Controls 101 v6
8/8/2019 Controls 101 v6
FM Controls 101
Internal Controls: What are they and why should I care?
Donald Harvey, CPA, CIA
Course Objective
1. Understand what internal control is and define the various types of internal controls.
2. Understand the approach you should use to identify controls within your work stream.
What is Internal Control?
Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of the following objectives:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Reasonable Assurance: includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis.
11/1/2010
Internal Control Key Concepts
- Internal control is a process. It's a means to an end, not an end in itself.
- Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of the organization.
- Management, not auditors, must establish and maintain the entity's controls.
- No system can be regarded as completely effective.
- Should be applied to both manual and computerized systems.
Elements of Internal Controls
Internal Controls consist of five interrelated components:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring
Elements of Internal Controls
1. Control Environment: The control environment establishes the overall tone for the organization and is the foundation for all other components of internal control.
There are seven sub-components of the control environment:
- Integrity and ethical values
- Commitment to competence and development of people
- Management's philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resources policies and procedures
- Participation by those charged with governance (i.e. board of directors, audit committee)
Elements of Internal Controls (cont.)
2. Risk Assessment: For an entity to exercise effective control, it must establish objectives and understand the risks it faces in achieving those objectives.
The process of identifying and analyzing risks is an ongoing iterative process. The sub-components for the risk assessment include:
- Entity-wide objectives: Does the entity have approved entity-wide objectives that are aligned with the strategic plan?
- Activity-level objectives: Are activity-level objectives consistent with entity-wide objectives and are they relevant?
- Risk Analysis: Are there mechanisms to identify risks, from both internal and external sources, that could prevent the entity from achieving its objectives? Is the process thorough and relevant?
- Mechanisms for change: Are there adequate mechanisms to identify change for routine events and for events that may have a pervasive impact on the entity?
Elements of Internal Controls (cont.)
3. Control Activities: Control activities are the controls implemented to prevent or detect errors or fraud that could result in material misstatement in financial statements. Control activities occur throughout the organization, at all levels, and in all functions.
- Physical Safeguards and Security: Access to physical assets and information systems is controlled and properly restricted to authorized personnel.
- Error Handling: Errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.
- Segregation of Duties: Duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing a transaction.
- Authorization & Approvals: All transactions are pre-approved by responsible personnel.
- Completeness: All valid transactions are included in the accounting
- Accuracy: All valid transactions are accurate, consistent with the originating transaction data, and information is recorded in a timely manner.
- Validity: All recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management's general authorization.
Elements of Internal Controls (cont.)
4. Information and Communication: Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities.
Types of information to consider when evaluating the information and communication component of a company's internal control:
- Accounting Systems
- Policy Manuals (including financial reporting manuals)
- Management's Reports
- Accounting Policy Updates
- Technical Updates
- Training
- Newsletters
- Staff Meetings
Elements of Internal Controls (cont.)
5. Monitoring: Effective monitoring is a process that assesses the quality of the system's performance over time. It includes the regular management activities as well as separate evaluations by central units, Internal Audit, or other independent parties.
Examples of monitoring controls:
- Management Reviews
- Internal Audits
- Audit Committee Activities
- Disclosure Committee Activities
- Self-Assessment Review
Types of Internal Controls
There are two primary types of internal controls:
- Preventive Controls: designed to keep errors or irregularities from occurring in the first place
- Detective Controls: designed to detect errors or irregularities that may have occurred
How Do I Use This?
When documenting sub-processes, make sure that both preventive and detective controls are in place for each of the seven control activities.
Control Activities
1. Authorization & Approvals
2. Completeness
3. Accuracy
4. Validity
5. Physical Safeguards and Security
6. Error Handling
7. Segregation of Duties
Control Types
1. Preventive Controls
2. Detective Controls
Workstream Approach - What Can Go Wrong
Use the "What Can Go Wrong" Approach to identify and document the controls related to your workstream.
Proposed Workstream Approach:
1. Identify and document controls related to the A-133 Audit Findings for your workstream (first priority)
2. Identify and document other primary controls for your workstream by using the control activities (second priority)

Columns: Process; What Can Go Wrong; Control Activity; Controls (P-Preventive; D-Detective)

Process: Payroll
What Can Go Wrong: What ensures that timecards correctly summarize time worked?
Control Activity: Completeness
Controls:
- Time reports are reviewed & approved before payment (P)

Process: Payroll
What Can Go Wrong: What ensures that payments are not made for time not worked?
Control Activity: Validity
Controls:
- Access to data/transaction files is appropriately restricted (P)
- System will not generate paychecks for terminated employees (P)
- Time reports are reviewed & approved before payment (P)
- Costs by department are compared to budget (D)

Process: Expenditures
What Can Go Wrong: What ensures that expenditures are real?
Control Activity: Validity
Controls:
- Approval is required for changes to vendor master files (P)
- Disbursements greater than specified dollar amounts require additional approval (P)
- System matches purchase order, receiving report, and invoice prior to payment (P)
Who is accountable for assurance that appropriate internal controls are in place?
Management!!!!
Who is responsible for the performance of internal control activities?
Everyone!!!!
Questions!