Understanding Internal Controls


Developing An Internal Control Plan For Your LEA
SASBO Conference
April 29, 2008

Presenters:
Kathy H. Isenhour, CPA, Associate Superintendent, Hickory Public Schools, Hickory, NC
Lynne E. Hensley, Retired CFO and Consultant, Burnsville, NC

In-ter-nal Con-trol

Internal - Of or on the inside: having to do with or belonging to the inner nature of a thing

Control - To exercise authority over, direct

Internal Control Defined

The plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies.
SAP No. 33

Internal Control Pronouncements

SAS No. 1 (SAS 104-Amendment to SAS 1)
- Accounting controls: Safeguarding of assets, reliability of financial records
- Managerial controls: Promote operational efficiency, encourage adherence to prescribed managerial

Changes to Scope of Audit as a result of SAS 112-Communicating Internal Control Matters Identified in an Audit

- Expands the quality and depth of the auditor’s required understanding of the entity and its environment including internal control
- Requires the auditor to assess the risks of material misstatements at the financial statements
- Emphasizes importance of the entity’s risk assessment process

Overall Changes to Audit Process in relation to Internal Control Matters

- Auditor must evaluate identified control deficiencies
- Auditor required to communicate in writing significant deficiencies and material weaknesses to management and Board of Education.
- SAS takes away the option to communicate orally matters related to deficiencies and weaknesses.

Auditor to Evaluate Design of Internal Controls

Auditor will specifically review:
Points where transactions are
- Initiated
- Processed
- Recorded
- Reported
and will assess risk that errors may not be prevented and detected

Examples of Deficiencies:

- Inadequate design of internal control over the preparation of the financial statements being audited
- Employees or management who lack qualifications & training to fulfill their assigned functions (unfamiliar with GAAP)
- Inadequate documentation of the components of internal control
- Inadequate design of monitoring controls
- Inadequate design and control of information technology
- Q & A survey no longer adequate

Components of An Internal Control Plan

When developing and writing an internal control plan, the plan should address the following:

- Control the environment
- Define the risks
- Control activities to minimize risk
- Inform and communicate procedures and policies
- Monitor activities

Control Environment

Controlling the environment is greatly influenced by the extent to which individuals recognize they will be held accountable

Control Activities

Who is responsible?
The Board of Education, Superintendent and Chief Finance Officer are ultimately responsible for identifying the financial and compliance risks and for designing, implementing and monitoring the internal control system for the Local Education Agency.

Tips to enhance a department’s control environment

- Administrative Procedures
- Employee Handbook stating policies and procedures
- Finance Department Standards of Conduct
- Clearly defined job descriptions
- Adequate training
- Appropriate disciplinary action when an employee does not comply

Risk Assessment

Identify the risks by determining:
- What could go wrong
- Where there are vulnerabilities
- How theft and fraud could take place
- What assets need to be protected
Expect Auditor to ask these questions
Some Examples of High Risk Transactions

- Petty Cash (if high volumes are processed)
- Cash Receipts
- Travel Expenditures
- Equipment Purchases
- Payment to Non-Vendors
- Supplies for Maintenance and Bus Garage

Characteristics of Fraud

Generally there are three requirements for fraud to occur:
- motivation - need for money
- opportunity - weakness in internal controls
- personal characteristics - willingness to commit the crime
It is difficult to have an effect on an individual’s motivation for fraud, but having an effective internal control plan can remove opportunities to commit fraud.

Control Activities

General Controls include:
- Access Security including data and program security
- Physical Security
- Software and program change controls
- Disaster Recovery

Software Application Controls

Input controls
- authorized users
- error listings
- limit checks written; dollar amounts
- self-checking digits for duplicates
Processing controls
- control totals
- audit trails
Output controls
- listing of master file changes
- distribution of registers
- review of output

Examples of Control Activities

- Approvals, Authorizations, and Verifications (Preventive)
- Reconciliations - Bank Statements, External Reports (Detective)
- Access to Equipment, Inventories, cash is limited and periodically counted and compared to previous inventory (Preventive and Detective)
- Segregation of Duties (Preventive)

Segregation of Duties

No one person should
- Initiate the transaction
- Approve the transaction
- Record the transaction
- Reconcile balances
- Handle assets
- Review reports
Even in the smallest LEAs - at least Two Sets of EYES
Balancing Risk and Control

Internal controls should be proactive, value added, cost-effective and address the exposure to risk.
The cost of a control should not exceed the benefit to be derived from it.

Information and Communication

Information and communication are essential to effecting control.

Reliable and relevant information from both internal and external sources must be identified, processed and communicated to people in a timeframe that is useful.

Communication

Communication can be formal or informal.
Communication as simple as staff meetings can provide input and feedback relative to the LEA's operations, financial reporting and compliance reporting.
Employees often provide some of the most critical information needed to identify risks and opportunities for wrongdoing.

Monitoring

Monitoring is the assessment of internal control performance over time; it is accomplished by ongoing monitoring activities such as:
- Annual evaluation of personnel
- Conduct periodic internal audits
- Review applicable laws and regulations to ensure compliance

Effectiveness of Internal Control Plan

Internal control is effective and adequately designed if all internal control components are properly executed and functioning as planned:

- Control of the environment
- Assessment of the Risks
- Control the Activities
- Information and Communication
- Monitoring

What is the Price for NOT Having Good Internal Controls?

- Loss of public trust
- Loss of future grants
- School system’s reputation
- Violation of laws

Elements To Use in Internal Control Exercise

- Bank Statement Reconciliation
- Plumbing Contractor
- Vending Machine Change
- Cafeteria Daily Cash Collection
- Payroll Master File Maintenance
- Superintendent’s Sister-in-Law
- Individual School Fund Raising Receipts
- Parts for School Bus Garage
- Facsimile Signature (Rubber Stamp)
- Travel Reimbursement Claim

Sample Internal Control Plan
Hickory Public Schools
Control Activities for Budget

I. The Board of Education adopts an annual budget for all funds in accordance with state statutes.
II. Budget amendments over $10,000 are required to be approved by the Board of Education.
III. Accounting principles used in the budget preparation are the same as those used in preparing the financial statements.

Sample Internal Control Plan
Hickory Public Schools
Control Activities for Cash Receipts

I. Mail is opened and a list of daily receipts is prepared by the receptionist.
II. Checks are forwarded to accounts receivable to process daily deposits.
III. Deposits are made daily when cash/checks exceed $50.
IV. Cash receipts are promptly and accurately recorded as to the account, amount and date.
V. Petty Cash is permissible not to exceed $25 at reception area for change when citizens request transcripts.
VI. Reconciliation is done monthly to reconcile cash collected to receipts.

Questions