Financial Risk Assessments Help Target Areas in Need of Internal Control Reviews
As the old adage goes, “an ounce of prevention is worth a pound of cure." This is obviously true in the case of healthcare, where regular exercise and healthy dietary choices may help to reduce the risk of developing serious maladies. Periodic battery replacement in home smoke detectors, a very simple preventive measure, can help save lives. And, routine oil changes can help avoid costly car repairs and keep a vehicle running for more than 200,000 miles. The same adage applies to establishing internal controls over municipal financial operations. Taking the time to review, analyze and document appropriate control procedures over financial transactions is the ounce of prevention that is worth a pound of cure—with the pound of cure being the investment of time and money that may be needed to re-create financial records or recover from a fraud loss.
When launching a process to establish and document an effective and efficient system of internal controls, the most common dilemma is deciding where to start and how to prioritize the areas in need of review. Since every municipality is different in terms of their control environment, staffing levels and existing procedures, the priorities for review of financial operations will also be different for every municipality. A risk assessment will help determine which financial operations may be high-risk areas for your particular municipality, thereby identifying the need to evaluate whether internal control weaknesses exist in that area and whether control procedures need to be established or modified to mitigate that risk. In other words, a risk assessment helps identify the financial operations that need immediate attention in order to decrease the chance that an undesired event may occur (such as a theft of money), or a desired event may not occur (such as the pre-approval of an expenditure), with either event going undetected.
Categories of Risk
There are three types of risk to consider in a financial risk assessment: change risk, inherent risk and fraud risk.
Change Risk: A variety of “changes" can elevate the level of risk associated with any operation. For example, a change in personnel always results in an element of risk due to the “learning-curve" period. This risk is increased by an extended vacancy in a position, frequent turn-over of staff or a change in a high-level position. Changes in operations due to economic, political or financial reasons also contribute to risk. A sudden change in the demand for services in a particular area, such as an increase in the number of welfare applications due to local business closures, raises the level of risk associated with that municipal function. Change in the organizational structure of an operation or department, particularly if necessitated by staff reductions, can weaken any system of checks and balances that previously existed. The implementation of new programs, services or activities can also increase the level of risk, as can a change in vendors. And, finally, changes in technology systems may increase the risk that existing controls procedures are no longer adequate.
Inherent Risk: Some transactions or operations by their nature are inherently risky. Cash transactions present an obvious risk. Whenever cash is handled, inherent risk exists. As quoted by Stephen Gauthier of the Government Finance Officers Association, “When money passes through hands, sometimes it sticks!" The complexity of an operation also increases the level of inherent risk, following the old saying, “the more that can go wrong, the more that is likely to go wrong." Decentralized operations, meaning those operations that occur away from town hall, also carry inherent risk. Finally, failure to take corrective action on previously identified internal control weaknesses, such as weaknesses addressed in an audit report, management letter or internal control review, elevates the level of inherent risk by sending a negative message regarding management’s attitude about the importance of good internal controls.
Fraud Risk: Fraud risk is most often associated with an employee that may be experiencing financial pressures attributable to addiction, credit problems, over-commitment of financial resources, health issues or simply living beyond their means. These attributes are not limited to the employee, but could be experienced by the employee’s spouse, other family members or business associates. Disaffection resulting from a sense of being treated unfairly, such as being subject to disciplinary action or denied a pay increase or promotion, may also increase the risk of fraud. And, certainly, past personnel issues that have not been appropriately addressed increase this form of risk.
The goal of a risk assessment is to identify those operations where multiple forms of risk exist, especially if there are no procedures in place to mitigate those risks. Again, the purpose of the risk assessment is to identify those areas that may be a high priority in terms of needing an immediate review of the control procedures in place, or lack thereof. The following three scenarios illustrate this risk assessment process:
Scenario 1: There is a significant increase (change risk) in the number of summer recreation program registrations. Since there is only one type of risk present, this situation does not necessarily indicate the need to place a high priority on a review of the registration control procedures.
Scenario 2: A new employee (change risk) is responsible for processing cash transactions (inherent risk) in the planning department. However, there is adequate supervision and timely reconciliations are performed by other staff. Although this situation involves cash, and cash is always risky, the supervision and reconciliation functions provide compensating controls to help mitigate the identified risks.
Scenario 3: There is a significant increase in the volume of activity (change risk) at the transfer station (inherent risk) that involves inadequate supporting documentation of cash transactions (inherent risk) now being handled by only one person due to staff reduction (change risk), a disgruntled employee with past personnel issues and possible financial problems (fraud risk). This scenario should be a high priority for an immediate review of the internal control procedures at the transfer station due to the multiple types of risk identified.
From the descriptions of the three scenarios and the charts below, it should be evident that the circumstances in scenario three warrant an immediate need to review the internal control procedures regarding the transfer station operations due to the multiple risks that exist in all three risk categories. Once the risk areas have been identified, appropriate control procedures to mitigate those risks can be implemented.
Since municipal operations are on-going and fluid, meaning that change occurs on a regular basis (staff turnover, vacancies, budget reductions, increases in demand for services, new programs, technology upgrades, changes in employees’ personal lives, etc.), a risk assessment must also be on-going. Knowledge of the different types of risk that may exist—change risk, inherent risk and fraud risk—will aid in identifying financial operations that may need attention and help to ensure that adequate internal controls are in place and working properly.
Barbara Reid is Government Finance Advisor for the New Hampshire Local Government Center.