Compleat Works

INTERNAL
CONTROL
Essays & Ponderings
on Accountability
J. Timothy O’Toole
www.internal-control.us
www.1ceman.com
Internal Control – More Than a Good Idea – It’s Also the Law!
HOW TO BE A BETTER MANAGER • Do you have a hundred or a thousand

employees doing your bidding, or just a
How can I improve productivity, accuracy,
favored few?
integrity and effectiveness of my operations?
Can internal control techniques make a • Are you involved in purchases/
difference? Am I just making more work for expenditures/contracts in the millions, or are
myself? Besides, is anyone really enforcing the your expenses limited to an occasional
Internal Control Act? Amtrak run to New York City?
Okay, all reasonable questions. In order to • Has your program had a track record of
respond, let’s start at the beginning, and discuss success, or a history of negative press, grand
the Control Environment. Sounds fancy, but it jury investigations and scathing audit
just means - what is the reality of your reports?
program/function operation?
I think you get the picture. Control environment
• Do you handle dangerous drugs or refers to the set of circumstances you and your
chemicals – or just sales tax forms? program are in at all times. The answers to each
of these questions form a baseline of “inherent
• Is it a 9-to-5 office or a 24/7 residential
risk” against which you must consider the
facility?
wisdom of enforcing some internal controls
• Is your operation centralized or far-flung? (a/k/a management controls). Before you jump
to conclusions, you need to conduct a…
• Do you deal directly with the public (in
office or residential settings), or local RISK ASSESSMENT
government/elected officials?
If you’ve answered the preceding questions
• Are you responsible for expensive inventory fully, and have taken into consideration unique
(computer parts, medical supplies, sides of factors relevant to your specific operation, you
beef, power tools or firearms), or more are ready to assess your risk (or “vulnerability”).
routine office supplies (paper clips, pens, Fraud, waste and mismanagement are the issues
pads, binders, rubber bands)? of greatest concern in most of our operations,
but public safety, environmental health,
• Are you the gate-keeper for confidential
susceptibility to litigation, scandal or satire in a
records (computer or paper)?
future Dilbert cartoon may also be at the back of
• Are your staff seasoned, trained and your mind (along with that April 15 filing date).
reliable? Or
• Have you had a lot of turnover (due to
illness, retirement, indictment) - and there is
a hiring freeze?
• Are your policies and procedures up-to-
date? Or
• Are you hamstrung by out-of-date
regulations, hidebound legacy computer
systems, or management indecision? (“Is
that what’s troubling you, bunky?”)
• Are you being held accountable for
something over which you have no
authority?
1
We tend to procrastinate regarding unpleasant damage in dollars or lives lost, illness or

realities. You may also have leadership that litigation? What would be the impact on your
does not encourage or even welcome questions, agency’s reputation and continued funding?
yet you are the one who will be held Now imagine the likelihood of occurrence of
accountable. Clearly you can’t afford any any of these calamities. It may sound cold-
further delay in assessing your risk. hearted, but we cannot protect against all
The best place to begin is with a baseline review potential risks. We must establish priorities,
of each element of your operation, sample some weigh the economic feasibility of each control,
data, interview some staff (and clients), and ask the availability of staff to enforce such controls,
some questions. Common sense and logic come and consider what role such risk would play in
in handy here – even if they deviate from the interfering with your mission. We are looking
“conventional wisdom” that was followed for a “reasonable assurance” that bad things
historically. won’t happen.
Is any one person (staff or public) in a position “Reasonable”, but not “absolute”.
to take advantage of weak management For example, a warehouse or mailroom may
controls? For example, does the person in keep its laptop computers in locked storage, but
charge of petty cash also reconcile the account leave mailing envelopes and copier paper out in
every month? Do your staff accept information the open. You have to use a password to send e-
submitted by the public without question, in mail via computer, but the fax machine does
effect rubber-stamping their applications, be it your bidding without further ado. Keys for the
for a license, public assistance, employment, or company car are kept secure, but staff are
student loan? trusted to use the copier without a keycard.
Are you under pressure to purchase only from
selected vendors? Are you constantly splitting UNIVERSAL PRECAUTIONS
orders to keep under the competitive bidding In health care settings, medical professionals are
threshold? If you are fortunate enough to be required to follow universal precautions for their
able to hire replacement staff, are heroic own protection, and that of their patients. It’s
measures being taken to circumvent the “rule of not just about AIDS. We are becoming one
three”? world, and TB from Zimbabwe, bird flu from
Imagine your worst case scenario: Saigon, or encephalitis from Belgium can show
up in Schenectady without warning.
• A major embezzlement.
• A bridge collapse. Dental hygienists
• A patient abuse scandal. wear gloves (maybe
• Bid rigging. even masks). Red
• A bribery investigation. Cross workers are
• A three-car pileup. very careful when
• Tainted vaccine. collecting your pints
• A diploma mill. of AB+ or O-. Even
• Asbestos. barbers now sterilize their scissors between
• Polluted drinking water. customers.
All of these have occurred somewhere in the In business and government, there are certain
past, and will continue to do so in the future. “universal precautions” taken by financial
What would bring Mike Wallace to your door officers, account clerks, stock-room staff, data
with a video camera? What is the potential entry clerks – to protect assets and to protect
their individual reputations.
If you work in an office where individuals are physical security measures and legal
given considerable latitude, they may also be requirements. Investigators may also check into
susceptible to allegations of abuse of such staff finances and phone records.
power. There are also countless regulations
affecting various facets of daily life, which INTERNAL CONTROL
require periodic compliance procedures. PROCEDURES
We are all familiar with the following health, All of the foregoing examples are comparable to
safety and compliance procedures: that annual locking the barn door after the horses escape. It
vehicle inspection; the April 15 tax filing may also be difficult to get the toothpaste back
deadline; winter flu shots (if you are eligible). into the tube (and still meet OSHA regulations).
We also need to make sure we pay our fire To avoid these nightmares (and bad press) some
insurance premiums on time. Phone companies common sense procedures are in order.
and utilities may be patient waiting for It’s harder to fix traffic tickets these days
payment, but they are not going to wait because citations are numbered, and the
indefinitely. Comptroller insists they all be
We also expect our restaurants to be accounted for. This was probably
clean; produce in the supermarket to instituted as a revenue measure, but
be fresh; poultry inspected; milk to has also had a positive impact on local
be tuberculin-free; kosher foods government integrity.
receive proper rabbinical When accepting cash payments, cash
supervision; toddlers’ toys to registers keep track of (and issue) receipts.
be safe from choking hazards. Whether it’s a charity’s collection plate or
The list goes on and on. payroll at least two people should count the
These are all reasonable expectations for cash. The person who signs the checks should
consumers. Likewise, we in government have not be the person who reconciles the account.
reasonable expectations from one another You may have “read only” access to computer
(within and between agencies), and the public files, to protect them from tampering or
have reasonable expectations from government accidental deletion. Employment in some
(state/local/federal). sensitive positions may require a criminal record
When a child dies in a day care center, the check. Review the driving records of staff who
public look first at the provider. Then they look transport clients, BEFORE tragedy strikes.
at the licensing agency. Progressive discipline is required for employees
When a city bus hits a bystander, the police with chronic attendance problems. This is
check the driver’s blood-alcohol content. Then especially critical in 24/7 environments where
they check the brakes. Then they review the other staff must work involuntary overtime to
maintenance records at the garage. fill a post.
When $14 is missing from petty cash, it doesn’t Technically speaking, when a warehouse or
get much press. But when BOCES is missing a stockroom receives supplies and materials, staff
million or two, and their treasurer just retired, should check the quantity received. If it’s an
buying a new car, boat and summer house, all order of staples from Staples, this may not be
kinds of people take notice. critical. But a pallet full of PCs from DELL?
Count them twice.
When a prisoner escapes from custody, issues
under review include facility (or transport) There is an old adage that “history teaches us
procedures, staff qualifications and training; that no one learns from history”. Not true. If
your methadone clinic has been going through a you funnel all such entries through authorized
case of syringes every week, and suddenly that staff? Do you find a dozen DBAs all sharing
volume has doubled, either there is a growth the same Federal Employer Identification
trend in services provided, or someone is Number? Do you check those numbers against
sidelining supplies. employee Social Security Numbers? How about
P.O. Box addresses or Suite addresses (they can
If you are used to $35 phone bills each month
be a precursor of a bogus business).
and suddenly get a $495 bill, read it carefully
before you rush to your checkbook. How do you guard against paying the same bill
twice? If it’s the Phone Company or electric
(Note: “The way things have always been” is
utility, they will likely credit you for the
part of your control environment.)
overpayment against next month’s bill. But
When considering what kind of control there are those happy to make use of your
procedures are necessary, consider the money until you notice the overpayment. With
likelihood of risk, the significance of failure, delays in internal processing of vouchers,
and those three words from all those Law & double-billing is not just the province of
Order episodes: “means, motive, and unscrupulous healthcare providers.
opportunity”. Along with motive, you can add
For that matter, how do you ensure vouchers are
“rationalization”. Was a long-term employee
processed in a timely fashion? Prompt payment
passed over for promotion time and again? Is
legislation may not affect smaller transactions,
he/she in a position to get even? Has a
but it is best to eliminate billing
disgruntled worker
confusion at any price.
just given his/her two-
weeks notice? MONITORING
Wouldn’t it be wise to
change the computer If the South had won the war,
system password this would be called
BEFORE they are out “Merrimacking”. You know
the door? the old adage “If you can’t
measure it, you can’t manage it.”
If you have ever Monitoring is an ongoing
shopped on the process that involves measuring
Internet, you know outcome against expectation.
those bargains may be On an assembly line, we expect
risky. Windows XP for $29.95? Not likely. the drill presses to bore so many holes per hour,
Gutenberg Bible for sale on E-Bay? Sure. You fill so many ounces per bottle, and pack so
may have had reliable experience with L.L. many bottles per case. In some cases
Bean and Land’s End, but this cannot be applied monitoring can be automated, but even then,
to www.fly-by-nite.com. When you spend your manual inspection is called for on a sampling
own money, you like to know who you are basis. If your paper mill turned out less than
dealing with. When you are spending the 1,000 sheets per roll, the Federal Trade
State’s money, it is also wise to know your Commission would find out eventually
suppliers. (someone out there would have enough time on
You may have a sophisticated/computerized their hands to check the count).
purchasing system to ride herd on purchase If your laboratory is responsible for testing rabid
orders and vouchers, but such a system could be bats, you can be sure there are procedures in
compromised by unscrupulous staff. Can place to make sure that staff follow safety rules,
anybody add a vendor to your database? Or do file reports promptly, and destroy the carcasses
hygienically – not to comfort the bat’s next of

kin, but to protect the public health. When a resident is placed on suicide watch, how
Based on experience, you may find it necessary do you verify that staff looked in on a frequent
to monitor certain processes more than others – basis (as prescribed in the suicide watch
or to review the work of some staff more than protocol)?
others. But you still need that “reasonable In some cases, there is DOCUMENTATION to
assurance” that things are going as planned. show a transaction occurred, and when it
The Division of the Budget – and the Internal occurred. Computer logs, date stamps, EZ-Pass
Control Act – recognize the value of records, toll booth receipts, phone records.
monitoring. They insist on some sort of formal Along with standardization of records, many
testing process, whereby management can computer applications now add a time/date
identify problems or emerging trends, determine element. Filter a digital report file through an
an acceptable level of error, and a target level of Excel spreadsheet, and you can “sample” all the
production for each major function. data – rather than a 5% sample – then filter and
massage it a hundred ways. If this approach can
Granted, there are some long-range goals not
help you monitor your function, make sure you
immediately verifiable (like reducing illiteracy
receive the proper training to take advantage of
or acid rain, increasing employment, or curbing
this technology.
recidivism). That is where the cousin to
monitoring, “evaluation”, comes in. Documentation can be helpful, but there are
other times when you have to INTERVIEW
Evaluation, by definition, is conducted by an
staff, clients, vendors, the public to gain
impartial group not directly involved in program
perspective on an operation. Find out if your
implementation. This is done to ensure
staff really know what they are supposed to do.
independent judgment. Evaluation may also
Find out if clients have unreasonable
involve research techniques beyond the
expectations from a program. Find out if
capability of on-site managers, like following a
vendors understand the RFP. The public
cohort of clients over a five year period,
(including the press, advocacy groups, and
interfacing with other agencies and their data
elected officials) may have a totally different
systems (e.g. Department of Labor, OTDA, DCJS),
or field interview of former clients. This all impression of what you are about. In some
takes time, and you may be retired before the cases this means re-engineering your program.
report is finalized, so concentrate on monitoring. In other cases this means educating the public as
to your capabilities.
How do you know that
things are going as Finally, OBSERVATION is a tried and true
planned? technique. Shop foremen take a walk around
the factory floor. They know by experience
How do you know that what sights, sounds and smells to expect on a
vouchers are checked normal business day. If a factory (or a phone
against purchase bank) is unusually quiet, it is time to find out
orders, and processed why. Unless you work in a welding shop, if you
through OSC in a smell something burning, don’t pass it off as an
timely fashion. olfactory hallucination. Check it out – your
How do you know health (or your life) may be at stake. If you look
those eye test forms around the office on a Monday morning, and
turned in at DMV are you are the only one who is there, don’t jump to
legitimate?
conclusions about malingerers. Check your

calendar – maybe it’s a holiday.
And if everybody is gathering around the water
cooler, locked in animated conversation, it
might involve vital information. By design,
managers are usually the last to know. That’s
why they are kept in private offices, secretaries
screen their calls, and in some cases they eat in
separate dining rooms.
This is where we segue whimsically to our next
element of better management:
The military talk about the 3 C’s – command,
INFORMATION & control, and communication. We civilians
COMMUNICATION talk about horizontal and vertical two-way
communication. Your subordinates need to
“Everybody’s talkin’ at me…but I can’t hear a bring things to your attention. You need to
word they’re saying….” The opening lyrics confer with them, fielding questions and
from the theme from Midnight Cowboy may be concerns, passing on vital information from
your work reality, but probably not. Like most above. You need to keep your bosses in the
of us, you probably have fallen prey to the status loop concerning issues that affect the agency or
quo of hierarchical decision-making and program. And you need to compare notes with
pecking order communication. “Right to know” your peers in other parts of the agency – to
and “need to know” are phrases that apply to make sure you are not working at cross-
more than the CIA and Homeland Security. If purposes, duplicating each other’s work, and
you are responsible for an operation, you need pick up information that missed your desk.
all the available information to bolster Knowledge is power, only if it is shared. And
productivity – which includes both efficiency the more people who share the knowledge, the
AND effectiveness. more productive your agency can be.
IF IT AIN’T BROKE, DON’T FIX IT Of course we do not advocate change for the
sake of change. Bureaucratic inertia (or tight
A frequent temptation for a new manager is the budgets) usually ensures this. Then there is the
urge to change a long-standing policy or bureaucratic equivalent of the Hippocratic Oath:
procedure, regardless of the need for change. “When in doubt, do nothing.” Some things have
Primates do like to mark their territory. a habit of sorting themselves out. When an
unwelcome trend is identified, the rules are
But one of the cardinal rules of bureaucracy is changed. Some situations are transitory (snow
“If it ain’t broke, don’t fix it.” Some people are plows are a seasonal affair, disaster movies
eager to embrace new technology, so that they notwithstanding). And sometimes, the people
will have bragging rights at cocktail parties. most affected by a trend look for solutions
These are often the same people who buy riding outside traditional channels.
mowers for their postage stamp lawns.
THE INTERNAL CONTROL ACT
But there are times when change is
justified, if it is the right change. There are cynics who feel that the Internal
And sometimes, any change will Control Act is just another meaningless
yield improvements in fad – and it will be a meaningless fad
productivity, primarily because unless it is embraced by executive staff,
people appreciate being noticed managers, supervisors, and rank & file
(even if it is negative attention). employees. The Internal Control Act
requires agencies to engage in periodic
Consider the Hawthorne Effect. review of their internal control systems –
Named for the Western Electric which means identifying those
Hawthorne Works in Cicero, procedures, measuring productivity
Illinois, Between 1927 and 1932 (qualitatively and quantitatively), and
professor Elton Mayo reviewed productivity and assessing the risks inherent in such operations.
work conditions, starting with lighting and
humidity, then addressing psychological aspects When properly implemented, those “annual
of the work group (changing break times or nuisances” can become an important
working hours, applying different managerial communication tool for you to get the attention
style, or creating a sense of competition between you need to resolve a long-standing problem.
work groups). Every change yielded Reallocating staff due to retirements and
improvement in productivity because people act reductions in force requires a reprioritization of
differently when they know they are being an agency’s mission and functions. It also
observed. requires training for those assigned to new roles
and responsibilities. It may also require new
Keeping in mind the X, Y and Z types of people procedures, or integration of data between units.
working for you, some will improve out of fear
of retribution (curtailing personal phone calls, Ideally, an internal control review would depend
double-checking their figures, improving on ongoing monitoring of key functions, not a
attendance and punctuality). Others will perennial paper chase. There are three standard
improve because they want to be noticed in a ways to monitor a situation, be it a
positive sense (even if you have no ambition to licensing/registration operation, fiscal audit or
higher office, positive feedback is an uplifting UN peacekeeping mission:
experience).
Observe – Interview – Document.
By Observe we are talking about using your progress. Checking dates (prompt payment
eyes and ears to monitor the operation. A good legislation is only one issue – delays in
shop foreman knows by sound alone whether a transaction can cost more than money).
printing press is functioning properly,
or if the staff are keeping When you are observing-interviewing-
busy. Are you getting documenting, avoid the tendency to second
the expected results guess your staff. Avoid the tendency to think
at the end of the you know more than they do. Approach the task
day? Are people with humility, not arrogance, and this will
ebullient or communicate to your staff that “you are all in
exhausted at quitting this together”.
time? And yes, even a sense of
smell can come in handy. Factory workers To these three trusted techniques, I would add a
know the value of good ventilation, and the fourth: Confer.
harmful effect paint and solvent fumes can have
on their bodies. There is also the “sense of
smell” an account clerk can develop processing
vouchers, or the “sense of smell” an auditor taps
into instinctively when reviewing questionable
transactions.
By Interview we are talking

about talking to your people,
both new employees and
seasoned staff. Ask them
questions about their work. It has been said that the Army is run by its
Are they following the Sergeants. Generals may plan campaigns,
proper protocol? Are they colonels may issue edicts, and lieutenants (fresh
keeping up with the out of Officer Candidate School) may think they
workload, or are they cutting are giving the orders, but it is the wise, seasoned
corners to avoid backlogs? sergeants who make things work.
Do they have any ideas on
how to improve the Think of yourself as a sergeant, not a general.
operation? Do they fully Confer with other sergeants. Develop a network of
understand WHY they do what they do? people you can compare notes with, vent your
frustrations, ask questions, or pool resources.
By Document we are talking about Perhaps your predecessor is still available for
manual and computer record- consultation. There is no need to supervise in a
vacuum. No matter what size your agency, there are
keeping. Sampling trans-actions
people you can turn to for specialized assistance (be
for anomalies (often with it training, information technology, labor relations,
computer technology, methods and procedures, or EAP). Don’t be afraid
you can filter ALL to ask for help.
transactions for glitches).
Double-checking figures, If you must sweep something under the
verifying signatures, carpet, remember - that carpet was provided
setting up tracking by the low bidder.
systems to document
MASTERS OF THE UNIVERSE The key provision of the Executive Order

affecting all State employees is:
In Tom Wolfe’s best-selling novel, Bonfire of “Every State officer or employee in a
the Vanities, one of his characters, a Wall covered agency shall report promptly to the
Street bond trader, proclaims his invulnerability, State Inspector General any information
saying that he is one of the “masters of the concerning corruption, fraud, criminal
universe.” Such invulnerability claims are activity, conflicts of interest or abuse by
usually signs of adolescence. A teenager is sure another state officer or employee relating to
that he/she will never get hooked on drugs, his or her office or employment, or by a
never catch VD, be able to beat that train to the person having business dealings with a
covered agency relating to those dealings.
grade crossing (usually on prom night, after a
The knowing failure of any officer or
lot of heavy drinking). employee so to report shall he cause for
removal from office or employment or other
Tom Wolfe’s novel (based in New York appropriate penalty. Any officer or
City) serves as a fascinating microcosm employee who acts pursuant to this
of that urban environment, with paragraph by reporting to the State
different characters – in different Inspector General improper
walks of life – living parallel governmental action as defined
existences. What they all had in in Civil Service Law Section 75-
common was “living on the edge” b shall not be subject to
or “living beyond their means”, dismissal, discipline or other
prompting them to engage in adverse personnel action.”
various unethical or self- Take a close look at the above
destructive behaviors. The paragraph, then ask yourself
movie was terrible, but the book “Do I know any “Masters of
is an excellent read. the Universe’?” Worse yet, are
YOU one of these myopic
No, I don’t get a commission creatures? You probably know
from Barnes & Noble. I mention this book as a what constitutes corruption or fraud (rigged
lead in to the eternal Internal Control issues of bids, buying overpriced goods and services from
fraud, waste and mismanagement. These relatives or cronies, bribery or kickback
same issues are the raison d’être (reason for schemes), but what constitutes “abuse?”
being) of the Inspector General’s Office.
How about time and attendance ambiguity? Is
The Governor’s Executive Order No. 39 someone really working in the field, or working
(issued June 17, 1996) requires all State at home, when they say they are? Did they
employees to report instances of fraud, waste or really put in those extra hours of overtime, or
mismanagement to the Inspector General. “Any did they slip out once the boss went home? Do
state employee who reports wrongdoing will they tend to take an extra-long lunch hour every
receive "whistle-blower" protection against payday (without charge to accruals)? What
dismissal, discipline or other adverse personnel about all those executives who go to a daylong
action.” This is not to promise that you will conference, yet never seem to attend the closing
win a popularity contest, get promoted, or be session (which is probably about the important
named as Employee of the Year. of internal control)?
Then there are those who use their assigned instinct told you otherwise? How about
State vehicles to commute to the office, take approving an applicant for government funding
extensive side trips on the State’s dime, talking because they were the commissioner’s nephew?
to sweethearts on their State cell phone as they Was the commissioner even aware that a
drive (and probably not hands-free). Yes, just relative had approached your agency for
like sports celebrities who start buying hard funding?
drugs with their signing bonuses, there are
Worst-case scenario: the local papers uncover
“Masters of the Universe” near you who let it all
something smelly via the Freedom of
go to their heads. The fancy titles, private
Information Law (probably tipped off by a co-
offices, free long distance, State cars and private
worker who decided not to trust the Inspector
secretaries. They consider the accoutrements of
General with that information). Your name gets
office as personal prestige items, not tools to get
dragged through the mud, even though you did
the job done.
not personally benefit by the suspect activity.
When you work for the State, it is pretty easy to The commissioner embarrasses the governor, is
figure out how much everyone is making. Just forced to resign, and deep in his heart of hearts,
download the salary schedules from the Internet. blames you for never warning him that
Most of you reading this are probably struggling “something is rotten in the state of Denmark.”
to keep pace with gargantuan monthly mortgage
And the local press won’t follow Roberts Rules
payments; a car loan with seductively low
of Order, or rules of evidence in speaking and
interest – but equally low down payment;
speculating. Not even the UCMJ (Universal
orthodonture for the kids (maybe even private
Code of Military Justice). No blindfold, no
school tuition, not to mention $100 sneakers that
cigarette. You will never make it to SG-27
only last a semester).
now. Unless you are an SG-31.
So it is only reasonable for you to wonder about Executive Order No. 39 does say “The knowing
bosses or co-workers who appear to be living failure of any officer or employee so to report shall
beyond their means. Maybe the do have a rich be cause for removal from office or employment or
aunt, or a winning lottery ticket, or made a other appropriate penalty.”
killing in the stock market. This is not to
Maybe you will never pay a penalty for looking the
suggest that you start spying upon them in
other way, but then how does that make you feel
Orwellian 1984 style. But it does suggest that when someone around you is pilfering or
as part of your routine day-to-day work, you profiteering, lording it over legitimate workers.
remain alert to “anomalies” – i.e., things that Acting like the Aesop’s grasshopper, treating you
don’t make sense. Like irregularities in like an ant.
purchasing, absenteeism, possible no-show or
Is there a scandal waiting to erupt in your shop?
ghost employees (who just love direct deposit),
And is your signature on any of the paperwork?
wasteful practices (like travel junkets to
expensive conferences in Las Vegas, while the
rank and file can’t get their employer to cough
up $99 for a one-day, local seminar).
A partial list of Governor Pataki’s Executive Orders
So “What’s in it for me? Why should I risk (134 of them at last count) is available online at the
my career to report wrongdoing?” Chances Governor’s Office of Regulatory Reform:
are, even if the long arm of the law reaches out http://www.gorr.state.ny.us/gorr/executive%20orders.htm
and nabs an employee on the take, no one will
blame you. After all, it’s not as if you approved
their activities. Or is it? Were you pressured to
authorize payment to a vendor, when your
PLAUSIBLE DENIABILITY proportionate to the risks identified. You have

considered both the likelihood and magnitude of
You’ve all seen the movies. Our Commander- such risks – be it life-threatening, financially
in-Chief is stunned to learn that there are aliens compromising, or disruptive to your program.
in formaldehyde at Area 54. Or the CIA has
replaced a world leader with a look-alike actor. Reasonable assurance depends on a number of
Or the Pentagon has a spare space shuttle known things – like recognition of legitimate risk (no
but to a few. When the President asks “Why Hollywood meteor disasters or white sharks,
wasn’t I told?”, the answer is “plausible please), and open, honest communications
deniability.” involving management and line staff (no buried
Morton Thiokol memos about Space Shuttle O-
Well-meaning Presidential aides think they are rings). But most of all it depends on people –
protecting their leader by shielding POTUS your people.
from the truth.
Article 54, S 950 of the Internal Control Act
Such melodramatic moments don’t cut it in the defines “internal control” as
real world. If something happens on your “a process that integrates the activities,
watch, it won’t matter whether it ever made it to plans, attitudes, policies, systems, resources
your in-basket. Print and media journalists will and efforts of the people of an organization
vivisect your administration gleefully. working together, and that is designed to
Advocacy groups and partisan politicians will provide reasonable assurance that the
vilify you. Small dogs will nip at your ankles. organization will achieve its objectives and
Maitre-d’s will lose your reservations. mission. The objectives of an internal
control system include, but are not limited
Maybe this doesn’t matter to you. You’ve got to: the safeguarding of assets; checking the
37 ½ years of State service under your belt, and accuracy and reliability of accounting data
and financial reporting; promoting the
Florida has no extradition treaty regarding
effectiveness and efficiency of operations;
incompetent bureaucrats. If so, read no further. ensuring compliance with applicable laws
and regulations; and encouraging adherence
But if you care about your reputation, your to prescribed managerial policies. Internal
career, or better yet, the people of New York, control review processes are used
then you will want more than plausible periodically to evaluate the ongoing internal
deniability to support your administration. That control system and to assess and monitor the
is where two magic words come in: implementation of necessary corrective
actions.”
Yes, that is a mouthful. But all these goals can

be met with smart administration.
Work smarter, not harder

Reasonable assurance is not a “get out of jail
free” card, nor is it a money-back guarantee that This vicious phrase, as beloved as “knowledge
things can’t go wrong. It is the recognition that is power” and “the check is in the mail” is
you have taken appropriate steps to minimize usually uttered by an unimaginative executive or
the likelihood of significant fraud, waste or a long-suffering budget analyst, when resources
mismanagement. You have internal controls are not adequate to the task at hand. Retirement
(management controls) in place that are incentives, reductions in force, or reassignment
of staff to other responsibilities all conspire to You will have to take some of the feedback with
tell you the traditional way of doing things is no a grain of salt (photo courtesy of Smithsonian
longer the answer. Institution).
In some instances, you need to take calculated

risks – inspecting pushcarts once a year, rather
than once a month. Licensing drivers for five
years, not three. Sampling 5% of income tax
returns over $80,000, rather than a 10% sample
of those over $60,000.
In other instances, you need to explore new

methodologies to collect and analyze data (e.g.
scan applications into a computer system, then
deep-six tons of paper).
Yes, there are training gurus who will insist the After all, you’ve probably kept some of your
solution is to cross-train all your staff, so that staff walled off into tiny confines and limited
they can be assigned more flexibly to fill arising functions. People work best when they can see
need. But the weeks of training required to do the big picture, put that is probably not the
this will take them away from their current bureau you inherited with your last promotion.
responsibilities. Now is your chance to change that.
We’ve always done it that way” no longer
Sharing Power matters.
One, often overlooked solution is to share power Sharing power is a strange thing. In the 20th
with your staff. Remember the little Dutch boy? century, we thought there was only so much
Sure, you can plug a few holes single-handedly, power to go around, that sharing what we had
but when you run out of fingers, you need to with others would sacrifice the power we did
solicit additional help. I am not recommending have. Little did we suspect that sharing power
a press release or guest spot on Charlie Rose. I actually creates more power – like a breeder
am recommending honest two-way reactor creates more fissionable material to
communication with your staff. Let them know power additional reactors.
you have a problem, whether it’s “Louise is out Maybe the toxic byproducts of nuclear power
on Worker’s Comp” or “we have another make you nervous, but the byproducts of
unfunded mandate.” sharing human power are far from toxic. Surf
the Internet and you will find “power sharing”
Get a little brainstorming session going. Gain under discussion by feminists and theologians,
perspective and insight into the problem. Open military specialists and accountants,
the floor to suggestions. Be gentle with the international aid workers and West Wing
impractical. Look for examples of duplication strategists. Sharing power takes away the us vs.
of effort or waste motion. them phenomenon - where two opposing sides
If turnaround time is an issue, think like a neutralize one another, and nothing positive is
factory foreman. How does the assembly line accomplished.
flow? Are there bottlenecks in the overall
process? Are some units waiting for work,
while others are drowning in it?
Right now a major power sharing experiment is Be Ruthless

underway in Iraq, hoping that Shiia, Sunni and
Kurd can work together to establish a rule of Every thing you and your staff do must
law, squelch insurrection, and create a contribute to meeting your goal. Or else it is
progressive society. just contributing to your administrative
overhead. Sure, there are lawyers and
A more esoteric version of power sharing accountants looking over your shoulder, to
involves the Search for Extra-Terrestrial make sure everything is legitimate and
Intelligence (SETI). Individual PC’s scattered accountable. But you are your staff are the
across the Internet are invited to participate in a arbiters of the procedures you employ. Is there
data processing effort (presumably data received data on a form, or a required field on your input
by radio-telescopes), that takes advantage of screen which add nothing to the process? The
down-time (e.g. when screen savers would kick U.S. Census likes to ask lots of questions every
in) from all participating computers to create a ten years, though only a handful relate to its
gigantic, virtual machine. original purpose (determining representation in
Congress).
If you are ordering shoes from L.L. Bean, they
don’t ask you for your hat size. Take a close
look at the data you process, and weed out the
inconsequential.
Remember too, there is a big difference between
efficiency and effectiveness. You may be
producing buggy whips with incredible
efficiency – holding down labor costs,
minimizing scrap, recycling tanning chemicals,
but sales outside of Lancaster, Pennsylvania are
less than brisk.
You are a leader, not a follower. When you
Of course we are still searching for terrestrial identify useless appendages, vestigial
intelligence. And that’s where you come in. If regulations, counter-productive procedures and
you are not tapping into all the mental resources fossilized forms, you have a responsibility to
at your disposal, you are wasting time, money, confront such situations, and communicate up
and staff talents. the line to change things.
The Internal Control Act insists that you

encourage “adherence to prescribed managerial
policies.” It is easier to do that when the
policies make sense.
IDENTITY THEFT While acknowledging that the Secret Service1

reported by someone claiming to be Tim O’Toole are the experts in this field, Sennett’s
presentation offered intriguing insights into the
No, it’s not about someone pretending to be heir criminal mind, and the “socially engineered”
to the throne of Lower Slobovia. Nor is it likely mind of the victim.
that someone will undergo plastic surgery so His presentation also awakened some family
they can attend your high school reunion, as memories for me, which will inevitably intrude
you! Identity theft is just the latest edition of an without warning in this article. But here goes:
age-old tradition. It is no longer cost-effective
to break into your home to steal your property, Once upon a time we all lived in small towns,
risk apprehension, then fence second-hand and like the bar in Cheers, everyone knew your
goods at a considerable mark-down. name. You shopped in person at local stores,
and paid cash, or ran up a tab at the company
It’s much more efficient to purchase brand new store. Your face and your signature were the
goods, with warranty, and let someone else pay only identification you needed.
for them. Free shipping and no sales tax are a
bonus for the digi-thief. Then Social Security arrived, to defend us from
total penury and starvation (there
You’ve probably seen the movie was a lot of that going on after
Catch Me If You Can, about 1929). A generation ago, a sign
Frank Abagnale – a child prodigy of maturity was getting your own
who started with a PanAm decal checking account after you
from a Revell model plane, then finished school and were
parlayed that into millions of gainfully employed. Your
dollars in bad checks. After a employer paid you by check, and
miserable stint in a French prison, you paid your recurring bills by
Frank reversed course, and now check (e.g., phone, electric, rent,
heads a major anti-fraud company car insurance). You probably
helping defend corporations from bought groceries by check once
forgery. you started feeding more than one
But there is a new generation of of you.
con artists out there (as featured Credit cards started happening with gusto in the
in a current credit card commercial), who 60’s. I know this because my father retired
recognize the weak underbelly of modern e- from the FBI in 1965, to take a job as Vice
commerce. President of Diners Club, the leading
Using psychology and technology, rather than entertainment credit card of that era. Would
lock picks and windows shims, they are you believe way back then, there were people
beginning to cost us real money, even by forging credit cards? Charges over a set dollar
Pentagon standards. amount had to be approved by phone call from a
restaurant or hotel to Diners Club.
On Thursday, February 26, 2004 the New York
State Internal Control Association featured a Waiters talked to human beings at 1 Columbus
presentation on Identity Theft by John J. Circle, and everyone was happy. The diner was
Sennett, a recent retiree of the FBI. Sennett is happy because he or she had just impressed a
now employed by the Department of Public
Service as their Director of Utility Security. 1
This will make my brother happy. He specializes in
collaring Nigerians who engage in imaginative banking
practices in North Carolina.
business contact, was close to closing a big deal, with lots of time on hold being told your call
and had his or her employer pay for the lobster was important).
and champagne.
Now when we talk of “identity theft” we are
Then some unscrupulous employees started talking about two technically different items:
keeping track of credit card names and numbers,
selling the data to counterfeiters in Queens, NY • Account Theft – a stable indignity,
who could print and emboss some very whereby someone gets a hold on an active
authentic looking credit cards. The phony cards credit card number, and via Internet or 800
might have a useful shelf life of only 30 or 45 number, orders merchandise to be shipped
days, but each card had a high or open-ended to a different address;
credit limit, so it was worth the effort. In those • Identity Theft – a growing phenomenon,
days it was said that you could steal more with a whereby someone uses your personal
briefcase than you could with a gun. descriptors to open up new credit accounts,
then runs up mega-debts in your name.
Today, you don’t even need the briefcase.
In the first example, you may realize something
Enough preamble, here’s the meat of John is wrong when you get your next credit card
Sennett’s presentation. statement. In the second example, you may
It’s now the 21st Century, and banking, never see a bill until a collection agency knocks
commerce and the Internet have changed the on your door demanding repayment of $30,000
rules of the game. It all started toward the end for that fuschia Lexus.
of the 20th Century with the proliferation of Complaints to the Federal Trade Commission
credit cards. Consumer-oriented have been doubling annually for the
Visa, MasterCharge, and Discover all
eclipsed the more effete titans (Carte …it was said that past few years regarding that second
example (250,000 complaints in
Blanche and Diners Club), while you could steal 2003). Losses to businesses are
American Express picked up the more with a now $32.9 Billion (an average of
corporate side. Following Sears, briefcase than you $10,200 to each business), while
Roebuck’s lead, more and more could with a gun. losses to consumers total $3.8
companies turned to color catalogs to Billion (an average loss of $1,180 to
ply their trade, as 800 numbers Today, you don’t every victim).2 What’s worse, the
replaced expensive bricks & sticks even need the average victim of identify theft will
stores. Add the Internet and dot.com briefcase. spend an average of 60 hours re-
websites, and “distance shopping” negotiating a good credit rating, and
became the new reality. resisting the bill collectors.
Teens who used to steal hubcaps now learned To understand how we are being victimized by
how to hack into mainframe computer systems this new technology, we need to look at human
with lowly Commodore 64 computers and 300 psychology. After all, most of us are social,
baud modems. If your purse or wallet were gregarious creatures, who want to get along,
stolen, you worried more about the data in them, play well with others, learn to share, and not run
than the dollars lost. Laws were passed to limit with scissors.
the honest consumer’s liability to $50 for each
lost or stolen credit card. If you didn’t keep a
copy of that lost data elsewhere (names, 2
On the plus side, we are less frequently bothered by
numbers and 800 phone lines for each credit boiler room con artists and telemarketers at dinner time.
card; drivers license, bank number, etc.) you On the minus side, it’s a bit like termites eating away at
the foundation of your house. You don’t know there’s a
would spend hours retrieving that information problem until it’s too late.
John Sennett referred to something called the

Before getting into a discussion of tips for
Six Peripheral Roots to Persuasion3:
protecting yourself from scams, John offered
1. Authority - we tend to believe something is more anecdotes on identify theft, including one
true, if it is stated by, or attributed to an Arab terrorist who was a sleeper agent in
authority figure; Canada. Acquiring the baptismal certificate of a
2. Scarcity – this item is in short supply, or on dead Québecois, he was able to upgrade that to a
sale for a limited time only, but you must act dozen identification items. (Even then, an alert
quickly; Immigration official prevented him from
3. Liking/Similarity – we want people to like completing his mission when he attempted entry
us, and we like to relate to folks with similar to the United States via the state of
interests or history (the old college tie, Washington).
service buddies, ethnic or religious
The scams are not limited to credit card
affiliation);
purchases of durable goods. Verizon now has
4. Reciprocity - I’d like to do something nice
400 investigators on staff delving into phone
for you, you’ve been such a nice audience. I
bills charged to someone else’s credit card
can offer you a free 56K modem, all you
(hopefully not yours). The electric utilities have
need to pay is the shipping and handling
a similar problem. Yes, there are conveniences
(which will cost twice what the item is
to digital shopping, but headaches as well to the
worth);
naïve and gullible.
5. Commitment and Consistency – we want
to “be nice”, and keep or promises; When questioned about what steps we could
6. Social Custom – we tend to value and trust take to avert financial catastrophe, Mr. Sennett
the written word, even if it’s just dots on a admitted he didn’t own a shredder, but he did
computer screen, or an amazing offer in an reconcile his bank statements promptly,
e-mail. reviewed his credit card bills (more power tools)
immediately, and tempered his “socially
Hearing John’s words, I was reminded that this
engineered” gullibility with a healthy dose of
is an election year, and a lot of the powers of
“buyer beware”.
persuasion relate to more than e-commerce
scams. He recommended we each photocopy the
contents of our wallets, and store that data in a
Having dissected our own brains, Mr. Sennett
safe place. Be sure to have current anti-virus
went on to describe the mind-set of the
software on your computer (to protect yourself,
perpetrators, who have nothing but contempt for
and be a good citizen, avoiding infecting
their gullible marks. They refer to a victim as a
others).5
“mooch”, saying the victim wanted something
for nothing, and instead them gave them We are more likely to be victimized by bogus e-
“nothing for something.” commerce come-ons. Given the large scale of
the Internet, a new “digital boiler room” scam
I’ve always heard that “if it’s too good to be
need only succeed in 1/10th of 1 %. Encryption
true, it’s too good to be true”, and “it’s hard to
techniques, e-mail filters, additional
cheat an honest man”. We are always looking
authentication measures and even bio-metric
for a bargain. John Sennett is into power tools4,
devices can help reduce the chance of chaos.
and has been known to “distance shop” for
routers in the wee hours of the morning.
3 5
Dave Barry might think this would make a great name Editor’s Note: A Firewall is critical if you have Internet
for a rock band. service via a cable modem (like Road Runner). A firewall
4
Binford Tools meets Benford’s Law. is desirable even if you are using a phone modem.
Sennett recommended you go to the big three They are just “phishing” for personal
credit reporting agencies annually to review information about you (credit card numbers,
your ratings. They are Equifax, Experian and date of birth, bank account, mother’s maiden
TransUnion. If you lose your Social Security name). Delete any letters you receive from
card (or someone starts claiming your number), former oil ministers of Nigeria, who need your
call the Social Security Administration at 1-800- help moving an account off-shore. Think of
269-0271. unsolicited e-mail as the equivalent of a stranger
knocking on your door. Do not
The Federal Trade
provide personal identifying
Commission has a website
information to anyone over the
devoted to ID theft:
phone, or via e-mail or Internet.
www.consumer.gov/idtheft
If your bank needs to be
Their website offers valuable reminded of your mother’s
instructions, plus an maiden name, tell them you
AFFIDAVIT form (PDF file) will call them back, then phone
for those of you who may your local branch manager.
have been the victim of
I’d like to close on an upbeat,
identify theft.
personal note about identity theft. The year was
Also, a new law is taking effect in New York 1967, and the FBI were trying their damnedest
State this year, requiring all new ATMs to print to get something on Joe Bananas, the crime
only the last five digits of your account code on family capo from New York City. His business
receipts (and existing machines must be associates (euphemism) had extorted the open-
retrofitted or replaced by 2007). ended use of a Diners Club card from a losing
gambler. Said card was then used by Joe’s son
Sennett also warned us of “frame spoofing”, or
Salvatore, then sanitized as Bill Bonnano, living
those insidious pop-up screens that appear when
in Arizona, riding horses, wearing southwest
using the Internet. They look genuine, but can
style clothing, and acting respectable. When the
draw you into a scheme, and lure you to reveal
gambler tired of the outrageous “vigorish”, he
your credit card number. And those on-line
went crying to Diners Club, and they succeeded
auctions play up the “scarcity” of collectibles,
where the FBI had failed – getting an indictment
drawing absurd bids, even if the merchandise is
and conviction of Salvatore for using someone
delivered.
else’s credit card. My father’s former co-
The follow-up discussion by the group yielded a workers were chagrined (to put it mildly), but
few more valuable observations and ideas. For they learned from the experience.
example, have one credit card with a low credit
We should all learn from our experiences.
limit that you use of on-line shopping (save
your Platinum card for impressing friends at Did I mention that the US Secret Service has a
restaurants). Watch out for spam that looks like fascinating CD-Rom about electronic evidence,
authentic, incredible offers from major credit card forgery (“Forward Edge”)? Not
corporations or absurd discounts on name-brand available in stores. They also have a detailed
items. For that matter, watch out for e-mail guide to seizure of electronic evidence at
links that take you to what looks like a http://www.secretservice.gov/electronic_evidenc
respectable website (complete with color logs).6 e.shtml .
6
As good citizens we need to discourage spam, by NOT
responding to such unsolicited offers. When you are assurance that you are going to the real on-line store, not a
ready to buy something, go to www.walmart.com or spoof. Of course, OFT’s WebSense will block the second
www.victoriassecret.com . In such instance you have the site, but you get the idea.
WHAT KIND OF LEADER

ARE YOU? Impoverished You don’t care much for the
job, or the people in your
While it must be recognized that there are organization, so your focus is
leaders in every field, leaders in every walk in on the minimum effort to get
life, and leaders at every level of an the job done, with limited
organization, this article is directed at YOU, interface with your staff.
because you are an executive, a decision-maker,
a policy setter. One who has considerable Country Club Your organization is pretty
influence on the operation and effectiveness of much a sheltered workshop,
your agency. pampering staff, creating a
A 1969 book by Paul Hersey and Kenneth friendly, family organization
Blanchard, Management of Organizational where nothing gets done, but
Behavior1 took a close look at several models nobody cares, because the staff
of leadership, notably the Ohio State model, the meetings serve great
University of Michigan study, and the refreshments.
Managerial Grid (popularized by Robert Blake
and Jane Mouton). While some of the language Task- You are obsessed with getting
in these studies requires a healthy vocabulary Oriented the job done, without
and post-graduate education, the Managerial kowtowing to human needs.
Grid should be familiar to most of you: You rant and rave when staff
have the audacity to call in
sick, or take maternity leave,
scream when the Legislature
delays approval of your budget
request, and don’t return phone
calls from the Employee
Assistance Program (EAP)
liaison.
Middle of Some may view this style as

the Road mediocrity, others as sanity.
You’ve got to balance
competing demands –
recognizing staff and resource
limitations, while still trying to
get the job done without
obsession. And parts of the job
are impossible anyway.
In 25 words or less, the Managerial Grid looks
inside your head, to determine your degree of Team- Utopia, here we come. You
concern for getting the job done (production) vs. Oriented have somehow managed to
your concern for the social order and motivation recruit and retain highly
of your staff (people). motivated staff, who are on
board with you, delighting in
1
Management of Organizational Behavior: Utilizing getting the job done in the
Human Resources, Paul Hersey and Kenneth Blanchard, most efficient and effective
Prentice-Hall, Inc, Englewood Cliffs, NJ, 1969.
manner. Here’s a few practical hints:

You get bonus points if you recognize Team-
Oriented as the ideal leadership style. This is • Don’t lord it over them. Perhaps you are
the style you should espouse during Civil believed by the Front Office, or have
Service oral examinations. friends in high places. That will not
impress your staff.
More realistically, most of you are probably • Set a good example. Don’t expect your
somewhere around the Middle of the Road in staff to work longer hours than you put in.
style. You started out with high ideals, This may be problematic with flex-time.
imagining an efficient and effective work Still, the rest of the crew get paid lesser
environment, presuming all your staff would be salaries for being on hand 37 ½ hours a
educated and motivated. But then four weeks week. It wouldn’t kill you to give 40 hours
latter when your first paycheck cleared the to the State.
Comptroller’s payroll system, you noticed that • Listen to your staff. There may be people
even those staff with good attendance patterns who have been there longer than you, who
had their limitations. have a few ideas on the subject (and may
Like the secretary who is still tangling with MS have been rebuffed by past administrators).
Word’s mail-merge feature. The motor vehicle There may be people new to the operation
operator with a drinking problem. The lounge lizard who have relevant experience elsewhere, or
hitting on all the female staff. The whiner who is fresh perspective on an operating problem.
always complaining about the job, the people, the • Be scrupulously honest when it comes to
computer system, the forms designs. The veteran management perks. That private office is
employee who has been passed over for promotion
too many times, and is now just counting the days
provided to you to get things done, not
till retirement. You may also be saddled with a have lots of personal phone calls with your
computer systems analyst who insists the solution to fraternity brother (or sorority sister) in
everything is a complicated, artificial intelligence Cleveland.
system that only she can maintain. • Avoid travel junkets. Don’t spend all of
your training budget on a convention in
You’ve probably also identified at least one
Las Vegas. Consider group memberships
employee who makes work avoidance an art
for your staff, so that all your workers can
form, and another who thinks they should have
get in on training opportunities, with
been given your job.
member discounts.
So how do you • Don’t stretch the truth. If you leave the
motivate these house at 7:30 on a business trip, don’t
disparate elements to pretend that you left at 6:30 so that you can
share your vision of a qualify for a free breakfast (like the new
Team-Oriented work- Awesome Omelet at Embolisms’ R’ Us).
place, where people Besides, an auditor will be checking your
are collegial and EZ-Pass records.
collaborative, the • State cars are for State business. Too
focus is on getting the many would-be leaders have sacrificed
job done effectively and efficiently, without more than their reputations, treating the
concern for individual egos and rewards? company car as a status symbol. State
agency license plates are distinctively
numbered – don’t park in front of an
establishment that would offend your
mother.
• Cell phones are not toys. Sure it may be

capable of text messaging and low-
resolution photos. Let the middle school
kids enjoy those features (and let their
parents pay dearly for them). Besides, you
will be so busy motivating your staff one-
on-one, that you won’t have time to jabber.
And turn the rude thing off when you are at
a conference, in a restaurant, riding up the
elevator, or at an Inaugural Ball (West
Wing staff excepted).
• Don’t sweep things under the carpet.
Deal promptly and effectively with
situations that adversely affect your staff
and/or your program.
• Don’t pressure your staff to contribute You’ve all seen examples of those “clear and
to your pet causes. Whether it is political, concise” brochures aimed at the rank and file –
religious, charitable or social, their time insisting that they toe the line on countless rules
and money is theirs alone. You do not and regulations, all in the interest of
want the Ethics Commission to know your accountability. Well take a look at the
name. alternative brochure “What to Expect from
• Don’t play favorites. Sure, some of your Management.” The brochure is written from
staff are easier to deal with than others, and the perspective of the rank and file – and their
some of your staff are more productive. expectations of what managers should do, and
You are responsible for ALL your people, how they should treat their staff. Take a good
so make sure each and every one benefits look at the brochure, then ask yourself: “Can I
from your leadership, and is provided with live up to these expectations?”
opportunities to excel.
• Fight for your people. You are in a chain The brochure (you probably ignored my advice
of command, which effectively makes you to read it just now) also details a lot of
“monkey in the middle” when problems expectations for a positive work place - a drug-
occur. This may irritate your own bosses, free, bias-free sanctuary (unlike the outside
but they need to be kept in the loop. Just world where parents worry about drive-by
be sure you have a list of solutions to offer shootings; immigrants, minorities and other
them. “different” people are demeaned by bullies;
hospitals double-bill; and hung-over mechanics
Maybe this sounds a bit like “Eight Simple both a simple oil change).
Rules for Dating My Teenage Daughter”. The
important thing to remember is that you are Come quitting time, each of your staff must go
NOT a breed apart. Your group may have had out and deal with that outside world (including
fewer cavities than theirs, but it wouldn’t hurt to gasoline costs, heating bills, supermarket lines,
floss after lunch. traffic jams, etc.). Wouldn’t it be nice if they
could focus on the job at hand during office
hours? Read the brochure.
Internal you cannot point back to such a mandate, then it’s

Control ~ time to ask some questions.
Grasping At In each of your operations/pro-grams/functions,
Straws? you are trying to achieve one thing, while
avoiding another. Public assistance programs aim
For years, managers and executives in the private to provide an economic safety net to those in
and public sectors have sought foolproof ways to need, while ferreting out fraudulent activity that
improve their bottom line, be it enhanced profits scams the system. Health agencies are concerned
or improved services. Those of us in government about affordable and professional medical
service may recall past and current attempts by services, but need to be alert to unethical practices
New York State to improve its operations. We amongst pharmacies, doctors and business offices
have seen a wave of centralizing and alike. Nuclear regulatory agencies are caught in a
decentralizing services, be it computer support, Catch-22, with citizens nervous about radioactive
fleet management, telecommunications – each waste and reactor accidents, while at the same
change an attempt to enhance performance time our dependence on foreign oil has far-
beyond mediocrity. reaching consequences.
Back in the 1960’s, the State of New York This may seem an awfully Big Picture to those of
employed a variety of management you with more mundane concerns, like licensing
improvement tools and techniques; PPBS day care centers, giving eye tests to drivers, or
(Program-Planning - Budgeting – dissecting crows and bats to monitor
Systems), followed a few years environmental health. But civilization
later by PAR (Program Analysis as we know it depends on all its
& Review). The next wave of complex parts working efficiently,
experimentation included MBO effectively, and honestly.
(Management by Objective),
TQM (Total Quality Management)
and HPO (High Performance
Efficiency vs. Effectiveness
Organization) as mechanisms for Jargon and buzz-phrases do not
improving productivity, improve communication for the
accountability and ultimately the bottom line. uninitiated. And pet phrases from various
management theories can age out rapidly. But
A recent Dilbert cartoon featured our hero of the
there is more than a semantic distinction between
cubicle interviewing a prospective employee. We
certain pairs of similarly sounding words.
have a slogan: “All our employees are
empowered”, to which the would-be recruit Efficiency – you may be able to process the
parries with “If all your employees are paperwork from applicants in record time, at a
empowered, why do the need a slogan?” rock-bottom price, with every entry scrutinized
for completeness, but
All these past and current management trends
have many things in common, so let us focus on Effectiveness – depends on the front-end of the
the logic of what it takes to run a smooth process being tied into other activities, to ensure
operation – especially one with changing program goals are met. For example, does anyone
mandates, shrinking workforce and tight budget. double-check the veracity of the information
contained in the application? Is the information
For starters, everything you do in government
collected relevant to the program function, be it
should relate back to legislation, be it your
licensing, small business loans, employability, or
agency’s enabling statute, or a patchwork quilt of
eligibility for public assistance?
laws and regulations added through the years. If
What is Internal Control? know what grade level they are – are they living
beyond their means?
Internal control is NOT a collection of
disconnected processes and procedures. Internal Of course, getting to know your people also can
control IS an integrated approach to sound be a positive experience. Your file clerk by day
management. It may involve specialized may be a web designer at night. Your senior
equipment (combination locks, computer accountant may be a wiz at restoring old Jaguars.
passwords, refrigerator thermometers, smoke The shop teacher in your facility may be bilingual.
detectors, fire extinguishers, etc.) but most of all it Your youth counselor may be a talented musician.
depends on PEOPLE. People who understand the Just as government is the sum of its parts, we as
why’s and how’s of the program, the significance individuals are the sum of our parts – our unique
of information generated, the purpose behind all background, education, talents, passions, biases,
that specialized equipment – and when to ignore ambitions, and even our clinical depressions.
it.
Part of getting to know your people involves
Internal control certainly involves getting to know what they are good at.
PROCEDURES – be it OSC payroll requirements, Micromanagers plague those who are quite
OGS purchasing, OFT computer security, EZ- capable of working without supervision. Laissez-
Pass scanners or State Police radar – but each of faire managers are the bane of those who require
these procedures depends on people, people constant attention to stay focused on tasks. And
talking to other people, people entering most of your people will be somewhere in
accurate/timely data into computer systems, between – excelling at the things they enjoy, and
people following up on problems and exceptions avoiding the onerous.
to the rule.
Some Definitions
Know Your People
We cannot totally escape some “boilerplate”
There are people who are clearly uncomfortable definitions of internal control, though we can
when we bring up this topic. They think that there discuss them logically.
is an ironclad rule of privacy that prohibits them
from learning anything personal about co- In New York State government, Internal control is
workers. a process, designed to implement a legislative
mandate, executed by executive, management,
True, when hiring new workers, there are certain supervisory and line staff, to provide reasonable
questions that are rightfully prohibited during the assurance that objectives will be achieved
interview process. Your race, ethnicity, religion, effectively and efficiently, in compliance with
marital status, political affiliation and sexual applicable laws and regulations, supported by
orientation have no part in the reliable financial and program reporting.
recruitment/selection process, be it for initial
employment or promotion. But this does not Reasonable assurance – takes into consideration
prohibit you from learning a little bit about your the significance of the program or activity (e.g. its
staff once they are on board. cost, impact on people, effect on agency
reputation), likelihood of error (some risks go
For example, does someone belong to an with the territory), and relevance and affordability
organization that is antithetical to the vision and of controls to those risks.
mission of your agency? Are they working a
second job somewhere that constitutes a conflict
of interest, or interferes with their productivity
and attendance at their government job? You
Five Components of Internal Control 3. Control Activities

Currently there are five major components of a Policies and procedures can help ensure success, by
good internal control system (equally applicable controlling significant risks. They include activities
such as approvals, authorizations, verifications,
to large or small organizations):
account reconciliations, operating reviews, protection
1. Control Environment of assets and segregation (or separation) of duties.
Do you deal directly with the public? In an office or The challenge for government workers here is to avoid
residential setting? Do you handle large volumes of over-control of insignificant risks, while avoiding
transactions, with or without a monetary component? under-control of significant risks. For example,
Does your executive set an example for ethical values drivers must have their vehicles inspected annually by
and integrity? Does your agency seek, train and retain a professional, licensed third party. Getting that
competent employees? What is your management’s sticker from your brother-in-law who never looks
philosophy and operating style? Are you highly under the hood may keep you from getting a traffic
centralized, or are offices/facilities/decisions ticket, but won’t protect you from that icy hill in
decentralized? Is there an independent oversight body February. By the same token, checking your tire
that reviews and evaluates your successes, and your pressure and oil level periodically is wise, but if you
failures? start doing this twice a day, someone might think you
have an Obsessive Compulsive Disorder.
Is your workforce stable? Does your agency have a
long-standing, positive reputation in its field? Are the Your main concern is getting the job done in a timely
resources provided commensurate with your and accurate way. Accuracy also means honesty. Get
responsibilities? Are your computer networks secure, those three bids in writing from reputable firms. Lock
your data stable, your offices safe and environmentally up valuables overnight. Have someone balance the
healthy? checkbook who doesn’t write the checks. Call up past
If you can answer YES to each of these questions, we employers and schools/universities to verify an
would then ask you if there are any job openings applicant’s work history and educational credentials.
within your organization. But, seriously, you get the Have your fire extinguishers inspected annually, and
picture – all these things affect your work, your recharged as necessary. Change those computer
agency’s mission, and how you feel about your job. passwords when an employee leaves your agency, or
your bureau.
2. Risk Assessment
We are all familiar with the logical procedures
Every operation faces internal and external risks – be it involved in purchasing – including physical count of
employee pilferage, contractor kickbacks, applicant the goods received examination of their quality, date-
fraud, bogus credentials, communicable diseases or checking of dairy goods, etc. But did you know that
computer network failure. Something as simple as a the temperature at which crude oil is delivered can
faulty smoke detector can interfere with success. affect how many gallons are actually provided? Was
Handling hard currency requires special procedures. that shipment of flu vaccine you just received part of a
Agencies that serve residential populations in a 24/7 manufacturer’s recall?
setting must focus on the special risks not inherent in a
9 to 5 office operation. Blacktopping your driveway is 4. Information and Communication
not as risky as bridge and tunnel construction, though Certainly, those in the military know the value of good
you won’t want to track anything indoors. information and communication. Knowing where the
Risk assessment is an ongoing process that identifies enemy is, where your own troops are, and the location
the likelihood of a risk, the potential magnitude of a of innocent civilians are all important elements of war
risk, and the degree to which such risk could interfere and peace. The Pentagon may term this military
with your agency’s mission and program success. Has intelligence, or command & control, but it is what it is.
it happened before? Then it will happen again, unless Phrases like “friendly fire” and “collateral damage”
you establish procedures to control such risk. pop up when communication fails.
All too often in a hierarchical system, information is corrective action, and engages in follow-up activity to
“managed”, i.e. it is restricted to a limited few (under ensure their warning was heeded.
the theory that “knowledge is power”.) Some
A supervisor “monitors” staff attendance via visual
supervisors also embrace the Nike slogan “just do it”
observation, phone calls, computer log-in and/or spot-
when an employee seeks a greater understanding of
checks on-site. A program manager “monitors” grant
his/her role and responsibility.
activity through conversations (phone or in-person)
With apologies to the State Police and Department of with service providers or clients, or on-site visits to
Correctional Services, most of you will never be local service providers. A grant administrator
instructed to storm a building or tackle a fugitive, so “monitors” expenditure activity on a periodic basis by
you should have time for the luxury of knowing why reviewing expenditure reports or claims on a monthly
you do what you do. Knowing “why” may also or quarterly basis, comparing them to projections.
improve your chances for finding a more efficient and
Within the broad category of “monitoring” we can also
more effective way to do your job.
place “evaluation” and “auditing”. The distinction
Effective organizations are not afraid of information between these activities and managerial monitoring is
and communication. They look upon their employees primarily organizational.
as colleagues, are not afraid to answer questions, or
To ensure independent, unbiased thinking, evaluators
even consider new ways of doing things.
and auditors cannot be part of the operation being
Transforming an ineffective organization involves
reviewed. Evaluators are frequently specialists in
more than taking a few HPO or TQM classes, giving
program areas, employing research methods to
speeches or cutting ribbons. It involves development
determine the effectiveness of program services.
of a corporate culture that encourages communication
Auditors (in the past) focused on financial issues,
up and down the ladder, and sideways between
employing accounting skills to review inventories,
divisions and bureaus. Yes, you should still read the
fiscal resources, integrity in payrolls, purchasing and
manual, but comparing notes with your peers can be
grants. But more and more, auditors are becoming
invaluable.
management generalists, with a growing
Much of what we do in government is repetitive by its understanding of agency goals, program specialties,
very nature. Every year Taxation & Finance deals and bottom-line criteria of success. And of course,
with the same eternal issues. Every year, thousands of auditors will tell you they are there to help you.
citizens smile into the face of the DMV’s flattering
camera. Every year, the courts deliver thousands of all Tying It All Together
ages to our facilities, for education, correction, A good internal control system depends on “synergy”,
rehabilitation, medical treatment and the like. With i.e., the whole should be greater than the sum of its
long-established processes in place to continue these parts. The five components discussed above should
activities, there should be time to talk about the job, form an integrated system that reacts dynamically to
compare notes, and envision alternatives. changing conditions. Internal controls are most
A side issue for some, but it effects all – open effective when they are built-in to an operation, not
communication between interested parties, be they added on by some external force. In other words,
regulators, “stakeholders”, families, advocacy groups, don’t do it because the law says you have to do it. Do
legislative bodies or advisory groups. it because it makes sense.
5. Monitoring Be on the lookout for changing conditions. Staff

turnover, new legislation, demographic changes in
On an ongoing basis, managers need to monitor population served, unusual weather conditions,
operations – to assess the quality of the system’s economic downturn, or even terrorist attack all require
performance over time. This includes regular quick response to changing conditions. Youth
management and supervisory activities, and other facilities and adult correctional facilities must pay
actions personnel take in performing their duties. The attention to judicial system flow-through, when
focus should be on critical aspects of an operation to constructing and staffing residential facilities. The
ensure that key elements are conducted properly. Department of Transportation has its hands full
Where performance falls short of expectation, monitoring traffic chokepoints throughout the state
managers need to notify those responsible for taking
(you may think the Northway is intolerable at rush Case Studies

hour, but we are a distant second place to other
roadways to the south and west). The following Case
Studies depict a proto-
The reasonable assurance doctrine requires that all
typical work process that
five components of your internal control system (a/k/a/
would be influenced by
management control) work together. When they do,
the establishment and
your job is easier. When they don’t your job is
application (or absence)
virtually impossible.
of internal controls.
What Internal Control Cannot Do Trainee(s) would be asked to:
Internal control cannot change a poor manager into a 1. Evaluate the control environment to determine
good one. But it can change a good manager into a the level of inherent risk,
better one, and set the stage for the next generation of 2. Determine what controls would need to be
managers. This is an important consideration, given imposed to provide 'absolute assurance',
our rapidly aging work force.
3. Of those controls, which ones would provide a
Shifts in government policy or programs, competitors' satisfactory level of 'reasonable assurance?'
actions or economic conditions can be beyond your
control, but at least you will be the first one on your 4. How would reasonable assurance controls be
block to recognize this. implemented?
Internal controls cannot guarantee an ironclad defense 5. How might they be monitored?
against fraud, waste and mismanagement. Human
nature is what it is, and there are those who are 6. How might communication flow support or
indolent, deceitful and imaginative just waiting to stifle the success of the controls in minimizing
scam your system. risk/maximizing success?
An internal control system, no matter how well

conceived and operated, can provide only reasonable--
not absolute--assurance that you will achieve your
objectives. Judgments in decision-making can be
faulty. Breakdowns can occur because of simple error
or mistake. Controls can be circumvented by the
collusion of two or more people, and management may
choose to override the system. There are also resource
constraints, and the benefits of controls must be
considered relative to their costs.
Internal control is an essential tool in achieving your
objectives, but it is not a silver bullet. When
combined with well-trained, motivated staff working
within an environment where the goals are clear,
internal controls will enable a manager to successfully
attain their organizational objectives both efficiently
and effectively.
“WE NEVER SAW IT COMING”
FAMOUS DISASTER WARNINGS IGNORED
The O-Ring Failure on the Space Shuttle

One Morton Thiokol engineer expressed concerns about the
effect of cold weather on the o-ring seals of the Space Shuttle
Challenger’s booster rockets. He was told to mind his own
business.
Flight School Training for Arab Terrorists

A female FBI agent (Coleen Rowley) in the Midwest expressed concern over the number of foreign
nationals taking flight training. They didn’t want to know how to land the jets, just fly them. She was
ignored by her bosses – after all, she was a woman. What do they know about terrorists?
BACKGROUND CHECKS
The Walker Spy Family

A low-ranking Pentagon code clerk shows up for work in a brand new, shiny red Ferrari. A rich aunt?
A lottery ticket? Nobody checked. He threw lavish parties, too. Were you invited?
BOGUS CREDENTIALS
Albany VA Hospital
The VA never checked the credentials of a medical researcher,
who doctored his undergraduate transcript (from St. Rose
College), was dismissed from medical school, then played
doctor at the VA, leading to the deaths of cancer patients. The
case has been dragging on for several years. At first the
hospital administration tried to dismiss allegations of
wrongdoing. Now it is going to cost them dearly.
COOKING THE BOOKS
Barings Bank
Singapore trader (Nick Leeson), working without supervision, fluffs up
accounts, engages in highly risky investments, losses totaling 830
million pounds - leading to bankruptcy of firm. He made the losses look
like profits!
Other luminaries in creative accounting:

Arthur Andersen and ENRON (whistleblower - Sherron Watkins);
Parmalat (founder - Calisto Tanzi); WorldCom (whistleblower - Cynthia Cooper)’ Lincoln Savings and
Loan, Tyco (Former Tyco International director Frank Walsh has been arrested and charged with
securities fraud after allegedly receiving a secret $20m (£12.5m) payment.); Lawrence Insurance Group
(Albert W. Lawrence - Llenroc a B & B)
Urban League of Albany

It’s board of directors was a Who’s Who of local politics, including
Albany’s Catholic bishop. But Aaron Dare kept juggling real estate deals,
including a promised jobs/lease arrangement with a suspect telemarketer.
In the end, the entire house of cards collapsed. None of the board members
were held personally liable for the $500,000 owed to the IRS (the ten
members could have each been tapped for $50,000). Due diligence? It
happened on their watch.
Capital Region BOCES

If he had just waited a few more months to retire, the treasurer could have
covered all his tracks. Instead, an inquiry from Schoharie County about a
small accounting error led to discovery of a multi-million dollar
embezzlement. When he retired, he bought a new car, a boat, and a
vacation home. No one would ever suspect!
BOCES RETIREE GOING TO PRISON

Wednesday, November 22, 2000 Page: B1
The former treasurer for Capital Region BOCES who stole $3.7
million from his employer and used the money to buy expensive
cars, homes and a boat, was sentenced Tuesday to five to 15
years in state prison.
Not to be outdone, two Long Island school district superintendents were charged with similar creative
accounting practices in 2004. OSC had a few harsh words to say about the auditor who reviewed
Roslyn (LI) books. That auditor had the account for 12 years. Did I mention the audit firm also sold the
accounting software used by 250 NYS school districts, including Roslyn?
A Grand Island BOCES staffer pled guilty to a mere $40,000 theft. Chump change!
William Cabin and the Lieutenant Governor’s Office

Phantom employees on the payroll let then Lt. Gov. Mario Cuomo’s Chief of Staff buy up lots of Centre
Square real estate. Fortunately, he turned a profit, which kept him out of jail, and gave the State an
excellent return on his investment.
Billie Sol Estes and the Magic Silos

Back in 1961, LBJ confidant Billie Sol Estes applied for some
agriculture loans, using the same handful of tractors and silos as
collateral. He graciously flew the auditors from one side of Texas to the
other, in his private plane, so they could conduct inventory. Meanwhile,
his staff were changing the numbers on the silos, and gluing new serial
numbers over the old on his tractors. Once the paint and glue dried,
he’d fly the auditors back to the other side of the state, so they could
inventory the “additional” property.
Did I mention the murder of USDA staffer Henry Marshall It was
originally ruled a “suicide” – he managed to shoot himself five times
with a bolt-action 22.
ALBANY TIMES-UNION ARCHIVES

ACCOUNTANT EMBEZZLED ALL THE CASH HE WANTED
Friday, June 4, 1993 Page: A1
John James Lugas needed far more than his $26,800 salary as an Air Force accountant to feed an
insatiable appetite for expensive cars, Rolex watches, diamond jewelry and beautiful young women. So
he exploited weaknesses in the Air Force bookkeeping system for three years to make sure U.S.
taxpayers paid for his avarice. He siphoned more than $2 million without arousing suspicions of officials
here at Reese Air Force Base on the wind-swept plains of west Texas, or higher up in the chain of
command.
THEFT CASTS CLOUD OVER SUNYA WEATHER CENTER
THURSDAY, March 29, 1990 Page: B1
Instead of reading the maps in the weather center at State University at Albany, five graduate students
pored over newspaper stories about one of their professors in trouble. Lightning expert Richard Orville
pleaded guilty in Albany County court Tuesday to stealing computer data from SUNYA that he sold for
$604,000, part of which he used to buy a car and a town house.
FORMER BANK AIDES ADMIT EMBEZZLEMENT
Thursday, September 15, 1994 Page: B4
ALBANY Two former employees of Albany Savings Bank pleaded guilty Wednesday in federal court
to stealing more than $47,000 from an elderly customer, using their jobs to create ATM cards to get into
the man's account. Joseph C. Debrango, 46, of Grove Street, Rensselaer, and Robert H. Arket, 36, of
Sanders Avenue, Scotia, will be sentenced Nov. 30 on charges of conspiracy to embezzle bank funds
and of forfeiture.
INSIDE THE EMBEZZLER'S MIND - CRIMINOLOGISTS DETAIL PATTERNS OF MONEY
PRESSURES, ACCESS TO CASH AND RATIONALIZATIONS
Sunday, June 25, 2000 Page: C1
When fallen insurance magnate Albert W. Lawrence diverted $38 million from policyholders,
employees and others for his own purposes, he was following a classic pattern among white-collar
criminals, experts say. First came the financial pressure, then the opportunity to take cash and, finally,
the rationalizations.
State Legislature – interns (sex scandals) – How the might have fallen.
Assemblyman Roger Green – travel abuses lead to resignation
Thruway Authority – Canal Land Deal (overturned by OSC)
4 MTA employees charged 1-12-05 with illegally taking gifts including deluxe meals and gifts from
vendors (chump change -
New York Racing Association (money laundering by pari-mutuel clerks; lavish perks for execs)
New York Bridge Authority – executive resigns in disgrace over travel expense improprieties.
MORE SCANDALS IN THE NEWS (Various Internet Sources)

NYC scandals of 2002 featured an array of miscreants, including:
• Angel Rodriguez: The City Council member from Brooklyn resigned after pleading guilty to
taking bribes to win his support for construction of a supermarket in Red Hook
• Anthony Serra, a Rikers Island prison official forced to resign for allegedly coercing Corrections
Department employees to work in Republican political campaigns.
• More than half of the city's plumbing inspectors were charged in June with taking bribes in
exchange for allegedly approving plumbing work without doing required inspections. Mayors
have tried and failed to clean up the Buildings Department, where the plumbing inspectors work,
and so, in the wake of the scandal, Bloomberg vowed that he too would tackle the longstanding
mess.
• Eighteen current and former New York City tax assessors were indicted in February on charges
that they accepted millions of dollars in bribes over 35 years in order to cut the property taxes on
500 buildings in the city. The alleged corruption cost the city some $160 million in tax revenues
in the last four years alone.
• These instances of malfeasance, however tawdry, were sadly predictable and local. But
newspapers throughout the nation took notice in November when it became known that financial
analyst Jack Grubman helped engineer a $1 million contribution from Citicorp to the 92nd Street
Y in order to improve his twins' chances of being admitted to the Y's selective nursery school.
The incident stepped over the line from surreal to scandal with allegations of what the Wall
Street Journal called a kid pro quo: Had Grubman altered his analysis of AT&T in order to win
the contribution? After all, the analyst and father said, "there are no bounds for what you do for
your children."
REAL ESTATE MOGUL SUES NEW YORK CITY FOR $500M . Real estate mogul Donald Trump
has sued the city of New York for $500 million, claiming a tax assessor bribery scandal forced him to
sell apartments at a luxury building at below-market prices, a published report said. Trump said corrupt
tax assessors hiked up taxes at Trump World Tower, a 72-story building near the United Nations, in
order to cover up their scheme to lower taxes for certain landlords, The New York Times. Authorities
said that Assessors took bribes totalling $10 million in exchange for lowering assessments on
commercial properties, mostly in Manhattan. At least one former tax assessor who pleaded guilty said
assessors would raise taxes on some properties in order to hide the lower taxes on others. (World News
(AP), November 8, 2002, summary by Sherldine Tomlinson).
School administrator admits to three felonies. Sheila Johnson-Moore entered a guilty plea in
County Court Thursday, 2/25 to embezzling $26,208 from the Buffalo School District. She had been on
paid suspension from her $60K+/year job for several weeks. The 39-year old black woman has a
criminal record which local school authorities had been warned about repeatedly when she began work
for the school district, and several times thereafter. She was strongly supported by former
Superintendents of Schools Thomson and Harris. Johnson-Moore was caught in the most recent felony
as a result of an investigation by the Internal Revenue Service. She had been allowed to be sole
financial administrator for a $800,000 federal grant. The matter has brought wide-spread public
outrage. An investigation into how Johnson-Moore got away with the embezzlement, and how her
previous criminal record could have been ignored, is reported underway. (2/25)
Schools had been warned three times of administrator's criminal record. The Buffalo
News reported that warnings about the criminal past of Sheila Johnson-Moore had come three times to
the Buffalo School district over a period several years from federal authorities. Still, the school district,
under the direction of Superintendents Thomson and Harris, continued to employ and promote Johnson-
Moore. A member of the Board of Education said this past week that an inspection of Johnson-Moore's
personnel file indicated that the warning communications from the federal government had
"disappeared." Meanwhile Johnson-Moore continues to draw her $60K+ salary while on suspension.
The investigation into improper handling of grant money in the Buffalo Schools reportedly is still
expanding. (1/23)
Administrator had been convicted of previous embezzlement. One of the targets in a probe
of "mis-handling" of a $800,000 federal grant to the Buffalo schools reportedly has an extensive police
record. The Buffalo News is reporting that Sheila Johnson-Moore had been convicted of embezzling
$23,991 from a federal minority program at an Tuskegee University in Alabama. That scam took place,
The News reports, before the 39-year old woman was hired in Buffalo first as a teacher, and then quickly
promoted to an administrator under the regime of former School Superintendent Albert Thompson. The
newspaper is also reporting in Sunday, 1/9, editions, that Johnson-Moore illegally collected welfare
benefits and food stamps from Erie County Social Services starting about mid-1990 and continuing
through 1991---a time when she was employed at a good-paying job with the Buffalo School District.
That scam, The News reports, was made possible by her use of the name Stella D. Moore. Johnson-
Moore is said to be making about $60,000 a year in her present position with the Buffalo Schools, a
position she has been on fully paid suspension form, since late last year. (1/9/00)
Roosevelt NY, head of private school, Shelly Williams, 1979 founder of Upward Prep School (private)
with emphasis on high test scores, etc. is charged with embezzling $329,000 of day care funds provided
by Nassau county. About $92,000 was diverted to improve her home in Old Westbury. $237,000 was
diverted to her personal account. (NYT, Apr 6, 2K, p. B8).
Other Scandals
PAXIL (GlaxoSmithKline anti-depressant) – linked with suicides in adolescents
Rensselaer – Police Chief vs. Mayor re using city gasoline for personal use. Bad press, but judge
drops charges.
Pick Six Betting Scandal (Autotote Employee rigging Breeders’ Cup “winning” ticket) They almost
got away with it.
Albany Police Department – improper use of drug forfeiture moneys for non-criminal justice purposes
(like retirement parties and artwork). $40,000+ involved
UN Oil for Food Program - Kofi Annan’s son implicated (appearance of impropriety). Other UN
officials bribed.
New York City – Park Avenue Armory, a favorite for antique shows. Staff extorted free Persian
carpets from exhibitors. Meanwhile, Javits Convention Center staff involved in other strongarm tactics.
WHY DOES INTERNAL • A dedicated and talented MSW stretches things

on a timesheet or travel voucher. When nobody
CONTROL MATTER? notices, she gets greedy. After all, “we aren’t
Say the words “internal control” and they are paying her what she’s worth.”
automatically confused with “internal audit”. • An information technology wizard is assigned a
Internal audit refers to a small group of trained cell phone, sign of on-call importance. Before
you know it he’s running up a monthly bill of
professionals who review accounts and business
$300 for personal calls.
practices, scrutinize databases and sample paper
• An executive is assigned a State car for business
records. All this in an attempt to identify travel. Soon his own car is up on blocks in his
weaknesses in an operation that could lead to garage, as every trip takes on governmental
fraud, waste or mismanagement. significance. The oil changes and car washes are
Enter the Internal Control Act, and now the on us, too.
• A building inspector regularly receives free
emphasis is on “accountability”. There is more
tickets to Yankee Stadium from the builders he
involved than just money. Agency reputations, inspects. “Hey, we’re not talking World Series
government credibility, and taxpayer support are here. It’s no big deal.”
all at risk. It’s more than a question of • A correction officer or teacher
pilferage from agency coffers. The takes a personal interest in an
very funding of government inmate or student, abandoning
programs is at stake. all pretense of professional
detachment.
Internal control involves more
• The Merit System is “tweaked”
than internal auditors – it by Human Resources, so that a
involves every government lesser-qualified candidate rises
employee. Front line, in an organization. Diversity is
supervisor, executive. And if also sacrificed.
you are lucky, it also involves • A school bus driver forgets to
citizen advisors and the general take his BP medication, then
public. Each of us knows a little drinks his lunch. The roads are
bit of what goes on in a government agency. hilly and icy.
Each of us has a sense of smell, and an ounce or • A grant decision or contract determination is
two of curiosity when things don’t add up. based not on its merits, but on influence of
political pressure or economic incentive (bribery
Yes, we have accounting systems in place, is such a dirty word).
segregation of duties when it comes to major • A doctor is involved in clinical trials, but her
expenditures, elaborate and onerous procedures investment portfolio includes a lot of
for contracting and purchasing. But all these pharmaceutical stock.
systems depend on trust, open communication • A contractor substitutes an inferior grade of steel
and personal integrity. When any of these three or concrete on a bridge project. Nobody will
elements are missing, disaster is imminent. notice for 20 years.
• A school teacher marks on a curve so that Johnny
Not all these disasters will make it to the who can’t read can move up to senior year. He
Evening News. More likely you are aware of a can always hope for an athletic scholarship when
series of minor disasters, individually his College Boards bottom out.
insignificant, but added together they can spell • An executive spends an inordinate amount of time
the downfall of an empire: on charitable work, drawing subordinates into the
process. It’s not like she is profiting monetarily
from their efforts. Heck, we even give that
charity a Member Item every year.
• A purchasing agent can get a great deal from her In the ‘60’s, the Administrative Analyst’s
cousin, but he is not on state contract. Handbook had a quote: “An administrative
• A computer programmer pads her resume to get analyst should have a passion for anonymity.” I
the dream job she can’t handle. She holds things didn’t agree with that quote back then. But
together with a patchwork quilt of subroutines, today, with Gossip TV, yellow journalism,
but the day is drawing nigh when the entire muckraking and mudslinging back in vogue,
system will collapse under its own weight. your 15 minutes of fame may not be what Andy
Warhol envisioned.
No, the sky isn’t falling (though the bridge
might). But each of these instances, Do you really want to be quoted in the New
unaddressed by management and colleagues, York Times, the Albany Times-Union or the
spells trouble for accountability and agency Syracuse Post-Standard? Do you want 60
success. Minutes to do a feature on you, when you were
asleep at the switch? How about Fox News?
To the executives and managers I say – your
only hope is to listen to your people. Call them
the front line, underlings, subordinates, office
Rather fail with honor than succeed
temps, whatever. Listen to them, for
collectively they are the ones who know what is by fraud. - Sophocles
going on. You may be the only one who can put
all the pieces together, and do something about
it. But that’s your job.
ANATOMY OF FRAUD
Uniform Occupational Fraud Classification System
MAJOR CATEGORIES
I. CORRUPTION
• Conflicts of Interest
Purchase Schemes (split vouchers to avoid
competitive bidding)
Sales Schemes
Other
• Favoritism and nepotism in hiring,
purchasing or client services
• Governance in-breeding
• Bribery
Invoice Kickbacks (vendor collusion)
Bid Rigging (phony bids or no bids)
Other (bogus inspections, licenses granted)
Political (votes promised, nominations & endorsements)
• Illegal Gratuities
Christmas Presents
Theatre Tickets (Broadway)
Free Travel & Lodging (conventions)
Expensive Dinners or Country Club Greens Fees
Free Product Samples (laptops or cocaine)
Gift to Favorite Charity
• Economic Extortion (Political Extortion too?)
“By me, or I’ll sue”
“I’ll tell them about the freebies”
“I have the negatives”
II. ASSET MISAPPROPRIATION

• Cash
Larceny (outright theft or embezzlement)
Skimming (cash receipts, charitable donations – cash or goods)
Fraudulent Disbursements
• Billing Schemes (shell company, personal purchases, collusion, fictitious goods)
• Payroll Schemes (no-shows, phony overtime, attendance abuse, workers comp)
• Expense Reimbursement Schemes (multiple and/or padded travel vouchers)
• Check Tampering (altered payee, diverted checks, forgeries)
• Cash Register Disbursements (false refunds, false voids)
• Company Credit Card (personal use)
• Inventory and Other Assets

Misuse
• Cell Phones, Gasoline, Vehicles, Computers, Copiers, Long Distance
Larceny
• Asset Requisition & Transfer
• False Sales & Shipping
• Purchasing & Receiving
• Unconcealed Larceny
III. FRAUDULENT STATEMENTS

• Financial
Asset/Revenue Overstatements
• Timing Differences (fiscal year roll-overs, delayed payments)
• Fictitious Revenues (inflated sales figures, bogus bonuses)
• Concealed Liabilities (stockholders will never know)
• Improper Disclosures (insider trading, trade secrets)
• Improper Asset Valuations (conceal company’s true value)
Asset/Revenue Understatements
• Tax Avoidance
• Deflate Sales Staff Commissions (favoritism/revenge)
• Non-Financial
Employment Credentials (often unverified, liars win)
• Diploma Mill PhD’s
• Forged Licenses or Degrees
• Fake Identification (criminals / illegal aliens)
• Concealed criminal history
• Padded Resumes, bogus references
Internal Documents (examples?)
External Documents (examples?)
Source: Association of Certified Fraud Examiners

2004 Report To The Nation On Occupational Fraud And Abuse.
; CHECK YOUR STANDARDS

A. AUTHORIZATION CONSIDERATIONS:
1. Execution & a) Is there a set of written policies & procedures - including an updated
organization chart?
Authorization: b) Are employees made aware of policies & procedures?
c) Is employee or supervisor acting within scope of authority?
d) Are staff following management's intent?
2. Separation of
a) Are duties clearly defines so that no one individual is responsible for a
Duties: transaction from start to finish?
b) Are procedures designed to provide appropriate checks & balances?
c) Are key duties/responsibilities for authorizing, processing, recording and
reviewing transactions divided among individuals
(e.g. different individuals authorize purchase / receive goods)?
d) Are sensitive functions rotated periodically?
B. DOCUMENTATION
a) Are transactions promptly & properly recorded by persons other than
those authorizing transactions or having custody of assets?
1. Recording of b) Does documentation include pertinent facts (names, dates, dollar
Transactions: amounts, description of occurrence, purpose of transaction)?
c) Are documents inventoried to determine who uses them and how they
are stored?
a) Are documents (paper files or computer records) readiliy available for

2. Retrieval of examination?
Information: b) Do you have a contingency plan for disaster/loss recovery of
information?
a) Is access to information limited to authorized individuals?

3. Access to b) Is use of information limited to appropriate individuals?
Information: c) Do you have a procedure for secure disposal/shredding of confidential
information?
C. ASSET a) Is access to assets (cash accounts, food stocks, equipment inventory,
PROTECTION vehicles) limited to authorized individuals? Remember - information is
an asset. Are paper and computer files properly secured?
1. Access to b) Are assets secured in safe, locked filing cabinet, locked room. etc.?
Assets: c) Are keys/combinations controlled and limited to authorized personnel
only?
2. Accountability a) Are individuals assigned/accountable for specific assets (e.g. stores,

for Assets: gasoline supplies, commisary) ?
b) Are physical assets maintained in safe working order (e.g. vehicles,
computers, copiers, appliances?
c) Is periodic inspection of facilities made for health & safety safeguards
(e.g. fire extinguisher recharging) ?
3. Reconciliation a) Are assets (e.g. computer equipment) duly tagged or labelled (with a
of Assets: decal)?
b) Is an inventory of equipment and/or supplies kept and updated
appropriately?
c) Is periodic comparison made of the physical resources vs.
documentation (equipment/supplies inventories, bank reconciliations,
heating oil tank readings) ?
COSO’S New Definition

There are eight components in COSO’s new definition of the Enterprise Risk Management process.
Five of them should be familiar to Internal Control practitioners.
Internal Reflects an entity’s philosophy on risk management, considering performance and

Environment value (i.e., cost of control vs. cost of risk) to arrive at an acceptable level of risk.
Objective Based on an entity’s mission, management sets strategic objectives, which if

Setting achieved will create and preserve value for the organization.
Event Management identifies potential events affecting its ability to achieve objectives
Identification Events with potentially negative consequences represent RISK.
Events with potentially positive consequences represent OPPORTUNITY.
Risk Management assesses likelihood and impact of negative events

Assessment (qualitatively and quantitatively).
Risk Management identifies response options, taking into consideration cost versus
Response benefit and acceptable level of risk. Responses may include avoidance, reduction,
sharing of risk (e.g., pooling of risk or co-insurance), and acceptance of risk.
The chosen response(s) may have significant impact on the entity’s business plan,
services provided, product line or corporate policy.
Control Policies and procedures help ensure appropriate risk response, including activities
Activities such as approval, authorization, verification, reconciliation, review of operating
performance, security of assets, and segregation of duties.
Information & Pertinent information from internal and external sources must be identified, captured
Communication and communicated in a timely and relevant fashion.
This includes exchange of relevant information among external parties, customers,
vendors, regulators, stakeholders.
Monitoring Monitoring assesses both the present and functioning of risk management
components, as well as quality of performance over time.
COSO’s draft ERM Framework is available at www.coso.org.

PROTECTING YOUR Even if you are beyond reproach, could

REPUTATION: someone else blame you for their own
malfeasance?
You’ve read the headlines. The CEO (Chief
Executive Officer) claims it was all the CFO’s Do you keep your
doing (Chief Financial Officer). This is computer password on a
somewhat akin to Claude Rains’ famous line Post-It tm note? Do you
from Casablanca: “I'm shocked, shocked to find share log-in identity
that gambling is going on in here!” 1 with a co-worker or
subordinate? How about
You may not be the head of a Fortune 500 the key or combination
corporation, but you do have certain authority to the safe? Even petty
that is hopefully commensurate with your cash can tempt someone
responsibilities. Sure, you trust the people you with a drug habit or
work with2 – you hired most of them. But could gambling problem.
a newcomer (one whose “ethical values are not
fully formed”3) take advantage of the situation –
diverting resources, selling information, or Would it be possible for someone in your office
doctoring records? (or a total stranger, for that matter) to send an e-
mail from your computer workstation, then let
Maybe you aren’t the protector of portable you take the blame when the Secret Service
assets, but you could be the keeper of show up? Could someone log onto an
marketable assets – like information. I don’t inappropriate website, fill your hard drive with
want to put ideas into your head, but there are prurient material, then start a whispering
people who will pay good money for adverse campaign about your Internet browsing habit?
information – be it financial information (late
child support payments or tax data), medical Never mind that – could they use your computer
problems, employee discipline (demotion, to doctor or delete critical records while you
termination), arrest records (even dismissals), were on break? And if those files were doctored
confidential family court proceedings (PINS, or deleted, would anyone ever notice?
JD), driving histories (speeding, DWI). And
there are other people who will pay good money There are a lot of things that can keep you lying
to change that information. awake at night (like nuclear or biological
terrorists, fuel bills, the economy, that upcoming
Are you one of those indispensable managers Civil Service exam or your kids’ report cards).
who does it all? Never takes a vacation – never Did you lock the back door, let the cat out, turn
takes a sick day? Authorizes the payments, off the stove, unplug the iron, log off at work?
writes the checks, reconciles the accounts?
There are a zillion case studies about such Honesty may be the best policy, but it is not
managers, and their off-shore bank accounts. the only way to protect you from false
accusation. At the very least, you should treat
your passwords like money – keep them in your
wallet, not on your CRT screen.
1
Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
2
My father used to say “Trust all men, but cut the cards.”
3
Thanks to OSC’s Dave Hancox for that euphemism.
IF YOU SUPERVISE General, you may want to examine other

elements of the workload.
MORE THAN ONE PERSON: Perhaps each worker is
processing an equivalent
Chances are you have noted differences between number of transactions,
your staff: but one deals with
• One might be an early riser, the other is small business, the other
“not a morning person” with major corpo-
rations (license fees),
• One might accept new assignments
or perhaps one staffer
cheerfully, the other grumpily
specializes in “deadbeats” or
• One may be very talkative, the other tight-
unemployed parents (child
lipped
support payments), while the
• One may be a very private person, the other processes routine payments.
other tells you more than you want to know
• One may have computer skills, the other Discrepancies could also be due to faulty
distrusts new technology procedures or misconstrued instructions. Is
• One may have been doing the job for years, there a division of labor, where one staffer
the other is a recent transfer passes on certain categories of transaction to the
Still, despite their different personalities, other? Is each person putting in a full workday,
experiences and skill sets, they may have or did one go to a three-day training class that
comparable workload. Do you have a month?
monitoring (supervising) mechanism in place to
detect anomalies? If you are dealing with productivity in an office
setting, there are ways to review the workload –
What’s an ‘anomaly” sampling incoming and outgoing paperwork, or
reviewing computerized exception reports. If
No, it’s not a variation on a frijole. An anomaly you are dealing with field staff (e.g. on-site
is a “deviation from the normal or common inspectors), supervision is more difficult.
order or form or rule”. Some people jump to
conclusions and decide there must be an error. How do you know a staffer actually inspected
An auditor-in-training may suspect there is an that factory or day care center? Do you follow
accounting irregularity (a/k/a fraud or up with licensees, agencies or vendors (by mail
embezzlement) when there actually is a rational or phone) on a periodic basis (or sample)? Do
explanation for the variation from the expected. field staff file a weekly itinerary with you so
Does one person handle ongoing transactions in that you can get in touch with them in case there
a timely fashion, while the other person gets is a change of plans, or a new priority crops up?
sidetracked with troubleshooting or ad hoc Yes, in this day of cell phones, it is easier to
assignments? Does one person scrutinize every “reach out and touch someone”, but are they
field in an application, while the other rubber driving to another inspection site, or driving a
stamps perfunctory acceptance? golf ball down the fairway?
Perhaps each staff person is responsible for Some savvy supervisors call a site long AFTER
processing license fees or child support the worker should have concluded his/her work.
payments. One worker may log in $20,000 When told that their inspector left there an hour
every week, the other only $10,000. Before you ago, they just say “thanks, I’ll catch him/her at
go pointing fingers or calling in the Inspector the next site”.
While they may have certain staff in mind when

making these calls, they are also wise enough to
follow this procedure for all staff, so that no one
feels singled out. Old Russian proverb: Trust,
but verify.
Are your internal control

procedures adequate?
Situation: You are responsible for transporting
defendants (in criminal court proceedings) from
the county jail to the court house for trial.
Those jailed pre-trial are generally individuals
with few financial assets and limited roots in the
community. They could not make bail (or
This is not to make light of the recent tragedy in
qualify for ROR – Release on Own
Atlanta. It is to show you that common sense
Recognizance), so many of them have been
and policy may clash on occasion. Fulton
waiting for three to six months for trial.
County (Atlanta) had a long established practice
since the Civil War that shackles were
The accused is innocent until proven guilty, so
considered demeaning and onerous. Still, the
you may not do anything to compromise the
sheriff’s office could have delivered the prisoner
defendant before a jury. Hence, defendants
in a more secure fashion (e.g. two deputies as
must enter the courtroom un-cuffed, and in
escort) without compromising the trial or
street clothes (not orange coveralls). Plea
influencing the jury.
bargains for violent felonies are rare in your
jurisdiction.
I might add that the Governor of Georgia had
recently removed the sheriff of that county due
On a given day, you must transport a six foot,
to a $3 million accounting “anomaly”. That
200 lb. former college football player to court
county had also experienced recruiting
for a new trial on a rape charge that could carry
difficulties resulting in hiring of inexperienced
with it a 20 year sentence. On the previous day,
staff who also lack the proper training to
the defendant had attempted to smuggle two
compensate for their limited physical
“shanks” (hand-made knives) into the court
capabilities.
house (in his shoes). Do you:
I mention the fact that the deputy was female
(a) Assign two equally large, armed deputies
because this could have been a source of
to escort the handcuffed and leg-shackled
antagonism to the defendant (due to the nature
prisoner to court,
of the charges before him). One might wonder
(b) Search the prisoner thoroughly before he
if sending her alone up the elevator with the
leaves the holding pen,
defendant might have been a form of hazing for
(c) Keep the prisoner in handcuffs until he is
a new staffer, or retribution to a whistle blower.
at the door of the specific courtroom, or
(d) Send the un-cuffed prisoner up the
Film at eleven.
elevator with one armed 5 ft 3 inch, 130
lb. female deputy, and hope for the best.
Case Study #1 Case Study #2

Agency X is located in a multi-storied building, You are in charge of a
occupied by various state agencies that are open to six-county region of the
the public (including the main lobby, and elevator state, dealing with
areas on each floor). However, access to Agency licensed day care
X itself is controlled by employee's key card access centers.
and video surveillance monitors located on the
receptionist's desk. Entry can only be gained In a significant
through two locked doors, one of which requires percentage of cases the
entering the reception area, the other opens directly families involved may
into the hallway out of view of the receptionist be eligible for Federal
where a number of offices are located. These doors subsidies (based on
can be propped open. Rest rooms are in the elevator family size and
areas and have coded entry locks, but the code for income).
rest rooms is the same for all floors of the building.
Rest room doors automatically close and Each county has established a different per diem
lock after being opened, but can be rate structure (including different rates for different
propped open. ages), and each county determines eligibility of its
Within the Agency X location, all residents.
employee offices are open and You are under pressure to recruit additional
accessible during working hours day care resources, to meet local needs and
except the main computer room. encourage unemployed parents to pursue gainful
Support staff has open architecture offices, employment.
but only the receptionist can view people entering
the reception area. Employees' personal offices have At the same time, you are under pressure to ensure
doors that maybe locked when the agency is not that those day care centers licensed by the State
open for business. meet health and safety standards (staffing ratios,
background checks, educational qualifications of
Many employees work on sensitive information, lead staff, hygiene and sanitation, food and fire
much of which can be accessed through designated safety) as well as accounting requirements (no
employees' PCs. Additionally, as do most subsidies for no-shows). Of course, there are plenty
employees, this agency's employees keep personal of unlicensed operations out there (beyond your
belongings, including wallets, purses, radios, etc. in control), which give the licensed centers a bad
their work areas. name.
Employees, on occasion, leave their Of all your competing demands, which one is your
identification/key cards on their desks or remove number one priority? How do you make that
them in the rest rooms and leave them on the happen?
shelves. Also, on occasion, one employee may lend
his or her card to another employee who has Fortunately, you have a staff of six (one per county)
forgotten to bring his or her card to work or that who visit current and fledgling day care centers, to
employee may prop open the entry door when inspect their physical plant (for fire safety,
making short trips to other floors of the building or cleanliness, heating and ventilation, and adequate
the rest room. square footage per child), their staff to child ratio,
and observation of child interaction.
Following the principles of triage, you have Case Study #3

informally divided day care centers into three
categories: You are responsible for
transporting defendants (in
• Terrific - I’d send my own kids there criminal court proc-eedings)
• Passable – You can send your kids there from the county jail to the
court house for trial.
• Terrible – Don’t go there
Those jailed pre-trial are generally individuals with
Of your six staff, three have been on board for more few financial assets and limited roots in the
than ten years (the “old China hands”), two have community.
been with you for three years, and one just started
six month ago (“new kid on the block”). Does this They could not make bail (or qualify for ROR –
mean your office qualifies as a “stable operation?” Release on Own Recognizance), so many of them
have been waiting for three to six months for trial.
Monthly inspection reports from five of your
counties are about the same – 10 percent of the The accused is innocent until proven guilty, so you may
not do anything to compromise the defendant before a
reports are negative, requiring a remediation plan
jury. Hence, defendants must enter the courtroom un-
and follow-up visits (which usually yield the proper cuffed, and in street clothes (not orange coveralls). Plea
results). License revocation usually involves a bargains for violent felonies are rare in your jurisdiction.
small-scale operation, where the owner is unwilling
to make the investment in physical plant and On a given day, you must transport a six foot, 200
staffing (and may even decide to drop out of the lb. former college football player to court for a new
business, rather than fight the revocation). trial on a rape charge that could carry with it a 20
year sentence. On the previous day, the defendant
Your newest staff person has just completed two had attempted to smuggle two “shanks” (hand-made
months of on-site inspection of the day care centers knives) into the court house (in his shoes). Do you:
in her county, and reported to you that fully one-
third of these centers should be closed for serious • Assign two equally large, armed deputies to escort
compliance issues. Can these allegations be true? the handcuffed and leg-shackled prisoner to court,
She also claims that in half a dozen cases, there was • Search the prisoner thoroughly before he leaves
nobody at home (staff or client). the holding pen,
• Keep the prisoner in handcuffs until he is at the
door of the specific courtroom, or
• Send the un-cuffed prisoner up the elevator with
one armed 5 ft 3 inch, 130 lb. female deputy, and
hope for the best.
This is not to make light of the recent tragedy in
Atlanta. It is to show you that common sense and
How can her experience in this one county differ so policy may clash on occasion. Fulton County
markedly from the other five counties? Does she (Atlanta) had a long established practice since the
realize that shutting down so many centers would Civil War that shackles were considered demeaning
hurt the families affected (e.g. employability)? Is and onerous. Still, the sheriff’s office could have
she misconstruing the regulations, or playing delivered the prisoner in a more secure fashion (e.g.
hardball with the centers? What other possibilities two deputies as escort) without compromising the
can you imagine? trial or influencing the jury.
What do you do about it?
DOCUMENTING INTERNAL CONTROL PROCEDURES
A. INTRODUCTION
As a manager, you need to know, in detail, what procedures your unit employs to meet each
of its major functional responsibilities effectively, efficiently, and legally.
For the purposes of the Internal Control Act, we need to document procedures that touch on
staff responsibility and accountability, accuracy of records, chain of command in the decision
process, protection of assets and management oversight of each major function.
It does take time to review, document, and update these procedures, but the ultimate
beneficiary of this effort is your own organization. Well-documented procedures have
considerable value in training new staff, cross-training current staff, establishing work plans,
devising annual budgets to keep pace with workload responsibilities, and identifying new ways
to meet those responsibilities in a changing world.
A well-documented set of internal control procedures should also prove invaluable in

communicating problems outside your organization, where other bureaus or agencies need to
become involved in rectifying a problem or improving an operation.
The procedures you document for each major function should address the following questions:
• Who or what gave you the authority to conduct this function?

(e.g. State law, executive order, agency policy, administrative directive)
• What activities or transactions need to occur to meet the function's objectives?
• Is there a mandated timetable for completing key elements of this activity?

(e.g. quarterly billing, monthly reconciliation, annual report, prompt payment legislation)
• What system of checks and balances is employed to prevent fraud or abuse?

(e.g. separations of duties, prior approval for travel/purchasing, outside review)
• What documentation is maintained for each transaction, and who maintains these
records?
(e.g. shift logs, ledgers, computer entries, monthly reports, statements)
• Do you test your system periodically? If so, how??

(e.g. sampling, inspection, testing, outside audit)
The procedures should reflect key steps from beginning to end, noting any interim reports, files
created, supervisory authorization, and individuals or units involved at each step. This
information should help you manage your operation by determining where accountability lies
for each component of the overall function.
NOTE: From an audit standpoint, it is evident that documentation of activities mandated in

Law, policy, or rules and regulations is vital. It is standard practice for OSC auditors to
criticize an agency's function by making the assumption that "if it is not documented, it did not
happen".
B. SAMPLE INTERNAL CONTROL PROCEDURES

In our earlier example of Perform Fiscal Audits of Agency-Operated Programs/Services,
we noted two major objectives - ensuring that programs/services operate in accordance with
policy & procedures; and assisting management in compliance through analysis, appraisal and
recommendation concerning activities audited. Internal Audit meets these objectives through a
number of procedures:
CONTROL PROCEDURES
a) The Audit Director and Assistant Director develop an annual Audit Plan.
b) Executive request audits are scheduled as received by the Audit Director.
c) Audit request procedures and protocols are outlined in the Internal Audit Procedures
Manual, including the following phases:
Pre-On Site - This phase is characterized by the identification of specific audit

projects, assignment of audit staff, development of audit purpose and scope,
preparation of audit instruments, review of background information and
coordination of audit logistics (travel/scheduling of field work).
On-Site - This phase includes entrance meeting, on-site data collection, daily
debriefings and phone contact with Central Office supervision, and exit meeting
with facility director.
Post On-Site - This phase includes debriefings with Central Office units, pre-
release meeting with Central Office units, and preparation/transmittal of the
audit report to the facility director and appropriate Deputies.
Follow-Up - This phase involves on-site verification of implementation of the

facility's action plans, including on-site interviews, daily debriefing meetings, exit
meeting, and preparation/distribution of follow-up audit report to the facility
director and appropriate Deputies.
Procedures developed in greater detail can be used for such management purposes as new
employee orientation and training, as well as performance standards for employee evaluations.
Internal Control Act and organizational structures are designed to provide

Information Technology ‘reasonable assurance’ that business objectives
will be achieved and that undesired events will
Since the inception of New York State’s be precented or detected and corrected.”
Internal Control Act (formal name Government As might be expected, COBIT depends on:
Accountability, Audit and Internal Control Act),
each state agency has been required to review its • Systemization
major programs and administrative functions on • Documentation
a periodic basis, to arrive at a “reasonable • Standards & Defined Expectations
• Measurement
assurance” that such programs or functions
were operating efficiently and effectively, with • Appropriate Risk Assessment
sufficient controls in place to protect assets, A full-fledged COBIT review of OCFS IT
ensure compliance with applicable laws, rules or operations would be beneficial, but would also
regulations, and to produce financial/ be very costly and time-consuming. Following
management reports in an accurate/timely and the principle of “walk before you run”, it is
relevant manner. suggested that your agency develop a modified
COBIT approach, incorporating some of the
The Office of the State Comptroller and the basic elements of COSO Control Self-
Division of the Budget are the two control Assessment and Division of the Budget
agencies most involved in oversight of the guidance on the Internal Control Act. The
Internal Control Act – OSC by audits of state survey instrument for OCFS IT operations will
operations, DOB by an annual reporting and need be more detailed than that instrument used
certification process. for other agency operations, but far less
complex than the COBIT instrument.
For many years, the Information Systems Audit
and Control Association (ISACA) has been As Division of the Budget has instructed, it all
promoting COBIT – Control Objectives for starts with the plan of organization of the
Information Technology as a more structured agency or operation. Accountability depends on
and detailed audit tool. COBIT takes into human beings in place, planning, implementing
consideration those issues most relevant to the and monitoring program performance. First step
in the IT Internal Control Review will be a
information technology environment, including:
description of the staffing, consultants/ contractors
• Computer Systems Security and system (hardware/software) resources. This will
• Data Integrity and Reliability also entail a description of the division of labor and
• Cost-Effectiveness of Data Processing responsibilities of the major bureaus within your
Operations agency, and cost estimates of the annual
• Timeliness/Relevance/Availability of expenditures in each category, plus an estimate of
Information to serve management and the cumulative assets (e.g. file servers,
program needs network/transmission lines, desktop computers,
• Increasing Dependence on IT for program etc.). The old adage “If you can’t measure it, you
and management can’t manage it.” holds true.
• Increasing Vulnerability to organized and COBIT audits look (at varying levels of detail) at
individual attacks on computing systems. 34 items, detailed below. All such issues need
to be examined on a global IT basis, but some of
Like COSO’s Control Self-Assessment and these issues may only affect one or two bureaus
OCFS’s Internal Control Review process, within IT. They include the following Control
COBIT’s – Control Objectives are goal-oriented. Objectives:
“The policies, procedures, practices and
PLANNING AND ORGANIZATION

PO-1 Define a strategic IT Plan Long and short-range plans relevant to agency
mission and information needs
PO-2 Define the information architecture e.g. data dictionary & classification framework;
security levels
PO-3 Determine technological direction Monitor future trends; plan future acquisitions
PO-4 Define organization and relationships Ownership of system; segregation of duties
PO-5 Manage the investment Annual operating budget; cost-benefit analysis
PO-6 Communicate management aims & direction Including security awareness, commitment to quality,
management responsibilities
PO-7 Manage human resources Employees and SUNY contractors; recruitment,
retention, cross-training, succession planning
PO-8 Ensure compliance with external requirements e.g. Social Service Law & Family Court
confidentiality requirements; site safety, ergonomics
PO-9 Assess risk Define acceptable level of risk
PO-10 Manage projects Request/approval process; phased-in implementation;
testing and training; link to strategic plan
PO-11 Manage quality Quality assurance, coordination and communication;
adherence to IT standards & procedures
ACQUISITION AND IMPLEMENTATION

AI-1 Identify automated solutions Define information requirements; third-party services;
procurement control; acquisition and acceptance
AI-2 Acquire & maintain application software e.g. CITRIX Solutions, Cognos; design approval and
documentation; liabilities of proprietary software;
availability and integrity ofdata
AI-3 Acquire & maintain technology architecture e.g. Windows 2000 Server; assess new
hardware/software; system security software;
software maintenance; preventative maintenance
AI-4 Develop & maintain procedures Operations manual, user guides, training materials
AI-5 Install & accredit system Training, system and data conversion, testing and
final acceptance and production
AI-6 Manage changes Change request process; software release policy;
distribution of software; system compatibility
DELIVERY AND SUPPORT

DS-1 Define service levels Define service level agreements; monitoring and
reporting
DS-2 Manage third party services Telecommunications providers; contractor
reliability/qualifications; security relationship
DS-3 Manage performance & capacity Availability and performance requirements; workload
forecasting; performance measurement; resources
DS-4 Ensure continuous service Continuity plan, critical resources, training; back-up
and off-site
DS-5 Ensure system security Hardware & software protection; management review
of user accounts, security surveillance; authentication;
encryption, firewall,
DS-6 Identify & allocate costs e.g. state vs. county, shared services; chargeable
items; billing/chargeback procedures
DS-7 Educate & train users Training organization; security awareness, training
needs
DS-8 Assist & advise customers e.g. ENTERPRISE help desk, customer query
escalation (job ticket), clearances of queries
DS-9 Manage the configuration Configuration baseline, unauthorized software,

software accountability
DS-10 Manage problems & incidents Disaster & security response teams; problem
management and escalation; tracking and audit trail
DS-11 Manage data Backup, backup, backup; data entry error handling;
source document retention; authorization procedures;
output distribution and retention; protection of
sensitive information; authentication, media library
DS-12 Manage facilities Physical security, visitor escort, uninterruptible power
supply; environmental protections; employee health
and safety; low profile of IT site
DS-13 Manage operations 24/7 operation; procedures and operations manuals;
job scheduling, operations logs; remote operations;
MONITORING
M-1 Monitor the process Collect and assess information; user satisfaction;
assess performance
M-2 Assess internal control adequacy Timely operation of internal controls; operational
security and quality assurance
M-3 Obtain independent assurance Accreditation of IT services; proactive audit
involvement; independent evaluation of effectiveness;
compliance with applicable laws/rules/regulations
M-4 Provide for independent audit Professional ethics and standards; audit charter,
independence
Yes, this is a very demanding, comprehensive It is interesting to note that the fourth “domain”
list. It also requires: of COBIT objectives – Monitoring is very
similar to COSO Control Self-Assessment and
• Identification of the primary party OCFS Internal Control Review. ISACA has
responsible for each of these IT Control provided a 155 page document detailing these
Objectives 34 COBIT objectives, but a review of the table
• IT resources applicable above is informative enough for our purposes.
o People
A full-fledge COBIT review would entail
o Applications
o Technology considerable training of both auditor and
o Facilities auditee. A more workable alternative is for the
o Data internal control officer to initiate a series of
management consultations with IT executives
• Information criteria applicable and managers, following the general framework
o Effectiveness & Efficiency of a COBIT audit, though taking into account the
o Confidentiality incremental nature of such a review, since we
o Integrity are starting from the ground up.
o Availability
o Compliance It is also important for IT staff to take
o Reliability ownership of the need for such a review. As
agencies become increasingly reliant on
information technology there is a greater need
for self-reliance in the development,
maintenance and improvement of all its
information systems. Where necessary, there
will also need to be mutual agreement between
the internal control officer and IT regarding
terminology used, and degree of detail required However, the current fiscal/staffing climate may
to fulfill annual reporting/certification interfere with such eventuality (at least on a
requirements of the Internal Control Act. short-term basis).
Past experience with internal control review The following chart from the COBIT manual
processes in most agencies indicates that the bears an uncanny resemblance to Canada’s own
internal control review process is of greater internal control approach (CICA, vs. COSO),
value to those in charge or a program or indicating it is a constant renewal process, as we
function, when they fully embrace such process, learn by doing.
and document systems to a level of detail in
excess of minimum Internal Control Act
requirements.
PO1 define a strategic IT plan

PO2 define the information architecture
PO3 determine the technological direction
PO4 define the IT organization & relationships
M1 monitor the processes PO5 manage the IT investment
M2 assess internal control adequacy PO6 communicate management aims & direction
M3 obtain independent assurance PO7 manage human resources
M4 provide for independent audit PO8 ensure compliance with external requirements
INFORMATION PO9 assess risks
PO10 manage projects
PO11 manage quality
• effectiveness
• efficiency
• confidentiality
• integrity
• availability
• compliance
• reliability
MONITORING PLANNING &
ORGANIZATION
IT RESOURCES
• people
• application
systems
• technology
• facilities
• data
DELIVERY &
SUPPORT
ACQUISITION &
IMPLEMENTATION
DS1 define & manage service levels
DS2 manage third-party services
DS3 manage performance & capacity AI1 identify automated solutions
DS4 ensure continuous service AI2 acquire & maintain application software
DS5 ensure systems security AI3 acquire & maintain technology
DS6 identify & allocate costs infrastructure
DS7 educate & train users AI4 develop & maintain procedures
DS8 assist & advise customers AI5 install & accredit systems
DS9 manage the configuration AI6 manage changes
DS10 manage problems & incidents
DS11 manage data
DS12 manage facilities
DS13 manage operations
INTERNAL CONTROL
Grants and subsidies to ultimate recipients and
PERFORMANCE STANDARDS sub-recipients are made with proper
Source: Ernst & Young authorization and in compliance with legal
REVENUES requirements.
Grants and subsidies to ultimate recipients and
Grants, shared revenues and entitlements are
sub-recipients are recorded correctly as to fund,
accepted and received in compliance with
account, amount, and period.
program and legal provisions.
Physical loss of property and equipment is
Interfund transactions are authorized and
prevented; disposals/retirements/trade-ins are
recorded correctly as to fund, account, amount,
identified, authorized and are recorded correctly
and period.
as to fund, account, amount, and period.
Services rendered are billed promptly, in the
Indirect cost allocation plans are appropriately
correct amount.
developed and used to properly allocate
Revenues are recorded correctly as to account, overhead.
amount, and period.
Commitments and contingencies are identified,
Uncollectible/delinquent accounts are promptly monitored, and if appropriate, recorded or
identified for follow-up action. disclosed.
EXPENDITURES FINANCE
Budgets are prepared and approved in Cash receipts are recorded correctly as to fund,
accordance with legal requirements. account, amount, and period.
Budgetary compliance is monitored, and Cash disbursements are for goods and services
noncompliance is prevented or detected and or properly-supported claims authorized and
properly corrected. received.
Expenses are incurred only with proper Cash disbursements are recorded correctly as
authorization. to fund, account, amount, and period.
Expenses and related liabilities are recorded Debt, leases and other similar obligations and
correctly as to account, amount and period. related expenditures/expenses are authorized
and
Salaries, wages, and benefits are incurred only
for work authorized and performed. Fund segregations and transactions are
properly authorized and are recorded correctly
Salaries, wages, and benefits are calculated at
as to fund, account, amount, and period.
the proper rate.
Salaries, wages, benefits and related liabilities INVESTMENTS
are recorded correctly as to fund, account,
amount, and period. Investment transactions are authorized and are
recorded correctly as to fund, account, amount,
Goods or services are purchased with proper
and period.
authorization and in compliance with legal
requirements. Income earned on investments is recorded
correctly as to account, amount, and period.
Goods or services received (and related
liabilities) are recorded correctly as to fund, Investment assets are protected from loss or
account, amount, and period. misappropriation.
INVENTORY
Costs are assigned to inventory in accordance Hiring, retention and promotional practices
with the stated valuation method. comply with Affirmative Action requirements.
Usage and movement of inventory is recorded Policies and procedures are issued only with
correctly as to account, amount (quantities and proper management review and authorization.
dollars) and period.
Physical loss of inventory is prevented or COMPUTER SYSTEMS
promptly detected.
Computer programs are authorized, tested and
Obsolete, slow-moving, and overstock inventory approved prior to being placed into production.
is prevented or promptly detected and provided
for. Computer operations are separated from
applications development/programming.
CONTRIBUTIONS Data processing personnel are independent of
user department, and have no access to cash,
Contributions by employers and participants are investments or other similar assets.
at authorized or required amounts.
Changes to existing program applications
Contributions are recorded correctly as to fund, require authorization and approval.
account, amount, and period.
Systems documentation provides programmers
with information required to correctly maintain
BENEFIT PLAN OBLIGATIONS applications.
Benefit payments are to valid participants, are Physical access to data files is controlled;
determined in accordance with plan provisions, access to data files is restricted to authorized
and are processed only with proper users and programs; passwords are changed
authorization. periodically.
Benefit payments are recorded correctly as to Physical security precautions are taken for fire,
fund, account, amount, and period. flood and other applicable hazards.
Participant data accumulated for actuarial Appropriate backup procedures exist for data
valuation is complete and accurate. files/programs.
Uncharacteristic (unusually heavy) use of
INTERNAL ADMINISTRATION computer resources is investigated promptly.
Audits are properly planned and supervised;
audit findings are supported by evidential Obsolete or unnecessary programs/files are
matter. evaluated periodically and purged from system
or production schedules as appropriate.
Audit reports are issued only with proper
management review and authorization. User participation, approval and acceptance is
sought in the applications development
Research studies are properly planned and process.
supervised; reports are supported by evidential
matter. Formal documents of production schedules and
actual processing are maintained and reviewed;
Request for legal assistance are authorized and deviations from planned or usual processing
controlled by management; legal assistance is are identified/evaluated promptly.
supported by evidential matter.
Financial forecasts, cash flow projections and
status reports are developed from appropriate
information sources.
Internal Control - • Effectiveness and efficiency of operations.

Integrated Framework • Reliability of financial reporting.
• Compliance with applicable laws and
Executive Summary regulations.
Senior executives have long sought ways to better The first category addresses an entity's basic
control the enterprises they run. Internal controls are business objectives, including performance and
put in place to keep the company on course toward profitability goals and safeguarding of resources.
profitability goals and achievement of its mission, The second relates to the preparation of reliable
and to minimize surprises along the way. They published financial statements, including interim and
enable management to deal with rapidly changing condensed financial statements and selected
economic and competitive environments, shifting financial data derived from such statements, such as
customer demands and priorities, and restructuring earnings releases, reported publicly. The third deals
for future growth. Internal controls promote with complying with those laws and regulations to
efficiency, reduce risk of asset loss, and help ensure which the entity is subject. These distinct but
the reliability of financial statements and compliance overlapping categories address different needs and
with laws and regulations. allow a directed focus to meet the separate needs.
Because internal control serves many important Internal control systems operate at different levels of
purposes, there are increasing calls for better effectiveness. Internal control can be judged
internal control systems and report cards on them. effective in each of the three categories,
Internal control is looked upon more and more as a respectively, if the board of directors and
solution to a variety of potential problems. management have reasonable assurance that:
• They understand the extent to which the entity's

What Internal Control Is operations objectives are being achieved.
Internal control means different things to different • Published financial statements are being
people. This causes confusion among prepared reliably.
businesspeople, legislators, regulators and others. • Applicable laws and regulations are being
Resulting miscommunication and different complied with.
expectations cause problems within an enterprise.
Problems are compounded when the term, if not While internal control is a process, its effectiveness
clearly defined, is written into law, regulation or rule. is a state or condition of the process at one or more
points in time.
This report deals with the needs and expectations of
management and others. It defines and describes Internal control consists of five interrelated
internal control to: components. These are derived from the way
management runs a business, and are integrated
• Establish a common definition serving the needs with the management process. Although the
of different parties. components apply to all entities, small and mid-size
• Provide a standard against which business and companies may implement them differently than
other entities--large or small, in the public or large ones. Its controls may be less formal and less
private sector, for profit or not--can assess their structured, yet a small company can still have
control systems and determine how to improve effective internal control. The five components are:
them.
Internal control is broadly defined as a process,
1. Control Environment
--The control environment sets the tone of an
effected by an entity's board of directors,
organization, influencing the control consciousness
management and other personnel, designed to
of its people. It is the foundation for all other
provide reasonable assurance regarding the
components of internal control, providing discipline
achievement of objectives in the following
and structure. Control environment factors include
categories:
the integrity, ethical values and competence of the
entity's people; management's philosophy and
operating style; the way management assigns
authority and responsibility, and organizes and
develops its people; and the attention and direction
provided by the board of directors.
5. Monitoring
2. Risk Assessment --Internal control systems need to be monitored--a
--Every entity faces a variety of risks from external process that assesses the quality of the system's
and internal sources that must be assessed. A performance over time. This is accomplished
precondition to risk assessment is establishment of through ongoing monitoring activities, separate
objectives, linked at different levels and internally evaluations or a combination of the two. Ongoing
consistent. Risk assessment is the identification and monitoring occurs in the course of operations. It
analysis of relevant risks to achievement of the includes regular management and supervisory
objectives, forming a basis for determining how the activities, and other actions personnel take in
risks should be managed. Because economic, performing their duties. The scope and frequency of
industry, regulatory and operating conditions will separate evaluations will depend primarily on an
continue to change, mechanisms are needed to assessment of risks and the effectiveness of
identify and deal with the special risks associated ongoing monitoring procedures. Internal control
with change. deficiencies should be reported upstream, with
serious matters reported to top management and the
3. Control Activities board.
--Control activities are the policies and procedures
that help ensure management directives are carried There is synergy and linkage among these
out. They help ensure that necessary actions are components, forming an integrated system that
taken to address risks to achievement of the entity's reacts dynamically to changing conditions. The
objectives. Control activities occur throughout the internal control system is intertwined with the entity's
organization, at all levels and in all functions. They operating activities and exists for fundamental
include a range of activities as diverse as approvals, business reasons. Internal control is most effective
authorizations, verifications, reconciliations, reviews when controls are built into the entity's infrastructure
of operating performance, security of assets and and are a part of the essence of the enterprise. "Built
segregation of duties. in" controls support quality and empowerment
initiatives, avoid unnecessary costs and enable
4. Information and Communication quick response to changing conditions.
--Pertinent information must be identified, captured There is a direct relationship between the three
and communicated in a form and timeframe that categories of objectives, which are what an entity
enable people to carry out their responsibilities. strives to achieve, and components, which represent
Information systems produce reports, containing what is needed to achieve the objectives. All
operational, financial and compliance-related components are relevant to each objectives
information, that make it possible to run and control category. When looking at any one category--the
the business. They deal not only with internally effectiveness and efficiency of operations, for
generated data, but also information about external instance--all five components must be present and
events, activities and conditions necessary to functioning effectively to conclude that internal
informed business decision-making and external control over operations is effective.
reporting. Effective communication also must occur
in a broader sense, flowing down, across and up the The internal control definition--with its underlying
organization. All personnel must receive a clear fundamental concepts of a process, effected by
message from top management that control people, providing reasonable assurance--together
responsibilities must be taken seriously. They must with the categorization of objectives and the
understand their own role in the internal control components and criteria for effectiveness, and the
system, as well as how individual activities relate to associated discussions, constitute this internal
the work of others. They must have a means of control framework.
communicating significant information upstream.
There also needs to be effective communication with
external parties, such as customers, suppliers,
regulators and shareholders.
What Internal Control Can Do Roles and Responsibilities

Internal control can help an entity achieve its Everyone in an organization has responsibility for
performance and profitability targets, and prevent internal control.
loss of resources. It can help ensure reliable
financial reporting. And it can help ensure that the Management
enterprise complies with laws and regulations, The chief executive officer is ultimately responsible
avoiding damage to its reputation and other and should assume "ownership" of the system. More
consequences. In sum, it can help an entity get to than any other individual, the chief executive sets
where it wants to go, and avoid pitfalls and surprises the "tone at the top" that affects integrity and ethics
along the way. and other factors of a positive control environment.
In a large company, the chief executive fulfills this
What Internal Control Cannot Do duty by providing leadership and direction to senior
Unfortunately, some people have greater, and managers and reviewing the way they're controlling
unrealistic, expectations. They look for absolutes, the business. Senior managers, in turn, assign
believing that: responsibility for establishment of more specific
internal control policies and procedures to personnel
• Internal control can ensure an entity's success-- responsible for the unit's functions. In a smaller
that is, it will ensure achievement of basic entity, the influence of the chief executive, often an
business objectives or will, at the least, ensure owner-manager, is usually more direct. In any event,
survival. in a cascading responsibility, a manager is
effectively a chief executive of his or her sphere of
Even effective internal control can only help an entity responsibility. Of particular significance are financial
achieve these objectives. It can provide officers and their staffs, whose control activities cut
management information about the entity's progress, across, as well as up and down, the operating and
or lack of it, toward their achievement. But internal other units of an enterprise.
control cannot change an inherently poor manager
into a good one. And, shifts in government policy or Board of Directors
programs, competitors' actions or economic Management is accountable to the board of
conditions can be beyond management's control. directors, which provides governance, guidance and
Internal control cannot ensure success, or even oversight. Effective board members are objective,
survival. capable and inquisitive. They also have a knowledge
of the entity's activities and environment, and
• Internal control can ensure the reliability of commit the time necessary to fulfill their board
financial reporting and compliance with laws and responsibilities. Management may be in a position to
regulations. override controls and ignore or stifle communications
from subordinates, enabling a dishonest
This belief is also unwarranted. An internal control management which intentionally misrepresents
system, no matter how well conceived and operated, results to cover its tracks. A strong, active board,
can provide only reasonable--not absolute-- particularly when coupled with effective upward
assurance to management and the board regarding communications channels and capable financial,
achievement of an entity's objectives. The likelihood legal and internal audit functions, is often best able
of achievement is affected by limitations inherent in to identify and correct such a problem.
all internal control systems. These include the
realities that judgments in decision-making can be
Internal Auditors
faulty, and that breakdowns can occur because of
Internal auditors play an important role in evaluating
simple error or mistake. Additionally, controls can be
the effectiveness of control systems, and contribute
circumvented by the collusion of two or more people,
to ongoing effectiveness. Because of organizational
and management has the ability to override the
position and authority in an entity, an internal audit
system. Another limiting factor is that the design of
function often plays a significant monitoring role.
an internal control system must reflect the fact that
there are resource constraints, and the benefits of
controls must be considered relative to their costs.
Other Personnel
Internal control is, to some degree, the responsibility
Thus, while internal control can help an entity of everyone in an organization and therefore should
achieve its objectives, it is not a panacea. be an explicit or implicit part of everyone's job
description. Virtually all employees produce
information used in the internal control system or
take other actions needed to effect control. Also, all surprises. This study suggests that the chief
personnel should be responsible for communicating executive initiate a self-assessment of the control
upward problems in operations, noncompliance with system. Using this framework, a CEO, together with
the code of conduct, or other policy violations or key operating and financial executives, can focus
illegal actions. attention where needed. Under one approach, the
chief executive could proceed by bringing together
A number of external parties often contribute to business unit heads and key functional staff to
achievement of an entity's objectives. External discuss an initial assessment of control. Directives
auditors, bringing an independent and objective would be provided for those individuals to discuss
view, contribute directly through the financial this report's concepts with their lead personnel,
statement audit and indirectly by providing provide oversight of the initial assessment process
information useful to management and the board in in their areas of responsibility and report back
carrying out their responsibilities. Others providing findings. Another approach might involve an initial
information to the entity useful in effecting internal review of corporate and business unit policies and
control are legislators and regulators, customers and internal audit programs. Whatever its form, an initial
others transacting business with the enterprise, self-assessment should determine whether there is
financial analysts, bond raters and the news media. a need for, and how to proceed with, a broader,
External parties, however, are not responsible for, more in-depth evaluation. It should also ensure that
nor are they a part of, the entity's internal control ongoing monitoring processes are in place. Time
system. spent in evaluating internal control represents an
investment, but one with a high return.
Organization of this Report
This report is in four volumes. The first is this Board Members
Executive Summary, a high-level overview of the Members of the board of directors should discuss
internal control framework directed to the chief with senior management the state of the entity's
executive and other senior executives, board internal control system and provide oversight as
members, legislators and regulators. needed. They should seek input from the internal
and external auditors.
The second volume, the Framework, defines internal
control, describes its components and provides Other Personnel
criteria against which managements, boards or Managers and other personnel should consider how
others can assess their control systems. The their control responsibilities are being conducted in
Executive Summary is included. light of this framework, and discuss with more senior
personnel ideas for strengthening control. Internal
The third volume, Reporting to External Parties, is a auditors should consider the breadth of their focus
supplemental document providing guidance to those on the internal control system, and may wish to
entities that report publicly on internal control over compare their evaluation materials to the evaluation
preparation of their published financial statements, tools.
or are contemplating doing so.
Legislators and Regulators
The fourth volume, Evaluation Tools, provides
Government officials who write or enforce laws
materials that may be useful in conducting an
recognize that there can be misconceptions and
evaluation of an internal control system.
different expectations about virtually any issue.
Expectations for internal control vary widely in two
What to Do respects. First, they differ regarding what control
Actions that might be taken as a result of this report systems can accomplish. As noted, some observers
depend on the position and role of the parties believe internal control systems will, or should,
involved: prevent economic loss, or at least prevent
companies from going out of business. Second,
Senior Management even when there is agreement about what internal
Most senior executives who contributed to this study control systems can and can't do, and about the
believe they are basically "in control" of their validity of the "reasonable assurance" concept, there
organizations. Many said, however, that there are can be disparate views of what that concept means
areas of their company--a division, a department or and how it will be applied. Corporate executives
a control component that cuts across activities-- have expressed concern regarding how regulators
where controls are in early stages of development or might construe public reports asserting "reasonable
otherwise need to be strengthened. They do not like assurance" in hindsight after an alleged control
failure has occurred. Before legislation or regulation Purchasing Information

dealing with management reporting on internal COSO publications are available through the
control is acted upon, there should be agreement on American Institute of Certified Public Accountants
a common internal control framework, including (www.aicpa.org). For further information about
limitations of internal control. This framework should COSO products or to order, contact AICPA at 888-
be helpful in reaching such agreement. 777-7077 or visit the CPA2BIZ Web site.
Professional Organizations Internal Control — Integrated Framework, 2 Vols.

Rule-making and other professional organizations Product number 99009
providing guidance on financial management, Internal Control Issues in Derivatives Usage—An
auditing and related topics should consider their Information Tool, Product number 990010
standards and guidance in light of this framework.
To the extent diversity in concept and terminology is
eliminated, all parties will benefit.
Educators
This framework should be the subject of academic
research and analysis, to see where future
enhancements can be made. With the presumption
that this report becomes accepted as a common
ground for understanding, its concepts and terms
should find their way into university curricula.
We believe this report offers a number of benefits.

With this foundation for mutual understanding, all
parties will be able to speak a common language
and communicate more effectively. Business
executives will be positioned to assess control
systems against a standard, and strengthen the
systems and move their enterprises toward
established goals. Future research can be leveraged
off an established base. Legislators and regulators
will be able to gain an increased understanding of
internal control, its benefits and limitations. With all
parties utilizing a common internal control
framework, these benefits will be realized.
INTERNAL CONTROL TESTING agencies have placed the internal control

A Jargon-Free1 Guide oversight function within their internal audit
shops. The three main techniques of testing
“Internal Control”, also known as management AND auditing include:
control, refers to the combination of systems,
processes and procedures in place that provide Observation – this is part of good supervision,
applicable to factory assembly lines, residential
“reasonable assurance” that risks will be programs, the classroom, workshop, kitchen, or office
minimized, and results maximized – whether environments. It is especially useful when training a new
this refers to a far-reaching social program, or a employee to ensure results match expectations, and
routine administrative task. instructions are clear.
“Reasonable assurance” means just that. Any Interview – asking questions – of staff, customers,
program or administrative task has inherent clients, vendors, or peer professionals is often the only
way to get to the bottom of a situation in a non-
risks – the cost of doing business, and managers adversarial way.
must take such risks into consideration in a cost-
effective fashion. The cost of a management Documentation – this includes a review of items such
control must be proportionate to the risk. For as elevator inspection certificates, fire extinguisher
recharging tags, time sheets, vouchers, program
example a pharmacy would keep serious applications, day care center inspection reports, or even
narcotics (controlled substances) under lock and computer access logs.
key, but stock the public shelves with
antihistamines and aspirin. What differentiates internal audit from internal
control testing (or program monitoring, for that
Annual-salaried employees are trusted to keep matter), is auditor independence. If you’ve
track of their time and attendance, but additional followed the scandals of Enron, WorldCom,
management oversight is required for overtime Parmalat and the like, you understand the
payments. Program applicants submit temptation to tell the boss what he/she wants to
qualifying information to caseworkers, but such hear, overlook shortcomings, or downplay fiscal
information is subject to independent irregularities. Even with auditor independence,
verification where appropriate. collusion can occur (with adequate financial
Testing is a key ingredient in each state incentive).
agency’s “Internal Control Review”, i.e., a Testing is a management responsibility of
review of management controls systems in place each division and bureau, but an Internal
governing key program and administrative Control Officer needs to review the methods
functions of the agency. Such testing is employed to determine if they constitute
generally of two types: “reasonable assurance” that results are being
• Ongoing testing/monitoring – built into achieved as responsibly as possible, while
standard procedures, supervisory oversight, minimizing the downside of fraud, waste and
employee evaluation and case review; mismanagement.
• Periodic evaluation – e.g., on a quarterly Yes, we must recognize that anytime large sums
or annual basis, often conducted by a of money are involved, there is the potential for
consultant or independent body, with fraud – by an applicant, vendor/provider or
emphasis on program results, cost-benefit employee. And the damages resulting from
analysis, and timeliness of services. such fraud may be more than monetary. A
daycare center bribes an inspector to overlook a
Internal Control Testing and Internal Auditing
building code or fire safety violation. A
have much in common, which is why most state
mechanic uses substandard parts to replace the
brakes on a facility van. A computer vendor
1
Almost
1
contracts out hard disk manufacturing to a Commission. Applying the control self-
shoddy cousin (where does lost data go?). A assessment approach for auditing, testing and
defective smoke alarm causes a house fire. evaluating program performance is an ideal
process for reviewing office operations and
Internal Control Testing must keep in mind the
residential programs.
two sides of the coin:
Observation
• What are we trying to achieve? Have you ever sat at a traffic light, and
• What are we trying to avoid? wondered if it would ever change. Most lights
change on a 30 to 45 second cycle, but the light
If a risk does not interfere with results, one at the corner of Fuller Road and Washington
needs to ask “why spend money and time trying Avenue can take an eternity to cycle through all
to control such a risk.” Similarly, if the risk (or its choices.
“vulnerability”) is highly improbable (like a
Martian invasion2), we would only invest in If you’ve observed something happen more than
controls where the impact of such a long-shot once, you develop expectations. The shop
would be devastating. foreman on the automobile assembly line
expects you to install one bumper every 4
Plain Talk About Testing minutes and 19 seconds. The chief account
On a periodic basis, the Internal Control Officer clerk expects you to process 15 vouchers per
(ICO) will ask you how your specific program hour, regardless of their illegibility. A
or administrative function is going. The Survey crackerjack typist should be able to clock 90
form is quite simple, but as anyone knows, words per minute, provided the network doesn’t
trying to sum up anything into twenty-five crash.
words or less is no small task. As Mark Twain As a manager, you have had to justify staffing
once said “Please forgive this long letter, I based on a work plan that estimates the volume
didn’t have time to write a short one.” and complexity of activities, including
You are the expert when it comes to your individual unit times to complete an activity,
program or function, so the ICO will not dictate with total turnaround goals established to
what you have to do to verify things are going provide timely and accurate service.
as they should. But the ICO will review your Observation is one way to determine if reality
submission to determine if the frequency and is in sync with that work plan.
extent of testing you describe is proportionate to Interview
the scale and significance of the operation. Interviewing starts when you select someone to
The ICO should also meet with bureaus on a join your operation. Of course you will also
selective basis to review testing efforts, and check their credentials and references, but the
provide suggestions for improved testing, based interview is the final determinant in hiring.
on experience with comparable functions, and Interviewing doesn’t stop once a new employee
based on state and nationally recognized signs on. During his/her probation period you
standards for internal control and internal audit. will use the interviewing technique to reinforce
training, to verify the employee’s understanding
“Control self-assessment” is one such standard, of the processes/procedures employed, provide
expounded by the COSO3 or Treadwell an opportunity for the employee to ask
questions about his/her role and your
2
Them coming here, not NASA’s rover.
perceptions if his/her performance.
3
Committee of Sponsoring Organizations – including
the American Institute of Certified Public Accountants, Executives International, the Institute of Internal
the American Accounting Association, Financial Auditors, and the Institute of Management Accountants
2
Once an employee is well-established in an Other types help control the processing of a

organization, interviewing continues to be used transaction from start to finish. Paper files may
as a management technique. Changes occur – include signatures, date stamps, original
be it new trends, new technology, new documents such as purchase orders or vouchers,
mandates, staff shortages, increased workload, inspection certificates, and facsimiles of official
or new procedures. As a manager it is your job records such as birth certificates, college
to make sure things are going as well as can be diplomas, pay stubs and tax filings.
expected. Are you keeping pace with quality
control and turnaround time? Are you The modern office is in transition from paper to
delegating functions and authorizations a paperless environment. Rather than store
appropriately. Are your customers happy? Xerox copies of documents, many offices now
Who are your customers? People will volunteer scan digital images, for on-line storage that
information verbally that they will never put in automatically links the images with other related
writing – for a variety of legitimate or files (e.g. MS Word documents, Adobe PDF
illegitimate reasons. reports or Excel spreadsheets). More and more
companies now make lengthy bills available
As a manager, you will need to filter the
digitally, be it an EZ-Pass account or cell phone
information received, compare it to observations
minutes. Such digital information has many
of what is really happening on the job, then
added benefits. You can “filter” a lengthy
checking the Documentation to determine if
report, looking for certain occurrences (e.g.,
allegations or suspicions are well-founded.
dollar amounts over $50, weekend use of cell
Documentation phones or EZ-Passes), or sort data in various
Ever since the time of Moses, documentation ways to structure specialized reports without re-
has been viewed as a necessary evil. Ethicists keying of data.
rely on the Ten Commandments (yes, even in
Sampling is a common technique for reviewing
Alabama). Accountants and bookkeepers have
documentation. Perhaps you want to check 10%
followed the Code of Hammurabi longer than
of a new employee’s output on a weekly basis to
agency employees have followed their Policy
ensure they are doing the job right. Then you
and Procedures Manual. The Bill of Rights and
may do a 5% sample of a senior staffer on a
US Constitution continue to be relied on,
monthly basis. Research analysts and auditors
interpreted, argued and re-argued. The best
may also select a random sample of specific
ideas get written down – on clay or stone
types of records during an evaluation or audit.
tablets, papyrus, vellum, paper, and now the
When records are maintained in electronic
new electronic media.
format, you can even look for exceptions in
Your office files, be they on paper or a 100% of the records, letting your personal
computer hard drive, follow a long trend in computer do all the grunt work.
human history. Properly maintained, they can
Most managers prepare monthly reports,
help you maintain a semblance of order in your
identifying trends/problems, quantifying any
operation, faithfully and accurately record what
backlog in processing (is it increasing or
happened, and when. Or you can “cook your
decreasing?), seeking clearance for procedural
books” in support of alternative theories of
changes to cope with changing times or growing
reality (deficit, what deficit?).
workload, even quantifying the error rate in
Your first responsibility as a manager is to make input and output materials. Are you coping with
sure such documentation is useful and demands of prompt payment legislation?
necessary. Some types of documentation are
required by law or procedure.
3
WHAT ARE CONTROL OBJECTIVES?

A Control Objective is a written statement related to the function which focuses on minimizing
risks, sets function-specific performance standards and directs protection of resources.
National bodies such as the American Institute of Certified Public Accountants, US General
Accounting Office and major consultant firms have compiled a growing list of internal control
performance standards. One such list (from Ernst & Young) is included in this Guide (as
Appendix A), but it could all be summarized simply:
We must do our job responsibly - effectively, efficiently and legally. This includes
protecting the State's assets, providing services to clients according to recognized
standards, minimizing the State's exposure to lawsuit for improper or inadequate
activities, operating the agency without bias or favoritism, investing resources wisely in
activities which fulfill our mission.
Internal control objectives strengthen the management process by developing performance

criteria by which each function is carried out in a responsible manner.
The following examples of internal control objectives pertinent to major functions are not
intended to be exhaustive, but rather offer several useful examples of control objectives
relevant to a wide range of agency functions:
FUNCTION INTERNAL CONTROL OBJECTIVE
Personnel To recruit only qualified staff, in keeping with Civil Service Law rules
Recruitment and regulations, Affirmative Action policies and agency policies
regarding verification of credentials.
Payroll To ensure that salary, wages and benefits are incurred only for work
duly authorized and actually performed.
Inventory To safeguard physical assets which support agency mission;

to record inventory movement correctly; to prevent loss of materials/
equipment or promptly detected such loss.
Purchasing To ensure that goods or services are purchased with proper authoriza-
tion and in compliance with legal requirements.
Capital To verify that new construction and building repairs meet all applicable
Construction building/fire codes
Vehicle To ensure that all vehicles are maintained in safe working order,
Management inspected annually, and operated only by authorized, licensed staff.
Surplus To ensure that overstock inventory (supplies and equipment) is

Inventory identified periodically, and transferred to other /more suitable
offices/facilities.
Computer To ensure appropriate precautions are taken for fire, flood and other
Security hazards. To ensure that access to data files is limited to authorized
users
Physical To verify that direct care staff are trained in restraint techniques and
Restraint procedures before physical encounter with clients.
Universal To ensure direct care staff are trained in and use universal
Precautions precautions when dealing with client during accidents, illness or
routine health care.
Equipment To ensure that power tools are maintained in keeping with

Safety manufacturer's specifications and OSHA standards, and supervised to
minimize accidents to clients or staff.
Contraband To ensure that facility practices are followed to prevent client access
Control to legal drugs, alcohol, tobacco products, weapons and inappropriate
amounts of cash.
Whenever someone talk to you about rules and We are NOT talking about the painful, but
regulations, policies and procedures, or internal necessary controls placed upon us by Civil
controls, your body has an inevitable response. Service, OGS, OSC, or Division of the Budget.
Eyes glaze over, ulcers start percolating, Hiring and firing, purchasing, payroll, budgeting
respiration and circulation decelerate. Your – all have administrative requirements to
brain goes to its happy place until the maintain integrity and accountability.
conversation slides to a more scintillating topic,
We ARE talking about the kind of management
like gout or tax reform.
controls your own agency puts in place to
Yes, there are rule and regulations that frustrate. control risk and monitor performance.
Policies and procedures that obstruct. And
Controls that are tailored to meet the needs of
overzealous controls that interfere with
your programs, your staff and the population
performance. How then do we translate vision
they serve. We can arbitrarily divide internal
into action? How then do we achieve our
control into four major categories:
goals while avoiding unacceptable risks?
• Hardware controls – like locks on doors,
As a leader in government service, your primary
combinations on safes, smoke detectors
concerns are not rules and regulations. You are
looking for results. Results that are achievable, • Software controls – like passwords on
affordable and accountable. Whether you are computer systems or edit routines to
fighting disease, poverty, ignorance or crime, reduce data entry errors
there are people counting on you to make a • Procedural controls – including
difference. And if you can do so without accounting procedures, instructions to
encouraging a visit from Mike Wallace or staff, form designs and documentation
Geraldo Rivera, so much the better. requirements
• “Soft” controls – knowledgeable, trained,
You may find this hard to believe, but: ethical staff who are dedicated to your
programs, honestly seeking to meet
agency goals without resort to slipshod
practices or dangerous shortcuts.
With good, honest, and dedicated staff (soft
controls), you can rely less on the other three
categories. For example, most of us have the
intellectual acumen to assemble peanut butter
and jelly sandwiches1 without referring to
detailed, step-by-step, illustrated instructions.
1
Believe it or not, it is possible to purchase frozen, pre-
assembled, crust-free PB&J sandwiches.
We know the value of separate knives for the Now the average fax may only cost 3 cents per
two main ingredients. When we join the two page, you can buy a home machine for $50, and
slices of bread together, we ensure the filling is faxes themselves are being supplanted by e-mail
on the inside. Chances are, we didn’t have to and MS Word attachments. No more logs. No
use a keypad to open the refrigerator, and the more over-control in one instance.
jars opened without password protection.
What about under-control? We all know the
Of course, the cost factor value of locking the barn door after the horses
involved in such an operation escape. There are times we are unwilling (or
is negligible. Beluga caviar, un-prepared) to impose new controls in a new
on the other hand, requires setting, because we have had no negative
special handling. (Hey kids, experience controlling that risk. When
don’t try this at home) computers were all kept in air-conditioned
You’ve probably seen the PBS commercial rooms, with raised floors and locked doors,
where a young child scoops out some sturgeon entrusted to a few wizards, the rest of us did not
roe, and dumps it into her aquarium, reasoning it need Palm Pilots to hold all our passwords.
is just fish eggs, after all. Maybe you have no Then PCs started showing up on all our desks,
caviar at home2, but if you did you probably and passwords evolved from our pet’s birth date
rethought where to store it away from such to complex algorithms with letters and numbers
innocent intellects. and control characters.
Internal controls are developed over time, in For the record, your agency’s internal control
response to risk and experience. Risk officer is NOT a control character (though it
assessment is an ongoing process (part formal, takes a special breed to devote every waking
part informal). Experience tells us (if we are hour to this benighted profession).
paying attention) the likelihood of occurrence,
At this point, we could “sit on the ground and
and the negative impact of such occurrence (be
tell sad stories of the death of kings.”3 Better
it frequent or infrequent).
we should talk about the circumstances on our
And years of negotiating (battling) with the own agency, examine the over-controls that
control agencies tells us whether controls are have outlived their usefulness, and consider the
affordable (DOB) and adequate (OSC). You possible risks we are exposed to due to under-
may not be responsible for a warehouse full of control.
caviar, but you may have been assigned a
All in all, we are just looking for a reasonable
$2,000 laptop computer. Ever wonder where
assurance that no one will die on our watch,
you left it?
none of our staff will wind up involuntary
While we have divided internal controls into clients of another State agency, and Mike
four major categories, some folks just divide Wallace and Geraldo Rivera will focus their
them into two categories – over-control and attentions elsewhere, at least for the next two
under-control. weeks.
When fax machines were a novelty, some
agencies/offices inflicted users with sign-in
sheets or onerous logs when sending a fax. Of
course no one filled out a form when receiving a
fax.
2 3
Of course you do – you are a leader, aren’t you? William Shakespeare, Richard II, Act III. Scene ii.
KNOW YOUR VENDORS • It would help if Finance kept an unduplicated

database of vendors (including their EINs and
Are you are in a position to order supplies, mailing addresses).
contract for services, retain a consultant, or • Keep in mind that it is the policy of the state to
even recommend a vendor to someone else? encourage (where possible) business with
WMBs (women-owned or minority-owned
If so, then you need to consider a lot of factors – to businesses). Your Equal Opportunity office
do your job right, and protect your reputation. may be of assistance in identifying candidates
Sometimes it is the little things that can bite you for such business.
when (and where) you least expect it. • When receiving goods or services, check on
the quality and quantity received, and make
You don’t have to be a high-ranking executive, or an sure invoices are processed promptly. This is
elected official to suffer the “slings and arrows” of especially important where small businesses
outrageous journalism. To help you avoid the are concerned.
appearance of impropriety, consider the following: • Ask your finance office about the impact on
• Even if the goods are services are small enough Prompt Payment legislation – even if you are
that they can be purchased off state contract, buying on state contract, delays in payment
you need to be careful in choosing the vendor; could carry an interest penalty.
• A series of purchases over time might trigger • Don’t be afraid to shop around for more than
interest from an internal auditor (or external one price quote (even if it is not absolutely
auditor) if it crosses the threshold for contract necessary). You don’t want to develop a
purchasing (dollar limits on competitive reputation for being lazy or wasteful.
bidding change periodically – check with your • Ask yourself “Would I buy this item at this
finance office); price, if it were my own money?” You have a
• If you are under pressure from someone in lot of experience being a savvy consumer – put
your organization to choose a particular vendor it to work for the State.
(e.g., family, friend or political contributor), • Share your purchasing expertise with other
beware; bureaus (verbally). Be careful what you put in
• If you are encouraged to tailor your RFP or writing – even in an e-mail (it could be FOIL-
purchase request to benefit a particular source able). But it is appropriate to compare notes
or brand, beware; with other bureaus/supervisors when making a
• Has your agency done business with the vendor spending decision.
in the past (perhaps another bureau)? What • Oh yes, be wary of scam artists (they used to
experience has your agency had with the call them boiler room operations, but now they
vendor? use the Internet). Don’t authorize payment for
• Is it a real company, or one of those ephemeral something you never ordered, never received,
DBA’s (Doing Business As) with a mailing and never signed for (like brand x copier
address that is either a P.O. Box or Suite, or toner).
worse yet, the home address of one of your • And if you do sign for something, verify the
agency’s employees? quality and quantity (count those laptops).
• Be wary of an address that is c/o (in care of) Don’t wait until inventory time to find out you
another entity – or worse yet, in care of one of are missing the goods!
your own agency’s employees!
All this information is brought
• The Employer Identification Number (EIN) is
to your attention, not to
9 digits, just like a Social Security Number.
frighten you away from
Maybe it is a Social Security Number! Ask
purchasing activities, but to
Audit or Finance to double check to make sure
help you meet your agency or
you are not inadvertently doing business with a
program needs at a fair price,
co-worker.
without charges of favoritism
or influence peddling.
On The Take: your visit to a vendor’s booth – and these

would have no influence on your decision to
When is a gratuity1 not a gratuity? There steer business their way. But a lavish meal
are times when organizations or vendors (and you can still dine quite fine on $74.99
offer gifts or free products, either to reward – it even rhymes) is what some theologians
you for past actions, or influence you in a call a “proximate occasion of sin”. Whether
current or future action. The State Ethics or not you believe in the concept of sin, you
Commission’s Advisory Opinion No. 94-162 do believe in the concept of Mike Wallace
set a limit of $74.99 on the dollar value of and 60 Minutes. Andy Warhol may have
any such gift – be it a “free lunch”, promised each of us 15 minutes of fame,
handsome plaque, software, hospitality at a but this would be better earned competing
convention, or pen and pencil set. with Ken Jennings on Jeopardy.
The Public Officers Law §73(5). It reads as
follows: It “could reasonably be inferred” that a
sales representative intends to influence
No statewide elected official, state you with theatre tickets, single malt scotch
officer or employee, member of the or cable modem. Free sample software is
legislature or legislative employee shall, more of a gray zone. As a “perk” you might
directly or indirectly, solicit, accept or receive a free working copy of an expensive
receive any gift having a value of computer program – with the hope that you
seventy-five dollars or more whether will use it at work, judge its value, then
in the form of money, service, loan,
decide to order a hundred copies for all
travel, entertainment, hospitality, thing
or promise, or in any other form, under
your staff. Of course competing vendors
circumstances in which it could may provide the same inducement. Such
reasonably be inferred that the gift was items should remain the property of your
intended to influence him, or could agency, even though the vendor attaches
reasonably be expected to influence no strings to the product.
him, in the performance of his official
duties or was intended as a reward for
The risk you take when accepting such trial
any official action on his part. No person software is a competitor’s complaint when
shall, directly or indirectly, offer or make you make your final choice. There are
any such gift to a statewide elected those with inferior products who sell
official, or any state officer or employee, through intimidation. There are also those
member of the legislature or legislative insidious boiler-room operations (now
employee under such circumstances. outsourced overseas) that will plague you
with unsolicited copier toner, newsletter
This is not to say that a $50 dinner, or a subscriptions, etc. Stand your ground
$29.95 pocket calculator is an acceptable against such tactics by holding yourself
gift. You might pick up a stress-ball or above suspicion. “Where there’s smoke,
other advertising gimmick at a computer there’s fire.” Or so it is said. Don’t add fuel
convention – items which seek to prolong to a fire. Don’t encourage negative
speculation by engaging in questionable
1 activities.
Gratuity (noun) A relatively small amount of
money given for services rendered (as by a And remember –
waiter); An award (as for meritorious service) there is no such
given without claim or obligation. thing as a free
2
http://www.dos.state.ny.us/ethc/opinions/AO94-16.htm lunch.
A PLACE FOR ETHICS And on occasion you probably brought in your

own floppy disks when the office supply ran
Back in the time of the Cold War, when school short – so taking home a low-bidder ballpoint is
children practiced “duck & cover”, Senator not likely to earn you a place in Dante
McCarthy saw pink, and Sputnik beeped Alighieri’s Inferno.
overhead, the United States relied on a Distant
Early Warning System, consisting of a series of No, common sense
radar installations in Northern Canada. Also is still an option.
known as the DEW Line, these installations The old quote about
were intended to give the U.S. advance warning “dipping your pen
of a missile attack from the Soviet Union. in company ink” is
Check your geography, the North Pole was a about more than
shortcut from Siberia to any U.S. city. social improprieties
with staff. It is
Fortunately, we never had to “duck & cover”, and
about abusing a
the Soviet Union will soon be a footnote in global
history. However, the U.S. is now installing a
position of trust.
missile defense system in Alaska, focused on North Taking advantage of your employer – and the
Korea. The enemy changes, but the risks continue. taxpayer, for personal gain, monetary
enrichment, or securing special advantages for
WHY AM I MENTIONING THIS? yourself or a favored group.
New York State has an Ethics Commission, There is no guarantee that you will not be
charged with the impossible task of identifying falsely accused of impropriety – character
potential conflicts of interest among State assassination is always in season. But you are
policy-makers and high elected or appointed more likely to lead an uneventful life if you set
officials. Some of you may have to go through an ethical example – for yourself, your family,
the tedious and boring task of telling the Ethics your staff, your agency, and your community.
Commission that you have no investments of If you are really lucky, you will only need a
value, no financial interests in businesses that lawyer to write your will. Choose a good one.
seek State custom, no relatives on the payroll of
agencies or businesses regulated by your own Ethics does not depend on a vengeful deity, or an
altruistic spirit. It’s a simple equation. The more
agency. If you are lucky enough to have a
you stray from ethical behavior, the more likely you
significant stock portfolio, you must fill out the will face the consequences. Check out the 2005
lengthy details to satisfy the Commission that award-winning film Sideways. It’s kind of an “odd
you are above suspicion, there is not even the couple” story – reminiscent also of Aesop’s Fable of
slightest hint of impropriety, and that you the grasshopper and the ant. Then think back to
subscribe to the noble (Civil War) sentiment of your teenage years, when you were invulnerable.
“Death before dishonor”. How many of your friends never made it to the NY
State retirement age (55 in Tier One)? How many
As we try to avoid any hint of scandal, conflict of
thought they could handle drugs or alcohol? How
interest, impropriety, fraud, waste or
many thought their GTO would beat Amtrak to the
mismanagement, we should look upon ethics not as
grade crossing?
a hindrance, but as a valuable ally. A first line of
defense against civil litigation or criminal If you are going to steal, steal big, but practice
indictment. ethical behavior until you find that million
This is not to badger you to be overly scrupulous. dollar opportunity. Keep your nose clean, and
On April 14th, everyone in the public or private they will never suspect you, until you fly off to
sector finds it necessary to make copies (we used to Brazil (first class, no less)!
call them Xeroxes) of their tax returns.
MANAGEMENT INFORMATION If you have total

disinterest in
SYSTEMS information, then you
are not a manager,
Once upon a time, ADP and EDP were the and you may even be
acronyms for computer data processing. dead. Because
(Automated Data Processing and Electronic “inquiring minds
Data Processing). Then a guru somewhere want to know”.
decided to call it MIS (Management Information Maybe you manage a
Systems), implying that the data was collected, fantasy baseball team,
processed, sifted and regurgitated to inform and constantly update the statistics on your batters
managers so they could manage their operations and pitchers (rbi’s, era’s, bob’s, etc.). Maybe you
keep track of all the numbers picked each night by
efficiently and effectively.
Yolanda Vega. Daily statistics like the Dow Jones,
At the turn of the last century, someone decided barometric pressure readings or wind chill may
to call the whole thing IT (Information influence your investments, gardening or skiing.
Technology), taking management out of the A new TV show, NUM3ERS tells us that
picture entirely. This may have been done out numbers are all around. Insurance actuaries
of spite, as computer programmers expressed know a few things about numbers. Economists
frustration when managers ignored the data claim to know even more things about numbers,
staring them in the face, making decisions based and most of us know that you cannot balance
on tea leaves or I Ching readings. your checkbook with little lead weights.
But make no mistake, data can only become Still, you may ask “When does data become
“information” only when it is assembled in a information?”
coherent form, and provided to the appropriate
people, in a timely and relevant fashion. A number of years ago IBM ran a color print
advertisement that looked something like this:
If you have the soul of a manager, then you
clamor for data. Depending on your responsibilities, 01010101010101010101010101010101
you have an insatiable need to know where things 10101010101010101010101010101010
stand in a hundred areas. Teachers and school 01010FIND10101010101010101010101
principals need to know if their students are 10101010101010101010101010101010
learning. Parole officers need to know if their 01010101010101010101010101010101
parolees are keeping out of trouble (gainfully 101010101THE10101010101010101010
employed, or earning passing marks in school or job 01010101010101010101010101010101
training). Medical professionals monitor vital signs 01010101010101010101010101010101
of their patients (sometimes on a minute-by-minute 10101010101010HIDDEN101010101010
basis with the help of computer technology).
01010101010101010101010101010101
Finance officers need to know if there is enough
money left in their budget to pay that voucher. 10101010101010101010101010101010
01010101010101010MESSAGE01010101
Maybe you don’t care about staff turnover, 10101010101010101010101010101010
retirement eligibility, client recidivism in the justice 01010101010101010101010101010101
system (adult criminal or juvenile). Maybe you
don’t care whether a voucher is processed in a At the time, they were trying to sell color
timely fashion (it’s not your money that pays the monitors (a luxury then, a run-of-the-mill
interest penalty). Maybe you don’t care if a major commodity now). The point was without
traffic intersection has a disproportionate number of special treatment, we can all drown in the sea of
accidents. And you don’t care if the train is late data that is out there.
from New York City.
I would make an additional point – unless you Keep a paper log of transactions. Start
make it clear to your IT (information numbering incoming correspondence. Maintain
technology) people what you need to know – the key statistics on 3 X 5 cards.
kind of decisions you need to make, the Start a checklist. Include key statistics in your
resources to be invested in such decisions, the monthly report. It might impress your boss, but
impact of such decisions on world peace, the it will help whoever follows you in your
economy or good dental hygiene, then your IT position.
people will just be alienated technologists – who
will look upon you “surface Establish realistic goals, set
people” as Eloi, while they deadlines, then monitor results. If
work in the dark, underground the NYS Education Department can
as Morlochs. See H.G. Wells renew an RN’s certification in 24
Time Machine for details. hours, maybe you can inspect and
recertify that day care center in 30
Of course, the IT folks will not days.
make your data needs a priority
unless they see evidence that you Do you need to expand your RFP
1) care about the data; 2) make mailing list? Try “Googling”
valid decisions based on the data; potential vendors via the Internet.
and 3) your decisions make a
positive impact on the people of
Network with peers in other/
New York State. Yes, they can also help the people comparable agencies (we are all in
of Ohio or Vermont, but they have their own way of this together – maybe they know something
doing things. useful). Boldly go where none have gone
before (just be sure to get competitive bids, and
If you have the soul of a manager, you will have save your receipts).
an insatiable need for more data, faster data, more
relevant data, data you can synthesize into Here is where you have to do a little
INFORMATION. Maybe you are monitoring something on your own: Make a list of your
ground water contamination levels around a landfill, key functions.
PCBs in the Hudson River, or acid rain in the What are the
Adirondacks (most of which comes from Ohio, I
goals? What
think). Or then there is the alarming incidence of
asthma in our next generation. Or the paucity of
risks must you
engineers graduating from our universities. Or the avoid in order to
number of potholes on I-90. meet those goals?
Then make a list
There is an old axiom (there are rarely new of the kinds of
axioms) “If you can’t measure it, you can’t data that would help achieve positive results.
manage it.” Some folks just throw in the towel, Are there mandated deadlines? Will delay in
and assert the second half of the axiom. These processing hurt a citizen, client, patient, student,
are called “experienced managers”. It is too late taxpayer, applicant or vendor? Who can you
for them – they’ve burned out from years of assign to handle those key functions? Do you
inadequate data support. But there is hope for have useful procedures written down, or have
you IF you start clamoring now for timely and you got trained staff to rely on? When is Louise
relevant information. retiring? Can you get out before she does?
Maybe you will need to start collecting it the If you don’t have the soul of a manager, pass
old-fashioned way. Ask people questions. this two-page treatise on to someone who does.
Wouldn’t you like to have one of these? A way to monitor your agency’s
performance. Current status on budget balance, purchasing and contract
expenditures, computer system stability, personnel turnover, succession
planning, program performance?
While you wait and hope for IT (information technology) to craft a real-time
feedback system, the grains of sand keep dripping through the hourglass.
Have you considered gathering information the old-fashioned way – by talking
to people? The annual Internal Control Review process can help you do just
that! It’s not a chore, it’s a proven method to facilitate two-way
communication, identify goals and objectives, and recognize the inherent risks
and administrative weaknesses that interfere with achievement.
An integrated database would be ideal, though absorbing huge amounts of data out of context can be a
daunting proposition. Instead, consider the merits of 5 X 7 index cards, or simple one-page forms
covering all your critical functions. Who is in charge? How do you measure success or failure? What
“Checkpoint Charlies” have you installed to track performance. Who are the gatekeepers for quality
control? Who are the protectors of resources? What procedures have you built in to control the flow of
money, data, supplies and materials? Where are the gaps in your armor where fraud or theft could
occur?
The Association of Certified Fraud Examiners developed the following chart to capture all the possible
ways staff, vendors, applicants, clients or grantees could take advantage of your resources, and
compromise your integrity. While some of these apply only to commercial ventures (e.g., stock market
manipulations), the majority can affect government and not-for-profit entities:
ANATOMY OF FRAUD - Uniform Occupational Fraud Classification System1
MAJOR CATEGORIES
I. CORRUPTION
• Conflicts of Interest
Purchase Schemes (split vouchers to avoid competitive bidding)
Sales Schemes
Other
• Favoritism and nepotism in hiring, purchasing or client services
• Governance in-breeding
• Bribery
Invoice Kickbacks (vendor collusion)
Bid Rigging (phony bids or no bids)
Other (bogus inspections, licenses granted)
Political (votes promised, nominations & endorsements)
• Illegal Gratuities
Christmas Presents
Theatre Tickets (Broadway)
Free Travel & Lodging (conventions)
Expensive Dinners or Country Club Greens Fees
Free Product Samples (laptops or cocaine)
Gift to Favorite Charity
• Economic Extortion (Political Extortion too?)
“By me, or I’ll sue”
“I’ll tell them about the freebies”
“I have the negatives”
II. ASSET MISAPPROPRIATION

• Cash
Larceny (outright theft or embezzlement)
Skimming (cash receipts, charitable donations – cash or goods)
Fraudulent Disbursements
• Billing Schemes (shell company, personal purchases, collusion, fictitious goods)
• Payroll Schemes (no-shows, phony overtime, attendance abuse, workers comp)
• Expense Reimbursement Schemes (multiple and/or padded travel vouchers)
• Check Tampering (altered payee, diverted checks, forgeries)
• Cash Register Disbursements (false refunds, false voids)
• Company Credit Card (personal use)
• Inventory and Other Assets
Misuse
• Cell Phones, Gasoline, Vehicles, Computers, Copiers, Long Distance
Larceny
• Asset Requisition & Transfer
1
Source: Association of Certified Fraud Examiners
2004 Report To The Nation On Occupational Fraud And Abuse.
• False Sales & Shipping
• Purchasing & Receiving
• Unconcealed Larceny
III. FRAUDULENT STATEMENTS

• Financial
Asset/Revenue Overstatements
• Timing Differences (fiscal year roll-overs, delayed payments)
• Fictitious Revenues (inflated sales figures, bogus bonuses)
• Concealed Liabilities (stockholders will never know)
• Improper Disclosures (insider trading, trade secrets)
• Improper Asset Valuations (conceal company’s true value)
Asset/Revenue Understatements
• Tax Avoidance
• Deflate Sales Staff Commissions (favoritism/revenge)
• Non-Financial
Employment Credentials (often unverified, liars win)
• Diploma Mill PhD’s
• Forged Licenses or Degrees
• Fake Identification (criminals / illegal aliens)
• Concealed criminal history
• Padded Resumes, bogus references
Internal Documents (employee evaluations, vendor ratings, applicant vetting)
External Documents (IPO filings, puffed-up press releases, misrepresentations)
DETECTING FRAUD
The ACFE has recognized that “internal controls” come in fourth place when it comes to detecting
fraud. Experience from 2002 to 2004 shows this has improved somewhat, but government and industry
still have a ways to go, implementing appropriate and affordable controls to minimize risk. Within
government agencies, internal controls detected less that 12% of all frauds during the survey period.
SHRINKAGE
No, it’s not about making your kids smaller. Nor
is it about a mid-life crisis requiring professional
help. It’s not about fast food or hot water making
your clothing feel tight.
It’s about inventory disappearing – either through
shoplifters, employee theft, poor security or even
bad accounting.
And things are not always as they seem.
I offer into evidence two case studies – one retail,
one manufacturing. The thoughts provoked herein
should be applicable to any setting, public or
private.
The Case of the Incredible
Shrinking Chicken Wire
A number of years ago, a manufacturer in

Kentucky or Tennessee (considering we are
talking about chicken wire, Kentucky is a more
likely choice, though Arkansas should not be ruled
out of contention), was concerned that the quantity
of wire being used to produce poultry fencing
appeared to be increasing, while production was
decreasing.
The managers, convinced that employee theft was the culprit, called on a famous consultant to review
their plant security. His initial observations focused on shrinkage, and the facility with which
employees could smuggle out the precious commodity. He noted that all employees drove through a
gate, and parked inside the perimeter, within walking distance of the factory. It would have been
relatively easy to transport fencing in a car trunk, since security staff did not screen outgoing vehicles.
The consultant recommended the fence be moved, so that employees would need to file past the guard
on foot, thereby limiting the potential for pilfering. Lunch boxes are not known for their ability to
conceal large quantities of chicken wire.
However, the real issue was not shrinkage. The consultant being rightly famous and astute discovered
the real culprit was bad accounting. All scraps of wire too short to be fed into the fence-making
machinery were sold to a scrap dealer, who promptly and dutifully paid a fair price for these remnants.
All the money went into a special headquarters account that was overlooked by the local plant managers.
The company did move the fence, just in case a lucrative chicken wire black market ever developed.
And the employees all breathed a sigh of relief when the consultant returned to the big city to ferret out
other evil doers and malingerers.
THE OLD DISAPPEARING MUSTARD TRICK
A gourmet deli in upstate New York prided itself on its real-time
inventory system. Every purchase at the register was fed into their
computer system upstairs, so that managers would know what was
selling, and when to reorder favored items.
The system did have its drawbacks. During peak shopping periods
(e.g., Christmas, New Year’s, Kentucky Derby, Saratoga summer),
the undersized computer could not keep pace with all the data, and
the cash registers crawled, infuriating customer and clerk alike.
Come the annual physical inventory, and staff were dismayed to

discover untold amounts of missing (and expensive) stock.
Considering that a gourmet bottle of mustard or a wedge of cheese made in the Himalayas by elves
could cost $10 or $20 (crackers extra), the missing stock was eating heavily into the store’s profit
margin.
The prime suspects were ravenous employees or larcenous customers. Little did anyone realize that the
real culprit was the “state of the art” computerized inventory system, and a little thing called “returns”.
It seems the bookkeeper was authorized to entire a certain kind of transaction into the system – at her
office desk, far from prying eyes, and far from the disappearing mustard. When a customer returned
merchandise, it would have to be entered into the inventory system – with a refund to the customer. It
turns out the bookkeeper was creating phantom returns to generate personal revenue to support her
lavish lifestyle. Thousands of dollars later, the flaw in the system was discovered – bad software,
inadequate separation of duties, and a dishonest manager. It didn’t help that the owner of the business
spent most of his time in Florida, trying to sell his real-time inventory control software to other stores.
The company in question sold out to a pair of restaurateurs who drove what was left of the business into
the ground, encouraging local supermarkets to go upscale with specialty items.
One could suggest the gourmet enterprise could have survived had it tended to its core mission (fantastic
vittles) and leave the high tech malarkey to geeks. One could also suggest that the time to get to know
your employees is AFTER they are hired. When employees start dressing better than the bosses, driving
nicer automobiles, and vacationing overseas, it’s time for the bosses to get nervous.
Tim O’Toole of Albany, NY is approaching his 20th year in harness overseeing internal control
activities in his home state. You can find more of his writings at www.1ceman.com and
www.internal_control.us
TEAM-BUILDING, NATION-BUILDING AND COMMUNITY
In his long career as healer and author, M. Scott Peck penned a series of books under the “Road Less
Traveled” banner. One of these popular works, “A World Waiting to Be Born: Civility
Rediscovered” dealt with human organizational dynamics. His observations can be related to any
human organization, be it the fledgling republic in Iraq, the boardrooms of corporate America, or the
austere cubicles of state and local government.
When we talk of “soft controls” we are PARTICIPATORY

talking about those tangible and Why are we A less common style of leadership in
intangible elements of a human talking which the secure manager encourages
organization. Not computer pass- about this? subordinates to collaborate in the
words, or combination locks. Not decision-making process. Two-way
elaborate procedures or inspection Because communication flows in every
stickers. direction, perhaps even crossing
it’s outside organizational boundaries.
Dr. Peck described four styles of important!
leadership that can apply in various CONSENSUAL
venues, and in different proportions. This is a style of decision-making that
transcends democracy. All the members of an
AUTHORITARIAN organization participate collectively in the
A traditional and common style – the one we process, with communication flowing in all
grew up with, and the one we first experienced directions regardless of pay grade or hierarchy.
in government service. Managers make Actions are then taken based on group
decisions, then inform subordinates to consensus. This style of leadership is based
implement them flawlessly without complaint. heavily on trust and talent.
In COSO terms, the direction of information
and communication is one way – down. “No one of these four management styles is ‘the
best’.... The truly competent manager, therefore, will
CONSULTATIVE have all four of these styles at her command.”
Peck, pp. 261-264
The manager is still calling the shots, but
consults with affected staff before making the
decision. Communication flows up and down,
though most likely on a one-to-one basis Because it’s important. If you’ve been awake
between manager and subordinate(s). Of course for the past 30 or 40 years, you should have
there are those authoritative managers who go noticed that the reality of “community” has
through the motions of consulting with eroded. Suburban bedroom communities pop
subordinates, then make the decision they up like mushrooms. Strangers commute in
planned all along. droves over long distances. PTAs and volunteer
fire departments have difficulty recruiting
volunteers.
IS YOUR OFFICE A COMMUNITY?

You spend 40 hours a week, 2,000 hours per year surrounded by strangers sharing common goals and
tasks. Are they a second family to you, or the less-than-hidden source of your distemper? Let’s
examine the concept of “pseudo-community”.
In “A World Waiting to Be Born: changes in procedure or organization, with
Rediscovering Civility”, M. Scott Peck defined minimal input from staff.
the four stages of Community Development:
Alumni - those who have either aged out, or
1. Pseudo-community - a group pretends to be burned out of the Wheeler-Dealer ranks, whose
a community, denying conflict or individual involvement may be reflected in token
differences. Manners and etiquette are used to attendance at meetings, nostalgia for the good-
derail conversations that may be painful or old days (before computers). “We’ve always
antagonistic - yielding superficial, inauthentic, done it this way” is their motto.
sterile and unproductive communication.
Frustrated Upstarts - newcomers to the
2. Chaos - a group accepts individual organization who may try to worm their way
differences, but may self-destruct in an attempt into the Wheeler-Dealer ranks. If they don’t
to convert/heal/fix each other. This may lead to succeed, they may go elsewhere, or become
win/lose negotiations that get nowhere, and only alumni prematurely, content to be mere
irritate one another thoughtlessly and rapidly. spectators - expecting the Wheeler-Dealers to
tend to the details, since “they know best”.
3. Emptiness - A transition period that is
seldom dramatic, but often prolonged. Some
members may risk authentic conversation, only There is probably not much chance of inspiring
to be rejected by the rest of the group. Only the wheeler-dealers to loosen their strangle-
when the entire group has emptied itself of petty hold on power - even though it has been proven
concerns, jealousy, hatred or fear can there be that shared power increases the total power of
hope of evolution into the final stage of true an organization.
community. But it may be possible to rekindle the interest of
4. Community - shift to this final stage can be alumni in reconnecting with the place they
sudden and dramatic - a spirit of peace may spent so many years – by facilitating meaningful
pervade the room. There is more silence, less involvement of those frustrated upstarts, who
nay-saying, one can almost taste the fresh air, or are underemployed and underutilized.
the team spirit inspiring the gathering - which TONE AT THE TOP
can then go to work, making decisions, planning Building a true community involves risk-taking.
and negotiating effectively. A commissioner, deputy or director must see the
Source: Peck, pp. 274-276 & passim. value of embracing a more collaborative
approach to running an agency, division or
True community is rare in our society and the bureau. Then a vision must be communicated to
world, not easily constructed, and can easily all staff that encourages participation, by
disintegrate without continued energy of its showing the direction the enterprise wishes to
participants. take.
A true community must be one of participants, When America sent people to the Moon, it
not spectators. Unfortunately most pseudo- kindled a team spirit and pride in
communities (and this is where most of us spend accomplishment. It may have only been a
our 9-to-5 existences) can be divided into three pseudo-community (as we ignored the grim
groups that I call: realities in Vietnam, and the continued failure of
the war on poverty), but it was a start.
Wheeler-Dealers - at it daily jockeying for
power, forming cartels and cliques, second- In the coming year, New York State government
guessing one another, albeit often well- will undergo transformation in countable and
intentioned. Back-stabbing upstarts, pooh- uncountable ways. Time for the next rank of
poohing subordinates, making unilateral commissioners to set the tone at the top.
SOFT CONTROL thing” is in a biker gang, or that tattooed Goth
The conventional wisdom that pervades the sings in a choir – not a rock band.
internal control literature (bedtime reading for
What relevance does this have for internal
accountants when PBS is fund-raising), speaks
control? Well, if the position involves access to
of staff competence, integrity, shared purpose,
valuable resources (be it revenue, inventory or
dedication and experience. Each of these values
confidential data), the wise supervisor will key
can make a difference, fostering effectiveness
in on dramatic changes in lifestyle.
and efficiency in the absence of formal
monitoring systems. When an entry-level person takes a European
vacation, then shows up for work in a bright red
Such glowing realities need not pervade an
Ferrari (parking next to the supervisors Dodge
organization, though clusters of clarity and
Dart), a few questions are in order.
honesty may occur in the nooks and crannies of
any bureaucracy. When an employee seems to have hay fever
year round, is it a sign that the office air quality
When a supervisor has the luxury of recruiting
is hazardous, or is petty cash being siphoned to
new staff, he/she has the opportunity to define
pay for nose candy?
what office life will be like for years to come.
Affirmative action officers may Is the new employee fully integrated
agonize over limitations of the merit into the team, or are some of the
system, or subconscious tendency of Your co-workers staff resistant for inappropriate
people to select staff based on are more than reasons?
external characteristics (“will he/she interchangeable Then there is the question of your
fit in?”). Is the supervisor a “good parts. own style of leadership. Do you
judge of horse flesh”, or is he/she
encourage open communications?
under pressure to make a quick
decision and fill a critical vacancy
Do you share important information with staff,
while the list is still valid - or budget approval in
and solicit their feedback?
force?
Do you communicate instructions clearly, then
Sometimes, time pressures lead to shortcuts in
take the time to review assignments? Do staff
“vetting”1 the new hire. Doctored transcripts,
consider they are making contributions to a
diploma mills, and unchecked references. Snap
larger purpose, or do they see their work as a
decisions based on a twenty-minute interview.
mere chore that pays the bills? Can you relate
Then that new employee will need training. Are your own work to a higher purpose?
procedures well-documented and up-to-date? Is
Do your co-workers collaborate on a project, or
the right kind of training available and
act individually/sequentially? Have you
affordable? How will other staff accept the
segregated duties adequately, to reduce the
newcomer? Was an insider passed over for
chance or fraud, forgery or embezzlement?
promotion? Are the newcomer’s tasks and
What about cross-training so that work is not
standards legitimate and current?
interrupted by illnesses and vacations?
In the hiring process, questions about religion,
Do you value all your co-workers, or did you
sex and politics are taboo. Likewise questions
inherit some goldbricks from the previous
about family and hobbies. Once hired, the
supervisor?
challenge is to determine if that “sweet young
Take the time to get to know your people, and you
are on your way to learn what motivates them.
1
I delight in telling you that “vetting” has its roots in
horse racing. Wikipedia claims it relates to a veterinarian You can find author Tim O’Toole at
carefully inspecting a horse before a race. Winners are www.1ceman.com and www.internal_control.us
then subjected to drug tests. Losers can keep their secret.

Compleat Works

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Compleat Works

Загружено:

Авторское право:

Доступные форматы

INTERNAL

HOW TO BE A BETTER MANAGER • Do you have a hundred or a thousand

We tend to procrastinate regarding unpleasant damage in dollars or lives lost, illness or

hygienically – not to comfort the bat’s next of

conclusions about malingerers. Check your

By Interview we are talking

MASTERS OF THE UNIVERSE The key provision of the Executive Order

PLAUSIBLE DENIABILITY proportionate to the risks identified. You have

Yes, that is a mouthful. But all these goals can

Work smarter, not harder

In some instances, you need to take calculated

In other instances, you need to explore new

Right now a major power sharing experiment is Be Ruthless

The Internal Control Act insists that you

IDENTITY THEFT While acknowledging that the Secret Service1

John Sennett referred to something called the

WHAT KIND OF LEADER

Middle of Some may view this style as

manner. Here’s a few practical hints:

• Cell phones are not toys. Sure it may be

Internal you cannot point back to such a mandate, then it’s

Five Components of Internal Control 3. Control Activities

5. Monitoring Be on the lookout for changing conditions. Staff

(you may think the Northway is intolerable at rush Case Studies

An internal control system, no matter how well

“WE NEVER SAW IT COMING”

FAMOUS DISASTER WARNINGS IGNORED

The O-Ring Failure on the Space Shuttle

Flight School Training for Arab Terrorists

The Walker Spy Family

COOKING THE BOOKS

Other luminaries in creative accounting:

Urban League of Albany

Capital Region BOCES

BOCES RETIREE GOING TO PRISON

William Cabin and the Lieutenant Governor’s Office

Billie Sol Estes and the Magic Silos

ALBANY TIMES-UNION ARCHIVES

MORE SCANDALS IN THE NEWS (Various Internet Sources)

WHY DOES INTERNAL • A dedicated and talented MSW stretches things

II. ASSET MISAPPROPRIATION

• Inventory and Other Assets

III. FRAUDULENT STATEMENTS

External Documents (examples?)

Source: Association of Certified Fraud Examiners

; CHECK YOUR STANDARDS

a) Are documents (paper files or computer records) readiliy available for

a) Is access to information limited to authorized individuals?

2. Accountability a) Are individuals assigned/accountable for specific assets (e.g. stores,

COSO’S New Definition

Internal Reflects an entity’s philosophy on risk management, considering performance and

Objective Based on an entity’s mission, management sets strategic objectives, which if

Risk Management assesses likelihood and impact of negative events

COSO’s draft ERM Framework is available at www.coso.org.

PROTECTING YOUR Even if you are beyond reproach, could

IF YOU SUPERVISE General, you may want to examine other

While they may have certain staff in mind when

Are your internal control

Case Study #1 Case Study #2

Following the principles of triage, you have Case Study #3

DOCUMENTING INTERNAL CONTROL PROCEDURES

A well-documented set of internal control procedures should also prove invaluable in

• Who or what gave you the authority to conduct this function?

• What activities or transactions need to occur to meet the function's objectives?