Overview of Internal Controls
“Internal control is a process designed to provide reasonable
assurance regarding the achievement of effectiveness and
efficiency of operations, reliability of financial reporting, and
compliance with laws and regulations.”
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
Overview of Internal Controls
Prepared and Presented by:
Dan Allen, MBA, CFE, CISA
Student Affairs Controller and Director of Fiscal Support Services
PH: 688-3318
E-mail: [email protected]
IC-02
Overview of Internal Controls
Objectives:
Define internal controls and relate them to the day-to-day management of our operations.
We will discuss:
• How controls (internal controls) are part of the “management process”
• The purpose of internal controls
• The five interrelated components of internal controls
• The relationship between risks, costs, and controls
• University-required internal controls and sub-certification
• Other important University-related internal controls
IC-03
Internal Controls Overview
Key Management Process
Many people equate controls with accountants and auditors; however, controls are part of the
day-to-day management process. Internal control simply refers to the controlling activities
that are performed within an organization.
Management Process (from Wikipedia)
“Management process is a process of planning and controlling the performance or execution of
any type of activity. . . . Organization’s top management is responsible for carrying out this
management process.”
IC-04
Internal Controls Overview
Purpose of Internal Controls
Purpose of Internal Controls:
• Keeps an organization on course toward its objectives and the achievement of its mission, and
minimizes surprises along the way.
• Promotes effectiveness and efficiency of operations, reduces the risk of asset loss, and helps to
ensure compliance with laws and regulations.
• Ensures the reliability of financial reporting (i.e., all transactions are recorded and that all
recorded transactions are real, properly valued, recorded on a timely basis, properly classified,
and correctly summarized and posted.)
• Helps protect our students, our staff, our management, and the public.
• Safety
• Integrity
• Reputation
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-05
Internal Controls Overview
Components of Internal Controls
Internal control consists of five interrelated components, all five of which must be
present to conclude that internal control is effective.
The components include:
1. Control (or operating) environment
2. Risk assessment
3. Control activities
4. Monitoring, and
5. Information and communication
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-06
Internal Controls Overview
Relationship Between Risks, Costs and Controls
An effective control system provides reasonable, but not absolute, assurance for the safeguarding of
assets, the reliability of financial information, and the compliance with laws and regulations.
Reasonable assurance is a concept that acknowledges that control systems should be developed and
implemented to provide management with the appropriate balance between risk of a certain business
practice and the level of control required to ensure business objectives are met.
The cost of a control should not exceed the benefit to be derived from it.
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-07
Internal Controls Overview
Components of Internal Controls
1. Control Environment – the control consciousness of an organization. The control environment is
greatly influenced by the extent to which individuals recognize that they will be held accountable.
The control environment includes technical competence and ethical commitment; it is an intangible
factor that is essential to effective internal control. Management is responsible for “setting the tone” for
the organization by fostering the highest levels of integrity and personal and professional standards,
demonstrating a leadership philosophy and operating style which promotes internal control, and the
assignment of authority and responsibility.
In a control conscious environment, all employees are responsible for implementing internal controls
and for reporting or taking other corrective actions to mitigate possible control issues/weaknesses.
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-08
Internal Controls Overview
Components of Internal Controls
2. Risk Assessment – the identification and analysis of risks associated with the achievement of
operations, financial reporting, and compliance goals and objectives. This, in turn, forms a basis
for determining how those risks should be managed.
Risk is the probability that an event or action will adversely affect the organization.
To achieve goals and objectives, management needs to effectively balance risks and controls. Therefore,
control procedures need to be developed so that they decrease risk to a level where management can
accept the exposure to that risk.
By performing this balancing act “reasonable assurance” can be attained.
Excessive Risks:
• Loss of Assets, Donor, or Grants
• Poor Business Decisions
• Noncompliance
• Increased Regulations
• Public Scandals
Excessive Controls:
• Increased Bureaucracy
• Reduced Productivity
• Increased Complexity
• Increased Cycle Time
• Increase of No-Value Activities
To achieve a balance between risk and controls, internal controls should be proactive, value-added,
cost-effective and address exposure to risk.
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-09
Internal Controls Overview
Components of Internal Controls
2. Risk Assessment (continued)
Risk Analysis
After risks have been identified, a risk analysis should be performed to prioritize those risks:
• Assess the likelihood (or probability and threat) of the risk occurring
• Estimate the potential impact if the risk were to occur; consider both quantitative and
qualitative costs **
• Determine how the risk should be managed; decide what actions are necessary.
** Examples of:
Quantitative costs include the cost of property, equipment, or inventory, cash dollar loss, damage and
repair costs, cost of defending a lawsuit, etc.
Qualitative costs can have wide-ranging implications to the University. These costs may include loss
of public trust, loss of future grants, gifts and donations, injury to the University’s reputation,
increased litigation, violation of laws, etc.
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-10
Internal Controls Overview
Components of Internal Controls
3. Control Activities – the actions, supported by policies and procedures that, when carried out
properly and in a timely manner, manage or reduce risks.
Controls can be classified as preventive, detective, or corrective controls.
• Preventive controls (P) - attempt to deter or prevent undesirable events from occurring.
They are proactive controls that help prevent a loss.
• Detective controls (D) - attempt to detect undesirable acts.
• Corrective controls (C) - are procedures that fix an error or control situation.
Control activities generally include
• approvals, authorizations, and verifications,
• reconciliations,
• reviews of performance,
• security of assets,
• segregation of duties,
• training, and
• controls over information systems.
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-11
Internal Controls Overview
Components of Internal Controls
3. Control Activities (continued)
Control Activities – Approvals (Preventive)
Approvers should review supporting documentation, question unusual items, and make sure that
necessary information is present to justify the transaction – before they sign it. Signing blank forms
is never allowed. Approval authority is delegated in writing and may be linked to specific dollar
levels. Transactions that exceed the specified dollar level would require approval at a higher level.
Key approval controls:
• Written policies and procedures
• Limits to authority
• Supporting documentation
• Question unusual items
• No “rubber stamps”, and
• No blank signed forms
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-12
Internal Controls Overview
Components of Internal Controls
3. Control Activities (continued)
Control Activities – Reconciliations (Detective)
A reconciliation is a comparison of different sets of data to one another, identifying and investigating
differences, and taking corrective action, when necessary.
Reconciliations help to ensure the accuracy and completeness of transactions that have been charged
to a department’s accounts, and that those transactions were properly approved.
A critical element of the reconciliation process is to resolve differences.
Reconciliations should be documented and approved by management.
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-13
Internal Controls Overview
Components of Internal Controls
3. Control Activities (continued)
Control Activities – Reviews (Detective)
Reviewing reports, statements, reconciliations, and other information by management is an important
control activity. Management should review such information for consistency and reasonableness.
Management reviews should generally include
• Budget to actual comparison
• Current to prior period comparison
• Performance indicators
• Follow-up on unexpected results or unusual items
Reviews of performance provide a basis for detecting problems.
Management should compare information about current performance to budgets, forecasts, prior
periods or other benchmarks to measure the extent to which goals and objectives are being
achieved and to identify unexpected results or unusual conditions which require follow-up.
Management’s review of reports, statements, reconciliations, and other information should be
documented as well as the resolution of items noted for follow-up.
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-14
Internal Controls Overview
Components of Internal Controls
3. Control Activities (continued)
Control Activities – Asset Security (Preventive and Detective)
Assets, such as cash, checks, credit cards, laptops, vital documents, critical systems, and
confidential information must be safeguarded against unauthorized use or disposition. Typically,
access controls are the best way to safeguard these assets.
Examples of access controls are
• Locked doors
• Card key systems
• Locked filing cabinet
• Guard
• Computer password
• Data encryption
Departments with capital assets or significant inventories should establish perpetual inventory control
over these items by recording purchases and issuances.
Periodically, items should be physically counted by a person who is independent of the purchase,
authorization and asset custody functions, and the counts should be compared to balances per
perpetual records.
Missing items should be investigated, resolved, and analyzed for possible control deficiencies;
perpetual records should be adjusted to physical counts if missing items are not located.
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-15
Internal Controls Overview
Components of Internal Controls
3. Control Activities (continued)
Control Activities – Segregation of Duties (Preventive and Detective)
Segregation of duties is critical to effective internal control; it reduces the risk of both erroneous and
inappropriate actions. In general, the approval function, the accounting/reconciling function, and the
asset custody function should be separated among employees. Segregation of duties is a deterrent
to fraud because it requires collusion with another person to perpetrate a fraudulent act.
No one person should . . .
• Initiate the transaction
• Approve the transaction
• Record the transaction
• Reconcile balances
• Handle assets
• Review reports
At least two sets of eyes required of all transactions
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-16
Internal Controls Overview
Components of Internal Controls
3. Control Activities (continued)
Control Activities – Segregation of Duties (Preventive and Detective)
Specific examples of segregation of duties include:
• The person who requisitions the purchase of goods or services should not be the person who
approves the purchase.
• The person who approves the purchase of goods or services should not be the person who
reconciles the monthly financial reports.
• The person who approves the purchase of goods or services should not be able to obtain custody
of checks.
• The person who maintains and reconciles the accounting records should not be able to obtain
custody of checks.
• The person who opens the mail and prepares a listing of checks received should not be the person
who makes the deposit.
• The person who opens the mail and prepares a listing of checks received should not be the person
who maintains the accounts receivable records.
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-17
Internal Controls Overview
Components of Internal Controls
4. Monitoring – the assessment of internal control performance over time; it is accomplished by
ongoing monitoring activities and by separate evaluations of internal control such as self-assessments, peer reviews, and internal audits.
The purpose of monitoring is to determine whether internal control is adequately designed, properly
executed, and effective.
Internal control is effective if management and interested stakeholders have reasonable assurance
that:
• They understand the extent to which operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• Applicable laws and regulations are being complied with.
While internal control is a process, its effectiveness is an assessment of the condition of the process
at one or more points in time.
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-18
Internal Controls Overview
Components of Internal Controls
5. Information and Communication – information about an organization’s plans, control environment,
risks, control activities, and performance must be communicated up, down, and across an
organization.
When assessing internal control, the key questions to ask about information and communication
include:
• Does the department get the information it needs from internal and external sources – in a form and
timeframe that is useful?
• Does the department get information that alerts it to internal or external risks (e.g., legislative,
regulatory, and developments)?
• Does the department get information that measures its performance – information that tells the
department whether it is achieving its operations, financial reporting, and compliance objectives?
• Does the department identify, capture, process, and communicate the information that others need
(e.g., information used by our customers or other departments) in a form and timeframe that is useful?
• Does the department provide information to others that alerts them to internal or external risks?
• Does the department communicate effectively – internally and externally?
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-19
Internal Controls Overview
University’s Internal Control Questions
What are the primary internal controls that the University has specified as
being required?
IC-20
Internal Controls Overview
University’s Internal Control Questions
In an effort to assess and improve the University’s internal controls, beginning in FY2006,
the University requested operations to annually assess whether sufficient internal
control structures are in place to effectively identify weaknesses in financial processes
and systems, and to sub-certify compliance on 16 key internal controls.
The controls status is based on the following criteria:
• Green – generally complies with policies and control activities
• Yellow – partially complies with policies and control activities; opportunities for improvement exist
• Red – routinely does not comply with policies and control activities; improvement is needed.
Areas assessed as “yellow” or “red” require action plans to resolve the control gaps.
By being required to be assessed annually, these 16 controls (or control processes)
should be assumed to be required University controls.
IC-21
Internal Controls Overview
University’s Internal Control Questions
Does the College/Office . . .
1. Require staff with fiscal responsibilities to attend system training offered by OIT
and financial training offered by the Controller’s Office?
2. Follow personnel and payroll policies set forth by the Office of Human Resources?
3. Have an effective control structure that includes monitoring activities, to ensure
compliance with University policies regarding use of Procurement Cards?
4. Have processes and monitoring activities in place to ensure compliance with the
guidelines on alcohol, meals, entertainment, recruiting, cellular phones, employee
recognition events, professional dues and subscriptions, and payment for services
set forth in the University Expenditure Policies?
5. Have processes and monitoring activities in place to ensure compliance with
University Travel Policies?
IC-22
Internal Controls Overview
University’s Internal Control Questions
Does the College/Office . . .
6. Coordinate all gift and fundraising activities with the Office of University
Development?
7. Process all sponsored research proposals and agreements through the OSU
Research Foundation?
8. Submit proposed rates and earnings budgets to Resource Planning for all
operations that sell goods or services?
9. Maintain supporting documentation for its financial transactions, in accordance
with retention guidelines set forth by University Archives?
10. Perform monthly reconciliations of transactions appearing in its general ledger
reports (e.g. payroll, purchasing, travel, etc.) to internal source documents?
11. Have an established process for reporting financial errors, problems, etc. to senior
administrators within the college?
IC-23
Internal Controls Overview
University’s Internal Control Questions
Does the College/Office . . .
12. Reconcile all non-cash assets and liabilities to supporting detail on a monthly
basis?
13. Have processes and monitoring activities in place to ensure compliance with fund
restrictions imposed by donors, granting agencies and other resource providers?
14. Have processes and monitoring activities in place to ensure compliance with
University Treasurer policies on cash handling (including separation of duties,
timely preparation of deposits, rules on petty cash/change funds, management
review of deposit corrections, and reporting of cash shortages to Internal Audit and
OSU Police)?
15. Require faculty and staff with fiscal responsibilities to understand and observe the
Ohio Ethics Law?
16. Have processing and monitoring activities in place to ensure effective custody over
non-cash assets, including maintenance of accurate equipment inventory records,
measures to prevent loss/theft of items, and compliance with University
surplus/disposal policies?
IC-24
Internal Controls Overview
Other University Internal Controls
The following are other important University-related internal controls or requirements
• Emergency Management and Business Continuity Plans.
• PeopleSoft access security, limiting access and functionality.
• Conflict of Interest disclosures completed annually.
• University error/violation reporting procedures and anonymous reporting line.
• Dollar limits for transactions, such as for purchases and authorizations.
• Requirement for budgets and frequent comparisons of “budget to actuals.”
• Requirement of submission of fees and rates, and approval by BOT.
• Payroll certifications.
IC-25
Internal Controls Overview
Other University Internal Controls
Other important University-related internal controls (continued):
• Requirement to “tag” all items purchased over a dollar threshold.
• Maintain listings of “delegation of authorities.”
• Requirements for background checks for staff (based on responsibilities).
• Multiple ways to perform purchasing, reducing risk of not being able to purchase items that are
needed.
• Independent controls monitoring and reporting by the Department of Internal Audit.
• Independent controls monitoring and reporting by external auditors (for the State).
(just to name a few . . . )
This completes the course material; now let’s summarize.
IC-26
Internal Controls Overview
Summary
Summary – Management Process:
Effective internal control is a built-in part of the management process of planning and controlling.
Summary – Purpose of Internal Controls:
• Keeps an organization on course toward its objectives and the achievement of its mission, and minimizes
surprises along the way.
• Promotes effectiveness and efficiency of operations, reduces the risk of asset loss, and helps to ensure
compliance with laws and regulations.
• Ensures the reliability of financial reporting (i.e., all transactions are recorded and that all recorded
transactions are real, properly valued, recorded on a timely basis, properly classified, and correctly
summarized and posted.)
• Helps protect our students, our staff, our management, and the public.
• Safety
• Integrity
• Reputation
IC-27
Internal Controls Overview
Summary
Summary – 5 Components of Internal Controls:
Internal control consists of five interrelated components, all five of which must be present to conclude that
internal control is effective. The components include:
1. Control (or operating) environment
2. Risk assessment
3. Control activities
4. Monitoring, and
5. Information and communication
Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.
IC-28
Internal Controls Overview
Summary
Summary – Overall Purpose
The purpose of this class was to provide an overview of internal controls and to relate internal controls to the
day-to-day management of operations.
Have we achieved our objective?
If you have questions about internal controls, please contact:
• Your Senior Fiscal Officer or other appropriate unit staff
• University Controller’s Office, or
• Internal Audit
Thank you for your participation!!
Please complete the course review questions. Successful completion of the review questions is required to
indicate completion of the course.
IC-29