Transcript Slide 1

Building a Strong Internal Control Environment
Presented by:
Leigh Baxter
Leigh Goller
© 2009
Office of Internal Audits
Research Academy Credit
Acknowledgments
Some content shared with permission from our friends and colleagues at:
- Duke PRMO
- Harvard
- Cornell
- RIT
Warm up exercise
Can Internal Controls Mitigate/Manage Risk?
http://www.dailymotion.com/video/xahspa_risk-mitigation-for-beginners_fun
Course Objectives
To enable and empower you to:
- Define and evaluate your internal control environment
- Discuss & apply internal control activities & responsibilities
- Leverage internal control understanding for effective decision making
Today is not about:
- Professional ethics
- Conflicts of interest
- Enterprise risk management (ERM)
- Sarbanes-Oxley
- Audit-proofing your business unit
What is stewardship?
Stewards carefully and responsibly manage all things entrusted to their care
We are responsible for ensuring:
- Duke business is executed in good faith
- Transactions actually occurred
- Duke complies with laws, regulations and policies
Pop Quiz!
True or False?
Internal controls are:
A. Based on trust
B. Effective by pure luck
C. Validated by customer feedback
D. Tested by auditors
E. Not my responsibility
A simple equation
Control Activities = Risk Management
Many Controls = Good Controls
What is risk?
- The possibility a negative event will occur
- The possibility a positive event may not occur
- A calculated chance
Risk can be:
- External (economy, weather, laws)
- Internal (systems, personnel, initiatives)
- Controllable (mitigated)
- Uncontrollable (inherent)
What is control?
- A process to regulate
- Exercising influence
- Authority or ability to manage or direct
- An act to examine or verify
- Reducing or preventing the spread of…
Internal Control Types
- Operational: Promotes operational effectiveness and efficiency as well as adherence to policies and procedures.
- Financial: Designed to safeguard assets and ensure completeness, accuracy and reliability of financial records.
- Compliance: Ensures compliance with applicable laws and regulations.
Missing or ineffective controls
- Operational Risks
  - Poor decision making
  - Asset theft or loss
  - Effort duplication
- Financial Risks
  - Misleading or inaccurate financial information
  - False reporting to constituents
  - Ineffective cost recovery
- Compliance Risks
  - Fines or penalties
  - Sponsor funding and program renewal
  - Health & safety
Fact or fiction?
Myth: Internal controls are a bunch of red tape
Fact: Internal controls should support, not inhibit, business processes
Myth: Controls are one-size-fits-all
Fact: Controls may vary with the type of transaction, business activity or staffing level
Myth: Internal controls will prevent fraud
Fact: Internal controls can deter and/or detect fraud. Only good behavior prevents fraud
Myth: Policies and procedures promote strong internal controls
Fact: A strong control environment promotes strong internal controls
Myth: Auditors own internal control effectiveness
Fact: Management owns internal control effectiveness
More fact or fiction?
Myth: Internal control is a finance thing – we do what GAP tells us to do
Fact: Internal controls are integral to all aspects of the business – control activities should be designed to meet specific business needs
Myth: Internal controls prohibit certain activities
Fact: Internal controls enable the right things to happen the first time and every time
Myth: Internal controls are just extra work for me – I know how to do my job without them
Fact: Internal controls promote accountability and ensure consistent performance
Myth: Internal controls only protect Duke assets
Fact: Internal controls protect Duke and its employees
Case Study I
Planning a Vacation
- To: Egypt or South Africa
- When: in 6 months (Summer)
- How Long: for 2 weeks
- Who: You and at least one other person
Note: All travelers have valid passports
Did you consider?
- What is a successful outcome (good trip)?
- What is the most critical planning activity?
- How many variables do you want to control?
- Who owns what part of the vacation planning?
- What required double-checking?
- What might happen while you are on vacation?
  - Will you miss a flight?
  - Will you lose anything important?
  - Will you get sick?
Careful Design
With a carefully designed internal control environment, your department can:
- Operate more efficiently and effectively
- Provide a level of assurance that the processes, services and products for which you are responsible are adequately protected
Health check
Does your control environment promote:
- Attention and direction from management?
- Competence in all employees?
- Ethical and quality operations?
- Communicating “tone at the top”?
- Appropriate assignment of responsibility and authority?
- Development of people and skills?
- Consistent practices?
- Timely execution of required processes and transactions?
- Asking questions?
- Asking tough questions?
Manager Responsibility
Managers are responsible for ensuring that internal controls are established and functioning to achieve the mission and objective of your department
Control Categories
- Authorization
- Reconciliation
- Segregation of Duties
- System Configuration
- Documentation and Record Retention
- Monitoring Operations
- Key Performance Indicator
- Exception/Edit Report
- Data Interfaces
- System Access
Authorization
- Transaction Approval
  - Considers the nature and significance of the transaction
  - Segregates duties
  - Complies with DU and DUHS policy
- Access Provisions
  - Safeguards assets and records
  - Segregates duties
Reconciliation
- A check to determine if two items are consistent
  - Invoices reconciled to account detail
- A process to identify inaccurate or missing transactions
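The invoice-to-account-detail reconciliation described above, as an added example that is not part of the slides. The record layout and the amounts are constructed; the point is that totals can tie to the penny while the detail still holds missing, inaccurate and unmatched transactions.

```python
# Added example (not from the slides): reconciling invoices to account detail
# and reporting missing, inaccurate, duplicated and unmatched transactions.
# Record layouts and sample amounts below are constructed for illustration.
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed: invoices the department issued ...
INVOICES = [
    {"invoice": "INV-1001", "amount": Decimal("250.00")},
    {"invoice": "INV-1002", "amount": Decimal("1200.50")},
    {"invoice": "INV-1003", "amount": Decimal("75.25")},
    {"invoice": "INV-1004", "amount": Decimal("410.00")},
]
# ... and the account detail showing what the ledger actually recorded.
ACCOUNT_DETAIL = [
    {"invoice": "INV-1001", "amount": Decimal("250.00")},
    {"invoice": "INV-1002", "amount": Decimal("1200.05")},  # digits transposed
    {"invoice": "INV-1004", "amount": Decimal("410.00")},
    {"invoice": "INV-9999", "amount": Decimal("75.70")},    # nothing was invoiced
]

def net_difference(invoices, account_detail):
    """Total invoiced minus total posted: all a totals-only review would see."""
    return sum(i["amount"] for i in invoices) - sum(r["amount"] for r in account_detail)

def reconcile(invoices, account_detail):
    """Item-by-item comparison; returns {exception_type: [details]}, {} if consistent."""
    expected = {i["invoice"]: i["amount"] for i in invoices}
    posted_total, posted_count = defaultdict(Decimal), Counter()
    for row in account_detail:
        posted_total[row["invoice"]] += row["amount"]
        posted_count[row["invoice"]] += 1
    exceptions = defaultdict(list)
    for inv_id, amount in expected.items():
        if inv_id not in posted_total:
            exceptions["missing"].append(inv_id)            # never recorded
        elif posted_count[inv_id] > 1:
            exceptions["duplicate"].append(inv_id)          # recorded more than once
        elif posted_total[inv_id] != amount:
            exceptions["inaccurate"].append((inv_id, amount, posted_total[inv_id]))
    for inv_id in posted_total:
        if inv_id not in expected:
            exceptions["unmatched"].append(inv_id)          # recorded, never invoiced
    return dict(exceptions)

if __name__ == "__main__":
    print("net difference:", net_difference(INVOICES, ACCOUNT_DETAIL))  # 0.00, and yet:
    for kind, items in reconcile(INVOICES, ACCOUNT_DETAIL).items():
        print(f"{kind}: {items}")
```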
Segregation of Duties
- No individual is responsible for more than one of the following transaction components:
  - Authorization
  - Custody
  - Record-keeping
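An automated segregation-of-duties check over exported role assignments, added here as an example that is not from the slides. The role names, their mapping to the three transaction components and the sample assignments are constructed; a role the mapping does not know is treated as an error rather than silently ignored.

```python
# Added example (not from the slides): a segregation-of-duties check over
# (user, role) assignments, producing an exception report for follow-up.
# Role names, the role-to-component mapping and the sample data are constructed.
from collections import defaultdict

# Which transaction component each system role exercises (constructed mapping).
# Read-only roles map to None because they exercise no component.
ROLE_COMPONENT = {
    "po_approver": "Authorization",
    "check_signer": "Authorization",
    "cash_receipts": "Custody",
    "inventory_keeper": "Custody",
    "ap_clerk": "Record-keeping",
    "gl_poster": "Record-keeping",
    "report_viewer": None,
}

# Constructed sample: (user, role) pairs as exported from the system.
ASSIGNMENTS = [
    ("netid01", "po_approver"), ("netid01", "report_viewer"),
    ("netid02", "ap_clerk"), ("netid02", "gl_poster"),            # same component twice: allowed
    ("netid03", "cash_receipts"), ("netid03", "ap_clerk"),        # Custody + Record-keeping
    ("netid04", "po_approver"), ("netid04", "inventory_keeper"),  # Authorization + Custody
]

def roles_by_component(assignments, role_component=ROLE_COMPONENT):
    """Map user -> {component: roles granting it}; fail on unclassified roles."""
    result = defaultdict(lambda: defaultdict(set))
    for user, role in assignments:
        if role not in role_component:
            # An unclassified role cannot be assumed harmless: stop and classify it.
            raise ValueError(f"role {role!r} is not mapped to a transaction component")
        component = role_component[role]
        if component is not None:
            result[user][component].add(role)
    return result

def sod_exceptions(assignments, role_component=ROLE_COMPONENT):
    """Users holding more than one of Authorization, Custody, Record-keeping."""
    return {user: {c: sorted(r) for c, r in comps.items()}
            for user, comps in roles_by_component(assignments, role_component).items()
            if len(comps) > 1}

def exception_report(assignments):
    """Plain-text exception report, one line per conflicting user."""
    lines = []
    for user, comps in sorted(sod_exceptions(assignments).items()):
        detail = "; ".join(f"{c} via {','.join(r)}" for c, r in sorted(comps.items()))
        lines.append(f"{user}: {detail}")
    return "\n".join(lines)
```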
System Configuration
- Controls include “switches” that can be set by turning them on or off to secure data against inappropriate processing, based on the policies and procedures
  - Systems can be configured to require passwords of minimum characters and symbols.
Documentation & Record Retention
- Provide reasonable assurance that assets are controlled and transactions are correctly recorded, for example, retention of:
  - Financial Assistance Application for Charity Care patients
  - Explanation of Benefit forms for a third party payment
Monitoring Operations
- Verification that controls are operating properly
- Review of activity by a person other than the preparer, who analyzes and performs oversight of the activities performed
  - Periodic analytical review of average charge per patient to revenue reported for the period.
Key Performance Indicator
- Financial and non-financial quantitative measurements that are collected by the entity and used by management to evaluate the extent of progress toward meeting defined objectives
  - Productivity reporting for individual departments
Exception / Edit Report
- Report generated to monitor something and followed up on through to resolution
  - Exceptions – report detailing violations of a set standard
  - Edits – report detailing changes to a master file
Data Interfaces
- The transfer of specifically defined information (data) between two computer systems, using either manual or automated means to ensure accuracy, completeness and integrity of the data
  - The University identity management system provides a feed to the Health System Enterprise Active Directory.
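How the accuracy, completeness and integrity checks on a data interface can be automated on the receiving side, as an added example not taken from the slides. The pipe-delimited layout, the trailer control record and the NetID pattern are constructed for illustration and are not the University's actual feed format.

```python
# Added example (not from the slides): validating an identity feed before it is
# loaded into a directory: completeness (record count), integrity (trailer hash)
# and accuracy (field checks). Layout, trailer and NetID pattern are constructed.
import hashlib
import re

FIELDS = ("netid", "employee_id", "display_name", "status")
NETID_RE = re.compile(r"^[a-z]{2,8}[0-9]{0,3}$")   # constructed pattern, not Duke's rule
VALID_STATUS = {"active", "terminated"}

def body_digest(body_lines):
    return hashlib.sha256("\n".join(body_lines).encode()).hexdigest()

def make_trailer(body_lines):
    """Control record the sending system appends: record count and body hash."""
    return f"TRAILER|{len(body_lines)}|{body_digest(body_lines)}"

def validate_feed(text):
    """Return a list of problems; load the feed only if the list is empty."""
    lines = text.strip().split("\n")
    if not lines[-1].startswith("TRAILER|"):
        return ["no trailer: completeness and integrity cannot be confirmed"]
    body, (_, count, digest) = lines[:-1], lines[-1].split("|")
    problems = []
    if int(count) != len(body):                       # completeness
        problems.append(f"record count {len(body)} != control count {count}")
    if body_digest(body) != digest:                   # integrity
        problems.append("body hash does not match trailer hash")
    seen = set()
    for n, line in enumerate(body, 1):                # accuracy
        fields = line.split("|")
        if len(fields) != len(FIELDS) or "" in fields:
            problems.append(f"line {n}: malformed record")
            continue
        rec = dict(zip(FIELDS, fields))
        if not NETID_RE.match(rec["netid"]):
            problems.append(f"line {n}: bad NetID {rec['netid']!r}")
        if rec["status"] not in VALID_STATUS:
            problems.append(f"line {n}: unknown status {rec['status']!r}")
        if rec["netid"] in seen:
            problems.append(f"line {n}: duplicate NetID {rec['netid']!r}")
        seen.add(rec["netid"])
    return problems

# Constructed sample feed, and the same feed with one record lost in transit
# while the trailer was left untouched.
GOOD_BODY = ["jdoe12|0001234|Jane Doe|active",
             "asmith|0005678|Adam Smith|active",
             "rlee3|0009012|Rae Lee|terminated"]
GOOD_FEED = "\n".join(GOOD_BODY + [make_trailer(GOOD_BODY)])
TRUNCATED_FEED = "\n".join(GOOD_BODY[:2] + [make_trailer(GOOD_BODY)])
```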
System Access
- The ability that individual users or groups have within a computer information system processing environment
  - Determined and defined by authorized configuration
  - Established based on unique position number (SAP) or individual employee identification (NetID)
Information & Communication
- Processes and systems to provide timely and appropriate information for people to carry out their responsibilities
- Quality information is:
  - Content appropriate
  - Timely and current
  - Accurate
  - Accessible
  - Communicated appropriately
Control Limitations
Internal controls provide only reasonable assurance that operational, financial reporting and compliance objectives are met. These assurances are not absolute.
Limitations inherent in all internal control systems include:
- Collusion: Two or more individuals acting together may alter financial information in a manner that results in control failure.
- Return on investment: If the cost of a control outweighs the benefit of implementing the control, it will not be adopted.
- Judgment: Humans are fallible and sometimes make errors in judgment because of pressures.
- Breakdowns: Personnel may misunderstand instructions or simply make mistakes.
Biggest threats to the Internal Control Structure
- Threat: Management Override. Vulnerability: A well-designed control system, if set aside at management’s discretion, can be equivalent to no control in terms of risk.
- Threat: Access to Assets. Vulnerability: The best way to safeguard assets is to control access to them.
- Threat: Substance over Form. Vulnerability: Controls may appear to be well-designed and still lack substance.
- Threat: Conflicts of Interest. Vulnerability: When employee loyalty is divided there is a distinct risk that the employee will choose a course of action detrimental to the organization.
- Threat: Failure to Anticipate Certain Risks. Vulnerability: Management may fail to anticipate certain risks, and thus fail to design and implement appropriate controls.
- Threat: Collusion. Vulnerability: Two or more employees may agree to circumvent internal controls.
Case Study II
Planning a Vacation
- To: Egypt or South Africa
- When: in 6 days
- How Long: for 1 week
- Who: You and at least one other person
Note: All travelers have valid passports
What did you change?
- How did you reprioritize activities?
- What control activities changed?
- How did time constraints affect you?
- Did you delegate differently?
- Are you worried about success?
Building a Strong Internal Control Environment
Questions?