Internal Controls - Idaho State University


Risk Management
• Internal Audit
• Internal Controls
• Management Oversight
• Ethics
• Conflicts of Interest
• FERPA/HIPAA
Internal Audit
Who We Are
What We Do
How We Can Help
Charter
Our mission is to assist the University in the accomplishment of its goals. We do this by providing a systematic, disciplined approach to evaluating, advising, and improving the processes of resource application, risk management, control and governance throughout the University.
Organization & Reporting
• The ISU Internal Audit Office consists of three employees: director, senior auditor, and staff auditor. It also utilizes two student auditors when funding is available.
• The Director reports functionally to the State Board of Education Audit Committee and administratively to the University President.
• Staff are ISU employees.
• Internal Audit reports are submitted to the President and in summary form to the Audit Committee.
Objectives
• Appraise the economy and efficiency of operations
• Identify and evaluate significant risk exposures
• Verify the existence of and control over University assets
• Ascertain compliance with policies, regulations, and laws
• Provide guidance for new policies, procedures, processes, and systems
• Investigate fiscal misconduct, fraud, conflicts of interest, waste, and abuse
• Act as a liaison with external audit organizations
Services We Provide
• Risk-based operational audits
• Compliance audits
• Special request reviews
• Investigations
• Purchase card audits
• Verification of assets
• Consultative services
• Assistance to external auditors
How We Help
• We are a constructive link between the policymaking and operational levels of the University
• An early warning system to identify financial or other risks
• Identify opportunities for fiscal and operational improvement
• An independent, internal entity for employees and students to address concerns or present ideas for improvement
Where is Internal Audit?
We are located in the Continuing Education
Building - 1001 N. 7th Ave, Suite 202
ISU Stop 8093
282-3182
Internal Controls
What They Are &
Why I Should Care
What are Internal Controls?
Internal controls are processes designed to provide reasonable assurance regarding the achievement of an organization's objectives related to:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws, regulations and policies
What is Risk?
Risk can be defined simply as
anything that could prevent an
organization from accomplishing its
goals and objectives.
Internal Controls are Designed to Minimize Risk by:
• Protecting assets.
• Ensuring records are accurate.
• Promoting operational efficiency.
• Encouraging adherence to policies, rules, regulations, and laws.
• Reducing the opportunity for fraudulent activity.
Components of Internal Control – COSO Model
• Control Environment
• Control Activities
• Risk Assessment
• Information and Communication
• Monitoring
Control Environment
• Sets the tone for an organization – "Tone at the Top".
• Establishes the organizational culture.
• Provides discipline and structure.
• Is the foundation of the organization's control system.
Key factors include:
– Integrity and ethical values.
– Competence of institutional personnel.
– Leadership philosophy and management style.
– How management assigns authority and responsibility and organizes and develops its people.
Control Activities
• Policies and procedures established to ensure management directives are carried out.
• Actions taken to address risk.
• Include a range of activities:
– Authorizations
– Verifications (e.g. physical inventory)
– Reconciliations
– Physical security of assets
– Access limitations
– Segregation of duties
Risk Assessment
• Identification and analysis of relevant risks (e.g. operational, financial, and compliance).
• After risks have been identified they must be evaluated using a formal or informal process which includes:
– Estimating the significance of a risk.
– Assessing the likelihood (or frequency) of the risk occurring.
– Assessing the actions that could be taken to manage the risk and their associated costs.
• Risk assessment is an on-going process.
Information and Communication
• Information systems produce reports containing operational, financial and compliance-related information.
• Information must flow down, across and up within the organization.
• The effectiveness of information systems depends on many factors:
– Information systems must be based on a strategic plan.
– Adequate resources must be allocated to the system.
– Information must reach the right people.
– Information must be in sufficient detail and be timely.
– Reports must be accurate and provide necessary information.
Information and Communication (continued)
• The effectiveness of communication systems also depends on many factors:
– Employees' duties and control responsibilities must be effectively communicated.
– Channels of communication must exist for employees to report suspected improprieties.
– Management should be receptive to employee suggestions for improvement.
– Communication must be effective across departmental lines.
– Communication must be timely and sufficient for individuals to effectively discharge their responsibilities.
– Outside parties should be made aware of the institution's standards.
– There must be timely and appropriate follow-up to information feedback.
Monitoring
• Monitoring is a process that assesses the quality of the internal control system through on-going monitoring activities and separate evaluations.
• On-going monitoring activities include:
– Review of operating and financial reports to identify significant inaccuracies or exceptions.
– Investigation of information received from external parties.
– Organizational structure and supervisory activities.
– Comparison of data recorded in the information system to physical assets.
– Periodic confirmations by personnel that they understand and are complying with the institution's code of conduct.
• Separate evaluations can be conducted by management or by internal and external auditors.
Internal Control Objectives
A good system of internal controls will accomplish the following objectives:
• Authorization: All transactions are approved by responsible personnel.
• Completeness: All valid transactions are included in the accounting records.
• Accuracy: All valid transactions are accurate, consistent with the originating transaction data, and information is recorded in a timely manner.
• Validity: All recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management's general authorization.
Internal Control Objectives (continued)
• Physical Safeguards and Security: Access to physical assets and information systems is controlled and properly restricted to authorized personnel.
• Error Handling: Errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.
• Segregation of Duties: Duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing a transaction.
Who is responsible for internal control?
Management:
• The President provides leadership and direction to senior administrators.
• Vice presidents provide direction to senior administrators responsible for major functional areas.
• Deans and department heads have line responsibility for designing and implementing control systems at detailed levels.
Who else is responsible?
All employees should:
• Read and understand the policies and procedures which affect their jobs.
• Evaluate the propriety of transactions (are they legal and ethical?).
• Safeguard assets.
• Evaluate the economy and efficiency of operations.
• Follow the established internal controls.
• Notify management when internal controls are not effective or are being circumvented.
Limitations of Internal Control
Internal controls, no matter how well designed and executed, can only provide reasonable assurance regarding the achievement of objectives. Limitations include:
• Judgment – Decisions must be made constrained by available time, the information at hand and the pressures of getting a job done.
• Breakdowns – Employees may misunderstand instructions. Errors may occur from new technology or due to complex systems.
• Management override – High level personnel may be able to overrule controls for personal gain or advantage.
• Collusion – Two or more individuals may work together to bypass controls. No internal control system is immune from collusion!
Is cost of control a consideration?
Yes! In determining whether a particular control should be established, the risk of failure and the potential effect must be considered along with the cost of establishing the control. Excessive control is costly and counterproductive. Too little control presents undue risk. There should be a conscious effort made to strike an appropriate balance.
Management Oversight
The Key to Control &
Risk Management
Management – The buck stops here!
As a manager, you are responsible for:
• Establishing the "tone at the top" and promoting an ethical business environment by providing structure, feedback, and discipline.
• Assessing risks specific to your operations and developing a control system to address risks that could prevent achieving established goals (see handouts).
• Establishing and maintaining control activities such as reconciliations, approvals, and review of operating activities.
• Ensuring appropriate access to and use of University information and systems.
• Monitoring the control system and activities to identify and correct breakdowns in a timely manner.
Management – Best Practices
1. Read all requests to spend University funds before approving them.
2. Develop written procedures for critical operations.
3. Develop measurable departmental goals based on strategic plans.
4. Create an action plan that is communicated to all employees.
5. Ensure every transaction involves at least two people.
6. Review departmental transactions monthly and investigate concerns.
7. Deposit funds daily (properly secure cash, check and credit card information).
8. Review processes on a continuous basis (is there a better way?).
9. Ensure all expenditures have a clear business purpose.
10. Maintain good supporting documentation for all expenditures.
11. Make sure time sheets are reviewed and approved by a supervisor who is familiar with the employee's work hours.
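The Authorization, Completeness and Segregation of Duties objectives, the "Access limitations" control activity, and best practice 5 (every transaction involves at least two people) are easiest to see enforced in code. The following is an added example, not ISU's code or any system the University uses: a small maker-checker ledger in Python. The role names, the users alice, bob and carol, and the sample spending requests are all constructed for illustration.

```python
# Added example (not ISU's code): a minimal maker-checker ledger that enforces
# the Authorization, Completeness and Segregation of Duties objectives in code.
# The roles, users and sample transactions below are constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Role(Enum):
    REQUESTER = "requester"    # may submit a request to spend funds
    APPROVER = "approver"      # may approve someone else's request
    BOOKKEEPER = "bookkeeper"  # may record an approved transaction


@dataclass
class Transaction:
    seq: int                      # contiguous sequence number (completeness)
    requester: str
    amount: float
    purpose: str
    approver: Optional[str] = None
    recorded_by: Optional[str] = None
    audit_log: List[Tuple[str, str]] = field(default_factory=list)


class ControlViolation(Exception):
    """Raised when an action would bypass a control."""


class Ledger:
    def __init__(self, users: Dict[str, FrozenSet[Role]]) -> None:
        self.users = users
        self.transactions: Dict[int, Transaction] = {}
        self._next_seq = 1

    def _require(self, name: str, role: Role) -> None:
        # Access limitation: the actor must be known and hold the role.
        if role not in self.users.get(name, frozenset()):
            raise ControlViolation(f"{name} lacks role {role.value}")

    def _get(self, seq: int) -> Transaction:
        if seq not in self.transactions:
            raise ControlViolation(f"unknown transaction {seq}")
        return self.transactions[seq]

    def submit(self, requester: str, amount: float, purpose: str) -> Transaction:
        self._require(requester, Role.REQUESTER)
        if amount <= 0 or not purpose.strip():
            raise ControlViolation("amount must be positive and purpose stated")
        tx = Transaction(self._next_seq, requester, amount, purpose)
        self._next_seq += 1
        tx.audit_log.append(("submitted", requester))
        self.transactions[tx.seq] = tx
        return tx

    def approve(self, seq: int, approver: str) -> Transaction:
        # Authorization: a responsible person, never the requester, approves.
        self._require(approver, Role.APPROVER)
        tx = self._get(seq)
        if tx.approver is not None:
            raise ControlViolation(f"transaction {seq} already approved")
        if approver == tx.requester:
            raise ControlViolation("requester may not approve own request")
        tx.approver = approver
        tx.audit_log.append(("approved", approver))
        return tx

    def record(self, seq: int, bookkeeper: str) -> Transaction:
        # Segregation of duties: a third person records; nothing unapproved reaches the books.
        self._require(bookkeeper, Role.BOOKKEEPER)
        tx = self._get(seq)
        if tx.approver is None:
            raise ControlViolation("unapproved transaction cannot be recorded")
        if bookkeeper in (tx.requester, tx.approver):
            raise ControlViolation("recording must be done by a third person")
        tx.recorded_by = bookkeeper
        tx.audit_log.append(("recorded", bookkeeper))
        return tx

    def completeness_check(self) -> bool:
        # Completeness: a missing transaction shows up as a sequence gap.
        seqs = sorted(self.transactions)
        return seqs == list(range(1, len(seqs) + 1))


def demo() -> Tuple[Transaction, bool, bool]:
    ledger = Ledger({
        "alice": frozenset({Role.REQUESTER}),
        "bob": frozenset({Role.REQUESTER, Role.APPROVER}),
        "carol": frozenset({Role.BOOKKEEPER}),
    })
    tx = ledger.submit("alice", 120.00, "catering for grant review meeting")
    ledger.approve(tx.seq, "bob")
    ledger.record(tx.seq, "carol")
    own = ledger.submit("bob", 500.00, "conference travel")
    try:
        ledger.approve(own.seq, "bob")  # bob approving bob: blocked
        self_approved = True
    except ControlViolation:
        self_approved = False
    return tx, self_approved, ledger.completeness_check()
```

Note that bob legitimately holds both the requester and approver roles; the control is not that nobody may hold two roles, but that the same person may not exercise both on the same transaction. The audit log on each transaction records who did what, which is what a reviewer reconciles against supporting documentation.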
Propriety of University Expenditures
University expenditures will be considered proper if they meet all of the following seven tests:
1. Are in the best interest of the University and for official business only.
2. Comply with all applicable federal and state laws, and University regulations, policies and procedures.
3. Do not appear to or actually provide a personal benefit to employees.
4. Are within approved budgets.
5. Are necessary to accomplish University business.
6. Are reasonable. Quality and quantity are sufficient to meet but not exceed the identified need.
7. Are approved by the appropriate level of management.
Ethics
The Foundation
What Does Ethics Mean to You?
Sociologist Raymond Baumhart asked some business people this question. Replies included:
• "Ethics has to do with what my feelings tell me is right or wrong."
• "Ethics has to do with my religious beliefs."
• "Being ethical is doing what the law requires."
• "Ethics consists of the standards of behavior our society accepts."
• "I don't know what the word means."
What is Ethics?
Simply stated, ethics refers to the standards of
behavior that tell us how human beings ought to act in
many situations in which they find themselves as
friends, parents, children, citizens, employees,
teachers, professionals, etc.
What Ethics is Not
Ethics is not:
• The same as feelings
• Religion
• Just following the law
• Following culturally accepted social norms
• Science
Why is Identifying Ethical Standards Difficult?
Two fundamental problems:
• On what do we base our ethical standards?
• How do those standards get applied to specific situations?
Framework for Ethical Decision Making
• Recognize an Ethical Issue
• Get the Facts
• Evaluate Alternative Actions
• Make a Decision and Test It
• Act and Reflect on the Outcome
Recognize an Ethical Issue
• Could this decision or situation be damaging to someone or to some group?
• Does this decision involve a choice between a good and a bad alternative; between two "goods"; or between two "bads"?
• Is this issue about more than what is legal or what is most efficient? If so, how?
Get the Facts
• What are the relevant facts of the situation?
• What facts are not known?
• Do I have enough information to make a decision?
• What individuals and groups have an important stake in the outcome?
• Are some concerns more important? Why?
• What are the options for acting?
• Have I identified creative options?
Evaluate Alternative Actions
Ask yourself the following questions:
• Which option will produce the most good and do the least harm (Utilitarian Approach)?
• Which option best respects the rights of all who have a stake (Rights Approach)?
• Which option treats people equally (Justice Approach)?
• Which option best serves the community as a whole (Common Good Approach)?
• Which option leads me to act as the sort of person I want to be (Virtue Approach)?
Make a Decision and Test It
• Considering all these approaches, which option best addresses the situation?
• Would I make the same decision if I knew it would be public, in a newspaper article or on a TV news report (the newspaper test)?
• Would mom approve?
• Could I rationally and honestly defend my decision?
• If a colleague made the same decision, would I support him or her?
• Are there laws, policies, rules or directives governing or restricting my decision?
Act and Reflect on the Outcome
• How can my decision be implemented with the greatest care and attention to the concerns of all stakeholders?
• Reflect on how the decision turned out and what you learned from the situation.
• Be willing to reassess your decision if more facts become available.
Obstacles to Ethical Decision Making
Rationalizations:
• If it's necessary, it's ethical
• If it's legal and permissible, it's proper
• It's just part of the job
• It's all for a good cause
• I was just doing it for you
• I'm fighting fire with fire
• It doesn't hurt anyone
• Everyone's doing it
• It's okay if I don't gain personally
• I've got it coming
• It's just politics
Ethical Rules Pertaining to ISU
• ISU currently does not have a comprehensive code of conduct or ethics policy. It has individual policies that need to be updated.
• State Board of Education Conflict of Interest and Ethical Conduct policy (Section II, Subsection Q).
• Idaho Statutes:
– Bribery and Corrupt Practices Act (Title 18, Chapter 13)
– Prohibitions Against Contracts with Officers (Title 59, Chapter 2)
– Ethics in Government Act (Title 59, Chapter 7)
• State Board of Education Compliance Program policy (not finalized yet). Institutions must establish:
– A code of ethics that applies to all employees.
– A published list of all major compliance areas categorized by risk.
– A mechanism for coordinating compliance oversight, monitoring, and enforcement.
– A means of assuring institutional policies are regularly reviewed for compliance with federal and state laws and regulations and Board policies.
SBoE – Ethical Conduct
All employees of the institutions and agencies shall:
• Not hold financial interests that are in conflict with the conscientious performance of their official duties and responsibilities;
• Not engage in any financial transaction in order to further any private interest;
• Put forth honest effort in the performance of their duties;
• Make no unauthorized commitments or promises of any kind purporting to bind the Board or any Board-governed entity;
• Not use their public offices for private gain;
• Act impartially and not give preferential treatment to any private or public organization or individual;
• Protect and conserve public property and not use it for other than authorized activities;
• Not engage in outside employment or activities, including seeking or negotiating for employment, that conflict with official duties and responsibilities;
• Promptly disclose to their chief executive officer waste, fraud, abuse, or corruption;
• Endeavor to avoid any actions that would create the appearance that they are violating the law or the ethical standards of the Board or the relevant Board-governed entity;
• Disclose potential conflicts of interest, and avoid conflicts of interest, potential conflicts of interest, and circumstances giving rise to the appearance of a conflict of interest.
Current ISU Policies
• Academic Freedom/Faculty Ethics
• Employment of Relatives/Nepotism
• Faculty/Student Relationships
• Outside Employment
• Private Consulting Outside the University
• Sexual Harassment
• Misconduct in Research and Scholarship
• Research Conflict of Interest
• Financial Interest Disclosure Form
How do you create an ethical work environment?
• Establish an enforceable code of conduct
• Ensure executive modeling – tone at the top
• Provide initial and on-going training
• Encourage regular communication
• Maintain an anonymous hotline
• Take action – hold individuals accountable
• Reward employees that maintain an ethical work environment
• Implement equitable policies that are communicated
• Provide fair compensation and reasonable working conditions
Code of Ethical Conduct
Driven by the University's mission of teaching, research and public service:
• Sets the expectation of the highest standards of ethical conduct.
• Commits to upholding the reputation of the University.
• Encourages compliance with applicable laws, regulations, and University policies.
• Does not condone retaliation for any good faith report of improper activity.
• Be honest, ethical, truthful.
• Obey the law.
• Follow University policies and procedures.
What is Fraud?
A dishonest and deliberate course of action
that results in the obtaining of money, property
or an advantage to which the person
committing the action would not normally be
entitled. Intentional misleading or deceitful
conduct that deprives another of his/her
resources or rights. Fraud always involves
intent and some violation of trust.
What is Waste?
Waste occurs when someone makes careless
or extravagant expenditures, incurs
unnecessary expenses, or grossly mismanages
resources. This activity results in unnecessary
costs. It may or may not provide the person
with personal gain. Waste is almost always the
result of poor management decisions and
practices or poor accounting controls.
What is Abuse?
Abuse most often involves an employee
exploiting “loopholes” in policies and
procedures for personal benefit. Abuse is very
close to fraud, but often is not prosecutable as
such. Abuse includes, but is not limited to the
misuse or destruction of resources, using the
powers of an official position inappropriately, or
any other seriously improper practice that
cannot be prosecuted as a fraud or other illegal
act.
Examples of Fraud, Waste and Abuse
• An employee purchases a meal for a meeting which has a valid business purpose. The meal meets University policy, all receipts are provided and the proper form is completed. (Acceptable)
• The employee has a meeting with a valid business purpose. A meal is purchased, receipts are provided and required forms are completed. However, the meeting could have taken place without a meal. (Waste)
• The employee purchases a meal over a casual meeting with colleagues. The business purpose and necessity of the meeting are questionable. (Abuse)
• The employee purchases lunch for himself/herself and friends using University funds. (Fraud)
How Costly is Fraud?
The Association of Certified Fraud Examiners (ACFE) 2010 Report to the Nations concluded:
• The typical organization is estimated to lose 5% of its annual revenues to fraud.
• Applied to the estimated 2009 Gross World Product, this translates to a potential total fraud loss of $2.9 trillion worldwide.
What Other Costs of Fraud?
Damages to the University go beyond dollars and cents:
• Reputation
• Loss of public confidence
• Detrimental to attracting new potential donors and volunteers
• Damage to relationships
• Sagging staff morale
• Distraction from the mission
The Fraud Triangle
There are three factors that must be present in order for an ordinary person to commit fraud:
• Pressure
• Perceived opportunity
• Rationalization
How Can Fraud be Prevented?
An effective fraud deterrence and prevention program should address the fraud triangle by:
• Reducing pressures on employees that might push them into committing fraud.
• Reducing perceived opportunities to commit fraud – strong internal controls.
• Dispelling rationalizations for engaging in fraudulent conduct.
• Creating a sense of honesty and ethics in your area.
• Reporting fraud, waste, and abuse when it is detected.
What are Potential Red Flags?
Although this list is not exhaustive, the following conditions may be indicators of fraud:
• Accounts not reconciled and reviewed in a timely manner
• Continuous or unusual account transfers
• Employee wanting to control too much of a given process or procedure
• Frequent or unusual related party transactions
• Lack of interest in compliance with policies
• Unrecorded transactions or missing records
• Altered or counterfeit documents
• Excessive voids, credits, over-rings
• Unexpected results, e.g., revenue decreasing while attendance is increasing
• Inadequate screening of new employees
• Employee with a lifestyle beyond their means
• Employee refusing to take time off and/or unwilling to share duties with co-workers
• Employee in a close relationship with suppliers
How Do I Report Concerns?
The following options for reporting fraud, waste, abuse and non-compliance are available for ISU employees:
• Share your concern with your supervisor.
• Contact ISU Internal Audit.
• Utilize ISU's anonymous hotline:
– Call MySafeCampus at 800-716-9007
– Utilize www.MySafeCampus.com, 24 hours a day, seven days a week.
– Confidential reports go to me and Brad Hall.
– You can communicate anonymously through the online tool.
How Can I Be Protected from Retribution?
The “Idaho Protection of Public Employees Act” (Title 6,
Chapter 21) provides protections from “adverse action”
for state employees who, in good faith, provide
information concerning the waste of public funds,
resources or manpower or who report potential
violations of laws and regulations (both state and
federal).
Conflicts of Interest
Perception is Reality
What is a Conflict of Interest?
The State Board of Education policy (Section II, Q) states:
A conflict of interest occurs when a person's private interests compete with his or her professional obligations to the Board-governed entity to a degree that an independent observer might reasonably question whether the person's professional actions or decisions are materially affected by personal considerations, including but not limited to personal gain, financial or otherwise.
Examples of Conflicts of Interest?
Let's discuss:
• Perceived
• Potential
• Actual
Potential Costs of Conflicts
If conflicts of interest are not managed:
• Protection of human subjects may be compromised.
• Integrity of research may be at risk.
• The public may lose trust in the University and its research findings.
• The investigator/faculty member may lose the respect of the academic community.
• Terms of research grants and contracts (including failure to disclose COI) and federal regulations may be violated.
• Potential loss of research funding.
• The University may lose public support and funding.
• Students may be negatively impacted: inability to pursue their research interests.
• University resources may be improperly used.
• Increased government regulation may result.
• Scandals or negative media attention may occur.
Applicable Policies & Regulations
• ISU Policies (need to be updated):
– Employment of Relatives/Nepotism
– Outside Employment
– Private Consulting Outside the University
– Research Conflict of Interest
– Financial Disclosure Form
– Academic Freedom/Faculty Ethics
• State Board Policies:
– Conflicts of Interest and Ethical Conduct – All Employees (Section II, Q)
– Conflict of Interest (Section I, G)
• State of Idaho Statutes:
– Ethics in Government Act
– Bribery and Corrupt Practices Act
• Applicable Federal Regulations:
– Example: New NIH regulations
How to Handle Conflicts?
Conflicts of interest must be:
– Disclosed
– Reviewed
– Managed
How to Manage Conflicts of Interest?
Management plans may include:
• Avoidance
• Public disclosure
• Balance – third-party participation
• Mediation – oversight by immediate supervisor
• Abstention – employee recuses him or herself
• Divestiture – employee forfeits outside interests
• Prohibition
FERPA/HIPAA
Must Protect
Information
What is FERPA?
FERPA (the Family Educational Rights and Privacy Act) was enacted in 1974. It is a federal law, with implementing regulations, that applies to institutions receiving funding from the U.S. Department of Education. FERPA was written specifically for students and guarantees them the right to inspect and review their education records, the right to seek to amend education records, and the right to have some control over the disclosure of information from those education records.
What is an Educational Record?
An education record is defined as any record that directly
identifies a student and is maintained by the institution or
educational agency or by a party acting for the institution or
educational agency. A key distinction of education records is that
education records are shared. Education records can exist in any
medium including the following: handwritten, typed, computer
generated, videotape, audiotape, film, microfilm, microfiche, email, and others.
FERPA – Public Information
The following is referred to as directory information (it can be shared without the student's consent unless the student has specifically blocked it):
– Name
– Address
– Telephone number
– E-mail address
– Enrollment status
– Major
– Degrees & awards received
– Most recent previous school attended
FERPA – Protected Information
The following student information cannot be shared without the student's written authorization:
– Student number
– Grades/Exam Scores
– Grade Point Average
– Social Security Number
– Parent Address/Phone
– Detail of Registration Information (i.e., courses, times)
– Race, Ethnicity, or Nationality
– Gender
– Date of Birth
– Total Credits
– Number of Credits Enrolled in a Quarter
– Emergency Contact
FERPA – Information at ISU
Detailed information is available from the Registrar’s Office
at http://www.isu.edu/areg/ferpafacts.shtml including:
– General FERPA information
– ISU Student Rights
– ISU Faculty/Staff & FERPA
– FERPA General Guidance for Students – available from
the U.S. Department of Education
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. A major component of HIPAA addresses the privacy of individuals' health information by establishing a nation-wide federal standard concerning the privacy of health information and how it can be used and disclosed. This federal standard generally preempts state privacy laws except for those that establish stronger protections. The HIPAA Privacy Rule became effective April 14, 2003.
HIPAA at ISU
ISU maintains "individually identifiable health information" in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (45 CFR Parts 160, 162, and 164). Under HIPAA, ISU is a "Hybrid Entity", which means it has specific areas, such as the ISU health care clinics, designated to comply with the Rule. Other ISU units may have access to and/or receive certain health information and also have responsibilities under HIPAA (for example, those units performing research and education).
HIPAA at ISU (continued)
The HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." The Security Rule covers the subset of PHI held or transmitted in electronic form, which it calls "electronic protected health information (EPHI)." The Security Rule also extends to individual remote use of EPHI such as: (1) the use of portable media/devices (such as USB flash drives) that store EPHI; and (2) offsite access or transport of EPHI via laptops, personal digital assistants (PDAs), home computers, or other non-corporate equipment. "Individually identifiable health information" is information, including demographic data, that relates to:
• The individual's past, present or future physical or mental health or condition,
• The provision of health care to the individual, or
• The past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
HIPAA Resources at ISU
Please refer to the following information available at isu.edu:
– Summary of the HIPAA Privacy Rule – General Counsel
– ISU Statement of HIPAA – General Counsel
– Health Programs Guide – General Counsel
– Other information at: http://www.isu.edu/ucounsel/hipaa.shtml
– Privacy Practice Notice (HIPAA) – Student Health Center
– HIPAA training – available from Workforce Training – CoT
– Contact Sandi Rich – ISU HIPAA Privacy & Security Officer