Sunday, March 29, 2009

Maintain appropriate controls over assets

Assets can be a significant investment for many organisations. Ensuring the security of those assets is important, especially considering the different types of assets an organisation has.

Risk

The risk is that assets are taken by employees and / or volunteers and / or external parties of the organisation for personal use and not returned (in effect, the theft of the assets).

Methods to Mitigate the Risk

When developing controls over assets, the following should be considered:
  • Small assets should be secured by using locks or similar security measures where appropriate (for example, a security lock attaching a laptop to a desk);
  • All assets should be tagged with an Asset Number;
  • An Asset Register should be maintained. The Register should include the following information - Asset Tag number, Description of the asset, Date of purchase, Warranty information, Location of the asset.
  • Stock takes of assets should be undertaken at least yearly and any discrepancies to the Asset Register should be investigated. The stock take and investigation of discrepancies should be undertaken by a person who is not responsible for the recording of assets in the Asset Register.
  • If an asset is to be disposed of, it can only be removed from the Asset Register with a properly authorised Asset Disposal Form having been completed as required by the Asset Disposal Policy. Refer to my Blog post on 26 January 2009.

Sunday, March 22, 2009

Determine if controls in place are detection or prevention controls

When developing a set of internal controls or reviewing the current internal controls in place in an organisation, it is important to determine if the organisation has a balance of prevention as well as detection controls.

Prevention controls are those controls that reduce the likelihood of fraud occurring or “prevent” the fraud from occurring. Detection controls are effectively a “back-up” control and are there to detect fraud if the prevention controls have not been effective and have allowed the fraud to occur. Detection controls that are in place should allow for the fraud to be detected as quickly as possible.

Prevention controls can be split into two types – macro and micro prevention controls.

Macro prevention controls are those controls at a strategic level that are in place to prevent fraud from occurring. Examples of macro prevention controls include:

  • Having a board and management structure that lead by example – this is regularly referred to as the “tone at the top”. If the board and management of the organisation do not support fraud prevention and control in the organisation, it is difficult to have employees and volunteers support it.
  • Having an appropriate fraud control plan / strategy in place which employees and volunteers are aware of and receive appropriate training on. This allows employees and volunteers to understand that fraud is not acceptable within the organisation.
  • Having an ethical organisational culture within the organisation. It is important to understand the value of having an ethical organisational culture when it comes to fraud prevention. An ethical organisational culture is considered by organisations to be a primary factor in reducing the risk of fraud.[1]

Micro prevention controls are those controls that effect the day to day operations of the organisation. Examples of micro prevention controls include:

  • Segregation of duties. For example, the requirement to have two people process and approve a payment makes it more difficult for one person to commit fraud unless there is collusion involved or the person committing the fraud by-passes the second person, for example by forging the person’s signature approving the payment.
  • Having two cheque signatories or two passwords required for internet banking again makes it more difficult for an individual to commit fraud.

Examples of detection controls include:

  • Undertaking bank reconciliations on a regular basis and investigating any discrepancies that arise. For example, a common method of hiding a fraud is to “force” a bank reconciliation to reconcile (eg. to include incorrect entries, have a deposit outstanding for more than one reconciliation, have an outstanding deposit increase from one reconciliation to another). By having the bank reconciliation reviewed on a regular basis and conducting an investigation of any discrepancies can allow fraud to be discovered quickly.
  • Prepare realistic budgets and compare actuals to budgets on a regular basis and investigate discrepancies.
  • Conduct exception reporting and investigate discrepancies that arise.

    [1] BDO Not-for-Profit Fraud Survey 2008, Chart 5.5, page 66.

Sunday, March 15, 2009

Secure non cash donations received

Many organisations will receive non cash donations (for example from bequests) of expensive items such as jewelry. These items are easy targets for employees and/or volunteers to steal.

Risk

The risk is that an employee or volunteer either does not pay for or pays undervalue for an item that has been donated to the organisation for the purpose of sale so as to raise funds for the organisation.

Methods to Mitigate the Risk

To reduce the likelihood of this occurring, the following steps could be taken:

Have all donations of jewelry and other small valuable items sent directly to a valuer or auctioneer rather than to your organisation’s office. The valuer or auctioneer can catalogue items which provides independent verification that the items have been received and the value of those items;

Set a policy that states one of the following:

  • Employees / volunteers and their immediate families cannot purchase these types of donations in any circumstances;
  • Employees / volunteers cannot purchase these types of donations unless it is at auction; or
  • Employees / volunteers can purchase these types of donations before auction but only at the valuation / reserve price set by the valuer.