Note: The author, Jeff Altamari, is a retired Fortune 500 executive financial officer. He is a graduate of Cornell University and also holds an M.S. degree in accounting. He began his career with an international ‘Big Eight’ accounting firm and was a member of the NYS Society of CPAs as well as the American Institute of Certified Public Accountants. Following public accounting and before beginning his career in industry he served as an internal auditor for the U.S. Department of the Treasury in Washington, D.C.
SARATOGA SPRINGS CHARTER REVIEW COMMISSION
POSITION PAPER ON INTERNAL AUDIT CONCERN
April 15, 2017
Jeffrey Altamari, Commission Member
The Charter Review Commission (CRC) commenced its journey with a blank canvas. It agreed to structure its final recommendations based on extensive research, empirical analysis, and solicitation of input from elected officials, City Hall employees, and community stakeholders. In addition to this rational approach to its mission, a major strength of the CRC was the variety of professional backgrounds and skills brought to the task by its members. The identification of a major structural financial weakness in the current commissioner form of government was raised by one of the financially experienced CRC members.
The significant structural weakness in question is that of internal audit. It became evident to the CRC during its first reading of the current charter (The Charter). The Charter enumerates in ‘Title 4. The Commissioner of Finance’, that the Commissioner of Finance (COF) shall have and exercise the following powers:
4.B. collection of all tax revenues, utility fees and other monies
4.C. disbursement of funds
4.D. execution of internal audits
4.E. custodianship of City funds
4.F. maintenance of financial records
4.G. oversight of budget process
4.H. certifier of City payrolls
Bringing all of these powers under one commissioner’s jurisdiction when they are also endowed with authority over the internal audit function is a highly dysfunctional and risky institutional flaw.
Sound financial management relies on the principal of segregation of duties. In short, this means a person or persons should not have the authority and responsibility for more than one of the following:
- collection of funds
- depositing of funds
- custodianship of funds
- disbursement of funds
- recording of fund transactions in books and records
- performance of bank reconciliations
In many small companies, not-for-profits, and governmental agencies, major embezzlement events are most often linked to the lack of segregation of duties. Good old Dorothy or Tom was the friendliest person on staff and worked tirelessly for years. It turns out they graciously agreed to perform all of the financial functions in their organization, as noted above. It is unfortunate that many small public and private organizations do not have the staffing levels necessary to guarantee proper segregation of duties. In these entities, where one individual may often be responsible for several fund related activities, a higher risk of error and theft exists.
It is not unusual in large organizations, be they publicly held companies, not-for-profits, or governmental organizations, for the CFO, Controller or Comptroller, to have ultimate responsibility for the collection, custodianship, and disbursement of funds as well as the recording of these transactions into the books and records. That said, sound financial checks and balances may be established within the financial organizations they control. Departments collecting funds are manned by personnel only dedicated to that task. Bank accounts, i.e. cash custodianship, are carefully controlled by treasurers. Accounts payable departments are run by personnel who have no access to bank accounts or collections staff. They can only make payments on pre-audited and approved customer invoices. The accounting departments make all entries on the books for collections and disbursements and perform bank reconciliations, independent of collections, treasury or accounts payable. This is how well-run financial groups in organizations operate and achieve adequate checks and balances through segregation of duties.
There are overarching requirements essential for insuring continuously adequate financial checks and balances. Before enumerating these, it is imperative to note that change is constant. All organizations are continuously bombarded by changes in leadership, changes in personnel, changes in laws, changes in the market place, changes in transactional volume, changes in technology including IT software and cyber-risk, changes in tax bases, changes in domestic and global economic conditions, changes in the political climate, etc. The larger and more complex the organization, the more arduous is the task of keeping strong financial controls in place. The following are values and tools used by successful organizations:
- Insuring top-notch professional financial leadership at the senior level as well as in middle-management roles and throughout the financial organization
- Establishing an engaged and competent Audit Committee to frequently review check and balance status
- Requesting external financial auditors (CPAs) to issue a Management Letter at the end of each engagement
- Employing a robust Internal Audit function answerable to the Audit Committee of the board of directors or governing body. The Internal Audit function is independent of all the internal entities which it examines
Before examining the current Saratoga Springs commissioner form of government through the prism of these essential protections, it is important to make the distinction between external and internal audits. There are common misperceptions that need to be clarified.
External audits by certified public accountants are ubiquitous in commercial, not-for-profit, and governmental life. Investors, banks, public finance agencies, taxpayers, etc. require assurance that the entities in which they have an interest (financial or otherwise) are truthfully disclosing their financial condition. External auditors (Certified Public Accountants in the US) who are licensed through professional exams, continuing education, and experience, apply Generally Accepted Auditing Standards (GAAS) to determine if an entity’s financial statements are in compliance with Generally Accepted Accounting Standards (GAAP). Their work culminates in an independent auditor’s report in which they opine on their conclusion. A public audit is not a census of all transactions for a given period. Neither does its audit scope typically include a search for fraud. An audit is most frequently executed by sampling financial transactions and performing analytical reviews. If an organization has demonstrated strong internal financial checks and balances, the CPA can reduce the need for sampling transactions. Conversely, if internal financial controls are weak, more sampling or total review of certain types of transactions may be required.
In addition to its independent auditor’s report, public accountants issue a Management Letter, or internal control letter, at the conclusion of an audit. In this letter, the CPAs communicate the status of an entity’s internal controls. The auditor details areas in the organizations where a misstatement in the financial statements would likely occur. A common comment identified in an internal control letter is a lack of separation of duties. This comment indicates that during a financial statement audit, an auditor identified job duties that should be separated between two or more individuals or departments but were not. The Management Letter is intended to summarize material (major) weaknesses and significant deficiencies in an entity’s internal financial checks and balances and may include recommendations on how to improve them.
The Management Letter is considered by many laypersons to be a sufficient review of checks and balances. This is a huge misconception. Public accountants are generally in and out of a client’s offices once or twice a year. They are focused on the big picture. The Management Letter may be very helpful identifying where role separation can strengthen checks and balances to help prevent a major financial misstatement. It may also identify a major control weakness regarding liquid assets, particularly cash. That said, there are a myriad of financial, operational, risk management, and compliance related areas that are rarely if ever touched in an external public audit.
The definition of internal auditing put forth by the Institute of Internal Auditors (IIA) is, “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control, and governance processes.”
Risk Management – With respect to the evaluation of risk management, the internal audit function can advise senior management if emerging risks are being adequately assessed and planned for by the organization. Just a few examples of these might include the adequacy of insurance programs, provisions for a cataclysmic natural event, protective measures against a major cyber breach, vetting and financial requirements of major suppliers, etc.
Internal Control – With respect to internal control, the internal auditor’s role is to provide reasonable assurance that core objectives are being achieved including effectiveness and efficiency of operations, reliability of financial and management reporting at all levels of the organization (not just the consolidated financial statements of the entity), compliance with laws and regulations, and safeguarding of assets. Examples of focus might include evaluation of the adequacy of the enterprise resource planning (ERP) system, separation of duties within the accounting department of a bureau issuing permits, productivity inside of a department that serves external constituencies (e.g. customers or taxpayers), conflicts of interest between employees and outside contractors, adequacy of procedural controls intended to safeguard the tools and supplies in a vehicle service garage, the filing of new employee forms to the Federal government as a result of a new disclosure law, etc. While internal auditors are responsible for helping management insure there is adequate internal control at an organizational level, their audit scopes can include any level of the organization. Internal auditor’s audit programs can be written in a highly specific and detailed manner. By comparison, the external auditors are principally focused on the fairness of the balance sheet, income statement, and cash flow statement. The CPA may focus on an account payable by matching the purchase order, receiving document and invoice to insure the financial liability is properly stated. The internal auditor, in addition to this same test, may examine the travel and entertainment expenses for the procurement department in relation to specific suppliers, compliance with the internal rules surrounding the solicitation of quotes from suppliers by the procurement department, compliance with internal rules used to establish certified suppliers for the organization, an intense review of the financial condition of large suppliers whose financial failure would cause serious harm if they could not meet their obligations, investigation to determine if suppliers are being used who are domiciled or are effectively controlled by nations under embargo by the US State Department, etc. CPA examinations, again, are focused on the big picture: fair statement of consolidated financial statements and major observed internal control weaknesses. The amount of time spent by CPAs at the client’s site performing an audit simply do not allow them to go into the level of detail the internal auditor enjoys. Nor are many of the internal auditor’s concerns necessarily germane to the external auditor’s mission. Productivity levels, for example, in a particular department, aren’t normally included in CPA audit programs.
Governance – Governance is the policies, processes and structures used by an institution’s leadership to direct activities, achieve objectives, and protect the interests of diverse stakeholders in a manner consistent with ethical standards. Internal audit is considered one of the “four pillars” of governance, the other pillars being the Board of Directors (or its equivalent), management, and the external auditor. A primary focus area of internal auditing as it relates to governance is helping the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This may include reporting critical management control issues, suggesting questions or topics for the Audit Committee’s meeting agendas, and coordinating with the external auditor and management to ensure the Audit Committee receives effective information.
While internal auditing was ubiquitous in American commercial, not-for-profit, and government life for years, the passing of the U.S. Sarbanes-Oxley Act of 2002 (Act) placed it firmly in the spotlight. Section 404 of the Act required that senior management develop and monitor procedures and controls for making the now required assertion about the adequacy of internal controls over financial reporting, as well as the required attestation by an external auditor of management’s assertion. This sent shockwaves throughout the land. Previously, management’s assertions involved the fairness and completeness of its financial statements. Now it had to make an assertion on the adequacy of internal controls as well. Not only that – the external auditors had to sign off on the assertion being made by management. Suddenly US institutional life was rocked by skyrocketing costs as a mad scramble ensued for additional resources to meet the deadlines for the internal control assertions demanded by the Act. External public accounting firms immediately staffed up, external consulting firms claiming to be expert on the Act sprang up. Institutions added accounting staff to accommodate concerns over segregation of duties. And, finally, the internal audit staffs across the land were called to the rescue. Where internal audit functions did not previously exist they were often added.
Following the initial years of the Act, once the ground-rules were understood and the hysteria had passed, the role and value of the internal audit function became permanently established. While the Act had set a high and sudden bar for quality internal control, institutions began to recognize that a permanent highly trained internal audit function had enormous value. It improved efficiency and reduced risks and, thus, improved profits and/or cost effectiveness. More importantly, it helped to insure high ethical standards by constantly examining compliance with internal and external policies and laws. The internal audit profession grew dramatically after 2002 because it was good for institutional health.
Before returning to the review of the internal audit function and the Saratoga Springs Commissioner form of government, a point should be made regarding the position of the internal audit function in the organization. While internal auditors are not independent of the organizations that employ them, independence and objectivity are a cornerstone of the IIA professional standards. Professional internal auditors are mandated by the IIA standards to be independent of the activities they audit. This independence and objectivity are achieved through the organizational placement and reporting lines of the internal audit department. In fact, in the US, in publicly traded companies, internal auditors are required to report directly to the Board of Directors or the Audit Committee, and not management except for administrative purposes.
The financial management of the city of Saratoga Springs is seriously flawed by virtue of its Charter. Returning to previously noted requirements for creating and protecting an environment of strong internal control, the Commissioner form of government, which the city embraces….
- Lacks any provisions or procedures in its Charter mandating a high level of professional competency in its financial leadership at any level of the financial organization. The highest level of financial leadership, that of Commissioner of Finance, is left to the electorate, with absolutely no vetting requirements. Any resident citizen can potentially serve. The power to appoint a deputy (S2.6) establishes no requirement for financial professionalism or competency
- Has no provision for an independent Audit Committee
- Places the internal audit function completely under the control of the COF who has total oversight and responsibility for all transactions and custodianship of the City’s funds
- With respect to the Charter requirement for a Finance Policy & Procedure Manual (S4.2.1) and amendments thereto, does not expressly call for review by a competent financial professional
If Saratoga Springs were a publicly traded corporation with annual revenue of $45 million, its shareholders would quickly vote out of office a Board of Directors that had the audacity to offer this structure as a means of insuring strong internal financial control, proper risk management, and robust governance. Unfortunately, even if an experienced financial professional were elected to the Commissioner of Finance office, the problem could not be resolved. The fact that the COF selects who and what gets internally audited completely taints the internal audit function and renders it practically superfluous. What guarantee is there that fraud or defalcation would ever be detected if a corrupt Commissioner controlled the internal audit function? What guarantee is there that the internal audit function could not be wielded as a political weapon against other commissioners under this model? What guarantee is there that internal audits themselves could meet the standards required by the IIA when they might be led by individuals with no formal internal audit training or experience?
The fact is that the city of Saratoga Springs is a ‘public’ entity. It is owned by its citizens and taxpayers, and they have a strong interest and right to competent financial management. This point is not made to disparage any individual Commissioner, past or present. It simply is the way the Charter is written. It’s interesting to note that this version of the Charter, completed in 2001, precedes the debacle of the implementation of the Sarbanes-Oxley Act of 2002 creating a huge awareness for strong internal financial controls.
As discussed, the wind of change and its challenges continuously beat against the door of City Hall. Competent professional leadership is needed to proactively manage the City’s financial destiny. Notwithstanding the opinion of many laypersons, the annual external financial audit gives little assurance that the concerns of internal control, risk management and governance are being met. These can only be assured through a competent and professional internal audit function reporting to an independent committee at the top of the organization. This is why the CRC has proposed in its draft charter that a professional internal audit function report to a Finance Committee made up of City Council members who have legislative but absolutely no executive or administrative responsibility. It is also the reason the CRC calls for a competent heavily vetted City Manager with professional financial experience to manage the executive branch and be continuously subjected to professionally administered internal audits. The citizens of Saratoga Springs deserve nothing less.