CONTROL
Essays & Ponderings
on Accountability
J. Timothy O’Toole
www.internal-control.us
www.1ceman.com
Internal Control – More Than a Good Idea – It’s Also the Law!
If you work in an office where individuals are given considerable latitude, they may also be susceptible to allegations of abuse of such power. There are also countless regulations affecting various facets of daily life, which require periodic compliance procedures.

We are all familiar with the following health, safety and compliance procedures: that annual vehicle inspection; the April 15 tax filing deadline; winter flu shots (if you are eligible). We also need to make sure we pay our fire insurance premiums on time. Phone companies and utilities may be patient waiting for payment, but they are not going to wait indefinitely.

We also expect our restaurants to be clean; produce in the supermarket to be fresh; poultry inspected; milk to be tuberculin-free; kosher foods receive proper rabbinical supervision; toddlers’ toys to be safe from choking hazards. The list goes on and on.

These are all reasonable expectations for consumers. Likewise, we in government have reasonable expectations from one another (within and between agencies), and the public have reasonable expectations from government (state/local/federal).

When a child dies in a day care center, the public look first at the provider. Then they look at the licensing agency.

When a city bus hits a bystander, the police check the driver’s blood-alcohol content. Then they check the brakes. Then they review the maintenance records at the garage.

When $14 is missing from petty cash, it doesn’t get much press. But when BOCES is missing a million or two, and their treasurer just retired, buying a new car, boat and summer house, all kinds of people take notice.

When a prisoner escapes from custody, issues under review include facility (or transport) procedures, staff qualifications and training; physical security measures and legal requirements. Investigators may also check into staff finances and phone records.

INTERNAL CONTROL PROCEDURES

All of the foregoing examples are comparable to locking the barn door after the horses escape. It may also be difficult to get the toothpaste back into the tube (and still meet OSHA regulations). To avoid these nightmares (and bad press) some common sense procedures are in order.

It’s harder to fix traffic tickets these days because citations are numbered, and the Comptroller insists they all be accounted for. This was probably instituted as a revenue measure, but has also had a positive impact on local government integrity.

When accepting cash payments, cash registers keep track of (and issue) receipts. Whether it’s a charity’s collection plate or payroll at least two people should count the cash. The person who signs the checks should not be the person who reconciles the account.

You may have “read only” access to computer files, to protect them from tampering or accidental deletion. Employment in some sensitive positions may require a criminal record check. Review the driving records of staff who transport clients, BEFORE tragedy strikes.

Progressive discipline is required for employees with chronic attendance problems. This is especially critical in 24/7 environments where other staff must work involuntary overtime to fill a post.

Technically speaking, when a warehouse or stockroom receives supplies and materials, staff should check the quantity received. If it’s an order of staples from Staples, this may not be critical. But a pallet full of PCs from DELL? Count them twice.

There is an old adage that “history teaches us that no one learns from history”. Not true. If your methadone clinic has been going through a case of syringes every week, and suddenly that volume has doubled, either there is a growth trend in services provided, or someone is sidelining supplies.

If you are used to $35 phone bills each month and suddenly get a $495 bill, read it carefully before you rush to your checkbook.

(Note: “The way things have always been” is part of your control environment.)

When considering what kind of control procedures are necessary, consider the likelihood of risk, the significance of failure, and those three words from all those Law & Order episodes: “means, motive, and opportunity”. Along with motive, you can add “rationalization”. Was a long-term employee passed over for promotion time and again? Is he/she in a position to get even? Has a disgruntled worker just given his/her two-weeks notice? Wouldn’t it be wise to change the computer system password BEFORE they are out the door?

If you have ever shopped on the Internet, you know those bargains may be risky. Windows XP for $29.95? Not likely. Gutenberg Bible for sale on E-Bay? Sure. You may have had reliable experience with L.L. Bean and Land’s End, but this cannot be applied to www.fly-by-nite.com. When you spend your own money, you like to know who you are dealing with. When you are spending the State’s money, it is also wise to know your suppliers.

You may have a sophisticated/computerized purchasing system to ride herd on purchase orders and vouchers, but such a system could be compromised by unscrupulous staff. Can anybody add a vendor to your database? Or do you funnel all such entries through authorized staff? Do you find a dozen DBAs all sharing the same Federal Employer Identification Number? Do you check those numbers against employee Social Security Numbers? How about P.O. Box addresses or Suite addresses (they can be a precursor of a bogus business).

How do you guard against paying the same bill twice? If it’s the Phone Company or electric utility, they will likely credit you for the overpayment against next month’s bill. But there are those happy to make use of your money until you notice the overpayment. With delays in internal processing of vouchers, double-billing is not just the province of unscrupulous healthcare providers.

For that matter, how do you ensure vouchers are processed in a timely fashion? Prompt payment legislation may not affect smaller transactions, but it is best to eliminate billing confusion at any price.

MONITORING

If the South had won the war, this would be called “Merrimacking”. You know the old adage “If you can’t measure it, you can’t manage it.” Monitoring is an ongoing process that involves measuring outcome against expectation. On an assembly line, we expect the drill presses to bore so many holes per hour, fill so many ounces per bottle, and pack so many bottles per case. In some cases monitoring can be automated, but even then, manual inspection is called for on a sampling basis. If your paper mill turned out less than 1,000 sheets per roll, the Federal Trade Commission would find out eventually (someone out there would have enough time on their hands to check the count).

If your laboratory is responsible for testing rabid bats, you can be sure there are procedures in place to make sure that staff follow safety rules, file reports promptly, and destroy the carcasses
IF IT AIN’T BROKE, DON’T FIX IT

A frequent temptation for a new manager is the urge to change a long-standing policy or procedure, regardless of the need for change. Primates do like to mark their territory.

But one of the cardinal rules of bureaucracy is “If it ain’t broke, don’t fix it.” Some people are eager to embrace new technology, so that they will have bragging rights at cocktail parties. These are often the same people who buy riding mowers for their postage stamp lawns.

But there are times when change is justified, if it is the right change. And sometimes, any change will yield improvements in productivity, primarily because people appreciate being noticed (even if it is negative attention).

Consider the Hawthorne Effect, named for the Western Electric Hawthorne Works in Cicero, Illinois. Between 1927 and 1932 professor Elton Mayo reviewed productivity and work conditions, starting with lighting and humidity, then addressing psychological aspects of the work group (changing break times or working hours, applying different managerial style, or creating a sense of competition between work groups). Every change yielded improvement in productivity because people act differently when they know they are being observed.

Keeping in mind the X, Y and Z types of people working for you, some will improve out of fear of retribution (curtailing personal phone calls, double-checking their figures, improving attendance and punctuality). Others will improve because they want to be noticed in a positive sense (even if you have no ambition to higher office, positive feedback is an uplifting experience).

Of course we do not advocate change for the sake of change. Bureaucratic inertia (or tight budgets) usually ensures this. Then there is the bureaucratic equivalent of the Hippocratic Oath: “When in doubt, do nothing.” Some things have a habit of sorting themselves out. When an unwelcome trend is identified, the rules are changed. Some situations are transitory (snow plows are a seasonal affair, disaster movies notwithstanding). And sometimes, the people most affected by a trend look for solutions outside traditional channels.

THE INTERNAL CONTROL ACT

There are cynics who feel that the Internal Control Act is just another meaningless fad – and it will be a meaningless fad unless it is embraced by executive staff, managers, supervisors, and rank & file employees. The Internal Control Act requires agencies to engage in periodic review of their internal control systems – which means identifying those procedures, measuring productivity (qualitatively and quantitatively), and assessing the risks inherent in such operations.

When properly implemented, those “annual nuisances” can become an important communication tool for you to get the attention you need to resolve a long-standing problem. Reallocating staff due to retirements and reductions in force requires a reprioritization of an agency’s mission and functions. It also requires training for those assigned to new roles and responsibilities. It may also require new procedures, or integration of data between units.

Ideally, an internal control review would depend on ongoing monitoring of key functions, not a perennial paper chase. There are three standard ways to monitor a situation, be it a licensing/registration operation, fiscal audit or UN peacekeeping mission:

Observe – Interview – Document.
By Observe we are talking about using your eyes and ears to monitor the operation. A good shop foreman knows by sound alone whether a printing press is functioning properly, or if the staff are keeping busy. Are you getting the expected results at the end of the day? Are people ebullient or exhausted at quitting time? And yes, even a sense of smell can come in handy. Factory workers know the value of good ventilation, and the harmful effect paint and solvent fumes can have on their bodies. There is also the “sense of smell” an account clerk can develop processing vouchers, or the “sense of smell” an auditor taps into instinctively when reviewing questionable transactions.

progress. Checking dates (prompt payment legislation is only one issue – delays in transaction can cost more than money).

When you are observing-interviewing-documenting, avoid the tendency to second guess your staff. Avoid the tendency to think you know more than they do. Approach the task with humility, not arrogance, and this will communicate to your staff that “you are all in this together”.

To these three trusted techniques, I would add a fourth: Confer.
Then there are those who use their assigned State vehicles to commute to the office, take extensive side trips on the State’s dime, talking to sweethearts on their State cell phone as they drive (and probably not hands-free). Yes, just like sports celebrities who start buying hard drugs with their signing bonuses, there are “Masters of the Universe” near you who let it all go to their heads. The fancy titles, private offices, free long distance, State cars and private secretaries. They consider the accoutrements of office as personal prestige items, not tools to get the job done.

When you work for the State, it is pretty easy to figure out how much everyone is making. Just download the salary schedules from the Internet. Most of you reading this are probably struggling to keep pace with gargantuan monthly mortgage payments; a car loan with seductively low interest – but equally low down payment; orthodonture for the kids (maybe even private school tuition, not to mention $100 sneakers that only last a semester).

So it is only reasonable for you to wonder about bosses or co-workers who appear to be living beyond their means. Maybe they do have a rich aunt, or a winning lottery ticket, or made a killing in the stock market. This is not to suggest that you start spying upon them in Orwellian 1984 style. But it does suggest that as part of your routine day-to-day work, you remain alert to “anomalies” – i.e., things that don’t make sense. Like irregularities in purchasing, absenteeism, possible no-show or ghost employees (who just love direct deposit), wasteful practices (like travel junkets to expensive conferences in Las Vegas, while the rank and file can’t get their employer to cough up $99 for a one-day, local seminar).

So “What’s in it for me? Why should I risk my career to report wrongdoing?” Chances are, even if the long arm of the law reaches out and nabs an employee on the take, no one will blame you. After all, it’s not as if you approved their activities. Or is it? Were you pressured to authorize payment to a vendor, when your instinct told you otherwise? How about approving an applicant for government funding because they were the commissioner’s nephew? Was the commissioner even aware that a relative had approached your agency for funding?

Worst-case scenario: the local papers uncover something smelly via the Freedom of Information Law (probably tipped off by a co-worker who decided not to trust the Inspector General with that information). Your name gets dragged through the mud, even though you did not personally benefit by the suspect activity. The commissioner embarrasses the governor, is forced to resign, and deep in his heart of hearts, blames you for never warning him that “something is rotten in the state of Denmark.”

And the local press won’t follow Roberts Rules of Order, or rules of evidence in speaking and speculating. Not even the UCMJ (Universal Code of Military Justice). No blindfold, no cigarette. You will never make it to SG-27 now. Unless you are an SG-31.

Executive Order No. 39 does say “The knowing failure of any officer or employee so to report shall be cause for removal from office or employment or other appropriate penalty.”

Maybe you will never pay a penalty for looking the other way, but then how does that make you feel when someone around you is pilfering or profiteering, lording it over legitimate workers. Acting like the Aesop’s grasshopper, treating you like an ant.

Is there a scandal waiting to erupt in your shop? And is your signature on any of the paperwork?

A partial list of Governor Pataki’s Executive Orders (134 of them at last count) is available online at the Governor’s Office of Regulatory Reform: http://www.gorr.state.ny.us/gorr/executive%20orders.htm
of staff to other responsibilities all conspire to tell you the traditional way of doing things is no longer the answer.

Yes, there are training gurus who will insist the solution is to cross-train all your staff, so that they can be assigned more flexibly to fill arising need. But the weeks of training required to do this will take them away from their current responsibilities.

Sharing Power

One often overlooked solution is to share power with your staff. Remember the little Dutch boy? Sure, you can plug a few holes single-handedly, but when you run out of fingers, you need to solicit additional help. I am not recommending a press release or guest spot on Charlie Rose. I am recommending honest two-way communication with your staff. Let them know you have a problem, whether it’s “Louise is out on Worker’s Comp” or “we have another unfunded mandate.”

Get a little brainstorming session going. Gain perspective and insight into the problem. Open the floor to suggestions. Be gentle with the impractical. Look for examples of duplication of effort or waste motion.

If turnaround time is an issue, think like a factory foreman. How does the assembly line flow? Are there bottlenecks in the overall process? Are some units waiting for work, while others are drowning in it?

You will have to take some of the feedback with a grain of salt (photo courtesy of Smithsonian Institution).

After all, you’ve probably kept some of your staff walled off into tiny confines and limited functions. People work best when they can see the big picture, but that is probably not the bureau you inherited with your last promotion. Now is your chance to change that. “We’ve always done it that way” no longer matters.

Sharing power is a strange thing. In the 20th century, we thought there was only so much power to go around, that sharing what we had with others would sacrifice the power we did have. Little did we suspect that sharing power actually creates more power – like a breeder reactor creates more fissionable material to power additional reactors.

Maybe the toxic byproducts of nuclear power make you nervous, but the byproducts of sharing human power are far from toxic. Surf the Internet and you will find “power sharing” under discussion by feminists and theologians, military specialists and accountants, international aid workers and West Wing strategists. Sharing power takes away the us vs. them phenomenon - where two opposing sides neutralize one another, and nothing positive is accomplished.
business contact, was close to closing a big deal, and had his or her employer pay for the lobster and champagne.

Then some unscrupulous employees started keeping track of credit card names and numbers, selling the data to counterfeiters in Queens, NY who could print and emboss some very authentic looking credit cards. The phony cards might have a useful shelf life of only 30 or 45 days, but each card had a high or open-ended credit limit, so it was worth the effort. In those days it was said that you could steal more with a briefcase than you could with a gun.

Today, you don’t even need the briefcase.

Enough preamble, here’s the meat of John Sennett’s presentation.

It’s now the 21st Century, and banking, commerce and the Internet have changed the rules of the game. It all started toward the end of the 20th Century with the proliferation of credit cards. Consumer-oriented Visa, MasterCharge, and Discover all eclipsed the more effete titans (Carte Blanche and Diners Club), while American Express picked up the corporate side. Following Sears, Roebuck’s lead, more and more companies turned to color catalogs to ply their trade, as 800 numbers replaced expensive bricks & sticks stores. Add the Internet and dot.com websites, and “distance shopping” became the new reality.

Teens who used to steal hubcaps now learned how to hack into mainframe computer systems with lowly Commodore 64 computers and 300 baud modems. If your purse or wallet were stolen, you worried more about the data in them, than the dollars lost. Laws were passed to limit the honest consumer’s liability to $50 for each lost or stolen credit card. If you didn’t keep a copy of that lost data elsewhere (names, numbers and 800 phone lines for each credit card; drivers license, bank number, etc.) you would spend hours retrieving that information (with lots of time on hold being told your call was important).

Now when we talk of “identity theft” we are talking about two technically different items:

• Account Theft – a stable indignity, whereby someone gets a hold on an active credit card number, and via Internet or 800 number, orders merchandise to be shipped to a different address;
• Identity Theft – a growing phenomenon, whereby someone uses your personal descriptors to open up new credit accounts, then runs up mega-debts in your name.

In the first example, you may realize something is wrong when you get your next credit card statement. In the second example, you may never see a bill until a collection agency knocks on your door demanding repayment of $30,000 for that fuchsia Lexus.

Complaints to the Federal Trade Commission have been doubling annually for the past few years regarding that second example (250,000 complaints in 2003). Losses to businesses are now $32.9 Billion (an average of $10,200 to each business), while losses to consumers total $3.8 Billion (an average loss of $1,180 to every victim).[2] What’s worse, the average victim of identity theft will spend an average of 60 hours re-negotiating a good credit rating, and resisting the bill collectors.

To understand how we are being victimized by this new technology, we need to look at human psychology. After all, most of us are social, gregarious creatures, who want to get along, play well with others, learn to share, and not run with scissors.

[2] On the plus side, we are less frequently bothered by boiler room con artists and telemarketers at dinner time. On the minus side, it’s a bit like termites eating away at the foundation of your house. You don’t know there’s a problem until it’s too late.
[3] Dave Barry might think this would make a great name for a rock band.
[4] Binford Tools meets Benford’s Law.
[5] Editor’s Note: A Firewall is critical if you have Internet service via a cable modem (like Road Runner). A firewall is desirable even if you are using a phone modem.
Sennett recommended you go to the big three credit reporting agencies annually to review your ratings. They are Equifax, Experian and TransUnion. If you lose your Social Security card (or someone starts claiming your number), call the Social Security Administration at 1-800-269-0271.

The Federal Trade Commission has a website devoted to ID theft: www.consumer.gov/idtheft

Their website offers valuable instructions, plus an AFFIDAVIT form (PDF file) for those of you who may have been the victim of identity theft.

Also, a new law is taking effect in New York State this year, requiring all new ATMs to print only the last five digits of your account code on receipts (and existing machines must be retrofitted or replaced by 2007).

Sennett also warned us of “frame spoofing”, or those insidious pop-up screens that appear when using the Internet. They look genuine, but can draw you into a scheme, and lure you to reveal your credit card number. And those on-line auctions play up the “scarcity” of collectibles, drawing absurd bids, even if the merchandise is delivered.

The follow-up discussion by the group yielded a few more valuable observations and ideas. For example, have one credit card with a low credit limit that you use for on-line shopping (save your Platinum card for impressing friends at restaurants). Watch out for spam that looks like authentic, incredible offers from major corporations or absurd discounts on name-brand items. For that matter, watch out for e-mail links that take you to what looks like a respectable website (complete with color logos).[6] They are just “phishing” for personal information about you (credit card numbers, date of birth, bank account, mother’s maiden name). Delete any letters you receive from former oil ministers of Nigeria, who need your help moving an account off-shore. Think of unsolicited e-mail as the equivalent of a stranger knocking on your door. Do not provide personal identifying information to anyone over the phone, or via e-mail or Internet. If your bank needs to be reminded of your mother’s maiden name, tell them you will call them back, then phone your local branch manager.

I’d like to close on an upbeat, personal note about identity theft. The year was 1967, and the FBI were trying their damnedest to get something on Joe Bananas, the crime family capo from New York City. His business associates (euphemism) had extorted the open-ended use of a Diners Club card from a losing gambler. Said card was then used by Joe’s son Salvatore, then sanitized as Bill Bonnano, living in Arizona, riding horses, wearing southwest style clothing, and acting respectable. When the gambler tired of the outrageous “vigorish”, he went crying to Diners Club, and they succeeded where the FBI had failed – getting an indictment and conviction of Salvatore for using someone else’s credit card. My father’s former co-workers were chagrined (to put it mildly), but they learned from the experience.

We should all learn from our experiences.

Did I mention that the US Secret Service has a fascinating CD-Rom about electronic evidence, credit card forgery (“Forward Edge”)? Not available in stores. They also have a detailed guide to seizure of electronic evidence at http://www.secretservice.gov/electronic_evidence.shtml .

[6] As good citizens we need to discourage spam, by NOT responding to such unsolicited offers. When you are ready to buy something, go to www.walmart.com or www.victoriassecret.com . In such instance you have the assurance that you are going to the real on-line store, not a spoof. Of course, OFT’s WebSense will block the second site, but you get the idea.
What is Internal Control?

Internal control is NOT a collection of disconnected processes and procedures. Internal control IS an integrated approach to sound management. It may involve specialized equipment (combination locks, computer passwords, refrigerator thermometers, smoke detectors, fire extinguishers, etc.) but most of all it depends on PEOPLE. People who understand the why’s and how’s of the program, the significance of information generated, the purpose behind all that specialized equipment – and when to ignore it.

Internal control certainly involves PROCEDURES – be it OSC payroll requirements, OGS purchasing, OFT computer security, EZ-Pass scanners or State Police radar – but each of these procedures depends on people, people talking to other people, people entering accurate/timely data into computer systems, people following up on problems and exceptions to the rule.

Know Your People

There are people who are clearly uncomfortable when we bring up this topic. They think that there is an ironclad rule of privacy that prohibits them from learning anything personal about co-workers.

True, when hiring new workers, there are certain questions that are rightfully prohibited during the interview process. Your race, ethnicity, religion, marital status, political affiliation and sexual orientation have no part in the recruitment/selection process, be it for initial employment or promotion. But this does not prohibit you from learning a little bit about your staff once they are on board.

For example, does someone belong to an organization that is antithetical to the vision and mission of your agency? Are they working a second job somewhere that constitutes a conflict of interest, or interferes with their productivity and attendance at their government job? You know what grade level they are – are they living beyond their means?

Of course, getting to know your people also can be a positive experience. Your file clerk by day may be a web designer at night. Your senior accountant may be a wiz at restoring old Jaguars. The shop teacher in your facility may be bilingual. Your youth counselor may be a talented musician. Just as government is the sum of its parts, we as individuals are the sum of our parts – our unique background, education, talents, passions, biases, ambitions, and even our clinical depressions.

Part of getting to know your people involves getting to know what they are good at. Micromanagers plague those who are quite capable of working without supervision. Laissez-faire managers are the bane of those who require constant attention to stay focused on tasks. And most of your people will be somewhere in between – excelling at the things they enjoy, and avoiding the onerous.

Some Definitions

We cannot totally escape some “boilerplate” definitions of internal control, though we can discuss them logically.

In New York State government, Internal control is a process, designed to implement a legislative mandate, executed by executive, management, supervisory and line staff, to provide reasonable assurance that objectives will be achieved effectively and efficiently, in compliance with applicable laws and regulations, supported by reliable financial and program reporting.

Reasonable assurance – takes into consideration the significance of the program or activity (e.g. its cost, impact on people, effect on agency reputation), likelihood of error (some risks go with the territory), and relevance and affordability of controls to those risks.
All too often in a hierarchical system, information is “managed”, i.e. it is restricted to a limited few (under the theory that “knowledge is power”.) Some supervisors also embrace the Nike slogan “just do it” when an employee seeks a greater understanding of his/her role and responsibility.

With apologies to the State Police and Department of Correctional Services, most of you will never be instructed to storm a building or tackle a fugitive, so you should have time for the luxury of knowing why you do what you do. Knowing “why” may also improve your chances for finding a more efficient and more effective way to do your job.

Effective organizations are not afraid of information and communication. They look upon their employees as colleagues, are not afraid to answer questions, or even consider new ways of doing things. Transforming an ineffective organization involves more than taking a few HPO or TQM classes, giving speeches or cutting ribbons. It involves development of a corporate culture that encourages communication up and down the ladder, and sideways between divisions and bureaus. Yes, you should still read the manual, but comparing notes with your peers can be invaluable.

Much of what we do in government is repetitive by its very nature. Every year Taxation & Finance deals with the same eternal issues. Every year, thousands of citizens smile into the face of the DMV’s flattering camera. Every year, the courts deliver thousands of all ages to our facilities, for education, correction, rehabilitation, medical treatment and the like. With long-established processes in place to continue these activities, there should be time to talk about the job, compare notes, and envision alternatives.

A side issue for some, but it affects all – open communication between interested parties, be they regulators, “stakeholders”, families, advocacy groups, legislative bodies or advisory groups.

Internal control cannot change a poor manager into a good one. But it can change a good manager into a better one, and set the stage for the next generation of managers. This is an important consideration, given our rapidly aging work force.

Shifts in government policy or programs, competitors' actions or economic conditions can be beyond your control, but at least you will be the first one on your

corrective action, and engages in follow-up activity to ensure their warning was heeded.

A supervisor “monitors” staff attendance via visual observation, phone calls, computer log-in and/or spot-checks on-site. A program manager “monitors” grant activity through conversations (phone or in-person) with service providers or clients, or on-site visits to local service providers. A grant administrator “monitors” expenditure activity on a periodic basis by reviewing expenditure reports or claims on a monthly or quarterly basis, comparing them to projections.

Within the broad category of “monitoring” we can also place “evaluation” and “auditing”. The distinction between these activities and managerial monitoring is primarily organizational.

To ensure independent, unbiased thinking, evaluators and auditors cannot be part of the operation being reviewed. Evaluators are frequently specialists in program areas, employing research methods to determine the effectiveness of program services. Auditors (in the past) focused on financial issues, employing accounting skills to review inventories, fiscal resources, integrity in payrolls, purchasing and grants. But more and more, auditors are becoming management generalists, with a growing understanding of agency goals, program specialties, and bottom-line criteria of success. And of course, auditors will tell you they are there to help you.

Tying It All Together

A good internal control system depends on “synergy”, i.e., the whole should be greater than the sum of its parts. The five components discussed above should form an integrated system that reacts dynamically to changing conditions. Internal controls are most effective when they are built-in to an operation, not added on by some external force. In other words, don’t do it because the law says you have to do it. Do it because it makes sense.

1. Evaluate the control environment to determine the level of inherent risk,
2. Determine what controls would need to be imposed to provide 'absolute assurance',
3. Of those controls, which ones would provide a satisfactory level of 'reasonable assurance?'
4. How would reasonable assurance controls be
block to recognize this. implemented?
Internal controls cannot guarantee an ironclad defense 5. How might they be monitored?
against fraud, waste and mismanagement. Human
nature is what it is, and there are those who are 6. How might communication flow support or
indolent, deceitful and imaginative just waiting to stifle the success of the controls in minimizing
scam your system. risk/maximizing success?
BACKGROUND CHECKS
BOGUS CREDENTIALS
Albany VA Hospital
The VA never checked the credentials of a medical researcher,
who doctored his undergraduate transcript (from St. Rose
College), was dismissed from medical school, then played
doctor at the VA, leading to the deaths of cancer patients. The
case has been dragging on for several years. At first the
hospital administration tried to dismiss allegations of
wrongdoing. Now it is going to cost them dearly.
Barings Bank
Singapore trader (Nick Leeson), working without supervision, fluffs up
accounts, engages in highly risky investments, losses totaling 830
million pounds - leading to bankruptcy of firm. He made the losses look
like profits!
Not to be outdone, two Long Island school district superintendents were charged with similar creative
accounting practices in 2004. OSC had a few harsh words to say about the auditor who reviewed
Roslyn (LI) books. That auditor had the account for 12 years. Did I mention the audit firm also sold the
accounting software used by 250 NYS school districts, including Roslyn?
A Grand Island BOCES staffer pled guilty to a mere $40,000 theft. Chump change!
• Angel Rodriguez: The City Council member from Brooklyn resigned after pleading guilty to
taking bribes to win his support for construction of a supermarket in Red Hook
• Anthony Serra, a Rikers Island prison official forced to resign for allegedly coercing Corrections
Department employees to work in Republican political campaigns.
• More than half of the city's plumbing inspectors were charged in June with taking bribes in
exchange for allegedly approving plumbing work without doing required inspections. Mayors
have tried and failed to clean up the Buildings Department, where the plumbing inspectors work,
and so, in the wake of the scandal, Bloomberg vowed that he too would tackle the longstanding
mess.
• Eighteen current and former New York City tax assessors were indicted in February on charges
that they accepted millions of dollars in bribes over 35 years in order to cut the property taxes on
500 buildings in the city. The alleged corruption cost the city some $160 million in tax revenues
in the last four years alone.
• These instances of malfeasance, however tawdry, were sadly predictable and local. But
newspapers throughout the nation took notice in November when it became known that financial
analyst Jack Grubman helped engineer a $1 million contribution from Citicorp to the 92nd Street
Y in order to improve his twins' chances of being admitted to the Y's selective nursery school.
The incident stepped over the line from surreal to scandal with allegations of what the Wall
Street Journal called a kid pro quo: Had Grubman altered his analysis of AT&T in order to win
the contribution? After all, the analyst and father said, "there are no bounds for what you do for
your children."
REAL ESTATE MOGUL SUES NEW YORK CITY FOR $500M. Real estate mogul Donald Trump
has sued the city of New York for $500 million, claiming a tax assessor bribery scandal forced him to
sell apartments at a luxury building at below-market prices, a published report said. Trump said corrupt
tax assessors hiked up taxes at Trump World Tower, a 72-story building near the United Nations, in
order to cover up their scheme to lower taxes for certain landlords, The New York Times. Authorities
said that assessors took bribes totalling $10 million in exchange for lowering assessments on
commercial properties, mostly in Manhattan. At least one former tax assessor who pleaded guilty said
assessors would raise taxes on some properties in order to hide the lower taxes on others. (World News
(AP), November 8, 2002, summary by Sherldine Tomlinson).
School administrator admits to three felonies. Sheila Johnson-Moore entered a guilty plea in
County Court Thursday, 2/25 to embezzling $26,208 from the Buffalo School District. She had been on
paid suspension from her $60K+/year job for several weeks. The 39-year old black woman has a
criminal record which local school authorities had been warned about repeatedly when she began work
for the school district, and several times thereafter. She was strongly supported by former
Superintendents of Schools Thomson and Harris. Johnson-Moore was caught in the most recent felony
as a result of an investigation by the Internal Revenue Service. She had been allowed to be sole
financial administrator for a $800,000 federal grant. The matter has brought wide-spread public
outrage. An investigation into how Johnson-Moore got away with the embezzlement, and how her
previous criminal record could have been ignored, is reported underway. (2/25)
Schools had been warned three times of administrator's criminal record. The Buffalo
News reported that warnings about the criminal past of Sheila Johnson-Moore had come three times to
the Buffalo School district over a period of several years from federal authorities. Still, the school district,
under the direction of Superintendents Thomson and Harris, continued to employ and promote Johnson-
Moore. A member of the Board of Education said this past week that an inspection of Johnson-Moore's
personnel file indicated that the warning communications from the federal government had
"disappeared." Meanwhile Johnson-Moore continues to draw her $60K+ salary while on suspension.
The investigation into improper handling of grant money in the Buffalo Schools reportedly is still
expanding. (1/23)
Administrator had been convicted of previous embezzlement. One of the targets in a probe
of "mis-handling" of a $800,000 federal grant to the Buffalo schools reportedly has an extensive police
record. The Buffalo News is reporting that Sheila Johnson-Moore had been convicted of embezzling
$23,991 from a federal minority program at Tuskegee University in Alabama. That scam took place,
The News reports, before the 39-year old woman was hired in Buffalo first as a teacher, and then quickly
promoted to an administrator under the regime of former School Superintendent Albert Thompson. The
newspaper is also reporting in Sunday, 1/9, editions, that Johnson-Moore illegally collected welfare
benefits and food stamps from Erie County Social Services starting about mid-1990 and continuing
through 1991---a time when she was employed at a good-paying job with the Buffalo School District.
That scam, The News reports, was made possible by her use of the name Stella D. Moore. Johnson-
Moore is said to be making about $60,000 a year in her present position with the Buffalo Schools, a
position she has been on fully paid suspension from since late last year. (1/9/00)
Roosevelt NY, head of private school, Shelly Williams, 1979 founder of Upward Prep School (private)
with emphasis on high test scores, etc. is charged with embezzling $329,000 of day care funds provided
by Nassau county. About $92,000 was diverted to improve her home in Old Westbury. $237,000 was
diverted to her personal account. (NYT, Apr 6, 2K, p. B8).
Other Scandals
PAXIL (GlaxoSmithKline anti-depressant) – linked with suicides in adolescents
Rensselaer – Police Chief vs. Mayor re using city gasoline for personal use. Bad press, but judge
drops charges.
Pick Six Betting Scandal (Autotote Employee rigging Breeders’ Cup “winning” ticket) They almost
got away with it.
Albany Police Department – improper use of drug forfeiture moneys for non-criminal justice purposes
(like retirement parties and artwork). $40,000+ involved
UN Oil for Food Program - Kofi Annan’s son implicated (appearance of impropriety). Other UN
officials bribed.
New York City – Park Avenue Armory, a favorite for antique shows. Staff extorted free Persian
carpets from exhibitors. Meanwhile, Javits Convention Center staff involved in other strongarm tactics.
• A purchasing agent can get a great deal from her cousin, but he is not on state contract.
• A computer programmer pads her resume to get the dream job she can’t handle. She holds things together with a patchwork quilt of subroutines, but the day is drawing nigh when the entire system will collapse under its own weight.

No, the sky isn’t falling (though the bridge might). But each of these instances, unaddressed by management and colleagues, spells trouble for accountability and agency success.

To the executives and managers I say – your only hope is to listen to your people. Call them the front line, underlings, subordinates, office temps, whatever. Listen to them, for collectively they are the ones who know what is going on. You may be the only one who can put all the pieces together, and do something about it. But that’s your job.

In the ‘60’s, the Administrative Analyst’s Handbook had a quote: “An administrative analyst should have a passion for anonymity.” I didn’t agree with that quote back then. But today, with Gossip TV, yellow journalism, muckraking and mudslinging back in vogue, your 15 minutes of fame may not be what Andy Warhol envisioned.

Do you really want to be quoted in the New York Times, the Albany Times-Union or the Syracuse Post-Standard? Do you want 60 Minutes to do a feature on you, when you were asleep at the switch? How about Fox News?

Rather fail with honor than succeed by fraud. - Sophocles
ANATOMY OF FRAUD
Uniform Occupational Fraud Classification System
MAJOR CATEGORIES
I. CORRUPTION
• Conflicts of Interest
Purchase Schemes (split vouchers to avoid
competitive bidding)
Sales Schemes
Other
• Favoritism and nepotism in hiring,
purchasing or client services
• Governance in-breeding
• Bribery
Invoice Kickbacks (vendor collusion)
Bid Rigging (phony bids or no bids)
Other (bogus inspections, licenses granted)
Political (votes promised, nominations & endorsements)
• Illegal Gratuities
Christmas Presents
Theatre Tickets (Broadway)
Free Travel & Lodging (conventions)
Expensive Dinners or Country Club Greens Fees
Free Product Samples (laptops or cocaine)
Gift to Favorite Charity
• Economic Extortion (Political Extortion too?)
“By me, or I’ll sue”
“I’ll tell them about the freebies”
“I have the negatives”
1. Execution & Authorization:
a) Is there a set of written policies & procedures - including an updated organization chart?
b) Are employees made aware of policies & procedures?
c) Is employee or supervisor acting within scope of authority?
d) Are staff following management's intent?
2. Separation of Duties:
a) Are duties clearly defined so that no one individual is responsible for a transaction from start to finish?
b) Are procedures designed to provide appropriate checks & balances?
c) Are key duties/responsibilities for authorizing, processing, recording and reviewing transactions divided among individuals (e.g. different individuals authorize purchase / receive goods)?
d) Are sensitive functions rotated periodically?
B. DOCUMENTATION
1. Recording of Transactions:
a) Are transactions promptly & properly recorded by persons other than those authorizing transactions or having custody of assets?
b) Does documentation include pertinent facts (names, dates, dollar amounts, description of occurrence, purpose of transaction)?
c) Are documents inventoried to determine who uses them and how they are stored?
3. Reconciliation of Assets:
a) Are assets (e.g. computer equipment) duly tagged or labelled (with a decal)?
b) Is an inventory of equipment and/or supplies kept and updated appropriately?
c) Is periodic comparison made of the physical resources vs. documentation (equipment/supplies inventories, bank reconciliations, heating oil tank readings)?
Event Identification: Management identifies potential events affecting its ability to achieve objectives. Events with potentially negative consequences represent RISK. Events with potentially positive consequences represent OPPORTUNITY.

Risk Response: Management identifies response options, taking into consideration cost versus benefit and acceptable level of risk. Responses may include avoidance, reduction, sharing of risk (e.g., pooling of risk or co-insurance), and acceptance of risk. The chosen response(s) may have significant impact on the entity’s business plan, services provided, product line or corporate policy.

Control Activities: Policies and procedures help ensure appropriate risk response, including activities such as approval, authorization, verification, reconciliation, review of operating performance, security of assets, and segregation of duties.

Information & Communication: Pertinent information from internal and external sources must be identified, captured and communicated in a timely and relevant fashion. This includes exchange of relevant information among external parties, customers, vendors, regulators, stakeholders.

Monitoring: Monitoring assesses both the presence and functioning of risk management components, as well as quality of performance over time.
Perhaps each staff person is responsible for processing license fees or child support payments. One worker may log in $20,000 every week, the other only $10,000. Before you go pointing fingers or calling in the Inspector

Some savvy supervisors call a site long AFTER the worker should have concluded his/her work. When told that their inspector left there an hour ago, they just say “thanks, I’ll catch him/her at the next site”.
A. INTRODUCTION
As a manager, you need to know, in detail, what procedures your unit employs to meet each
of its major functional responsibilities effectively, efficiently, and legally.
For the purposes of the Internal Control Act, we need to document procedures that touch on
staff responsibility and accountability, accuracy of records, chain of command in the decision
process, protection of assets and management oversight of each major function.
It does take time to review, document, and update these procedures, but the ultimate
beneficiary of this effort is your own organization. Well-documented procedures have
considerable value in training new staff, cross-training current staff, establishing work plans,
devising annual budgets to keep pace with workload responsibilities, and identifying new ways
to meet those responsibilities in a changing world.
The procedures you document for each major function should address the following questions:
• What documentation is maintained for each transaction, and who maintains these
records?
(e.g. shift logs, ledgers, computer entries, monthly reports, statements)
The procedures should reflect key steps from beginning to end, noting any interim reports, files
created, supervisory authorization, and individuals or units involved at each step. This
information should help you manage your operation by determining where accountability lies
for each component of the overall function.
CONTROL PROCEDURES
a) The Audit Director and Assistant Director develop an annual Audit Plan.
c) Audit request procedures and protocols are outlined in the Internal Audit Procedures
Manual, including the following phases:
On-Site - This phase includes entrance meeting, on-site data collection, daily
debriefings and phone contact with Central Office supervision, and exit meeting
with facility director.
Post On-Site - This phase includes debriefings with Central Office units, pre-
release meeting with Central Office units, and preparation/transmittal of the
audit report to the facility director and appropriate Deputies.
Procedures developed in greater detail can be used for such management purposes as new
employee orientation and training, as well as performance standards for employee evaluations.
MONITORING
M-1 Monitor the process: Collect and assess information; user satisfaction; assess performance
M-2 Assess internal control adequacy: Timely operation of internal controls; operational security and quality assurance
M-3 Obtain independent assurance: Accreditation of IT services; proactive audit involvement; independent evaluation of effectiveness; compliance with applicable laws/rules/regulations
M-4 Provide for independent audit: Professional ethics and standards; audit charter, independence
Yes, this is a very demanding, comprehensive list. It also requires:

• Identification of the primary party responsible for each of these IT Control Objectives
• IT resources applicable
o People
o Applications
o Technology
o Facilities
o Data
• Information criteria applicable
o Effectiveness & Efficiency
o Confidentiality
o Integrity
o Availability
o Compliance
o Reliability

It is interesting to note that the fourth “domain” of COBIT objectives – Monitoring is very similar to COSO Control Self-Assessment and OCFS Internal Control Review. ISACA has provided a 155 page document detailing these 34 COBIT objectives, but a review of the table above is informative enough for our purposes.

A full-fledged COBIT review would entail considerable training of both auditor and auditee. A more workable alternative is for the internal control officer to initiate a series of management consultations with IT executives and managers, following the general framework of a COBIT audit, though taking into account the incremental nature of such a review, since we are starting from the ground up.

It is also important for IT staff to take ownership of the need for such a review. As agencies become increasingly reliant on information technology there is a greater need for self-reliance in the development, maintenance and improvement of all its information systems. Where necessary, there will also need to be mutual agreement between the internal control officer and IT regarding terminology used, and degree of detail required to fulfill annual reporting/certification requirements of the Internal Control Act.

Past experience with internal control review processes in most agencies indicates that the internal control review process is of greater value to those in charge of a program or function, when they fully embrace such process, and document systems to a level of detail in excess of minimum Internal Control Act requirements.

However, the current fiscal/staffing climate may interfere with such eventuality (at least on a short-term basis).

The following chart from the COBIT manual bears an uncanny resemblance to Canada’s own internal control approach (CICA, vs. COSO), indicating it is a constant renewal process, as we learn by doing.
IT resources
• people
• application systems
• technology
• facilities
• data

DELIVERY & SUPPORT
DS1 define & manage service levels
DS2 manage third-party services
DS3 manage performance & capacity
DS4 ensure continuous service
DS5 ensure systems security
DS6 identify & allocate costs
DS7 educate & train users
DS8 assist & advise customers
DS9 manage the configuration
DS10 manage problems & incidents
DS11 manage data
DS12 manage facilities
DS13 manage operations

ACQUISITION & IMPLEMENTATION
AI1 identify automated solutions
AI2 acquire & maintain application software
AI3 acquire & maintain technology infrastructure
AI4 develop & maintain procedures
AI5 install & accredit systems
AI6 manage changes
INTERNAL CONTROL PERFORMANCE STANDARDS
Source: Ernst & Young

REVENUES
Grants, shared revenues and entitlements are accepted and received in compliance with program and legal provisions.
Interfund transactions are authorized and recorded correctly as to fund, account, amount, and period.
Services rendered are billed promptly, in the correct amount.
Revenues are recorded correctly as to account, amount, and period.
Uncollectible/delinquent accounts are promptly identified for follow-up action.

EXPENDITURES
Budgets are prepared and approved in accordance with legal requirements.
Budgetary compliance is monitored, and noncompliance is prevented or detected and properly corrected.
Expenses are incurred only with proper authorization.
Expenses and related liabilities are recorded correctly as to account, amount and period.
Salaries, wages, and benefits are incurred only for work authorized and performed.
Salaries, wages, and benefits are calculated at the proper rate.
Salaries, wages, benefits and related liabilities are recorded correctly as to fund, account, amount, and period.
Goods or services are purchased with proper authorization and in compliance with legal requirements.
Goods or services received (and related liabilities) are recorded correctly as to fund, account, amount, and period.
Grants and subsidies to ultimate recipients and sub-recipients are made with proper authorization and in compliance with legal requirements.
Grants and subsidies to ultimate recipients and sub-recipients are recorded correctly as to fund, account, amount, and period.
Physical loss of property and equipment is prevented; disposals/retirements/trade-ins are identified, authorized and are recorded correctly as to fund, account, amount, and period.
Indirect cost allocation plans are appropriately developed and used to properly allocate overhead.
Commitments and contingencies are identified, monitored, and if appropriate, recorded or disclosed.

FINANCE
Cash receipts are recorded correctly as to fund, account, amount, and period.
Cash disbursements are for goods and services or properly-supported claims authorized and received.
Cash disbursements are recorded correctly as to fund, account, amount, and period.
Debt, leases and other similar obligations and related expenditures/expenses are authorized and
Fund segregations and transactions are properly authorized and are recorded correctly as to fund, account, amount, and period.

INVESTMENTS
Investment transactions are authorized and are recorded correctly as to fund, account, amount, and period.
Income earned on investments is recorded correctly as to account, amount, and period.
Investment assets are protected from loss or misappropriation.
INVENTORY
Costs are assigned to inventory in accordance with the stated valuation method.
Usage and movement of inventory is recorded correctly as to account, amount (quantities and dollars) and period.
Physical loss of inventory is prevented or promptly detected.
Obsolete, slow-moving, and overstock inventory is prevented or promptly detected and provided for.

CONTRIBUTIONS
Contributions by employers and participants are at authorized or required amounts.
Contributions are recorded correctly as to fund, account, amount, and period.

BENEFIT PLAN OBLIGATIONS
Benefit payments are to valid participants, are determined in accordance with plan provisions, and are processed only with proper authorization.
Benefit payments are recorded correctly as to fund, account, amount, and period.
Participant data accumulated for actuarial valuation is complete and accurate.

INTERNAL ADMINISTRATION
Audits are properly planned and supervised; audit findings are supported by evidential matter.
Audit reports are issued only with proper management review and authorization.
Research studies are properly planned and supervised; reports are supported by evidential matter.
Requests for legal assistance are authorized and controlled by management; legal assistance is supported by evidential matter.
Financial forecasts, cash flow projections and status reports are developed from appropriate information sources.
Hiring, retention and promotional practices comply with Affirmative Action requirements.
Policies and procedures are issued only with proper management review and authorization.

COMPUTER SYSTEMS
Computer programs are authorized, tested and approved prior to being placed into production.
Computer operations are separated from applications development/programming.
Data processing personnel are independent of user department, and have no access to cash, investments or other similar assets.
Changes to existing program applications require authorization and approval.
Systems documentation provides programmers with information required to correctly maintain applications.
Physical access to data files is controlled; access to data files is restricted to authorized users and programs; passwords are changed periodically.
Physical security precautions are taken for fire, flood and other applicable hazards.
Appropriate backup procedures exist for data files/programs.
Uncharacteristic (unusually heavy) use of computer resources is investigated promptly.
Obsolete or unnecessary programs/files are evaluated periodically and purged from system or production schedules as appropriate.
User participation, approval and acceptance is sought in the applications development process.
Formal documents of production schedules and actual processing are maintained and reviewed; deviations from planned or usual processing are identified/evaluated promptly.
Senior executives have long sought ways to better control the enterprises they run. Internal controls are put in place to keep the company on course toward profitability goals and achievement of its mission, and to minimize surprises along the way. They enable management to deal with rapidly changing economic and competitive environments, shifting customer demands and priorities, and restructuring for future growth. Internal controls promote efficiency, reduce risk of asset loss, and help ensure the reliability of financial statements and compliance with laws and regulations.

Because internal control serves many important purposes, there are increasing calls for better internal control systems and report cards on them. Internal control is looked upon more and more as a solution to a variety of potential problems.

The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources. The second relates to the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly. The third deals with complying with those laws and regulations to which the entity is subject. These distinct but overlapping categories address different needs and allow a directed focus to meet the separate needs.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories, respectively, if the board of directors and management have reasonable assurance that:

2. Risk Assessment
--Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

3. Control Activities
--Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

4. Information and Communication
--Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

5. Monitoring
--Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among these components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. "Built in" controls support quality and empowerment initiatives, avoid unnecessary costs and enable quick response to changing conditions.

There is a direct relationship between the three categories of objectives, which are what an entity strives to achieve, and components, which represent what is needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category--the effectiveness and efficiency of operations, for instance--all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition--with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance--together with the categorization of objectives and the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.
take other actions needed to effect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions.

A number of external parties often contribute to achievement of an entity's objectives. External auditors, bringing an independent and objective view, contribute directly through the financial statement audit and indirectly by providing information useful to management and the board in carrying out their responsibilities. Others providing information to the entity useful in effecting internal control are legislators and regulators, customers and others transacting business with the enterprise, financial analysts, bond raters and the news media. External parties, however, are not responsible for, nor are they a part of, the entity's internal control system.

Organization of this Report
This report is in four volumes. The first is this Executive Summary, a high-level overview of the internal control framework directed to the chief executive and other senior executives, board members, legislators and regulators.

The second volume, the Framework, defines internal control, describes its components and provides criteria against which managements, boards or others can assess their control systems. The Executive Summary is included.

The third volume, Reporting to External Parties, is a supplemental document providing guidance to those entities that report publicly on internal control over preparation of their published financial statements, or are contemplating doing so.

The fourth volume, Evaluation Tools, provides materials that may be useful in conducting an evaluation of an internal control system.

What to Do
Actions that might be taken as a result of this report depend on the position and role of the parties involved:

Senior Management
Most senior executives who contributed to this study believe they are basically "in control" of their organizations. Many said, however, that there are areas of their company--a division, a department or a control component that cuts across activities--where controls are in early stages of development or otherwise need to be strengthened. They do not like surprises. This study suggests that the chief executive initiate a self-assessment of the control system. Using this framework, a CEO, together with key operating and financial executives, can focus attention where needed. Under one approach, the chief executive could proceed by bringing together business unit heads and key functional staff to discuss an initial assessment of control. Directives would be provided for those individuals to discuss this report's concepts with their lead personnel, provide oversight of the initial assessment process in their areas of responsibility and report back findings. Another approach might involve an initial review of corporate and business unit policies and internal audit programs. Whatever its form, an initial self-assessment should determine whether there is a need for, and how to proceed with, a broader, more in-depth evaluation. It should also ensure that ongoing monitoring processes are in place. Time spent in evaluating internal control represents an investment, but one with a high return.

Board Members
Members of the board of directors should discuss with senior management the state of the entity's internal control system and provide oversight as needed. They should seek input from the internal and external auditors.

Other Personnel
Managers and other personnel should consider how their control responsibilities are being conducted in light of this framework, and discuss with more senior personnel ideas for strengthening control. Internal auditors should consider the breadth of their focus on the internal control system, and may wish to compare their evaluation materials to the evaluation tools.

Legislators and Regulators
Government officials who write or enforce laws recognize that there can be misconceptions and different expectations about virtually any issue. Expectations for internal control vary widely in two respects. First, they differ regarding what control systems can accomplish. As noted, some observers believe internal control systems will, or should, prevent economic loss, or at least prevent companies from going out of business. Second, even when there is agreement about what internal control systems can and can't do, and about the validity of the "reasonable assurance" concept, there can be disparate views of what that concept means and how it will be applied. Corporate executives have expressed concern regarding how regulators might construe public reports asserting "reasonable assurance" in hindsight after an alleged control
Educators
This framework should be the subject of academic
research and analysis, to see where future
enhancements can be made. With the presumption
that this report becomes accepted as a common
ground for understanding, its concepts and terms
should find their way into university curricula.
“Reasonable assurance” means just that. Any program or administrative task has inherent risks – the cost of doing business, and managers must take such risks into consideration in a cost-effective fashion. The cost of a management control must be proportionate to the risk. For example, a pharmacy would keep serious narcotics (controlled substances) under lock and key, but stock the public shelves with antihistamines and aspirin.

Annual-salaried employees are trusted to keep track of their time and attendance, but additional management oversight is required for overtime payments. Program applicants submit qualifying information to caseworkers, but such information is subject to independent verification where appropriate.

Testing is a key ingredient in each state agency’s “Internal Control Review”, i.e., a review of management control systems in place governing key program and administrative functions of the agency. Such testing is generally of two types:
• Ongoing testing/monitoring – built into standard procedures, supervisory oversight, employee evaluation and case review;
• Periodic evaluation – e.g., on a quarterly or annual basis, often conducted by a consultant or independent body, with emphasis on program results, cost-benefit analysis, and timeliness of services.

Internal Control Testing and Internal Auditing have much in common, which is why most state

Interview – asking questions – of staff, customers, clients, vendors, or peer professionals is often the only way to get to the bottom of a situation in a non-adversarial way.

Documentation – this includes a review of items such as elevator inspection certificates, fire extinguisher recharging tags, time sheets, vouchers, program applications, day care center inspection reports, or even computer access logs.

What differentiates internal audit from internal control testing (or program monitoring, for that matter), is auditor independence. If you’ve followed the scandals of Enron, WorldCom, Parmalat and the like, you understand the temptation to tell the boss what he/she wants to hear, overlook shortcomings, or downplay fiscal irregularities. Even with auditor independence, collusion can occur (with adequate financial incentive).

Testing is a management responsibility of each division and bureau, but an Internal Control Officer needs to review the methods employed to determine if they constitute “reasonable assurance” that results are being achieved as responsibly as possible, while minimizing the downside of fraud, waste and mismanagement.

Yes, we must recognize that anytime large sums of money are involved, there is the potential for fraud – by an applicant, vendor/provider or employee. And the damages resulting from such fraud may be more than monetary. A daycare center bribes an inspector to overlook a building code or fire safety violation. A mechanic uses substandard parts to replace the brakes on a facility van. A computer vendor
1
Almost
contracts out hard disk manufacturing to a shoddy cousin (where does lost data go?). A defective smoke alarm causes a house fire.

Internal Control Testing must keep in mind the two sides of the coin:

• What are we trying to achieve?
• What are we trying to avoid?

If a risk does not interfere with results, one needs to ask “why spend money and time trying to control such a risk.” Similarly, if the risk (or “vulnerability”) is highly improbable (like a Martian invasion²), we would only invest in controls where the impact of such a long-shot would be devastating.

Plain Talk About Testing
On a periodic basis, the Internal Control Officer (ICO) will ask you how your specific program or administrative function is going. The Survey form is quite simple, but as anyone knows, trying to sum up anything into twenty-five words or less is no small task. As Mark Twain once said “Please forgive this long letter, I didn’t have time to write a short one.”

You are the expert when it comes to your program or function, so the ICO will not dictate what you have to do to verify things are going as they should. But the ICO will review your submission to determine if the frequency and extent of testing you describe is proportionate to the scale and significance of the operation.

The ICO should also meet with bureaus on a selective basis to review testing efforts, and provide suggestions for improved testing, based on experience with comparable functions, and based on state and nationally recognized standards for internal control and internal audit.

“Control self-assessment” is one such standard, expounded by the COSO³ or Treadway Commission. Applying the control self-assessment approach for auditing, testing and evaluating program performance is an ideal process for reviewing office operations and residential programs.

Observation
Have you ever sat at a traffic light, and wondered if it would ever change? Most lights change on a 30 to 45 second cycle, but the light at the corner of Fuller Road and Washington Avenue can take an eternity to cycle through all its choices.

If you’ve observed something happen more than once, you develop expectations. The shop foreman on the automobile assembly line expects you to install one bumper every 4 minutes and 19 seconds. The chief account clerk expects you to process 15 vouchers per hour, regardless of their illegibility. A crackerjack typist should be able to clock 90 words per minute, provided the network doesn’t crash.

As a manager, you have had to justify staffing based on a work plan that estimates the volume and complexity of activities, including individual unit times to complete an activity, with total turnaround goals established to provide timely and accurate service. Observation is one way to determine if reality is in sync with that work plan.

Interview
Interviewing starts when you select someone to join your operation. Of course you will also check their credentials and references, but the interview is the final determinant in hiring. Interviewing doesn’t stop once a new employee signs on. During his/her probation period you will use the interviewing technique to reinforce training, to verify the employee’s understanding of the processes/procedures employed, provide an opportunity for the employee to ask questions about his/her role and your perceptions of his/her performance.

² Them coming here, not NASA’s rover.
³ Committee of Sponsoring Organizations – including the American Institute of Certified Public Accountants, the American Accounting Association, Financial Executives International, the Institute of Internal Auditors, and the Institute of Management Accountants
National bodies such as the American Institute of Certified Public Accountants, US General
Accounting Office and major consultant firms have compiled a growing list of internal control
performance standards. One such list (from Ernst & Young) is included in this Guide (as
Appendix A), but it could all be summarized simply:
We must do our job responsibly - effectively, efficiently and legally. This includes
protecting the State's assets, providing services to clients according to recognized
standards, minimizing the State's exposure to lawsuit for improper or inadequate
activities, operating the agency without bias or favoritism, investing resources wisely in
activities which fulfill our mission.
The following examples of internal control objectives pertinent to major functions are not
intended to be exhaustive, but rather offer several useful examples of control objectives
relevant to a wide range of agency functions:
Personnel Recruitment: To recruit only qualified staff, in keeping with Civil Service Law rules and regulations, Affirmative Action policies and agency policies regarding verification of credentials.

Payroll: To ensure that salary, wages and benefits are incurred only for work duly authorized and actually performed.

Purchasing: To ensure that goods or services are purchased with proper authorization and in compliance with legal requirements.

Capital Construction: To verify that new construction and building repairs meet all applicable building/fire codes.

Vehicle Management: To ensure that all vehicles are maintained in safe working order, inspected annually, and operated only by authorized, licensed staff.

Computer Security: To ensure appropriate precautions are taken for fire, flood and other hazards. To ensure that access to data files is limited to authorized users.

Physical Restraint: To verify that direct care staff are trained in restraint techniques and procedures before physical encounter with clients.

Universal Precautions: To ensure direct care staff are trained in and use universal precautions when dealing with clients during accidents, illness or routine health care.

Contraband Control: To ensure that facility practices are followed to prevent client access to legal drugs, alcohol, tobacco products, weapons and inappropriate amounts of cash.
Whenever someone talks to you about rules and regulations, policies and procedures, or internal controls, your body has an inevitable response. Eyes glaze over, ulcers start percolating, respiration and circulation decelerate. Your brain goes to its happy place until the conversation slides to a more scintillating topic, like gout or tax reform.

Yes, there are rules and regulations that frustrate. Policies and procedures that obstruct. And overzealous controls that interfere with performance. How then do we translate vision into action? How then do we achieve our goals while avoiding unacceptable risks?

As a leader in government service, your primary concerns are not rules and regulations. You are looking for results. Results that are achievable, affordable and accountable. Whether you are fighting disease, poverty, ignorance or crime, there are people counting on you to make a difference. And if you can do so without encouraging a visit from Mike Wallace or Geraldo Rivera, so much the better.

You may find this hard to believe, but:

We are NOT talking about the painful, but necessary controls placed upon us by Civil Service, OGS, OSC, or Division of the Budget. Hiring and firing, purchasing, payroll, budgeting – all have administrative requirements to maintain integrity and accountability.

We ARE talking about the kind of management controls your own agency puts in place to control risk and monitor performance.

Controls that are tailored to meet the needs of your programs, your staff and the population they serve. We can arbitrarily divide internal control into four major categories:

• Hardware controls – like locks on doors, combinations on safes, smoke detectors
• Software controls – like passwords on computer systems or edit routines to reduce data entry errors
• Procedural controls – including accounting procedures, instructions to staff, form designs and documentation requirements
• “Soft” controls – knowledgeable, trained, ethical staff who are dedicated to your programs, honestly seeking to meet agency goals without resort to slipshod practices or dangerous shortcuts.

With good, honest, and dedicated staff (soft controls), you can rely less on the other three categories. For example, most of us have the intellectual acumen to assemble peanut butter and jelly sandwiches¹ without referring to detailed, step-by-step, illustrated instructions.

¹ Believe it or not, it is possible to purchase frozen, pre-assembled, crust-free PB&J sandwiches.
We know the value of separate knives for the two main ingredients. When we join the two slices of bread together, we ensure the filling is on the inside. Chances are, we didn’t have to use a keypad to open the refrigerator, and the jars opened without password protection.

Of course, the cost factor involved in such an operation is negligible. Beluga caviar, on the other hand, requires special handling. (Hey kids, don’t try this at home)

You’ve probably seen the PBS commercial where a young child scoops out some sturgeon roe, and dumps it into her aquarium, reasoning it is just fish eggs, after all. Maybe you have no caviar at home², but if you did you probably rethought where to store it away from such innocent intellects.

Internal controls are developed over time, in response to risk and experience. Risk assessment is an ongoing process (part formal, part informal). Experience tells us (if we are paying attention) the likelihood of occurrence, and the negative impact of such occurrence (be it frequent or infrequent).

And years of negotiating (battling) with the control agencies tells us whether controls are affordable (DOB) and adequate (OSC). You may not be responsible for a warehouse full of caviar, but you may have been assigned a $2,000 laptop computer. Ever wonder where you left it?

While we have divided internal controls into four major categories, some folks just divide them into two categories – over-control and under-control.

When fax machines were a novelty, some agencies/offices inflicted users with sign-in sheets or onerous logs when sending a fax. Of course no one filled out a form when receiving a fax.

Now the average fax may only cost 3 cents per page, you can buy a home machine for $50, and faxes themselves are being supplanted by e-mail and MS Word attachments. No more logs. No more over-control in one instance.

What about under-control? We all know the value of locking the barn door after the horses escape. There are times we are unwilling (or un-prepared) to impose new controls in a new setting, because we have had no negative experience controlling that risk. When computers were all kept in air-conditioned rooms, with raised floors and locked doors, entrusted to a few wizards, the rest of us did not need Palm Pilots to hold all our passwords. Then PCs started showing up on all our desks, and passwords evolved from our pet’s birth date to complex algorithms with letters and numbers and control characters.

For the record, your agency’s internal control officer is NOT a control character (though it takes a special breed to devote every waking hour to this benighted profession).

At this point, we could “sit on the ground and tell sad stories of the death of kings.”³ Better we should talk about the circumstances in our own agency, examine the over-controls that have outlived their usefulness, and consider the possible risks we are exposed to due to under-control.

All in all, we are just looking for a reasonable assurance that no one will die on our watch, none of our staff will wind up involuntary clients of another State agency, and Mike Wallace and Geraldo Rivera will focus their attentions elsewhere, at least for the next two weeks.

² Of course you do – you are a leader, aren’t you?
³ William Shakespeare, Richard II, Act III, Scene ii.
I would make an additional point – unless you make it clear to your IT (information technology) people what you need to know – the kind of decisions you need to make, the resources to be invested in such decisions, the impact of such decisions on world peace, the economy or good dental hygiene, then your IT people will just be alienated technologists – who will look upon you “surface people” as Eloi, while they work in the dark, underground as Morlocks. See H.G. Wells’ Time Machine for details.

Of course, the IT folks will not make your data needs a priority unless they see evidence that you 1) care about the data; 2) make valid decisions based on the data; and 3) your decisions make a positive impact on the people of New York State. Yes, they can also help the people of Ohio or Vermont, but they have their own way of doing things.

If you have the soul of a manager, you will have an insatiable need for more data, faster data, more relevant data, data you can synthesize into INFORMATION. Maybe you are monitoring ground water contamination levels around a landfill, PCBs in the Hudson River, or acid rain in the Adirondacks (most of which comes from Ohio, I think). Or then there is the alarming incidence of asthma in our next generation. Or the paucity of engineers graduating from our universities. Or the number of potholes on I-90.

There is an old axiom (there are rarely new axioms) “If you can’t measure it, you can’t manage it.” Some folks just throw in the towel, and assert the second half of the axiom. These are called “experienced managers”. It is too late for them – they’ve burned out from years of inadequate data support. But there is hope for you IF you start clamoring now for timely and relevant information.

Maybe you will need to start collecting it the old-fashioned way. Ask people questions. Keep a paper log of transactions. Start numbering incoming correspondence. Maintain key statistics on 3 X 5 cards.

Start a checklist. Include key statistics in your monthly report. It might impress your boss, but it will help whoever follows you in your position.

Establish realistic goals, set deadlines, then monitor results. If the NYS Education Department can renew an RN’s certification in 24 hours, maybe you can inspect and recertify that day care center in 30 days.

Do you need to expand your RFP mailing list? Try “Googling” potential vendors via the Internet.

Network with peers in other/comparable agencies (we are all in this together – maybe they know something useful). Boldly go where none have gone before (just be sure to get competitive bids, and save your receipts).

Here is where you have to do a little something on your own: Make a list of your key functions. What are the goals? What risks must you avoid in order to meet those goals? Then make a list of the kinds of data that would help achieve positive results. Are there mandated deadlines? Will delay in processing hurt a citizen, client, patient, student, taxpayer, applicant or vendor? Who can you assign to handle those key functions? Do you have useful procedures written down, or have you got trained staff to rely on? When is Louise retiring? Can you get out before she does?

If you don’t have the soul of a manager, pass this two-page treatise on to someone who does.
Wouldn’t you like to have one of these? A way to monitor your agency’s
performance. Current status on budget balance, purchasing and contract
expenditures, computer system stability, personnel turnover, succession
planning, program performance?
While you wait and hope for IT (information technology) to craft a real-time
feedback system, the grains of sand keep dripping through the hourglass.
Have you considered gathering information the old-fashioned way – by talking
to people? The annual Internal Control Review process can help you do just
that! It’s not a chore, it’s a proven method to facilitate two-way
communication, identify goals and objectives, and recognize the inherent risks
and administrative weaknesses that interfere with achievement.
An integrated database would be ideal, though absorbing huge amounts of data out of context can be a
daunting proposition. Instead, consider the merits of 5 X 7 index cards, or simple one-page forms
covering all your critical functions. Who is in charge? How do you measure success or failure? What
“Checkpoint Charlies” have you installed to track performance? Who are the gatekeepers for quality
control? Who are the protectors of resources? What procedures have you built in to control the flow of
money, data, supplies and materials? Where are the gaps in your armor where fraud or theft could
occur?
The Association of Certified Fraud Examiners developed the following chart to capture all the possible
ways staff, vendors, applicants, clients or grantees could take advantage of your resources, and
compromise your integrity. While some of these apply only to commercial ventures (e.g., stock market
manipulations), the majority can affect government and not-for-profit entities:
ANATOMY OF FRAUD - Uniform Occupational Fraud Classification System¹
MAJOR CATEGORIES
I. CORRUPTION
• Conflicts of Interest
    Purchase Schemes (split vouchers to avoid competitive bidding)
    Sales Schemes
    Other
• Favoritism and nepotism in hiring, purchasing or client services
• Governance in-breeding
• Bribery
    Invoice Kickbacks (vendor collusion)
    Bid Rigging (phony bids or no bids)
    Other (bogus inspections, licenses granted)
    Political (votes promised, nominations & endorsements)
• Illegal Gratuities
    Christmas Presents
    Theatre Tickets (Broadway)
    Free Travel & Lodging (conventions)
    Expensive Dinners or Country Club Greens Fees
    Free Product Samples (laptops or cocaine)
    Gift to Favorite Charity
• Economic Extortion (Political Extortion too?)
    “By me, or I’ll sue”
    “I’ll tell them about the freebies”
    “I have the negatives”
¹ Source: Association of Certified Fraud Examiners, 2004 Report To The Nation On Occupational Fraud And Abuse.
• False Sales & Shipping
• Purchasing & Receiving
• Unconcealed Larceny
DETECTING FRAUD
The ACFE has recognized that “internal controls” come in fourth place when it comes to detecting
fraud. Experience from 2002 to 2004 shows this has improved somewhat, but government and industry
still have a ways to go, implementing appropriate and affordable controls to minimize risk. Within
government agencies, internal controls detected less than 12% of all frauds during the survey period.
SHRINKAGE
No, it’s not about making your kids smaller. Nor
is it about a mid-life crisis requiring professional
help. It’s not about fast food or hot water making
your clothing feel tight.
It’s about inventory disappearing – either through
shoplifters, employee theft, poor security or even
bad accounting.
And things are not always as they seem.
I offer into evidence two case studies – one retail,
one manufacturing. The thoughts provoked herein
should be applicable to any setting, public or
private.
The Case of the Incredible
Shrinking Chicken Wire
The managers, convinced that employee theft was the culprit, called on a famous consultant to review
their plant security. His initial observations focused on shrinkage, and the facility with which
employees could smuggle out the precious commodity. He noted that all employees drove through a
gate, and parked inside the perimeter, within walking distance of the factory. It would have been
relatively easy to transport fencing in a car trunk, since security staff did not screen outgoing vehicles.
The consultant recommended the fence be moved, so that employees would need to file past the guard
on foot, thereby limiting the potential for pilfering. Lunch boxes are not known for their ability to
conceal large quantities of chicken wire.
However, the real issue was not shrinkage. The consultant, being rightly famous and astute, discovered
the real culprit was bad accounting. All scraps of wire too short to be fed into the fence-making
machinery were sold to a scrap dealer, who promptly and dutifully paid a fair price for these remnants.
All the money went into a special headquarters account that was overlooked by the local plant managers.
The company did move the fence, just in case a lucrative chicken wire black market ever developed.
And the employees all breathed a sigh of relief when the consultant returned to the big city to ferret out
other evil doers and malingerers.
THE OLD DISAPPEARING MUSTARD TRICK
A gourmet deli in upstate New York prided itself on its real-time
inventory system. Every purchase at the register was fed into their
computer system upstairs, so that managers would know what was
selling, and when to reorder favored items.
The system did have its drawbacks. During peak shopping periods
(e.g., Christmas, New Year’s, Kentucky Derby, Saratoga summer),
the undersized computer could not keep pace with all the data, and
the cash registers crawled, infuriating customer and clerk alike.
Considering that a gourmet bottle of mustard or a wedge of cheese made in the Himalayas by elves
could cost $10 or $20 (crackers extra), the missing stock was eating heavily into the store’s profit
margin.
The prime suspects were ravenous employees or larcenous customers. Little did anyone realize that the
real culprit was the “state of the art” computerized inventory system, and a little thing called “returns”.
It seems the bookkeeper was authorized to enter a certain kind of transaction into the system – at her
office desk, far from prying eyes, and far from the disappearing mustard. When a customer returned
merchandise, it would have to be entered into the inventory system – with a refund to the customer. It
turns out the bookkeeper was creating phantom returns to generate personal revenue to support her
lavish lifestyle. Thousands of dollars later, the flaw in the system was discovered – bad software,
inadequate separation of duties, and a dishonest manager. It didn’t help that the owner of the business
spent most of his time in Florida, trying to sell his real-time inventory control software to other stores.
The company in question sold out to a pair of restaurateurs who drove what was left of the business into
the ground, encouraging local supermarkets to go upscale with specialty items.
One could suggest the gourmet enterprise could have survived had it tended to its core mission (fantastic
vittles) and left the high tech malarkey to geeks. One could also suggest that the time to get to know
your employees is AFTER they are hired. When employees start dressing better than the bosses, driving
nicer automobiles, and vacationing overseas, it’s time for the bosses to get nervous.
Tim O’Toole of Albany, NY is approaching his 20th year in harness overseeing internal control
activities in his home state. You can find more of his writings at www.1ceman.com and
www.internal_control.us
TEAM-BUILDING, NATION-BUILDING AND COMMUNITY
In his long career as healer and author, M. Scott Peck penned a series of books under the “Road Less
Traveled” banner. One of these popular works, “A World Waiting to Be Born: Civility
Rediscovered” dealt with human organizational dynamics. His observations can be related to any
human organization, be it the fledgling republic in Iraq, the boardrooms of corporate America, or the
austere cubicles of state and local government.
A true community must be one of participants, not spectators. Unfortunately most pseudo-communities
(and this is where most of us spend our 9-to-5 existences) can be divided into three groups that I call:
Wheeler-Dealers - at it daily jockeying for power, forming cartels and cliques, second-guessing one
another, albeit often well-intentioned. Back-stabbing upstarts, pooh-poohing subordinates, making unilateral
When America sent people to the Moon, it kindled a team spirit and pride in accomplishment. It may
have only been a pseudo-community (as we ignored the grim realities in Vietnam, and the continued
failure of the war on poverty), but it was a start.
In the coming year, New York State government will undergo transformation in countable and
uncountable ways. Time for the next rank of commissioners to set the tone at the top.
SOFT CONTROL
The conventional wisdom that pervades the internal control literature (bedtime reading for
accountants when PBS is fund-raising) speaks of staff competence, integrity, shared purpose,
dedication and experience. Each of these values can make a difference, fostering effectiveness
and efficiency in the absence of formal monitoring systems.
Such glowing realities need not pervade an organization, though clusters of clarity and
honesty may occur in the nooks and crannies of any bureaucracy.
When a supervisor has the luxury of recruiting new staff, he/she has the opportunity to define
what office life will be like for years to come. Affirmative action officers may agonize over
limitations of the merit system, or the subconscious tendency of people to select staff based on
external characteristics (“will he/she fit in?”). Is the supervisor a “good judge of horse flesh”,
or is he/she under pressure to make a quick decision and fill a critical vacancy while the list is
still valid - or budget approval in force?
Your co-workers are more than interchangeable parts.
Sometimes, time pressures lead to shortcuts in “vetting”¹ the new hire. Doctored transcripts,
diploma mills, and unchecked references. Snap decisions based on a twenty-minute interview.
Then that new employee will need training. Are procedures well-documented and up-to-date? Is
the right kind of training available and affordable? How will other staff accept the newcomer?
Was an insider passed over for promotion? Are the newcomer’s tasks and standards legitimate and
current?
In the hiring process, questions about religion, sex and politics are taboo. Likewise questions
about family and hobbies. Once hired, the challenge is to determine if that “sweet young thing”
is in a biker gang, or that tattooed Goth sings in a choir – not a rock band.
What relevance does this have for internal control? Well, if the position involves access to
valuable resources (be it revenue, inventory or confidential data), the wise supervisor will key
in on dramatic changes in lifestyle.
When an entry-level person takes a European vacation, then shows up for work in a bright red
Ferrari (parking next to the supervisor’s Dodge Dart), a few questions are in order.
When an employee seems to have hay fever year round, is it a sign that the office air quality
is hazardous, or is petty cash being siphoned to pay for nose candy?
Is the new employee fully integrated into the team, or are some of the staff resistant for
inappropriate reasons?
Then there is the question of your own style of leadership. Do you encourage open
communications?
Do you share important information with staff, and solicit their feedback?
Do you communicate instructions clearly, then take the time to review assignments? Do staff
consider they are making contributions to a larger purpose, or do they see their work as a
mere chore that pays the bills? Can you relate your own work to a higher purpose?
Do your co-workers collaborate on a project, or act individually/sequentially? Have you
segregated duties adequately, to reduce the chance of fraud, forgery or embezzlement?
What about cross-training so that work is not interrupted by illnesses and vacations?
Do you value all your co-workers, or did you inherit some goldbricks from the previous
supervisor?
Take the time to get to know your people, and you are on your way to learn what motivates them.
You can find author Tim O’Toole at www.1ceman.com and www.internal_control.us
¹ I delight in telling you that “vetting” has its roots in horse racing. Wikipedia claims it
relates to a veterinarian carefully inspecting a horse before a race. Winners are then subjected
to drug tests. Losers can keep their secret.