents transmit important information. Therefore, there should be a system established to ensure that all transactions are properly recorded and that financial records are accessible to those who need access (and inaccessible to those who do not). Certain financial processes will have specific documentation requirements. For example, cash receipts should be pre-numbered. Units must anticipate staff turnover and ensure that important documents remain accessible.
- IT system-access controls. The IT system controls are those electronic controls that restrict access to sensitive electronic information. Strong IT controls are necessary to restrict access to authorized users and protect sensitive information from cyberattacks. Requiring dual authentication before a user may gain access to a restricted database is an example of a helpful (and arguably necessary) IT system control.
- Account reconciliation. The reconciliation process is a detective control that can help by identifying mistakes, errors, and potential acts of fraud as early as possible. At a minimum, each month the finance officer should reconcile the general ledger balance with the bank statement balance. The unreconciled amount should be zero. Any discrepancies must be investigated.
Local Government Commission (LGC) Oversight
Every local government has the flexibility to implement controls in a way that fits their unique needs and capabilities. At a minimum, the control activities must help ensure compliance with the statutory controls outlined in the LGBFCA. For example, the LGBFCA establishes specific statutory requirements related to the deposit of moneys, preaudit, disbursements, dual signature requirements, investments, and more. Accordingly, the local government must put controls in place that help provide reasonable assurance that the unit is complying with these basic laws.
The Local Government Commission (LGC) has authority pursuant to N.C.G.S. 159-25(c) to investigate and require modification of a local government’s internal control procedures related to the receipt, deposit, investment, transfer, and disbursement of money. If the LGC consistently finds that a local government has weak internal controls over its financial operations, it may place the unit on the Unit Assistance List. Accordingly, if your local government has not yet established controls over financial operations, or if it is time to revisit the effectiveness of established controls, now is the time to do so. For additional guidance on how to structure an internal control system, and for specific examples of control activities, see the Government Accountability Office’s Standards of Internal Control in the Federal Government (the “Green Book”).
For questions related to internal control, please contact SOG faculty member Rebecca Badgett at rbadgett@sog.unc.edu