Fiscal Officer Development Series September 11, 2008 Risks, Controls, & Ethics Terry Radke, CPA...


Transcript of Fiscal Officer Development Series September 11, 2008 Risks, Controls, & Ethics Terry Radke, CPA...

Page 1: Fiscal Officer Development Series September 11, 2008 Risks, Controls, & Ethics Terry Radke, CPA Internal Audit Director INDIANA UNIVERSITY FISCAL OFFICER.

Fiscal Officer Development Series September 11, 2008

Session Objectives

• Understand and apply INTERNAL CONTROL concepts to accomplish your organization’s objectives

• RISK Assessment and Management

• ETHICAL VALUES and CONDUCT

Page 2:

Why should you care?

Internal Controls minimize the RISKS to your Organization!!!

Page 3:

RISKS your Organization faces

• Financial Reporting

• Compliance

• Operational

• Loss of Assets

Page 4:

Financial Institutional Policy I-1

Role of Fiscal Officer, Account Manager, and Account Supervisor.

• Account Supervisor has a leadership or executive role.

• Account Manager has an operational role.

• Fiscal Officer has an oversight role.

Page 5:

It’s your Job

Financial Institutional Policy I-1

“…trained and hired for the purpose of providing fiscal, policy, and internal control management of all funds...”

“…responsible for ensuring that processes and related controls have been established to achieve the mission and objectives of their organization(s).”

Page 6:

What is Internal Control

Internal control is a PROCESS of specific policies and procedures designed to provide reasonable assurance that organization’s objectives will be met

• Provide reliable financial reporting

• Promote efficient and effective operations

• Helps ensure compliance with policy

• Protect University Assets

Page 7:

Internal Control Components

[Diagram: Establish Control Environment; Implement Control Activities; Perform Risk Assessment; Goals & Objectives; Monitor Performance; Information and Communication]

Page 8:

Control Environment

TONE AT THE TOP

– Integrity, ethical values, and behavior of management

– Management’s control consciousness

– Management’s commitment to competence

It’s the way you do Business

– Organization structure

– Assignment of authority and responsibility

– Policies and practices

Page 9:

What do we mean by “Tone at the Top”?

• Promote ethical values & conduct

• Walk the walk

• Lead by example

• Be approachable

• Compliance w/Policy

• Don’t circumvent rules

• Full disclosure

• Fix problems

• Equal treatment for equal offenses

• Reward things that are done right

• Hug your Auditor

Page 10:

Questions

• Which attributes of a Super Fiscal Officer can be useful in exhibiting a strong “Tone at the top”?

• When should you be demonstrating a strong “Tone at the top”?

Page 11:

Defining Ethics?

eth·ic Pronunciation: 'e-thik Function: noun from Greek Éthos, Date: 14th century

1 the discipline dealing with what is good and bad and with moral duty and obligation

2 a: a set of moral principles or values b: the principles of conduct governing an individual or a group <professional ethics>

Page 12:

Defining Ethics?

“Doing the right thing”

Page 13:

What’s the Right Thing?

“What are the Rules”

Page 14:

Ethical Rules?

• Is it legal and in compliance with IU policy?

• Is it fair?

– Honest, truthful, responsible, trustworthy, respect individual

• Would it pass the newspaper test (or the Mom test)?

Page 15:

Why Ethics are important to your Organization?

Responsibility

Regulatory requirements

Return on integrity (the other ROI)

Page 16:

Responsibility/Regulatory requirements

• Expected to be good stewards of $ given to us by

– State/Feds

– Students

– Parents

– Donors

Page 17:

Return on integrity (the other ROI)

Good Ethics = Good Business

– Better employee decision making

– Greater employee commitment to the organization

– Reduced unethical or illegal behavior

– Better work environment

– Better reputation and image for IU

Page 18:

ETHICS

Closing Thoughts

Page 19:

• Speak out!

• Be outraged!

• Silence implies your consent!!

Silence is NOT Golden

Page 20:

Important to talk

• Transparency

• Get other perspectives/input

• Hopefully Consensus

Page 21:

Who you going to call?

• Supervisor

• Human Resources

• Purchasing

• Accounting/FMS

• University Legal Counsel

• Internal Audit

• Police

Page 22:

Causes of Ethical Failures

1. NO “Tone at the Top”

2. NO Consistency

3. Train Wrecks

4. Fear of Retaliation

5. No Reporting Mechanisms

6. No Education, Communication or Tools

Page 23:

Factors of an Ethical Environment

• Integrity of senior management

– Are they leading by example? Walking the talk?

• Clear ethical expectations

– Stake in the ground (Code of Ethical Conduct, discussions)

– Understand why

• Consistency

– Doesn’t count unless price is paid

• What else?

Page 24:

QUESTION

What specifically are you going to do to promote a strong ethical environment in your organization?

Page 25:

Written goals and objectives?

• Internal control is pointless without goals and objectives.

• Written goals and objectives focus efforts toward desired outcomes.

• Written goals and objectives provide a rationale for resource allocation.

• Written goals and objectives are evidence of thoughtful management.

Page 26:

What objectives do we need?

• Mission statement.

• Operations objectives.

• Financial reporting objectives.

• Compliance objectives.

• Objectives for all significant activities.

Page 27:

What are risks?

• A risk is anything that could jeopardize the achievement of your organization’s objective.

– Operate effectively and efficiently and achieve our goals

– Provide reliable financial data

– Comply with applicable laws, policies, and procedures

– Protect the university’s assets from loss

Page 28:

Risk Assessment is a process to

• Identify significant risks

• Assess risks

– What is the likelihood of occurrence?

– What is the potential impact?

• Manage these risks through

– Avoidance

– Acceptance and Sharing (Insurance)

– Mitigate with Controls

Page 29:

How do we identify risks?

• You know your risks.

• For each objective, ask yourself:

– What could go wrong?

– What assets do we need to protect?

– How could someone steal from us?

– What is our greatest legal exposure?

– What else?

Page 30:

Assess Risks

• Likelihood – probability of occurrence

• Impact – effect on IU/your organization

– Loss of resources

– Loss of public trust

– Violation of policies, laws, regulations

– Bad publicity

– Decreased enrollment

– What else?

Page 31:

QUESTION

What are the three major RISKS facing your school or department?

Page 32:

Internal Control Components

[Diagram: Establish Control Environment; Implement Control Activities; Perform Risk Assessment; Goals & Objectives; Monitor Performance; Information and Communication]

Page 33:

Control Activities

• The policies and procedures that help ensure that actions identified as necessary to manage risks are carried out properly and in a timely manner

– must be implemented thoughtfully, conscientiously, and consistently

– unusual conditions identified must be investigated and appropriate corrective action taken

– Should be proactive, value added, and cost effective

Page 34:

Control Activities

• Approvals, Authorizations, and Verifications

– Having written policies and procedures and limits to authority

• Reconciliations

– Explanations of the differences between two different sets of data

Page 35:

Control Activities

• Reviews of Performance

– For programs, departments, and individual employees

• Security of Assets

– Limiting access, keeping records, and making periodic counts to compare to our records

Page 36:

Control Activities

• Segregation of Functions

– The approval, recording/reconciling, and custody functions should be segregated

• Controls over Information Systems

– Application and development, controls within applications, security of data and machines

Page 37:

What control activities do I need?

• Enough to help ensure that you are managing your significant risks.

• Actions should be taken and control activities should be performed to mitigate significant risks to acceptable levels.

• An action to manage a risk can be anything.

Page 38:

What needs to be approved?

• Per policy, all financial transactions must be approved by the dept Fiscal Officer.

– FO can delegate signature authority

• What to approve and what to delegate?

• Generally, the higher the risk activities the higher level of approval/authorization.

Page 39:

What needs to be reconciled?

• Information about high risk activities should be reconciled to ensure its accuracy and completeness.

• Monthly operating reports must be reconciled to departmental records.

• Payroll voucher reports should be reviewed and compared to departmental records.

• What else?

Page 40:

What activities should be reviewed?

• Information about high risk activities must be reviewed by management.

• Generally, the Chair/Director/PI should review reports which compare budget to actual

– To measure performance.

– To detect problems.

• Performance reviews of staff

• Management’s review should be documented.

Page 41:

What assets need to be secured?

• Liquid assets, assets with alternative uses, dangerous assets, vital documents, critical systems, and confidential information need to be secured.

• Access to these assets should be restricted.

• Perpetual records should be maintained; periodic physical counts should be performed--differences should be checked.

Page 42:

What duties need to be segregated?

• It depends on the risk assessment

• The approval, accounting/reconciling, and asset custody functions should be segregated.

• Generally, duties related to cash receipts, payroll and purchases are high risk and should be segregated.

Page 43:

How do we control our computers?

• It depends on the risk assessment

• If critical or confidential information then both the information and the computer need to be controlled.

• Basic controls are

– Password protecting information.

– Backing-up information.

– Virus Scanning

– Practicing safe computing

– What else?

Page 44:

Internal Control Components

[Diagram: Establish Control Environment; Implement Control Activities; Perform Risk Assessment; Goals & Objectives; Monitor Performance; Information and Communication]

Page 45:

Information and Communication

• Communicate policies and procedures

– Supervisors and employees understand objectives and job responsibilities

• Get the information you (and staff) need

• Do performance evaluations

• Measure customer satisfaction

• Open door policy

– Hear the good and the bad news

Page 46:

Monitor Performance

• Evaluating your Internal Controls to determine

– Adequately designed

– Properly executed, and

– Effective

• How can we KNOW?

Page 47: Fiscal Officer Development Series September 11, 2008 Risks, Controls, & Ethics Terry Radke, CPA Internal Audit Director INDIANA UNIVERSITY FISCAL OFFICER.

Fiscal Officer Development Series Fiscal Officer Development Series September 11, 2008 September 11, 2008

How can we KNOW?

– Ongoing supervisory activities
– Look at your processes
– Periodic evaluations
• Self-assessment
• Peer review
• Internal audit
• External audits


Monitor Performance

• Internal Controls are effective if you know:
– The extent to which your organization’s goals and objectives are being achieved
– In compliance with relevant policies, etc.
– Financial records are reliable
– Assets are safeguarded
– Resources are used to advance organization’s mission


Who is Responsible for Control?

• EVERYONE

• Management is responsible for establishing a controlled environment.

• Faculty and staff are responsible for carrying out internal controls by following policies and procedures.

• Internal Audit, in an advisory/consultant role, is responsible for evaluating whether appropriate controls have been implemented and if they are functioning as intended.


Internal Control

• Is a Process
• Designed to provide reasonable assurance that organization’s objectives will be met
– Provides reliable financial reporting
– Promotes efficient and effective operations
– Helps ensure compliance with policy
– Protects university Assets


Why do Internal Controls fail?

• Human Errors - Bad Judgment
• Management Override
• Collusion
• Cost versus Benefit


Internal Control components


[Flowchart labels: Organizational Objectives; Identify & Assess Risks; Identify Current Controls; Identify & Assess Residual Risks; Acceptable (Yes / No); Document Risk Acceptance Decision; Action]

Define Organization’s Goals and Objectives?

Define goals and objectives in relation to:
• Mission
• Activities and processes
• Financial reporting requirements, and
• Compliance issues


[Flowchart labels: Organizational Objectives; Identify & Assess Risks; Identify Current Controls; Identify & Assess Residual Risks; Acceptable (Yes / No); Document Risk Acceptance Decision; Action]

Identify and assess potential RISKs by asking:
• What could go WRONG?
• What must go RIGHT?
• How likely is it that the risk will happen?
• What will be the impact if it happens?


[Flowchart labels: Organizational Objectives; Identify & Assess Risks; Identify Current Controls; Identify & Assess Residual Risks; Acceptable (Yes / No); Document Risk Acceptance Decision; Action]

What controls are in place to achieve your objectives?

• Control Environment
• Tone at Top
• Competence
• Roles & Responsibilities
• Information & Communication
• Control Activities


[Flowchart labels: Organizational Objectives; Identify & Assess Risks; Identify Current Controls; Identify & Assess Residual Risks; Acceptable (Yes / No); Document Risk Acceptance Decision; Action]

What could still go wrong given existing controls?

Look at your risks and your existing controls to identify any gaps.


[Flowchart labels: Organizational Objectives; Identify & Assess Risks; Identify Current Controls; Identify & Assess Residual Risks; Acceptable (Yes / No); Document Risk Acceptance Decision; Action]

Can you live with the Residual Risk?

• Do your existing controls provide reasonable assurance that you will achieve your objectives?
• Some things you can’t control (changes in government regulations, weather)
• Risk acceptance decision will depend on the culture of the organization


[Flowchart labels: Organizational Objectives; Identify & Assess Risks; Identify Current Controls; Identify & Assess Residual Risks; Acceptable (Yes / No); Document Risk Acceptance Decision; Action]

Action Planning

If the level of uncontrolled risk is too high/unacceptable, then action plans are developed to reduce the residual risk to an acceptable level.


Group Exercise

• Case Study
– Planning a SURPRISE 50th Birthday Party for your spouse
• Objectives
– identify
• Risks
– identify and assess


SURPRISE 50th Birthday Party

• OBJECTIVES
• Risks


Assess Risk


SURPRISE 50th Birthday Party

• Controls
– Control Environment - Competent team
– Budget with authorizations and approvals
– Segregation of Functions
– Reconciliations
– Controls over Information Systems
• Residual Risks
– ?


Identify Controls


QUIZ - Internal control is a

• PROCESS of specific policies and procedures
• Designed to provide reasonable assurance that organization’s objectives will be met
– Provide reliable financial reporting
– Promote efficient and effective operations
– Helps ensure compliance with policy
– Protect university Assets


Who is Responsible for Control?

• In a word, everyone

• Management is responsible for establishing a controlled environment.

• Faculty and staff are responsible for carrying out internal controls by following policies and procedures.

• Internal Audit, in an advisory/consultant role, is responsible for evaluating whether appropriate controls have been implemented and if they are functioning as intended.


QUIZ

• Name four Control Activities:

1.
2.
3.
4.


QUIZ

The most important Internal Control component is:

1. Risk assessment/management process
2. Hug your auditor
3. Positive “Tone at the Top”
4. Strong ethical climate
5. Control environment with answers 3 & 4


Quiz

Risk Assessment/Management is:

1. Planning a surprise birthday party
2. A department at IU
3. A process to assess risks and controls as they impact on the achievement of a business objective


QUIZ

Effective Internal Control Systems will:

1. Provide reasonable assurance that your organization’s objectives will be met
2. Promote reliable financial reporting
3. Provide efficient and effective operations
4. Help ensure compliance with policy
5. Protect university assets
6. All of the above


Quiz?

• Short Definition of Ethics?
• What are the Rules?


Quiz

• Short Definition of Ethics?
– “Doing the Right Thing”
• What Are the Rules?
– Moral Values (Is it fair?)
– Is it legal and in compliance with IU policy?
– Would it pass the newspaper test (or the Mom test)?


Case Study

• Identify 1-3 SMART OBJECTIVES
• Identify the 1-3 possible RISKs that would prevent you from achieving your objectives
• List the CONTROLS you would implement to mitigate these risks