Transcript Slide 1
Building a Strong
Internal Control
Environment
Presented by:
Leigh Baxter
Leigh Goller
© 2009
Office of Internal Audits
Research Academy Credit
© 2009
Office Of Internal Audits
Acknowledgments
Some content shared with permission from
our friends and colleagues at:
Duke PRMO
Harvard
Cornell
RIT
© 2009
Office Of Internal Audits
Warm up exercise
Can Internal Controls Mitigate/Manage Risk?
http://www.dailymotion.com/video/xahspa_
risk-mitigation-for-beginners_fun
© 2009
Office Of Internal Audits
Course Objectives
To enable and empower you to:
Define and evaluate your internal control
environment
Discuss & apply internal control activities &
responsibilities
Leverage internal control understanding for
effective decision making
© 2009
Office Of Internal Audits
Today is not about:
Professional ethics
Conflicts of interest
Enterprise risk management (ERM)
Sarbanes-Oxley
Audit-proofing your business unit
© 2009
Office Of Internal Audits
What is stewardship?
Stewards carefully and responsibly manage
all things entrusted to their care
We are responsible for ensuring:
Duke business is executed in good faith
transactions actually occurred
Duke complies with laws, regulations and policies
© 2009
Office Of Internal Audits
Pop Quiz!
True or False?
Internal controls are:
A. Based on trust
B. Effective by pure luck
C. Validated by customer feedback
D. Tested by auditors
E. Not my responsibility
© 2009
Office Of Internal Audits
A simple equation
Control Activities
=
Risk Management
Many Controls = Good Controls
© 2009
Office Of Internal Audits
What is risk?
The possibility a negative event will occur
The possibility a positive event may not occur
A calculated chance
Risk can be:
External (economy, weather, laws)
Internal (systems, personnel, initiatives)
Controllable (mitigated)
Uncontrollable (inherent)
© 2009
Office Of Internal Audits
What is control?
A process to regulate
Exercising influence
Authority or ability to manage or direct
An act to examine or verify
Reducing or preventing the spread of…
© 2009
Office Of Internal Audits
Internal Control Types
Operational
Financial
Promotes operational effectiveness and efficiency as well
as adherence to policies and procedures.
Designed to safeguard assets and ensure completeness,
accuracy and reliability of financial records.
Compliance
© 2009
Ensures compliance with applicable laws and
regulations.
Office Of Internal Audits
Missing or ineffective controls
Operational Risks
Poor decision making
Asset theft or loss
Effort duplication
Financial Risks
Misleading or inaccurate financial information
False reporting to constituents
Ineffective cost recovery
Compliance Risks
Fines or penalties
Sponsor funding and program renewal
Health & safety
© 2009
Office Of Internal Audits
Fact or fiction?
Myth
Fact
Internal controls are a bunch of
red tape
Internal controls should support,
not inhibit, business processes
Controls are one-size fits all
Controls may vary with the type
of transaction, business activity
or staffing level
Internal controls will prevent
fraud
Internal controls can deter and/or
detect fraud. Only good behavior
prevents fraud
Policies and procedures promote
strong internal controls
A strong control environment
promotes strong internal controls
Auditors own internal control
effectiveness
Management owns internal
control effectiveness
© 2009
Office Of Internal Audits
More fact or fiction?
Myth
Fact
Internal control is a finance thing Internal controls are integral to
– we do what GAP tells us to do
all aspects of the business –
control activities should be
designed to meet specific
business needs
Internal controls prohibit certain
Internal controls enable the
activities
rights things to happen the first
time and every time
Internal controls are just extra
work for me – I know how to do
my job without them
Internal controls promote
accountability and ensure
consistent performance
Internal controls only protect
Duke assets
Internal controls protect Duke
and its employees
© 2009
Office Of Internal Audits
Case Study I
Planning a Vacation
To:
Egypt or South Africa
When: in 6 months (Summer)
How Long: for 2 weeks
Who: You and at least one other person
Note: All travelers have valid passports
© 2009
Office Of Internal Audits
Did you consider?
What is a successful outcome (good trip)?
What is the most critical planning activity?
How many variables you want to control?
Who owns what part of the vacation planning?
What required double-checking?
What might happen while you are on vacation?
© 2009
Will you miss a flight?
Will you lose anything important?
Will you get sick?
Office Of Internal Audits
Careful Design
With a carefully designed internal control
environment, your department can:
Operate more efficiently and effectively
Provide a level of assurance that the processes,
services and products for which you are
responsible are adequately protected
© 2009
Office Of Internal Audits
Health check
Does your control environment promote:
Attention and direction from management?
Competence in all employees?
Ethical and quality operations?
Communicating “tone at the top”?
Appropriate assignment of responsibility and authority?
Development of people and skills?
Consistent practices?
Timely execution of required processes and transactions?
Asking questions?
Asking tough questions?
© 2009
Office Of Internal Audits
Manager Responsibility
Managers are responsible for ensuring that
internal controls are established and
functioning to achieve the mission and
objective of your department
© 2009
Office Of Internal Audits
Control Categories
Authorization
Reconciliation
Segregation of Duties
System Configuration
Documentation and Record
Retention
Monitoring Operations
Key Performance Indicator
Exception/ Edit Report
Data Interfaces
System Access
© 2009
Office Of Internal Audits
Authorization
Transaction Approval
Considers
the nature and significance of the
transaction
Segregates duties
Complies with DU and DUHS policy
Access Provisions
Safeguards
assets and records
Segregates duties
© 2009
Office Of Internal Audits
Reconciliation
A check to determine if two items are
consistent
Invoices
reconciled to account detail
A process to identify inaccurate or missing
transactions
© 2009
Office Of Internal Audits
Segregation of Duties
No individual is responsible for more than
one of the following transaction
components:
Authorization
Custody
Record-keeping
© 2009
Office Of Internal Audits
System Configuration
Controls include “switches” that can be set
by turning them on or off to secure data
against inappropriate processing, based
on the policies and procedures
Systems
can be configured to require
passwords of minimum characters and
symbols.
© 2009
Office Of Internal Audits
Documentation & Record
Retention
Provide reasonable assurance that assets
are controlled and transactions are
correctly recorded, for example, retention
of:
Financial
Assistance Application for Charity
Care patients
Explanation of Benefit forms for a third party
payment
© 2007
Office Of Internal Audits
Monitoring Operations
Verification that controls are operating
properly
Review of activity of a person different
than the preparer analyzing and
performing oversight of activities
performed
Periodic
analytical review of average charge
per patient to revenue reported for the period.
© 2009
Office Of Internal Audits
Key Performance Indicator
Financial and Non-Financial quantitative
measurements that are collected by the
entity and used by management to
evaluate the extent of progress toward
meeting defined objectives
Productivity
reporting for individual
departments
© 2009
Office Of Internal Audits
Exception / Edit Report
Report generated to monitor something
and followed-up on through to resolution
Exceptions
– report detailing violation of set
standard
Edits – report detailing changes to master file
© 2009
Office Of Internal Audits
Data Interfaces
The transfer of specifically defined
information (data) between two computer
systems, using either manual or
automated means to ensure accuracy,
completeness and integrity of the data
The
University identity management system
provides a feed to the Health System
Enterprise Active Directory.
© 2009
Office Of Internal Audits
System Access
The ability that individual users or groups
have within a computer information
system processing environment
determined
and defined by authorized
configuration
Established based on unique position number
(SAP) or individual employee identification
(NetID)
© 2009
Office Of Internal Audits
Information &
Communication
Processes and systems to provide timely
and appropriate information for people to
carry out their responsibilities
Quality information is:
© 2009
Content appropriate
Timely and current
Accurate
Accessible
Communicated appropriately
Office Of Internal Audits
Control Limitations
Internal controls provide only reasonable assurance that
operational, financial reporting and compliance objectives
are met. These assurances are not absolute.
Limitations inherent in all internal control systems include:
Collusion: Two or more individuals acting together may alter
financial information in a manner that results in control failure.
Return on investment: If the cost of control outweighs the
benefit of implementing the control, it will not be adopted.
Judgment: Humans are fallible and sometimes make errors in
judgment because of pressures.
Breakdowns: Personnel may misunderstand instructions or
simply make mistakes.
© 2009
Office Of Internal Audits
Biggest threats to the
Internal Control Structure
Threat
Vulnerability
Management Override
A well-designed control system, if set aside at management’s
discretion, can be equivalent to no control in terms of risk.
Access to Assets
The best way to safeguard assets is to control access to them.
Substance over Form
Controls may appear to be well-designed and still lack
substance.
Conflicts of Interest
When employee loyalty is divided there is a distinct risk that the
employee will choose a course of action detrimental to the
organization.
Failure to Anticipate
Certain Risks
Management may fail to anticipate certain risks, and thus fail to
design and implement appropriate controls.
Collusion
Two or more employees may agree to circumvent internal
controls.
© 2009
Office Of Internal Audits
Case Study II
Planning a Vacation
To:
Egypt or South Africa
When: in 6 days
How Long: for 1 week
Who: You and at least one other person
Note: All travelers have valid passports
© 2009
Office Of Internal Audits
What did you change?
How did you reprioritize activities?
What control activities changed?
How did time constraints affect you?
Did you delegate differently?
Are you worried about success?
© 2009
Office Of Internal Audits
Building a Strong Internal
Control Environment
Questions?
© 2009
Office Of Internal Audits