Overview of Internal Controls

“Internal control is a process designed to provide reasonable assurance regarding the achievement of effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.”

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

Overview of Internal Controls

IC-02

Prepared and Presented by:

Dan Allen, MBA, CFE, CISA

Student Affairs Controller and Director of Fiscal Support Services

PH: 688-3318

E-mail: [email protected]

Overview of Internal Controls

Objectives:

Define internal controls and relate them to the day-to-day management of our operations.

We will discuss:

• How controls (internal controls) are part of the “management process”

• The purpose of internal controls

• The five interrelated components of internal controls

• The relationship between risks, costs, and controls

• University-required internal controls and sub-certification

• Other important University-related internal controls

IC-03

Internal Controls Overview – Key Management Process

Many people equate controls with accountants and auditors; however, controls are part of the day-to-day management process. Internal control simply refers to the controlling activities that are performed within an organization.

“Management process is a process of planning and controlling the performance or execution of any type of activity. . . . Organization’s top management is responsible for carrying out this management process.”

Management Process (from Wikipedia)

IC-04

Internal Controls Overview – Purpose of Internal Controls

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

Purpose of Internal Controls:

• Keeps an organization on course toward its objectives and the achievement of its mission, and minimizes surprises along the way.

• Promotes effectiveness and efficiency of operations, reduces the risk of asset loss, and helps to ensure compliance with laws and regulations.

• Ensures the reliability of financial reporting (i.e., all transactions are recorded and that all recorded transactions are real, properly valued, recorded on a timely basis, properly classified, and correctly summarized and posted.)

• Helps protect our students, our staff, our management, and the public.

  • Safety

  • Integrity

  • Reputation

IC-05

Internal control consists of five interrelated components, all five of which must be present to conclude that internal control is effective.

The components include:

1. Control (or operating) environment

2. Risk assessment

3. Control activities

4. Monitoring, and

5. Information and communication

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

Internal Controls Overview – Components of Internal Controls

IC-06

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

An effective control system provides reasonable, but not absolute assurance for the safeguarding of assets, the reliability of financial information, and the compliance with laws and regulations.

Reasonable assurance is a concept that acknowledges that control systems should be developed and implemented to provide management with the appropriate balance between risk of a certain business practice and the level of control required to ensure business objectives are met.

The cost of a control should not exceed the benefit to be derived from it.

Internal Controls Overview – Relationship Between Risks, Costs and Controls

IC-07

1. Control Environment – the control consciousness of an organization. The control environment is greatly influenced by the extent to which individuals recognize that they will be held accountable.

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

The control environment includes technical competence and ethical commitment; it is an intangible factor that is essential to effective internal control. Management is responsible for “setting the tone” for the organization by fostering the highest levels of integrity and personal and professional standards, demonstrating a leadership philosophy and operating style which promotes internal control, and the assignment of authority and responsibility.

Internal Controls Overview – Components of Internal Controls

In a control conscious environment, all employees are responsible for implementing internal controls and for reporting or taking other corrective actions to mitigate possible control issues/weaknesses.

IC-08

2. Risk Assessment – the identification and analysis of risks associated with the achievement of operations, financial reporting, and compliance goals and objectives. This, in turn, forms a basis for determining how those risks should be managed.

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

Risk is the probability that an event or action will adversely affect the organization.

To achieve goals and objectives, management needs to effectively balance risks and controls. Therefore, control procedures need to be developed so that they decrease risk to a level where management can accept the exposure to that risk.

By performing this balancing act “reasonable assurance” can be attained.

Excessive Risks | Excessive Controls
Loss of Assets, Donor, or Grants | Increased Bureaucracy
Poor Business Decisions | Reduced Productivity
Noncompliance | Increased Complexity
Increased Regulations | Increased Cycle Time
Public Scandals | Increase of No-Value Activities

To achieve a balance between risk and controls, internal controls should be proactive, value-added, cost-effective and address exposure to risk.

Internal Controls Overview – Components of Internal Controls

IC-09

2. Risk Assessment (continued)

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

Risk Analysis

After risks have been identified, a risk analysis should be performed to prioritize those risks:

• Assess the likelihood (or probability and threat) of the risk occurring

• Estimate the potential impact if the risk were to occur; consider both quantitative and qualitative costs **

• Determine how the risk should be managed; decide what actions are necessary.

** Examples of:

Quantitative costs include the cost of property, equipment, or inventory, cash dollar loss, damage and repair costs, cost of defending a lawsuit, etc.

Qualitative costs can have wide-ranging implications to the University. These costs may include loss of public trust, loss of future grants, gifts and donations, injury to the University’s reputation, increased litigation, violation of laws, etc.

Internal Controls Overview – Components of Internal Controls

IC-10

3. Control Activities – the actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks.

Controls can be classified as preventive, detective, or corrective controls.

• Preventive controls (P) - attempt to deter or prevent undesirable events from occurring. They are proactive controls that help prevent a loss.

• Detective controls (D) - attempt to detect undesirable acts.

• Corrective controls (C) - are procedures that fix an error or control situation.

Control activities generally include:

• approvals, authorizations, and verifications,

• reconciliations,

• reviews of performance,

• security of assets,

• segregation of duties,

• training, and

• controls over information systems.

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

Internal Controls Overview – Components of Internal Controls

IC-11

3. Control Activities (continued)

Control Activities – Approvals (Preventive)

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

Approvers should review supporting documentation, question unusual items, and make sure that necessary information is present to justify the transaction – before they sign it. Signing blank forms is never allowed. Approval authority is delegated in writing and may be linked to specific dollar levels. Transactions that exceed the specified dollar level would require approval at a higher level.

Key approval controls:

• Written policies and procedures

• Limits to authority

• Supporting documentation

• Question unusual items

• No “rubber stamps”, and

• No blank signed forms

Internal Controls Overview – Components of Internal Controls

IC-12

3. Control Activities (continued)

Control Activities – Reconciliations (Detective)

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

A reconciliation is a comparison of different sets of data to one another, identifying and investigating differences, and taking corrective action, when necessary.

Reconciliations help to ensure the accuracy and completeness of transactions that have been charged to a department’s accounts, and that those transactions were properly approved.

A critical element of the reconciliation process is to resolve differences.

Reconciliations should be documented and approved by management.

Internal Controls Overview – Components of Internal Controls

IC-13

3. Control Activities (continued)

Control Activities – Reviews (Detective)

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

Reviewing reports, statements, reconciliations, and other information by management is an important control activity. Management should review such information for consistency and reasonableness.

Management reviews should generally include:

• Budget to actual comparison

• Current to prior period comparison

• Performance indicators

• Follow-up on unexpected results or unusual items

Reviews of performance provide a basis for detecting problems.

Management should compare information about current performance to budgets, forecasts, prior periods or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions which require follow-up.

Management’s review of reports, statements, reconciliations, and other information should be documented, as should the resolution of items noted for follow-up.

Internal Controls Overview – Components of Internal Controls

IC-14

3. Control Activities (continued)

Control Activities – Asset Security (Preventive and Detective)

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

Assets, such as cash, checks, credit cards, laptops, vital documents, critical systems, and confidential information must be safeguarded against unauthorized use or disposition. Typically, access controls are the best way to safeguard these assets.

Examples of access controls are:

• Locked doors

• Card key systems

• Locked filing cabinet

• Guard

• Computer password

• Data encryption

Departments with capital assets or significant inventories should establish perpetual inventory control over these items by recording purchases and issuances.

Periodically, items should be physically counted by a person who is independent of the purchase, authorization and asset custody functions, and the counts should be compared to balances per perpetual records.

Missing items should be investigated, resolved, and analyzed for possible control deficiencies; perpetual records should be adjusted to physical counts if missing items are not located.

Internal Controls Overview – Components of Internal Controls

IC-15

3. Control Activities (continued)

Control Activities – Segregation of Duties (Preventive and Detective)

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

Segregation of duties is critical to effective internal control; it reduces the risk of both erroneous and inappropriate actions. In general, the approval function, the accounting/reconciling function, and the asset custody function should be separated among employees. Segregation of duties is a deterrent to fraud because it requires collusion with another person to perpetrate a fraudulent act.

No one person should . . .

• Initiate the transaction

• Approve the transaction

• Record the transaction

• Reconcile balances

• Handle assets

• Review reports

At least two sets of eyes required of all transactions

Internal Controls Overview – Components of Internal Controls

IC-16

3. Control Activities (continued)

Control Activities – Segregation of Duties (Preventive and Detective)

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

Specific examples of segregation of duties include:

• The person who requisitions the purchase of goods or services should not be the person who approves the purchase.

• The person who approves the purchase of goods or services should not be the person who reconciles the monthly financial reports.

• The person who approves the purchase of goods or services should not be able to obtain custody of checks.

• The person who maintains and reconciles the accounting records should not be able to obtain custody of checks.

• The person who opens the mail and prepares a listing of checks received should not be the person who makes the deposit.

• The person who opens the mail and prepares a listing of checks received should not be the person who maintains the accounts receivable records.

Internal Controls Overview – Components of Internal Controls

IC-17

4. Monitoring – the assessment of internal control performance over time; it is accomplished by ongoing monitoring activities and by separate evaluations of internal control such as self-assessments, peer reviews, and internal audits.

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

The purpose of monitoring is to determine whether internal control is adequately designed, properly executed, and effective.

Internal control is effective if management and interested stakeholders have reasonable assurance that:

• They understand the extent to which operations objectives are being achieved.

• Published financial statements are being prepared reliably.

• Applicable laws and regulations are being complied with.

While internal control is a process, its effectiveness is an assessment of the condition of the process at one or more points in time.

Internal Controls Overview – Components of Internal Controls

IC-18

5. Information and Communication – information about an organization’s plans, control environment, risks, control activities, and performance must be communicated up, down, and across an organization.

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

When assessing internal control, the key questions to ask about information and communication include:

• Does the department get the information it needs from internal and external sources – in a form and timeframe that is useful?

• Does the department get information that alerts it to internal or external risks (e.g., legislative, regulatory, and developments)?

• Does the department get information that measures its performance – information that tells the department whether it is achieving its operations, financial reporting, and compliance objectives?

• Does the department identify, capture, process, and communicate the information that others need (e.g., information used by our customers or other departments) in a form and timeframe that is useful?

• Does the department provide information to others that alerts them to internal or external risks?

• Does the department communicate effectively – internally and externally?

Internal Controls Overview – Components of Internal Controls

IC-19

Internal Controls Overview – University’s Internal Control Questions

What are the primary internal controls that the University has specified as being required?

IC-20

In an effort to assess and improve the University’s internal controls, beginning in FY2006, the University requested operations to annually assess whether sufficient internal control structures are in place to effectively identify weaknesses in financial processes and systems, and to sub-certify compliance on 16 key internal controls.

The controls status is based on the following criteria:

• Green – generally complies with policies and control activities

• Yellow – partially complies with policies and control activities; opportunities for improvement exist

• Red – routinely does not comply with policies and control activities; improvement is needed.

Areas assessed as “yellow” or “red” require action plans to resolve the control gaps.

Because they must be assessed annually, these 16 controls (or control processes) should be assumed to be required University controls.

Internal Controls Overview – University’s Internal Control Questions

IC-21

Does the College/Office . . .

1. Require staff with fiscal responsibilities to attend system training offered by OIT and financial training offered by the Controller’s Office?

2. Follow personnel and payroll policies set forth by the Office of Human Resources?

3. Have an effective control structure that includes monitoring activities, to ensure compliance with University policies regarding use of Procurement Cards?

4. Have processes and monitoring activities in place to ensure compliance with the guidelines on alcohol, meals, entertainment, recruiting, cellular phones, employee recognition events, professional dues and subscriptions, and payment for services set forth in the University Expenditure Policies?

5. Have processes and monitoring activities in place to ensure compliance with University Travel Policies?

Internal Controls Overview – University’s Internal Control Questions

IC-22

Does the College/Office . . .

6. Coordinate all gift and fundraising activities with the Office of University Development?

7. Process all sponsored research proposals and agreements through the OSU Research Foundation?

8. Submit proposed rates and earnings budgets to Resource Planning for all operations that sell goods or services?

9. Maintain supporting documentation for its financial transactions, in accordance with retention guidelines set forth by University Archives?

10. Perform monthly reconciliations of transactions appearing in its general ledger reports (e.g. payroll, purchasing, travel, etc.) to internal source documents?

11. Have an established process for reporting financial errors, problems, etc. to senior administrators within the college?

Internal Controls Overview – University’s Internal Control Questions

IC-23

Does the College/Office . . .

12. Reconcile all non-cash assets and liabilities to supporting detail on a monthly basis?

13. Have processes and monitoring activities in place to ensure compliance with fund restrictions imposed by donors, granting agencies and other resource providers?

14. Have processes and monitoring activities in place to ensure compliance with University Treasurer policies on cash handling (including separation of duties, timely preparation of deposits, rules on petty cash/change funds, management review of deposit corrections, and reporting of cash shortages to Internal Audit and OSU Police)?

15. Require faculty and staff with fiscal responsibilities to understand and observe the Ohio Ethics Law?

16. Have processing and monitoring activities in place to ensure effective custody over non-cash assets, including maintenance of accurate equipment inventory records, measures to prevent loss/theft of items, and compliance with University surplus/disposal policies?

Internal Controls Overview – University’s Internal Control Questions

IC-24

Internal Controls Overview – Other University Internal Controls

The following are other important University-related internal controls or requirements:

• Emergency Management and Business Continuity Plans.

• PeopleSoft access security, limiting access and functionality.

• Conflict of Interest disclosures completed annually.

• University error/violation reporting procedures and anonymous reporting line.

• Dollar limits for transactions, such as for purchases and authorizations.

• Requirement for budgets and frequent comparisons of “budget to actuals.”

• Requirement of submission of fees and rates, and approval by BOT.

• Payroll certifications.

IC-25

Internal Controls Overview – Other University Internal Controls

Other important University-related internal controls (continued):

• Requirement to “tag” all items purchased over a dollar threshold.

• Maintain listings of “delegation of authorities.”

• Requirements for background checks for staff (based on responsibilities).

• Multiple ways to perform purchasing, reducing risk of not being able to purchase items that are needed.

• Independent controls monitoring and reporting by the Department of Internal Audit.

• Independent controls monitoring and reporting by external auditors (for the State).

(just to name a few . . . )

IC-26

This completes the course material; now let’s summarize.

Internal Controls Overview – Summary

Summary – Management Process:

Effective internal control is a built-in part of the management process of planning and controlling.

Summary – Purpose of Internal Controls:

• Keeps an organization on course toward its objectives and the achievement of its mission, and minimizes surprises along the way.

• Promotes effectiveness and efficiency of operations, reduces the risk of asset loss, and helps to ensure compliance with laws and regulations.

• Ensures the reliability of financial reporting (i.e., all transactions are recorded and that all recorded transactions are real, properly valued, recorded on a timely basis, properly classified, and correctly summarized and posted.)

• Helps protect our students, our staff, our management, and the public.

  • Safety

  • Integrity

  • Reputation

IC-27

Summary – 5 Components of Internal Controls:

Internal control consists of five interrelated components, all five of which must be present to conclude that internal control is effective. The components include:

1. Control (or operating) environment

2. Risk assessment

3. Control activities

4. Monitoring, and

5. Information and communication

Source: “Understanding Internal Controls, A Reference Guide for Managing University Business Practices”, by University of California.

Internal Controls Overview – Summary

IC-28

Summary – Overall Purpose

Internal Controls Overview – Summary

Thank you for your participation!!

IC-29

The purpose of this class was to provide an overview of internal controls and to relate internal controls to the day-to-day management of operations.

Have we achieved our objective?

If you have questions about internal controls, please contact:

• Your Senior Fiscal Officer or other appropriate unit staff

• University Controller’s Office, or

• Internal Audit

Please complete the course review questions. Successful completion of the review questions is required to indicate completion of the course.