Internal Audits for Fraud Protection

“I hope I shall possess firmness and virtue enough to maintain what I consider the most enviable of all titles, the character of an honest man.” — George Washington

The “American Greed” TV show on CNBC chronicles the dishonesty of white-collar criminals. Along with “Dateline NBC” and “60 Minutes,” there appears to be no end to the number of sensational stories of fraud and malfeasance. As an auditor, I am paid and expected to be a skeptical person. While many of us are inherently trusting of others, it is not unusual to learn after-the-fact that your trust has been misplaced.

This column has frequently covered the need for Medicaid and Medicare service providers to establish and maintain robust regulatory compliance programs. As required by the state and federal governments, these programs are appropriately focused on compliance with Medicaid and Medicare regulations.

However, too often we observe in the audit world a lack of appropriate people resources dedicated to internal auditing. Internal auditing differs from compliance auditing in that its primary focus is on the testing and verifying of internal controls established in the organization from both an operational and financial reporting perspective.

New York State Public School Districts and Public Authorities have been required by legislation in recent years to establish internal audit processes and work plans.

Last year, New York State Attorney General Eric Schneiderman issued a report entitled “Revitalize and Reform New York’s Nonprofit Sector” (http://www.ag.ny.gov/press-release/ag-schneiderman-announces-bold-plan-revitalize-and-reform-new-yorks-nonprofit-sector). Schneiderman recognized, as did Andrew Cuomo and Eliot Spitzer who preceded him as attorney general, that fraud, abuse, and malfeasance in the nonprofit industry can occur far beyond the boundaries of Medicare and Medicaid reimbursement. Therefore, government regulators have set crystal-clear expectations for assessing the need for a risk-management function in every nonprofit organization.

An internal-audit program in your nonprofit is a function that  supplements the internal-control structure designed to mitigate the risk of undetected fraud and abuse. Unfortunately, in the current funding environment for many nonprofits, managers and board members find it difficult to allocate scarce budgetary dollars to what should be a valuable control mechanism.

Generally speaking, if a nonprofit organization has an annual budget exceeding $100 million, I would consider a formal internal-audit function to be a necessity. For nonprofits with budgets between $50 million and $100 million, the need for internal auditing is certainly present and desirable. However, it can be a judgment call based on individual agency facts and circumstances.

For those organizations with budgets between $10 million and $50 million, I believe a variation of a formal internal-audit function can be both effective and efficient.

That is, management and the board, in the absence of a formal internal-audit function, should implement a procedure that identifies three-to-five internal-control functions, program sites, processes, and procedures that should be tested annually on a sample basis. The areas identified should be a combined effort of your management team with input from your external auditors. The actual internal-audit work can be either outsourced or performed by knowledgeable staff within the organization.

You cannot and should not rely on your external audit of the agency’s annual financial statements. The scope of a financial statement audit will not and need not be focused on risk mitigation, but rather on whether the financial statements are free of material misstatements and in accordance with Generally Accepted Accounting Principles (GAAP).

There are three resource tools that can be very helpful to every nonprofit in conducting an assessment of what has been defined as “enterprise risk management” (ERM) in the post Enron / Lehman Bros. Age of Accountability.

First, visit www.coso.org and check out the Executive Summary and the PowerPoint presentation on “Enterprise Risk Management — An Integrated Framework.” COSO, the Committee of Sponsoring Organizations, has issued this material as an extension of its landmark 1994 material, entitled “Internal Controls — An Integrated Framework.”

These tools can be very effective in establishing a practical, scalable, and feasible approach to internal auditing in the areas of internal control and risk management.

The second resource is located at www.AICPA.org. There, you will find an auditing standard from the Auditing Standards Board, entitled “Communication of Internal Control Related Matters in an Audit.” Auditing standards in this area were issued “to enhance the requirement to identify and report to audit committees or their equivalent any significant deficiencies and material weaknesses in internal control that are noted in a financial statement audit.”

The audit-reporting requirements, in defining internal-control deficiencies, place very specific responsibilities on both the auditor and client to fully disclose control matters identified in an audit process. For example, if an organization fails to reconcile its bank accounts in a timely manner “throughout the year under audit,” the auditor is required to document and communicate this as a significant control deficiency in an internal-control letter to the Finance/Audit Committee.

Another example of an internal-control deficiency that must be reported is the existence of audit adjustments after the client’s year-end closing that are material in the aggregate or individually to the reported interim financial results. If your organization has routinely relied on the external-audit firm as bookkeepers to clean up the financial records during the audit, there is a strong possibility that your auditor will be required to disclose this as a significant deficiency or material weakness in internal controls.

The reporting of internal-control deficiencies may vary among audit firms. In order to clearly understand what should be expected from your audit firm, go to http://www.aicpa.org/ForThePublic/AuditCommitteeEffectiveness/Pages/ACEC.aspx and read the Audit Committee guidance. We continue to recommend that all of our clients place a high priority on documenting internal controls and risk-management procedures.

The final resource tool for consideration is at www.nonprofitpanel.org. The recommendations of this panel to Congress represent the baseline foundation of many of the recommendations included the Schneiderman report. For purposes of establishing a practical framework for risk management and procedural documentation assessment, these 11 recommendations should be addressed in the context of your agency’s risk assessment and need for an internal-audit function. The recommendations represent the collective concerns of the rule-makers and regulators at a national level related to tax-exempt organizations.

If your organization has already addressed the issues above, there is always a benefit to conducting an annual assessment of the quality and success of your internal audit/risk mitigation efforts.

However, if these areas have landed on your budget-cut scrap pile, time may be running out. Management and board should immediately evaluate the need for process changes to comply with these increased expectations in the area of internal controls, governance practices, and risk-management procedures. Make it a New Year’s resolution to move risk mitigation to the top of your priority list of goals and objectives.

Gerald J. Archibald, CPA, is a partner in charge of the management advisory services at The Bonadio Group. Contact him at (585) 381-1000, or email: garchibald@bonadio.com