The introduction to the new Yellow Book summarizes the significant changes as follows:
This revision contains major changes from, and supersedes, the 2011 revision. These changes, summarized below, reinforce the principles of transparency and accountability and strengthen the framework for high quality government audits.
All chapters are presented in a revised format that differentiates requirements and application guidance related to those requirements.
Supplemental guidance from the appendix of the 2011 revision is either removed or incorporated into the individual chapters.
The independence standard is expanded to state that preparing financial statements from a client-provided trial balance or underlying accounting records generally creates significant threats to auditors’ independence, and auditors should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level or decline to perform the service.
The peer review standard is modified to require that audit organizations comply with their respective affiliated organization’s peer review requirements and GAGAS peer review requirements. Additional requirements are provided for audit organizations not affiliated with recognized organizations.
The standards include a definition for waste.
The performance audit standards are updated with specific considerations for when internal control is significant to the audit objectives.
Effective with the implementation dates for the 2018 revision of Government Auditing Standards, GAO is also retiring Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005) and Government Auditing Standards: Guidance for Understanding the New Peer Review Ratings (D06602, January 2014).
The 2018 revision of Government Auditing Standards is effective for financial audits, attestation engagements, and reviews of financial statements for periods ending on or after June 30, 2020, and for performance audits beginning on or after July 1, 2019.
Early implementation is not permitted.
The 2018 revision of Government Auditing Standards supersedes the 2011 revision (GAO-12-331G, December 2011), the 2005 Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005), and the 2014 Government Auditing Standards: Guidance for Understanding the New Peer Review Ratings (D06602, January 2014).
Below I provide useful governmental internal controls that you need to know.
Why am I providing this list of useful controls? Most small governments struggle with establishing sound internal controls. So, the list provides a foundation for preventing theft in your government. While not a comprehensive list, I thought I would share it.
Many of the internal controls listed below are also pertinent to nonprofits and small businesses as well. You will find this same checklist in The Little Book of Local Government Fraud Prevention (available on Amazon) which provides many more fraud prevention ideas.
I am providing general fraud prevention controls and then transaction-level controls for:
Cash receipts and billing
Cash payments and purchasing
Useful Governmental Internal Controls
General Internal Controls
Have bank statements mailed directly to someone outside of accounting; recipient should peruse bank statement activity before providing it to accounting
Perform surprise audits (use outside CPA if possible)
Elected officials and management should review the monthly budget to actual reports (and other pertinent financial reports)
Map internal control processes by transaction cycle (preferably done by a seasoned CPA); once complete, provide the map to all employees involved in the cycle; when control weaknesses exist, institute additional controls (see 11. below)
Use a whistleblower program (preferably use an outside whistleblower company)
Reconcile bank statements monthly (have a second person review and initial the reconciliation)
Purchase fidelity bond coverage (based on risk exposure)
Periodically request from the government’s bank a list of all bank accounts in the name of the government or with the government’s federal tax I.D. number; compare the list to bank accounts set up in the general ledger
Do not allow the electronic transmission (e.g., email) of sensitive data (e.g., social security numbers) without the use of protected transmission technology (e.g. Sharefile); create policy and train staff
Where possible, segregate who (1) authorizes transactions, (2) records transactions, (3) reconciles records, and (4) has custody of assets; when segregation of duties is not possible, require documented second-person review and/or surprise audits
Is it possible for one person to steal over $53 million from a city with an annual budget of less than $10 million? Yes. The Rita Crundwell story provides a cautionary tale for small businesses, governments, and nonprofits.
Rita Crundwell, comptroller, and treasurer of Dixon, Illinois stole $53 million over a twenty-year period. The city of 16,000 residents held Crundwell in high esteem. One friend described her as “sweet as pie.” Another said: “You could not find a nicer person.”
So why did she steal? It appears Rita just enjoyed the good life. She used the money to fund one of the top quarter horse ranches in the country, and she did it with style: Some of the funds were used to purchase over $300,000 of jewelry and a $2.1 million motor coach vehicle.
The picture is courtesy of AdobeStock.com
Her annual salary? $80,000.
The city’s annual budget? $6 to $8 million
Were yearly audits performed? Yes.
Were budgets approved? Yes.
Too Much Trust
So how did this happen? Rita Crundwell won the trust of those around her—especially that of mayor and council. In April 2011, finance commissioner and veteran council member, Roy Bridgeman, praised Crundwell calling her “a big asset to the city as she looks after every tax dollar as if it were her own.” (Too much trust is the main cause of white-collar crime.)
It was a disturbing moment when Dixon Mayor James Burke presented the FBI with evidence of Crundwell’s fraud. Burke later recalled his emotions and words: “I literally became sick to my stomach, and I told him that I hoped my suspicions were all wrong.” Such a response is understandable given that Crundwell had worked for the city for decades. She had fooled everyone.
Secret Bank Account
According to the mayor, the city’s annual audits raised no red flags, and the city’s primary bank never reported anything suspicious. So how did she steal the money? In 1990, Crundwell opened a secret bank account in the name of the city (titled the RSDCA account: the initials stood for reserve sewer development construction account). Crundwell was the only authorized check signer for the account, and the RSDCA bank account was never set up on the city’s general ledger. The City’s records reflected none of the RSDCA deposits or disbursements.
Crundwell would write and sign manual checks from a legitimate city capital project fund checking account, completing the check payee line with “Treasurer.” (Yes, Crundwell had the authority to issue checks with just her signature—even for legitimate city bank accounts.) She would then deposit the check into her secret account. From the bank’s perspective, a transfer had been made from one city bank account to another (from the capital projects fund to the reserve sewer development construction fund).
While the capital project fund disbursement was recorded on the city’s books, the RSDCA deposit was not. A capital project fund journal entry was made for each check debiting capital outlay expense and crediting cash. But no entry was made to the city’s records for the deposit to the RSDCA account. Once the money was in the RSDCA account, Crundwell wrote checks for personal expenses—and she did so for over twenty years.
To complete her deceit, Crundwell provided auditors with fictitious invoices from the Illinois Department of Transportation; these invoices included the following notation: Please make checks payable to Treasurer, State of Illinois. (So the canceled checks made out to Treasurer agreed with directions on the invoice, but the words “State of Illinois” were conveniently left off the check payee line.) Remember Crundwell was the treasurer of Dixon.
Those invoices and the related checks were often for round dollar amounts (e.g., $250,000) and most were for more than $100,000. In one year alone, Crundwell embezzled over $5 million.
Vacation Leads to Arrest
So how was she caught? While Rita was on an extended vacation for horse shows, the city hired a replacement for her. For some reason, Crundwell’s substitute requested all bank account statements from the city’s bank. As the bank statements were reviewed, the secret bank account was discovered. And soon after that, the mayor contacted the FBI.
Multiple people should perform accounting duties, not just one.
Moreover, accounting employees should annually take a one-week vacation (or longer). And while they are gone, someone else should perform the vacant person’s duties. The vacation itself is not the key to this control. The performance of the absent accountant’s duties is. Why? Doing so allows the replacement person to understand the work of the vacant employee. But, more importantly, the substitute can note any unusual or fraudulent activity.
Here’s another action to take: Periodically contact your organization’s bank and ask for a list of all bank accounts. Then compare the list to the bank accounts in your general ledger. If a bank account is not on the general ledger, see why. And request a copy of the related signature card from the bank.
Kelly Richmond Pope has masterfully captured the Rita Crundwell tale in the movie All the Queen’s Horses, available on Amazon. Think auditing is boring? Then watch the movie. It does a better job of explaining the psychological and financial damage of fraud than any textbook.
In businesses, nonprofits, and governments, the theft of capital assets happens often. Today I explain how these thefts occur and how you can prevent them.
A USA Today article began with, “Stolen and sensitive U.S. military equipment, including fighter jet parts wanted by Iran…have been available to the highest bidder on popular Internet sales sites.” The article went on to say that the equipment, “purchased with taxpayer money,” was available for purchase on eBay and Craigslist and included “components from F-14 fighter jets” and “used Nuclear Biological Chemical protective suit.”
Picture is courtesy of Adobe pStock.com
Capital assets often go missing because no one is paying attention, and the thief knows it. Such assets can be stolen with the intent to sell and convert to cash or simply for personal use.
The thefts often occur when employees place equipment or other capital assets in their vehicles and drive home. If the employee wants to cover their tracks, they might complete accounting paperwork for disposal of assets (saying the equipment was junked). More often than not, however, the asset is just stolen because the employee knows that no one will notice, or, if someone does, he can say, “I don’t know what happened to that piece of equipment.”
Long-term employees realize that the external auditors seldom audit existing capital assets. Yes, the auditor will examine an invoice, but how many auditors physically inspect plant, property and equipment?
The main enabling factor is usually a lack of accountability. Many companies, nonprofits, and small governments do not perform periodic fixed asset inventories. Often equipment is purchased and added to the depreciation schedule, but no one–at a later date–compares this master list of fixed assets to what is (or should be) physically present.
Performing periodic inventories is the key to lessening the threat of capital asset theft.
First assign each capital asset to a person (usually a department head or a supervisor); let this person know that he or she is personally responsible for the item. Then have someone external to each department perform periodic inventories of departmental assets.
Also, install security cameras to record all activity.
As you’ve seen many times, fraud occurs in darkness.
In J.R.R. Tolkien’s Hobbit stories,Sméagol, a young man murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring and Sméagol’s hiding of self and his precious (the ring) transforms him into a hideous creature–Gollum. I know of no better or graphic portrayal of how that which is alluring in the beginning, is destructive in the end.
Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment of theft. What’s the solution? Transparency. It protects businesses, governments, and nonprofits. And while we desire open and understandable processes, often businesses have just a few employees that operate the accounting system. And many times they alone understand how it works.
It is desirable to divide accounting duties among various employees, so no one person controls the entire process. This division of responsibility creates transparency since multiple eyes see the accounting processes–but this is not always possible.
Lacking Segregation of Duties
Many small organizations lack appropriate segregation of duties and believe that solutions do not exist or that fixing the problem is too costly. But is this true? Can we create greater transparency and safety with simple procedures and without significant cost?
Below I propose two processes to reduce fraud:
Bank account transparency and
1. Bank Account Transparency
Here’s a simple and economical control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.
Persons who might receive the bank statementsfirst (before the bookkeeper) include the following:
A nonprofit board member
The mayor of a small city
The owner of a small business
The library director
A church leader
What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).
In many small entities, accounting processes are a mystery to board members or owners since only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.
One set of eyes on an accounting process is not a good thing. So how can we shine the light?
Picture courtesy of DollarPhoto.com
Second Person Sees the Bank Statements
Allow a second person to see the bank statements.
Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.
Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person, and let the bookkeeper know that the other person will review bank activity.
Even the appearance of transparency creates (some) safety.
Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of reviews enhances safety. I am not recommending that you don’t perform the review, but if the bookkeeper even thinks someone is watching, fraud will lessen.
2. Surprise Audits
Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs) but involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA or performed by someone other than the bookkeeper–such as a board member.
Picture courtesy of DollarPhoto.com
Adopt a written policy stating that the surprise inspections will occur once or twice a year.
The policy could be as simple as the following:
Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.
Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be inspected but distinct enough that an actual review occurs with regularity (thus the need to specify the minimum number of times the review will be performed).
Sample Inspection Ideas
Here are some sample inspection ideas:
Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
Agree all receipts to the deposit slip for three different time periods
Review all journal entries made in a two week period and request an explanation for each
Review two bank reconciliations for appropriateness
Review one monthly budget to actual report (to see that the report was appropriately created)
Request a report of all new vendors added in the last six months and review for appropriateness
The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not be caught.
Again multiple people seeing the accounting processes reduces the threat of fraud.
Shine the Light
The beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement but nevertheless powerful. So shine the light.
What other procedures do you recommend for small entities?