- Prayer and Worship
- Beliefs and Teachings
- Issues and Action
- Catholic Giving
- About USCCB
|Committee on Budget and Finance
National Conference of Catholic Bishops
United States Catholic Conference
The revised Code of Canon Law, effective November 27, 1983, addresses extensively the responsibilities of bishops as administrators of the Church's temporal goods. Canon 1284 states that all administrators are to perform their duties with the diligence of a "good householder." The bishop can delegate the authority but not the responsibility. He has the duty to ensure that no abuses exist in the administration of church goods within the diocese.
A recent survey, conducted by inter-national accounting firm KPMG Peat Marwick, of the top companies in the United States determined that "fraud is a significant problem for business." However, it has become painfully obvious that businesses are not the only organizations experiencing this problem. Unfortunately, even the Church has been plagued by embezzlement more and more during the past several years.
The frequency and the severity of fraud in the Church has prompted a request from the United States Catholic Conference and the Diocesan Fiscal Management Conference to initiate an internal control project study. This task was given to the Accounting Practices Committee of the United States Catholic Conference. The directive was to provide the United States Catholic Conference with a comprehensive paper whose overall objective would be to alert the bishops of the United States to the growing problem of management fraud and deceptive financial practices in their dioceses and to offer specific guidelines on how they can minimize risk.
This document provides such guidelines, which can alert bishops to areas of concern and steps they can take to minimize diocesan risks of fraudulent financial reporting and other improprieties, such as embezzlement. Note that the latter do not necessarily cause financial statements to be materially inaccurate.
The guidelines are approached from a managerial perspective and acknowledge the functions and relationships of the bishops, the finance officer, the finance council, and the independent outside auditor. The document addresses concerns at a diocesan level and does not specifically deal with issues at a parish or other institutional level. The guidance, however, may be useful for all organizations in a diocese.
Finally, the document concludes with descriptions of fraudulent activities that have occurred in many organizations, as well as examples of fraud and irregularities that have affected the Catholic Church in the United States. The document presents rules for detection of such fraud in order to minimize their occurrence in a diocese.
Most Reverend Thomas J. Murphy
Archbishop of Seattle
Internal control is a process designed to ensure that a diocese's goals are met with respect to effective and efficient operations, reliable financial reporting, and compliance with laws and regulations. However, because of inherent limitations (e.g., human error, possible collusion, and intentional disregard), an effective internal control system can provide only reasonable, not absolute, assurance that these goals are met. Internal controls will vary based upon the size of a diocese and should be established only if the costs of the controls do not exceed their potential benefits.
There must be a close coordination of internal control objectives with the mission of a diocese. Keeping in mind the mission, a diocese will also develop business objectives for operating the modern-day church. Therefore, the relationship among the objectives of a diocese and the formulation of strategy and control mechanisms must be properly coordinated to have effective control. In a small diocese these relationships are usually close, since there are fewer people responsible for coordination. In larger dioceses where respon-sibilities are more divided and narrow, coordination of these relationships requires more effort for the objectives and mission to be achieved.
Since internal controls deal with operations, development, and finances, the bishop is ultimately responsible for their establishment and implementation. Although the bishop will not become too involved in the details of the internal control system, he is the only person who has the power to ensure that each area of a diocese carries out its responsibility for the system. The proper tone must be set at the top of the organization, and for a diocese, this is the bishop.
Depending on the organizational structure in a diocese, the key people supporting the bishop may be personnel fulfilling the roles of the moderator of the Curia, chancellor, chief financial officer, the bishop delegates or secretaries, the finance council, and the priests council. Each plays an integral part in ensuring the effectiveness of an internal control system.
All systems must contain certain basic elements to prevent or detect errors and omissions and to safeguard assets. There are also common business cycles that must be controlled with specific procedures. Controls for these business cycles will help prevent or detect common varieties of fraud. Dioceses must recognize that their organizations are different, and thus the suggestions included here must be tailored to meet their specific needs.
After an internal control system is established, it must be periodically evaluated. A risk assessment project should be undertaken to consider the potential effect of these risks, and then cost-effective controls to mitigate them should be devised. Key project steps include (1) establishing a project com-mittee, (2) performing and documenting a study of the controls in place, and (3) periodically reviewing the status of implementing the study's recommendations. Many of these steps at a diocesan level may already be taking place, particularly if there is an active internal audit group in a diocese or if a paid/volunteer staff is performing the internal audit function.
Despite the strength of a system of internal controls, breakdowns can occur because of irregularities perpetrated by individuals. One part of a diocese protection system is a periodic review of fidelity coverage, which allows some mechanism for recovery in the event of a defalcation. Examples of irregularities are provided at the end of the document to illustrate ways to prevent and detect such irregularities in the future.
Internal Control: A Definition
Until one achieves a grasp of the fundamentals and what internal control is one cannot reliably form value judgments about internal control in a diocese. In short, it is necessary to take the time to learn about internal control before deciding how to utilize it to protect a diocese. It is especially necessary to have expectations, because internal control is not a panacea.
A recent comprehensive definition of internal control is set forth in the September 1992 document , published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. These sponsoring organizations were the American Institute of Certified Public Accountants, Financial Executives Institute, Institute of Internal Auditors, National Association of Accountants, and the American Accounting Association. The objective of COSO was to provide internal control guidance an internal control framework that all of the constituencies could use in designing or assessing internal control systems.
The COSO Framework defined internal control as follows:
Fundamentally, internal control deals with the safeguarding of assets, both physical and monetary.
The COSO Framework further presented four basic concepts underlying the definition:
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
Internal control is geared to the achievement of objectives in separate but over-lapping categories.
COSO then went on to divide the internal control process into five elements, as follows:
Control Environment. The core of any business is its people their individual attributes, including integrity, ethical values, and competence and the environment in which they operate.
Risk Assessment. The entity must be aware of and deal with the risks it faces. It must set objectives, integrated with the sales, production, marketing, financial, and other activities so that the organization is operating in concert. It also must establish mechanisms to identify, analyze, and manage the related risks.
Control Activities. Control policies and procedures must be established to ensure that management's responses to risks are effectively carried out.
Information and Communication. Information and communication systems surround all of these activities. They enable people to capture and share the information needed to conduct, manage, and control operations.
Monitoring. The entire process must be monitored, and modifications must be made as necessary. In this way, the system can react dynamically, changing as conditions warrant.
Some Examples of Controls
A few examples of the foregoing controls in the context of a diocese may be helpful.
Clear lines of authority and accountability that emphasize the importance of internal controls.
A documented code of conduct/ethical standards.
A formal budget process and prompt variance analysis.
A plan to attract and retain competent personnel.
An effective audit committee and internal audit functions.
Clear objectives regarding operating, financial reporting, and law compliance functions.
An entity-wide review to assess and evaluate risk (see Chapter 4 for a detailed example).
Segregation of duties: collections of cash contributions counted by two or more people.
Independent counting and/or confirmation of investments.
Controlled access to electronic data processing operations and adequate back-up (disaster recovery) in place.
Management support for developing and maintaining effective financial management information systems.
The sharing of information on emerging risk issues with other dioceses.
Channels of communication for employees and church workers to report suspected irregularities or illegal acts.
Regular receipt and prompt acting on reports of problems in internal controls (from external/internal auditors, etc.).
Prompt follow-up on unusual variances from budget.
Periodic comparison of physical inventories of saleable items (textbooks, cemetery lots, etc.) and permanent assets (sacred vessels, historical treasures, office equipment) to accounting records and the reconciliation of differences.
It is important to focus on what internal control is not, lest any expectations be unrealistic. It should be recognized that any system of internal control has substantive inherent limitations that can work to completely frustrate the control objectives. These limitations are well recognized, both in the professional auditing standards literature utilized by CPAs and in COSO's aforementioned Framework.
Specifically, the inherent limitations of any internal control system include the following:
Mistakes and human errors in applying the established policies and procedures.
Circumvention of controls by collusion of two or more people (e.g., an employee and a vendor).
Intentional disregard of controls (e.g., management override, falsifying documents, forgery, etc.).
These limitations should serve as a sobering "reality check."
In other words, even the best system can be defeated innocently or intentionally. However, one can expect that a good system of controls will provide the diocese and its leadership with "reasonable assurance" that its control objectives are attained. It is important to be able to demonstrate that an entity made reasonably prudent efforts to achieve its internal control objectives, rather than complacently "assumed" or "trusted" that the objectives would be achieved by "good people."
A final limitation of internal control to consider is cost. Common sense dictates that controls should not cost more than their potential benefit. Balancing this cost-benefit equation frequently involves considerable judgment, especially in placing a value on such benefits as the avoidance of scandalous publicity or the efficient handling of contri-butions and donor relations. Nonetheless, stewardship over assets and the spiritual mission of the diocese should recognize that the value (as each diocese defines it) of any control benefit exceeds the costs of related control implementation efforts.
The chart represented below graphically depicts the goals and components of the internal control process:
Internal Control as a Process
Operational Efficiency and Effectiveness
Financial Reporting Reliability
Compliance with Laws
Information and Communication
To be effective, internal control policies and procedures must be properly followed by personnel, regardless of responsibility level. People, not policies, determine whether a system will function properly. People at different levels have different backgrounds, technical skills, needs, and priorities. Therefore, it is important that they be properly trained in their responsibilities and limits of authority.
Depending on the structure of a diocese, typically the people involved include personnel fulfilling the responsibilities of the bishop, moderator of the Curia, chancellor, chief financial officer, internal auditor, bishop's delegates or secretaries, and other employed personnel, as well as members of the diocesan finance council or the priests council and volunteers. Just about everyone in a diocese has some responsibility for internal control. Everyone also has an expressed or implied responsibility to report a breakdown in internal control. Personnel must always believe they can report a problem to a responsible member of management, where the ultimate responsibility for the internal control system of a diocese lies. The responsibilities of the various levels of authority in a diocese are discussed below, under the headings of "Management and Personnel," "Committees," and "External Auditors."
Management and Personnel
The bishop, as the head of the organization, should assume ownership of the system of internal control. He is responsible for ensuring integrity, ethics, competence, and other factors of a positive control environment. The bishop fulfills his responsibilities by providing leadership to his senior management team, who shape the values, principles, and operating policies that are the basis for a strong internal control system. He should meet periodically with his management team and review their areas of responsibility to see that the diocese is being properly controlled. The bishop and his representatives, therefore, establish a control environment that ensures effective communications and sets up monitoring procedures.
Finance officers and their staffs are important in the monitoring process. Their activities cut across the operating and other activities of a diocese. They are involved in developing diocese-wide budgets and plans. They produce reports that analyze performance from operational, compliance, and financial perspectives. The chief financial officer (CFO) and other finance officers are central to the way management exercises control. The CFO plays a key role in setting the tone of a diocese's ethical conduct. The CFO should be a key player when a diocese's objectives are established and strategies are decided for risk assessments and changes affecting the diocese. The CFO provides valuable input and direc-tion and should be an equal partner with the other functional heads in a diocese. Any attempt by management to have the CFO more narrowly focused (limited to areas of financial reporting, treasury, and internal audit) could prevent a diocese from succeeding in its business objectives.
The primary objective of internal auditing is to provide an evaluation and test of a diocese's controls. Internal auditors should take the following steps to appraise the internal control system:
Review the reliability and integrity of financial and operating information.
Review compliance with diocesan policies, plans, and procedures and compliance with laws and regulations.
Review the means for safeguarding assets.
Review the means by which resources are used effectively and economically.
Ascertain that operations and programs have accomplished established objectives and goals.
The functions of internal auditors may not always be fulfilled by paid staff employees but can be performed by others in an organization or by volunteers who are trained in such functions.
Other Diocesan Personnel
Internal control is the responsibility of all the personnel in a diocese. Examples of personnel activities include generating invoices, ordering, reporting expenses, preparing time cards or time sheets, and preparing requisitions. Personnel should generally be aware of the diocese's mission and corporate code of ethics.
To the extent volunteers are involved in an organization, they should be made aware of its control consciousness. Personnel who volunteer need to understand the business implications of their activities. While the organization is grateful for their volunteerism, there may be occasions when accepting their help would be inappropriate because of church or personal conflicts of interest.
Every organization is assisted by either paid or volunteer committees. Certain committees may be able to help the bishop and management carry out their responsibilities over internal controls. Although committees are not necessary, their existence typically provides another deterrent to incidents of fraud. Some of the responsibilities of these committees are described below.
The finance council of a diocese should have a significant role in the internal control function of a diocese and in providing direction, guidance, and oversight to the bishop. In addition to its advisory capacity, the finance council has specific rights and duties under canon law. Members must be objective and competent. To be effective, the diocesan finance council should carry out its responsibilities through committees. Some of the committees may include audit committee, financial or project review committee, properties committee, investment committee, employee benefits and compensation committee, and insurance committee.
Membership on the finance council should be diverse with respect to areas of technical competence, covering areas such as accounting, financing activities, real estate, construction, insurance, and investments. Committees should include clergy as well as lay persons.
The responsibilities of the various com-mittees of the finance council may be as follows:
The audit committee is responsible for reviewing the annual diocesan budget, the financial results throughout the year (monthly or quarterly), the results of the annual audit, the activities of the internal auditor, the adequacy of the accounting system, the overall adequacy of the internal control system, and the functioning of the system.
The financial or project review committee reviews the financial feasibility of any con-struction project or property acquisition in the diocese. This review should include any related debt acquisition.
The properties committee advises the bishop on properties acquired, held, and alienated. Members should be concerned with the quality of construction on purchased property, since quality may ultimately involve future financial outlay. They could also be charged with assessing the need for a proposed project and ensuring the liturgical correctness of the project when appropriate.
The investment committee sees that there are proper controls over the invested funds of a diocese. They should establish diocesan investment guidelines and review the ade-quacy of investments from financial and ethical viewpoints. On a periodic basis they should review the investment performance of managed funds against diocesan guidelines and other criteria that are commonly used to evaluate the effectiveness of money managers.
The employee benefits and compensation committee ensures that controls are in place with respect to employee benefit programs and compensation arrangements. Members should see that fiduciary responsibilities over employee benefit programs are being properly discharged. They should work with the finance officers to determine that compensation scales do not jeopardize the diocese's objectives by emphasizing short-term results at the expense of long-term performance.
The insurance committee ascertains that there are proper controls over a diocese's retained and insured risk management programs. The committee is responsible for reviewing the programs with respect to cost, adequacy of coverage, and implementation of risk management activities.
External auditors (independent public accountants) can be helpful in reporting material deficiencies in internal control systems and their implementation. A diocesan entity should not, however, rely on external auditors to identify all weaknesses unless the auditors are specifically engaged to review the system. External auditors who are engaged to audit and issue an opinion on the financial statements design their procedures to provide reasonable assurance of detecting errors and irregularities that are material to the financial statements. However, there are inherent limitations in the auditing process. For example, audits are based on the concept of selective testing of the data being examined and are therefore subject to the risk that errors and irregularities may not be detected. Also, because of the characteristics of irregularities, including attempts at concealment through collusion and forgery, a properly designed and executed audit may not detect a material irregularity.
Establishing Internal Controls:
Specific Practices, Procedures, and Techniques
The purpose of this chapter is to identify some areas where weak controls could lead to employee fraud and to offer guidance to dioceses/parishes/institutions on the establishment of specific internal controls to improve these areas. The areas identified are common to every organization. The chapter is not intended to describe internal control procedures for every business transaction. Basically, all of the procedures discussed in this chapter have two major aims:
To protect assets (e.g., cash, investments, and property)
To ensure that the accounting records are accurate and complete
Since all dioceses and their related organizations are different in size and in organizational structure, application of the policies, practices, procedures, and techniques discussed will vary. There are, however, a number of basic elements of internal control that should be part of any system. Each diocese should evaluate its business cycles to design elements of an internal control system.
Once the basic elements are covered, organizations need to design internal controls for the following business cycles:
Financial planning and control
The elements of a "revenue" cycle in a church structure are covered in the cash management cycle noted above since most types of revenue are converted to cash very quickly.
Basic Elements of Internal Control
Honest and Capable Employees
Recent frauds perpetrated on dioceses have been committed by employees having a great deal of trust. Certainly, any system is critically dependent on the people who use it. If the people are dishonest or incompetent, even the finest system will not perform properly. Honest and capable employees can and do function effectively even in situations where other elements of internal control are lacking. The following suggestions may help in deterring employee dishonesty and apply to volunteers as well as paid employees:
Require annual vacations of employees to help ensure that any fraud requiring their constant attention would be discovered during their absence. This requires cross-training to ensure work continues during such absences.
Bond or secure fidelity insurance on employees in positions of trust. A fidelity bond is insurance protecting the organization from losses resulting from employee dishonesty.
Establish and educate personnel on the conflict-of-interest policy to prevent potential abuse.
Know your personnel. Watch for signs that an employee is spending more than his/her salary would seem to allow.
Investigate all employees adequately before their employment as part of the hiring process.
Employees must know what they are to do and what others are responsible for. Establishing an organizational chart is clearly important for defining responsibility lines. Job descriptions should be used to further explain proper delegation.
Most important is a clear separation of duties. The system should provide for an appropriate segregation of duties between the custody of and the accountability for assets. This segregation should preclude any one person from performing all aspects of a function. Custody of assets must be separated from the record-keeping of those assets. Also, authorizing transactions must be segregated from recording the transactions. Generally, involving more people in the accounting system reduces the potential for fraud, unless, of course, there is collusion. In situations where this is impractical due to financial constraints, a responsible officer, finance council member or trustee who is not involved in the daily record-keeping should oversee the accounting activities.
Procedures for the Processing of Transactions
Specific procedures will be discussed later as they relate to business cycles. In general, a basic element of internal control is proper authorization. It is imperative that the day-to-day operating authority be delegated to the appropriate manager(s) with specific guidelines to follow (for example, the maximum amount to be borrowed without authorization or the maximum amount of a disbursement to be approved).
Suitable Documents and Accounting Records
Accounting records and documents should be maintained to provide an audit trail. One major objective of an internal accounting control system is to provide reasonable assurance that the financial records reflect all financial transactions that have occurred. The recording of all transactions must be correct as to quantity and dollar amount, and must be made in the proper accounting period. The supporting documentation should be
simple and easy to use to help reduce error;
numbered to help keep physical control over the documents;
as few in number as possible to minimize confusion; and
designed to ensure that they will be properly completed.
The safeguarding of assets is an important aspect of a system of internal control. Accounting records can be protected by physical barriers, such as locked rooms or drawers accessible only to select individuals. The safeguarding of assets, however, is much more than just establishing physical control. The system should also provide documentation authorizing the movement of assets into or out of an organization.
In addition to accounting records, all physical assets should be properly secured. For example, furniture and equipment should be numbered and inventoried.
An important subset of physical controls is security for the information system. It is crucial that access to computer equipment and the computer software necessary to process accounting information be controlled. Computer files should be backed up and stored off-site, and fireproof safes should be used to store important documents. Given the rapid changes being made in this information age, management must be cognizant of the importance of emphasizing controls over the use of its information technology.
Independent Verification of Performance
Procedures to reconcile actual transactions with those transactions that have been recorded are another element of internal control. The taking of a physical inventory or the reconciling of a bank account to the general ledger are two methods for such activity.
No one can objectively evaluate his/her own performance effectively, and no one can record large numbers of transactions with perfect accuracy. Supervisors must periodically assess the performance of their subordinates to help ensure that any accounting and internal control system is functioning properly. If internal auditors are used, they should report to the audit committee or finance council. Additionally, an annual audit should be performed by an outside independent accounting firm.
Financial Planning and Control Cycle
Diocesan and parish officials must insist that their financial managers have an adequate system of planning and control. Generally, they must have mechanisms in place to ensure that the diocese or parish can meet unexpected financial obligations and has the resources to take advantage of unexpected opportunities that may arise. Specifically, all entities should be required to adhere to a prescribed budget process, resulting in an annual budget at a minimum. Furthermore, periodically entities should report operating results versus bud-geted amounts. Additionally, it is recommended that a long-range budget be adopted, typically a five-year financial plan. Proper planning also dictates that cash-flow forecasts be prepared periodically, and all excess cash placed in reasonably safe long-term investment vehicles.
With regard to financial control, managers have the responsibility of ensuring that adequate accounting records are maintained and that the financial operations are running smoothly, as planned and anticipated. The following features should be used to achieve these goals:
These reports must be prepared on a timely basis so that appropriate action can be taken should the actual results of operations vary materially from the budget.
The chart of accounts should contain a list of accounts, numbers, and names for all asset, liability, fund balance, revenue, and expense accounts. Additionally, the chart should contain a description of each account and guidance on when each should be used.
These manuals are necessary to train new employees in the operation of any accounting system and to ensure that similar transactions are handled in similar manners.
The controls to be discussed for the cash management cycle will include those over cash/non-cash assets that are readily convertible into cash (e.g., marketable securities, receivables, and liabilities whose liquidation will require the use of cash, such as accounts payable and notes payable).
The number of bank accounts should be strictly limited to those absolutely required. Obviously, the fewer the accounts, the greater the control and the smaller the opportunity for errors or wrongdoing.
All accounts should be opened in the name of an entity, never an individual. The mailing address should not be a private residence. Only officials designated by board resolution should be permitted to open and close bank accounts. Those permitted should be specifically named in writing to job title or office in the organization procedures manual.
Authorized check signers should be very limited. Checks in excess of a certain dollar amount (e.g., $1,000) should require the signature of two responsible individuals. Facsimile signatures should be prohibited unless controlled by a check-signing machine with a numerical sequence counter. No signature stamps should be allowed.
Bank statements should be reconciled to the accounting records each month in a timely manner. This is essential to determine if any unauthorized checks were issued or receipts stolen. The statement should be reconciled by someone other than the check signers and those controlling the checking account. The individual responsible for reconciling the account should receive the bank statement unopened. The actual reconciliation should be compared with the financial statements by a separate responsible individual (e.g., internal auditor, finance council member) at least annually.
All wire transfers should be pre-authorized by two responsible individuals.
All cash disbursements should be made with prenumbered checks, with the exception of petty cash. Using checks for all major cash payments ensures that the disbursement is authorized and there is a permanent receipt. The check should be prenumbered so that it is accounted for properly. This procedure helps to prevent the issuance of a check that is not recorded in the cash disbursement journal. Additionally, presigned checks should not be allowed.
If a mistake is made when preparing a check, the check should be voided before preparing a new one. The voided check should then be altered to prevent its use, retained to make sure all prenumbered checks are accounted for, and filed with other checks for a permanent record. The stock of unused checks should be safeguarded and regularly inventoried.
Check signing should be the responsibility of individuals having no access to the accounting records.
Checks should be drawn according to procedures prescribing adequate supporting documentation. To ensure that disbursements are supported by invoices that have been properly authorized, this documentation should include at least (1) a proper original invoice; (2) evidence that the goods or services were received; and (3) evidence that the purchase transaction was properly authorized.
All supporting documents should be canceled or marked "paid" once a disbursement is made to avoid double payments. Payments should not be made on statements or balance-due billings unless underlying invoices are included.
All checks should be mailed promptly and directly to the payee. The person mailing the check should be independent of those requesting, writing, and signing it.
When the mail is opened, a list of collections should be made. The person opening the mail and preparing the list should be independent of the accounting function. A responsible official should periodically compare the list with the journal record and the bank deposit.
Cash and check receipts should be deposited intact daily.
Billing invoices should be prenumbered to make sure they are all accounted for. There must also be physical control over invoices so that they are not improperly used.
An imprest petty cash fund with one custodian should be used. The imprest fund involves replenishing petty cash only when properly approved vouchers are presented justifying all expenditures. For accountability, only one person should be in charge of the fund.
The custody of marketable securities should be segregated from accounting for marketable securities. Also, physical safeguards should be established for investments on hand.
Independent custodians and investment managers should be utilized whenever possible. An investment policy that identifies those authorized to buy/sell securities, as well as specific guidelines on the organization's portfolio mix (e.g., percentage of fixed income vs. equity), should also be on hand. Additional diligence should be exercised for funds held or managed by monitoring performance through independent published data or by obtaining services of independent professionals.
Two individuals should be present whenever securities or other valuables are inspected, and securities should be periodically compared with a schedule of marketable securities or valuables.
Activity of purchases/sales should be reconciled with brokers' or managers' statements.
All handling of cash should be segregated from the maintenance of receivable records. Checks should be restrictively endorsed upon opening prior to processing accounts receivable applications.
Periodically, the detail of the accounts receivable/notes receivable/pledges receivable subsidiary records should be compared with the control account and reconciled by an independent person. Accounts should also be periodically confirmed by the debtor.
All adjustments for discounts or allowances should have specific approval.
All adjustments for bad debts should have special approval. Additionally, a record of all bad debts written off should be maintained and periodically reviewed to minimize the danger of collections being received and not recorded.
The accounts should be aged regularly and the delinquent accounts periodically reviewed by a responsible official.
Custodial accounts and amounts received for others should be adequately segregated in the activity records and transmitted to the ultimate recipient on a timely basis. Whenever possible, amounts reported by contributors (such as parishes forwarding special collections) should be reconciled or compared with amounts ultimately disbursed to the agency.
The accounts payable/notes payable procedures are clearly related to the procedures for cash disbursements and payroll. The control concern is to make certain that all liabilities are properly recorded and ultimately paid. Controls are also necessary to ensure that account distributions are proper. There should be a proper segregation of duties over the performance of the functions of comparing receiving reports, purchase orders and invoices and the handling of the actual disbursement functions. For disbursements that are not normally accompanied by an invoice (e.g., payment on a note), the authorization should come from a responsible official.
Still another important element of a well-designed system of internal control involves the people who perform and execute the established policies and procedures. Personnel policies should be adopted to ensure that only reasonably competent and honest persons are hired and retained. While the selection of honest, capable employees does not ensure that errors or irregularities will not occur, such selection will enhance the likelihood that they will not.
Typically, there are four functions that are accomplished through the payroll cycle. They are:
Personnel administration and employment file maintenance
Timekeeping and payroll preparation
Payment of payroll
Preparation of payroll tax returns and payment of taxes
This function includes interviewing candidates, checking references, and hiring qualified personnel. The process produces personnel records and wage information. The most important internal controls in personnel involve the formal method of informing the timekeeping and payroll preparation personnel of the authorization of new employees, the authorization of initial and periodic changes in pay rates, and the establishment of termination dates for employees. Segregation of duties over these procedures is particularly important. No individual with access to payroll records or checks should also be permitted access to personnel records.
Timekeeping and Payroll Preparation. This function directly affects payroll expense for the period. It includes preparation of time cards by employees, if required; the summarization and calculation of gross pay, deductions, and net pay; the preparation of payroll records; and the preparation of payroll checks.
Of primary concern is control over the preparation of payroll checks. Anyone who is responsible for preparing the checks or for inputting data should be prevented from summarizing the records and signing or distributing payroll checks.
The summarization and calculation of the payroll can be controlled by well-defined policies. For example, payroll policies should require that an independent person recalculate actual hours worked, review for the proper approval of overtime, and recheck pay rate and calculations. This can be done through spot checks.
Adequate control over posting time on the time cards includes the use of a time clock or the signature of a supervisor on the employee's timesheet attesting to the number of hours worked.
Payment of Payroll. The signing and distribution of the checks must be properly handled to prevent their theft. The controls should include limiting the authorization for signing the checks to a responsible employee who does not have access to timekeeping or the preparation of the payroll, the distribution of the payroll by someone who is not involved in the other payroll functions, and the immediate return of unclaimed checks for redeposit. If a check-signing machine is used, the same controls are required; in addition, the check-signing machine must be carefully monitored.
It is advisable that the organization use an imprest payroll account to prevent the payment of unrecorded payroll transactions. An imprest payroll account is a separate checking account in which a small balance is maintained. A check for the exact amount of each net payroll is transferred from the general account to the payroll checking account immediately prior to the distribution of the payroll. The advantages of an imprest account are that it limits the organization's exposure to payroll fraud, allows the delegation of payroll check-signing duties, separates routine payroll expenditures from other expenditures, and facilitates cash management.
Preparation of Payroll Tax Returns and Payment of Taxes. The careful, timely preparation of all payroll tax returns and the payment of taxes are necessary to avoid penalties and criminal charges. The most important control is the preparation of these returns based on a well-defined set of policies that carefully indicate when each form must be filed, as well as when specific payroll taxes are due. Independent verification by a competent individual is also an important control to prevent errors and potential liability for additional taxes and penalties.
There are typically four primary functions in the purchasing or acquisition cycle. They are
Processing purchase orders
Receiving goods and services
Recognizing the liability Processing and recording cash disbursements
The request for goods or services is the starting point for the cycle. Proper authorization for acquisitions is an essential part of the function because it ensures that the goods or services purchased are for an authorized purpose, and it prevents the purchase of excessive or unnecessary items. It is essential, therefore, that purchasing authority be established.
For capital or other major expenditures, a competitive bidding process should be established.
After the acquisition request has been approved, the order must be initiated to purchase the goods or services. Where it is cost beneficial, a purchase order system should be used. All purchase orders should be prenumbered and should include sufficient columns and spaces to minimize the likelihood of unintentional omissions on the form when goods are ordered. A responsible official should check to see if available budget dollars remain to support the purchase.
Receiving Goods and Services. The receipt of goods or services from the vendor is a critical point in the cycle, because it is the point when the associated liability is usually first recognized. When goods are received, adequate control requires an examination for descriptions, quality, and condition. The individual responsible for the examination should prepare a receiving report verifying that all is in order.
Recognizing the Liability. The proper recognition of the liability for the receipt of goods and services requires accurate and prompt recording. The accounts payable disbursements personnel are responsible for verifying the propriety of acquisitions and for recording them in the accounts payable register or system. When the vendor's invoice is received, the descriptions, price, quantities, terms and freight on the invoice should be compared with the information on the purchase order and, where applicable, the receiving report. Typically, extensions and footings are verified, and an account distribution is entered on the invoice. Budget authorization and availability should also be examined.
Processing and Recording Cash Disbursements. As previously discussed, the most important controls in the cash disbursement function include the signing of checks by an individual with proper authority, separation of responsibilities for signing the checks and performing the accounts payable function, and careful examination of the supporting documentation by the check signer.
The checks should be prenumbered and care should be taken to physically control blank, voided, and signed checks before they are mailed. Finally, it is important to have a method of canceling the supporting documents to prevent their reuse as support for another check at a later time. A common method is to have a "paid" stamp for the supporting document that includes the number of the account the disbursement is charged to and the check number.
As noted, a system of internal controls consists of both general and specific policies. The system should be documented so that all personnel will know what is expected of them and will be properly trained to carry out their responsibilities. The policies should become part of a permanent corporate record along with such supplementary policies as an accounting manual and travel policies. Of course, such documents are useful only if they are periodically updated.
Guidelines for a Diocesan Internal Controls Review
The purpose of this chapter is to help a diocese start reviewing the adequacy of its internal controls in an orderly fashion.
Risk Assessment and Evaluation
Answering the questions of how well a diocese has designed its internal control system and how well it has achieved the goals of effectiveness requires a risk assessment and evaluation.
A diocese must determine whether the components of the internal control process are in place and are effective to achieve the three control objectives: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. Remember that if the objectives are not met, assets can be lost and the perception of diocesan stewardship is seriously eroded.
Risk assessment means identifying the various risks a diocese faces, considering their potential impact, and devising cost-effective controls to mitigate such risks.
There are numerous published resources to serve as guides to the risk assessment process, in addition to those developed for this manual (see Chapter 1). These resources range from questionnaires and checklists to published texts and guidelines. For example, the COSO Framework includes an entire volume (entitled "Evaluation Tools"), and public accounting firms also have similar "help" tools readily available for reference. Furthermore, the American Institute of Certified Public Accountants has issued its Statement on Auditing Standards No. 55 (April 1988), Consideration of the Internal Control Structure in a Financial Statement Audit, which contains useful guidance. However, the most important thing is to get started!
Suggested Steps for a Controls Review
Start at the top with the chief executive officer, the bishop, setting the tone by endorsing and supporting a systematic project to assess and evaluate control risks. Without this pervasive support and understanding, the project may not succeed in improving internal controls.
A risk assessment project for a diocese should include the following steps:
A project committee should be established (perhaps a subcommittee of the diocese's finance council) composed of, at a minimum:
The chief financial officer
Representative(s) of the finance council
The internal auditor (if the position has been established)
The external auditor
The committee should be charged with undertaking and documenting a study of the diocesan internal control process and making recommendations for improvement. Its chair should regularly report to the bishop on progress. (Items 3-8 refer to the study/review.)
The committee should assess the overall control environment, including
Organization of the diocese
Communication of policy (methods in place)
Lines of authority
Supervision of financial matters
Budgeting control process
The committee should divide the entity into natural business cycles (see Chapter 3), such as
Financial planning and control (management)
The committee should review the flow of transactions through these cycles to understand each processing system and its controls.
The committee should determine whethercontrol techniques in place in each cycle achieve the defined internal control objectives (see Chapter 3).
Where objectives are not met, the committee should assess the resultant risks and make specific recommendations to im-prove internal controls at a cost below the value of the related benefit to be attained.
The committee should draft a report summarizing the project and detailing the recommendations.
The implementation of the recommendations should be periodically reviewed to ensure the desired results are achieved and to promote the diocesan culture of appreciating and embracing the value of internal controls.
Defining internal controls (and their inherent limitations) is an essential starting point. Further, it should be understood that the risk assessment and evaluation process is a major undertaking, likely to extend for many months in view of the increasingly diverse facets and entities comprising the diocesan sphere of control. However, the benefits can be substantial both in obtaining documented reasonable assurances that controls are in place and in preserving an unblemished image in pursuit of the diocese's sacred mission.
Fraud and Irregularities: Concepts,
Examples, and Detection Rules
Even if internal controls are well designed, they can break down. Personnel may mis-understand instructions or make judgment mistakes or errors due to carelessness, distraction, or fatigue. An accounting department supervisor responsible for investigating exceptions might simply forget or fail to pursue an investigation far enough to be able to make appropriate corrections. Temporary personnel executing control duties for vacationing or sick employees might not perform them correctly. System changes may be implemented before personnel have been trained to react appropriately to signs of incorrect functioning.
In addition to mistakes or misunderstanding, fraud may be perpetrated by individuals who choose to deliberately circumvent the process of internal control. This chapter presents the varieties of fraud, or intentional defalcations, and concludes with examples of fraud committed against the Catholic Church in the United States.
Pervasive in any organization is the possibility of management override. A system of internal control can only be as effective as the people who are assuming ownership of the system's continued functioning. Even in effectively controlled entities those with generally high levels of ethical behavior, integrity, and control consciousness a senior manager might be able to improperly override internal control. It is useful to consider the reasons why override occurs and how it is done.
Management override can occur for any number of reasons some legitimate, others illegitimate with the intent of personal gain or of an enhanced presentation of an entity's financial condition. A manager of a division or unit, or a member of top management, might override the control system to increase reported revenue to cover an unanticipated increase in expenses, to enhance reported earnings to meet unrealistic budgets, to meet revenue or expenditure projections to bolster bonus payouts tied to performance, or to appear to cover violations of debt covenant agreements.
Management override can be carried out in a number of ways, ranging from subtle to egregious. It can be as simple as an inten-tionally misstated journal entry or as egregious as writing one's own termination check for disputed vacation time.
Management's practices of "denial" (not wanting to listen to bad or unexpected news) or "shooting the messenger" result in a form of override that can mask an impending problem. Less obvious override practices include delib-erate misrepresentations to bankers, lawyers, accountants, and vendors, and intentional issuance of false documents such as purchase orders and sales invoices.
The Varieties of Fraud
The collusive activities of two or more individuals can result in control failures. Individuals acting collectively to perpetrate and conceal an action from detection can alter financial data or other management information in a manner that cannot be identified by the control system. For example, there may be collusion between an employee performing an important control function and a customer, a supplier, or another employee. On a different level, management might collude in circumventing controls so that reported results meet budgets or fundraising goals.
Lapping is one of the most common types of employee fraud. It is the postponement of entries for the collection of receivables to conceal an existing cash shortage. The fraud is perpetrated by a person who records cash in both the cash receipts journal and subsidiary accounts receivable journal. The employee defers the recording of cash receipts from one source and covers the shortage with receipts from another source. The employee must continue to cover the shortage through repeated lapping, replace the stolen money, or find another way to conceal the shortage.
Theft is the diversion of cash, checks, or other assets before they are recorded by the accounting system of a diocese, parish, school, or other operating entity. It can take the form of removing cash from the collection basket or mail, diverting checks or securities to a branch bank or brokerage account, or even taking for personal use cash or goods donated for corporate purposes.
Accounts Payable Fraud
The employee may falsify payments to real vendors or create phony vendor addresses to which checks are sent. Alternatively, an employee may intentionally overpay an invoice, take the refund from the supplier, and pocket it.
Payroll Ghosts and Unauthorized Pay Charges
Padding the payroll is another common form of fraud. With this, an employee might either keep paying checks for employees after their employment has terminated or add nonexistent employees to the payroll. Unauthorized pay charges and the non-recording of vacations used are frequent occurrences when there are not ongoing monitoring mechanisms or procedures in place.
An employee may take bribes or kickbacks from vendors and suppliers. This is very difficult to detect, since there are no records; the deals are usually made in cash. However, price comparisons can help detect kickback situations, because vendors involved in these schemes charge more to help "finance" the illegal payments and also to increase their profit.
Supplies or Inventory Fraud
The employee uses the organization's money to place a phony order or to order more than the organization needs; or the employee simply absconds with inventory from a store or other storage locations. The merchandise is then sold or kept for the employee's gain.
Other Fraudulent Activities
Other fraudulent activities include all types of petty or small thefts. These include submitting phony invoices, inflating reimbursable personal expense items, misappropriating petty cash, or using diocesan tax identification numbers for sales tax exemptions on personal purchases. Although the amounts stolen are relatively small with these activities, they may be the most common types of employee fraud.
Breakdowns in internal controls do occur, both intentionally and unintentionally. It is the intentional error or fraud that worries those in leadership positions.
Information supplied by the Federal Bureau of Investigation reveals the following statistics regarding incidents of fraud.
Electronic data processing
|% of Incidents
|% of Losses
As noted, there is rarely any predictable pattern of defalcation. However, one thing is clear: a poor system of internal controls, collusion between employees and third parties, and management override are present in a vast majority of fraud incidents, according to information supplied by international accounting firm KPMG Peat Marwick.
Certain examples of defalcations that have occurred within the Catholic Church in the United States appear below. In many cases the employee or volunteer was a trusted individual. This is supported by data supplied by the FBI on the profile of an embezzler, who is described as an employee with 5-6 years of experience, often described as good-to-above-average, highly desirable, reliable, bright, motivated, trustworthy, and an achiever with good self-control. The typical motive is the need for money caused by a specific problem. Opportunities to defraud existed because of weak supervision.
Handling of Collections
In this scenario, one person is responsible for counting the Sunday collection, making out the deposit ticket, taking the deposit to the bank, and recording amounts to parishioner records. This case is easy to detect and can be prevented by requiring a number of safeguards, including involvement of more than one individual in handling collections, dual counts and signatures evidencing concurrence of counts, segregation of the count procedures from deposit preparation, and recording of cash receipts. Furthermore, someone who is not part of the cash receipt function should double-check the receipted bank deposit ticket with an initial control log of cash receipts. Additional controls may include an independent review of bank statements and pre-paration of bank reconciliations, and a recheck of envelope receipts to parishioner records.
Tuition Amounts That Are Delinquent
In one instance of defalcation, a clerk was responsible for collecting old accounts and for writing off bad debts. In this circumstance, the clerk could write off an account with no approval, subsequently collect the past-due amount, acknowledge the receipt, but divert the money to personal use. Routinely checking write-offs with supporting documentation may prevent this irregularity.
Gifts and Bequests
Particularly difficult to control is the manner of receipt for gifts and bequests. Contributing factors are unpredictability, varied methods of submission, and often anonymous donors. Adequate control requires a strong system of checks and balances to minimize the opportunity for abuse. One diocesan official received numerous gifts directly and diverted the funds for other than intended purposes. This was possible because the official had responsibility for receiving the gift, even perhaps acknowledging the gift, and had depositing responsibility. Funds were being deposited into an account which was not part of the diocesan chart of accounts. The official had responsibility for disbursement over these accounts, so the money could easily be diverted for personal purposes. There should be proper segregation of duties to prevent the same individual from receiving, acknowledging, and depositing corporate assets.
A Large Capital Project Over a Number of Years
At one diocese, expenditures were routinely approved, and through a series of exchange checks, evidence was presented to the accounting clerks showing that amounts were paid from "diocesan named" accounts but were not part of the diocesan chart of accounts. The invalid accounts were therefore reimbursed for phony expenditures, and money was diverted. Expenditures were charged to the large capital project but were never large enough to cause significant budget-to-actual variations, thus preventing management from questioning the overages. Periodically checking expenditures to budgeted amounts may detect this occurrence.
In one case, the diocesan finance officer wrote a check payable to a fictitious vendor set up at a bank in his name. Once again, tight budgetary controls may have prevented this from occurring. Since the check was for a substantial dollar amount, dual signatures may have been used to prevent this occurrence.
A recent issue involved the commingling of personal bills with parish bills by the parish secretary. The secretary had responsibility to disburse all parish funds and had signature authority over the checking account, so the personal bills were concealed from the pastor. The pastor's routine checking of the support for expenditures would have prevented this occurrence.
Due to the lack of internal controls over the establishment of bank accounts, a school principal was able to open and control several checking accounts that were not on the books. The principal routinely wrote checks payable to himself; his explanation was that the funds were reimbursements for expenses he incurred on behalf of the school. Because he controlled the accounts, no one questioned his explanations, nor did anyone have access to the bank statements or receipts. The principal voluntarily left the position. The fraud was first suspected by his successor, and through a subsequent audit the suspicions were confirmed. External auditors can assist in this area by requesting that banks confirm all open accounts directly to the auditor.
One parish had a policy of allowing the youth minister to maintain a separate checking account for religious education. The account was funded by the parish at the beginning of each fiscal year. In addition, field trip funds, etc., were placed in the account. The youth minister reconciled the bank statements, made deposits, and controlled the disbursements from the account. No one in the parish business office questioned the youth minister about the account activity until the bank started calling the parish because checks were bouncing. When the youth minister was asked to produce the checkbook and receipts, it was evident that the youth minister was involved in a lapping scheme. This could have been detected by having some oversight over the minister's activities.
In another case, a parish priest routinely wrote checks payable to "cash" or to himself over an extended period. Through an audit it was determined that the priest paid lay employees by cash, but the majority of the checks were tendered by the priest and there was no documentation to substantiate expenses. The bookkeeper was not comfortable with asking the priest for documentation and routinely accepted verbal explanations for expenses. This was clearly a case for ensuring that all employees receive instruction in the proper procedures to follow for reporting a suspicion of wrongdoing to a higher authority.
False Invoices and Nonexistent Companies
A parish had a small staff with only one clerk. Segregation of duties was not possible but was only one cause of a significant defalcation, because of other weaknesses in handling checks.
The clerk perpetrated a fraud using two confederates, A and B. Confederate A worked in a printing company and could easily use the equipment to prepare invoice forms from real companies listed in the telephone directory. The clerk told Confederate A the kinds of firms with which the church office was dealing and which firms were actually being used; the false invoices were never printed using these firms' names but only similar firms with which the church office had never dealt. The false invoices were printed with a different company's name on each one.
Confederate B was the owner of a small company. After a batch of checks was signed, the clerk mailed them to the payees. Checks for false invoices were separated and mailed to Confederate B who would endorse the checks with an endorsement stamp that said: "Pay to the order of Confederate B d.b.a. (insert name on invoice) for deposit only." Each endorsement stamp was used only once. Later Confederate B would withdraw currency and pay an amount to the clerk and to Confederate A.
As part of a normal routine the clerk would open all mail, including the bank statements and canceled checks, and put a date stamp on all statements, invoices, and letters. With the bank statements, the clerk took the further step of removing all checks pertaining to the false invoices.
An external CPA firm conducted the annual audits of the church office, rendering a "clean" opinion. Management letters from the CPA firm noted that bank reconciliations were no longer available except on a full-year basis instead of monthly, and that there was increasing carelessness in the handling of checks returned from the bank. But these comments did not prevent a clean opinion.
Prior to a new audit, the CPA firm insisted that the church office get additional help so that all bank reconciliations would be ready when the auditors arrived. The office then hired a second clerk to fill in for the first who was on vacation. The second clerk began by making a list of all outstanding checks from the year-end reconciliations. No payees were ever repeated. Although the checks eventually cleared the bank, the dates on the bank statements did not coincide with the dates of the reconciliations. When this was explained to the associate he asked the bank for photocopies of both sides of all of these checks. Investigation revealed that many checks had been fraudulently signed by the clerk.
The auditors suggested a number of improvements, including
separating duties in the parish;
discontinuing use of rubber stamps for signing checks;
requiring two manual signatures on all checks; and
prohibiting the signing of blank checks or checks only partially completed.
As one can observe, no system of internal controls can uncover every defalcation. However, there are other indicators or red flags that managers should be aware of as predictors of problem areas. These include
Changes in employee's lifestyle, spending habits, or behavior
Ignoring of internal/external policies or audit recommendations
Unusual banking activities
Decline in employee morale/attendance
Exceedingly high expenses/purchases
Unexplained budget variances
Managers must constantly be alert to the potential of employee or volunteer fraud. The detection rules below are not all-inclusive but serve as a reminder that the work is never done.
Keep it simple.
Don't overlook the obvious.
Concentrate on fraud elements: * Theft * Concealment * Conversion
Know the weakest points of the system, since these are most likely to be exploited.
Consider fraud detection a routine part of business, not a once-in-a-while exercise. It is continuous hard work to be diligent.
Don't try to detect all frauds at one time.
Concentrate on those who had the access, skill, time, and position to commit the fraud.
Assign resources to detect fraud.
AICPA Professional Standards, Statement on Auditing Standards No. 55, June 1990.
Arthur Anderson & Co., Evaluation of Internal Controls A Guide for Studying and Evaluating Internal Accounting Controls, February 1987.
Barber, Barry and Mimi Blanco-Best. "SAS No. 55 Help Has Arrived," Journal of Accountancy, September 1990, pp. 107-110.
Committee of Sponsoring Organizations on the Treadway Commission (COSO), Internal Control Integrated Framework, September 1992.
Guerico, John P., E. Barry Rice, and Martin F. Sherman. "Old-Fashioned Fraud by Employees Is Alive and Well: Results of a Survey of Practicing CPAs," The CPA Journal, September 1988, pp. 74-77.
KPMG Forensic and Investigative Services, 1994 Fraud Survey, 1994.
National Association of Treasurers of Religious Institutes (NATRI), Financial Management and Accounting Manual for Religious Institutes, 1993.
Neebes, Donald L., Dan M. Guy, and O. Ray Whittington. "Illegal Acts: What Are the Auditor's Responsibilities?" Journal of Accountancy, January 1991, pp. 82-93.
Diocesan Internal Controls: A Framework is available in a print edition and may be ordered by telephoning (800) 235-8722. Ask for publication number 5-056; the cost is $3.95 for a single copy. Please add 10% shipping and handling ($3.00 minimum) per order.
Copyright 1995 United States Catholic Conference, Inc., Washington, DC. All rights reserved. Neither this work nor any part of it may be reproduced, distributed, performed or displayed in any medium, including electronic or digital, without the permission of the USCC.
ISBN 1-57455-056-X.At the request of Most Reverend Donald W. Trautman, Episcopal Moderator of the Diocesan Fiscal Management Conference (DFMC), the USCC Accounting Practices Committee (APC) commenced, in 1992, a project to study and propose better internal diocesan financial controls. The APC completed a manual entitled Diocesan Internal Controls: A Framework, which was unanimously approved by the Board of the DFMC, by the NCCB/USCC Committee on Budget and Finance, and in September 1995 by the USCC Administrative Board. Publication of Diocesan Internal Controls: A Framework is authorized by the undersigned.
Monsignor Dennis M. Schnurr
Mr. Wayne A. Schneider, Chairman
Archdiocese of Milwaukee
Mr. Thomas J. Baker
Diocese of St. Paul and Minneapolis
Sr. Barbara Brown, CPPS
Sisters of the Precious Blood
Rev. Henry T. Chamberlain, SJ
Missions of the Society of Jesus
Mr. William Daly
Archdiocese of New York
Mr. Anthony G. Depenbrock
Diocese of Covington
Sr. M. Pius Fahlstrom, OSF
Sisters of St. Francis
Bro. Joseph Fisher, CPPS
Missionaries of the Precious Blood
Mr. Joseph LiPari
Diocese of Paterson
Mr. Michael J. McNamara
Archdiocese of Atlanta
Mr. John R. O'Brien
Diocese of Buffalo
Mr. Philip J. Ries
Diocese of Orange
Mr. Paul A. Ward
Diocese of St. Petersburg
Mr. Ken Korotky
By accepting this message, you will be leaving the website of the
United States Conference of Catholic Bishops. This link is provided
solely for the user's convenience. By providing this link, the United
States Conference of Catholic Bishops assumes no responsibility for,
nor does it necessarily endorse, the website, its content, or