According to the Association of Certified Fraud Examiners in its 2024 Report to the Nations, median losses at local governments due to occupational fraud were $148,000.[1] More than half of the cases were perpetrated by employees with tenure of six or more years. Those statistics alone make the case for strong internal controls. The following provides some examples of controls that small cities should put in place to help reduce the opportunity for fraud.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provided the Internal Control-Integrated Framework (Framework) in 1992 as a means to design, implement, conduct, and assess internal control, and updated the Framework in 2013. The Framework outlines three categories of objectives: operations, reporting, and compliance. These are the goals an organization strives to achieve, such as operational performance goals, safeguarding assets against loss, timely and reliable reporting for both internal and external stakeholders, and adherence to applicable laws and regulations. The objectives form the columns of the cube.
Five components form the rows of the cube. The components are the ways an organization can achieve its objectives.
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring Activities
- Control Environment – The standards, processes, and structures that are the basis for internal control across a government. The ‘tone at the top’ sets management’s expectations for every department.
  - Is there an established code of conduct?
  - Are integrity and ethical values prioritized over expediency?
  - Is there a focus on attracting, training, and retaining competent individuals?
- Risk Assessment – An iterative process for identifying and gauging the possibility that an objective will not be met. Re-evaluate risk assessment when situations change.
  - Are there increases or decreases in staffing size?
  - Has there been a change in the process or the desired outcome?
  - Although long-tenured employees are often not questioned, various possibilities of risk should be considered.
  - Familial relationships are often present in small governments, which increases the need for risk assessment.
  - Consider the possibility of fraud or collusion.
- Control Activities – Policies and procedures that mitigate risk. Control activities can be preventative or detective in nature and should be present throughout the organization.
  - Are there secondary reviews of journal entries prior to posting?
  - Are bank reconciliations performed and reviewed timely?
  - Consider surprise audits of cash drawers, particularly in high-volume departments.
  - Where segregation of duties is not practical, develop alternative control activities, even by a person outside of a department.
  - Duties grids, like the proprietary one shown below, can highlight conflicts in which one person has functions in two or more areas of access, recording, or monitoring.
- Information & Communication – Information is generated from internal and external sources and communication provides for sharing of information. This component supports the achievement of objectives.
  - Is the information relevant and timely?
  - Does information flow up, down, and across the organization?
  - Is it shared with external parties?
- Monitoring Activities – Evaluations, either ongoing or sporadic, that are designed to ensure control activities are present and functioning.
  - Results of evaluations should be compared to expected outcomes.
  - Results should be shared timely with internal and external parties, and adjustments to control activities should be made where needed.
Key Takeaways
The Framework was designed to be simple and adaptable to all industries and requires the use of professional judgment for effective implementation. Strong internal controls can help governments achieve their objectives, improve performance, increase public trust, and lessen the opportunity for fraud.
If you have questions or need assistance, please reach out to a professional at Forvis Mazars.
- [1] “Occupational Fraud 2024: A Report to the Nations®,” ACFE.com. Accessed August 12, 2024.