Audit & Advisory Services Newsletter - Volume 20

Internal Control Tricks or Treats

It’s a spooky time of year, but you don’t have to be scared of potential internal control gaps or tricky fraud schemes – be prepared instead, by reading about what you can do to better manage inventory, prevent and detect ghost employees and vendors, and keep your data and funds safe.

Death and Inventory

Robust inventory management controls are an important function of many university operations. UCSF’s Willed Body Program (the Program) maintains a comprehensive and dependable inventory management system of internal controls that can serve as an example for other critical inventories.

The Program supplies anatomical material, including cadavers and disarticulated specimens, to UCSF’s medical, dental and pharmacy programs. Additionally, it supplies anatomical material to State Universities, Community Colleges, and private colleges and universities throughout Northern California for use in their anatomy courses. The Program also supports research projects, surgical procedural training, postgraduate medical education, and the development and testing of new medical devices.

The Program relies on donations from the public to ensure it maintains a reliable inventory for medical study and research. More importantly, the Program relies on preserving the public trust that it carries out its mission with dignity, respect and compassion, and that the donations it receives are not misused or misdirected. To retain the public’s trust, the Program has developed these internal controls to track the life cycle of a donation from receipt through to final disposition.

  • Donations are received and recorded in the Program’s specialized inventory management system. This system helps Program staff manage and track all aspects of a donation, including anatomical preparation, handling, inventory management, allocation, and disposal of anatomical materials.
  • All anatomical specimens are returned to the Program and tracked through to their final disposition. Independent periodic inventories of the Program are conducted and records reconciled to physical inventory.
  • To ensure that donations and anatomical materials are protected from misuse, facilities that store or use anatomical materials provide physical security that permits access only by approved, authorized personnel.

No matter the type of inventory that you may manage, you can implement similar internal controls for a robust inventory management system.


Trick or Treat

Happy Halloween! Below are some tricks fraudsters use that you should be aware of, and some internal control processes that can bring treats your way.

Trick: Phishing Emails - Cybersecurity continues to be a big threat facing many organizations, including UCSF. When in doubt about the authenticity of an email, click on “Report Phish” in Outlook and wait for the IT security assessment before proceeding with the message.

Trick: Payment Diversion Fraud - The objective of this type of fraud is to divert genuine payments between organizations into accounts controlled by the attackers. Some red flags to consider are: (1) Being asked to transfer money in a way that doesn’t follow the organization’s normal process; (2) Being asked to confine communications to email or being asked to keep the transaction confidential; and (3) Communication from email addresses that are similar but not identical to the addresses you trust.

Treat: Data Recovery – Especially as we continue to work from home, consider regularly backing up your data to ensure it is saved in case of data outages. According to the University of California Electronic Information Security (IS-3) policy, “Units must protect IT Resources classified at Availability Level 4 from power failures and other disruptions caused by failures in supporting utilities or environmental controls.” It is important to have institutional information backed up and recoverable – and it will prevent you from having to re-create work.

Treat: Unallocated Funds - You might be in for a treat when you perform reconciliations between the General Ledger and the subledger (where the details reside).  During the reconciliation process, you may find money that is due to you that may have been in a suspense account; this account is used as a temporary resting place for an entry that will end up somewhere else once its final destination is determined.


Top Things that Scare Auditors

While it can be frightening to see ghosts and goblins around Halloween, members of UCSF Audit & Advisory Services have encountered some terrors of their own from time to time. Here are some examples of petrifying issues that give us shivers.

  1. Inadequate IT Security: From cybersecurity, to phishing and ransomware, auditors are responsible for ensuring proper IT controls exist to minimize risk of data breaches. The average healthcare data breach can cost $7.1M, according to a recent IBM report. Always remember to think twice before clicking on any mystifying links.
  2. Inadequate or no segregation of duties – Management or manual override of controls can lead to an occurrence of fraud which can go undetected.
  3. A personally addressed letter from the FBI or other government agency - A little-known, somewhat spine-chilling fact: One of the members of the UCSF Audit & Advisory Services Team received a mysterious, personally addressed letter from the Department of Defense. Luckily, it was a reference request for a former employee. Our team members are highly sought after for other employment opportunities!
  4. Control deficiencies not addressed timely – When an audit finding requires a corrective action plan, it is imperative that the control deficiency identified is addressed timely to prevent the same issue from recurring.
  5. UCSF in the news – While publicity can be helpful for companies, negative media coverage linked to inappropriate issues/practices can cause reputational damage to an organization and it is something we always try to avoid.
  6. Surprise visits by the state auditor or regulatory agencies – Whether it is a State or Federal agency, a surprise visit from an external agency can cause goosebumps for anyone! It is always a good idea to identify issues in advance and rectify any gaps in compliance before their arrival. If you need any assistance or support to address potential issues and prepare for compliance, your audit advisors in UCSF Audit & Advisory Services are always here to help and provide consultation.

And, of course, the IRS is always terrifying for everyone.


Ghosts in the Workplace

While all fraud can be scary, this time of year is a good opportunity to see if you have ghost employees or vendors in your organization.

Ghost employees: If turnover is high, or you are in a large organization, there is a risk of payroll fraud involving ghost employees. Ghost employees can be fictitious names, but they can also be real people who have left the organization but are still being issued paychecks. Either way, the organization ends up paying for time not worked, rewarding the fraudster and reducing the funds available for other needed expenses. The good news is that UCSF has gone live with UCPath, which serves as another layer of control because payroll processing is performed by the UCPath Center. Some things that can be done to prevent or detect ghost employees include:

  • Setting up segregation of duties between posting time and attendance, preparing payroll disbursement, editing employee records, and approving payroll transactions.
  • Monitoring for red flags, such as not having appropriate or reasonable deductions, or inconsistencies in timekeeping information (like not having paid time off).
  • Regularly reviewing payroll budget reports for variations and discrepancies.

Ghost vendors: One of the most common types of internal fraud schemes, ghost vendors are nonexistent companies that have been entered into an organization’s Accounts Payable system and are paid for goods or services not provided – instead the money is going to an employee committing fraud. And, while the vendor may not exist, the fraudster may use a name similar to an existing, legitimate vendor in order to confuse the issue, and help hide the fraud. A few controls that can be put in place to help prevent or detect ghost vendors include:

  • Having a formal vendor approval process and written policy on approving vendors.
  • Monitoring payment activity for deviations from what is expected.
  • Checking vendor information against employee information for key fields, such as address.
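
The last control above, together with the look-alike vendor names mentioned earlier, can be run as a simple data match. This is an added example, not UCSF's or UCPath's code; the records, field names, abbreviation table and 0.85 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample records (not real data); field names are assumptions.
VENDORS = [
    {"id": "V001", "name": "Acme Lab Supply Inc.",
     "address": "100 Market Street, Suite 5, San Francisco, CA"},
    {"id": "V002", "name": "Acme Lab Supplies Inc",
     "address": "42 Elm St. Apt 3, Oakland, CA"},
    {"id": "V003", "name": "Bayside Couriers",
     "address": "9 Pier Road, San Francisco, CA"},
]
EMPLOYEES = [
    {"id": "E100", "name": "J. Doe", "address": "42 Elm Street, Apt. 3, Oakland CA"},
    {"id": "E101", "name": "R. Roe", "address": "7 Oak Avenue, Berkeley, CA"},
]

ABBREV = {"street": "st", "avenue": "ave", "road": "rd",
          "suite": "ste", "apartment": "apt"}
LEGAL_SUFFIXES = {"inc", "llc", "co", "corp", "ltd"}

def _words(text):
    # Lower-case and drop punctuation so "St." and "st" compare equal.
    return re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()

def norm_address(addr):
    # Collapse common long forms to one abbreviation before comparing.
    return " ".join(ABBREV.get(w, w) for w in _words(addr))

def norm_name(name):
    # Ignore legal suffixes, which fraudsters and clerks both vary freely.
    return " ".join(w for w in _words(name) if w not in LEGAL_SUFFIXES)

def address_matches(vendors, employees):
    """Return (vendor_id, employee_id) pairs that share a normalized address."""
    by_addr = {}
    for e in employees:
        by_addr.setdefault(norm_address(e["address"]), []).append(e["id"])
    return [(v["id"], eid) for v in vendors
            for eid in by_addr.get(norm_address(v["address"]), [])]

def similar_vendor_names(vendors, threshold=0.85):
    """Return vendor id pairs whose names are near-duplicates of each other."""
    hits = []
    for i, a in enumerate(vendors):
        for b in vendors[i + 1:]:
            r = SequenceMatcher(None, norm_name(a["name"]), norm_name(b["name"])).ratio()
            if r >= threshold:
                hits.append((a["id"], b["id"]))
    return hits
```

Each hit is a lead for manual review, not proof of fraud: an employee may legitimately own a vendor that has been disclosed and approved.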
