control, and governance
The Importance of Financial Controls
Is the financial information your property distributes reliable?
JOE OPROSKO, CPA
MANAGING DIRECTOR, API CONSULTING
“So how are we doing in the restaurant this week?” or “It seemed to be pretty empty this weekend, how did that new promo work out?” are only two of many questions that the operations management team may be asking, but need to know on a regular basis. The answers to these questions, and other similar ones, should be readily available from the accounting and finance group. The results being reported need to be accurate so that the operations management team can make informed decisions about the business. The key questions that internal auditors need to ask themselves are: “Does the financial information make sense?” and “Are we proactively protected from fraud?”
Strong financial controls help internal auditing and the operations team have confidence in the numbers being reported to management and help protect the organization’s assets. As in any area of operations — whether it be gaming, food and beverage, or the hotel — the financial controls need to be documented, assessed, revised, and strengthened where necessary and tested regularly.
The Fraud Triangle
The Fraud Triangle
Unfortunately, the regulatory focus on the gaming side of business, along with the Bank Secrecy Act or Title 31 concerns, means that the controls over financial information and reporting is usually put on the back burner until a major discrepancy surfaces, or worse yet, a fraud occurs.
Due to the current troubled economic environment, the likelihood that fraud will occur has increased significantly. The pressures — the first of the three components of the Fraud Triangle — on employees and customers have increased through lower or lost wages, spouses being out of work, and lack of medical insurance. These tough times also have allowed potential fraudsters to easily rationalize — the second component of the Fraud Triangle — the fraud that they are contemplating. Many fraud perpetrators say they are “just borrowing the money to pay a medical bill” or “using the money to help out until their spouse gets a job.” Other common rationalizations include: “They will never miss US $200 a day with all the money they make,” or “They don’t pay me enough anyway.” Operations has little control over most of those pressures and rationalizations but it does have control over the last component of the Fraud Triangle: opportunity. By evaluating and strengthening the financial internal controls of the operation, internal auditors can greatly reduce the opportunity component.
STRENGTHENING FINANCIAL CONTROLS
When assessing the current state of an organization’s financial controls, begin by determining which financial processes pose the most risk. One way internal auditors can assess financial controls is by looking at all of the functions and processes in accounting and finance and asking if a process were “broken” and activities were not getting done correctly, how much trouble would that cause the organization? For example, if for some reason checks were not cut or the accounts payable system did not function and vendors were not paid, goods and services would no longer be coming in and things would get dicey. In this example, the cash disbursements process would be an area where internal auditors would want strong financial controls in place. Additionally, within the cash disbursements processes, employees could set up fictitious vendors, cut fraudulent checks, or make deals with vendors to defraud the operation. Another example of an area where strong controls are absolutely essential would be within the payroll function. Payroll is such a huge expense for all operations that the slightest weakness or gap in the controls could have disastrous results. Employees could be paid incorrectly — or not at all — and once again, unscrupulous employees could exploit gaps and weaknesses in the controls to perpetrate frauds such as having fictitious employees on the payroll, not recording vacation or other paid time off, or overpaying themselves, relatives, and friends. Unfortunately, there always will be people who try to perpetrate fraud, but internal auditors need to stay one step ahead.
In addition to the potential for fraud in the operation, without strong financial controls it would be easy for innocent mistakes (e.g., misposting to the general ledger or forgetting to book an entry) to allow a major reporting error to go undetected and cause management to make an incorrect decision, which could potentially cost large amounts of money. Strong financial controls not only help prevent and detect fraud, but they also help detect true mistakes in the accounting and management reporting.
Other risk areas within an operation include controls around cash, financial reporting, general ledger, general ledger account reconciliation, and inventory (particularly in the food and beverage area), as well as controls around the hotel front desk. Another area that often is overlooked — but warrants strong controls — is management reporting. Is anyone in internal auditing verifying that the information being sent to the management team daily, weekly, or monthly is accurate? Could there be inconsistencies or mistakes made in the haste to get them done? Does the sum of all the departments’ profit and loss reports equal the total of the entire operation’s profits and losses? Many times when these areas are audited, numerous discrepancies surface and the first questions clients will ask are: “How long has this been going on?” and “Did we pay incorrect bonuses as a result?”
The above-mentioned items are not meant to be complete by any means; rather, they should get auditors thinking outside the gaming areas in their risk assessment and audit planning and provide a starting point for their audit. Internal auditing’s own customized risk assessment should identify all the areas that auditors feel are at risk within their specific operation, including the nongaming areas.
REMEDYING GAPS AND WEAKNESSES
Once auditors have performed their risk assessment and have identified the areas that they feel are at risk within their organization, they need to assess the controls currently in place. Review the policies and procedures for each of those areas, interviewing staff at all levels within the particular areas and observing them performing the various functions. After documenting the current state, auditors should determine whether the controls are adequate to mitigate or protect the organization from the risks, or if there are weaknesses or gaps that need to be addressed and corrected.
To best accomplish this, the operation should prepare remediation plans with a time line and identify responsible people. The internal audit team should review the plan, and once the remediation plans have been developed and are in progress, it is important to monitor progress regularly. Having the operations staff responsible for the remediation send periodic updates to the internal audit team would be an excellent way to monitor each of the various remediation plans. The update should include tasks accomplished to date, tasks outstanding (with expected completion dates), and any identified issues or roadblocks. This will allow internal auditing to know at which stage each of the remediation plans is as they move forward.
Once the remediation plans have been completed and the revised controls have been in operation for a few months, internal auditing should test compliance with, and the effectiveness of, the new controls. When the reviews have been completed with satisfactory results , internal auditing should add the accounting and finance departments to its audit plan and schedule — if it hasn’t already — so that the financial controls are being monitored regularly going forward.
Strong financial controls will allow for reliable financial reporting throughout the organization, which will allow for more solid financial management of the operation. Strong controls also provide greater peace of mind that the accounting data is correct and the money is better protected from potential frauds. That, in turn, allows for larger profits for the operations. And who wouldn’t want that during this current economy?
Joe Oprosko, CPA, managing director of API Consulting, specializes in internal controls, compliance solutions, customized training, and development and investigations within the gaming industry. He has more than 20 years of external and internal audit, Bank Secrecy Act, Title 31, and training and development experience. Oprosko has worked with McGladrey and Pullen, RSM McGladrey, and Jefferson Wells International as a manager and director.