Segregate Duties

The Importance of Internal Controls
LGC Resource April 2014
WHAT ARE INTERNAL CONTROLS?
Processes effected by an entity’s management and other personnel designed to provide assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
COSO (Committee of Sponsoring Organizations) of the Treadway Commission
Control Environment
• The control environment is the core of any system of internal control.
• It sets the tone for the entire organization.
• Factors include:
  - ethical values
  - competence of employees at all levels
  - management’s operating style and attitude toward controls
Risk Assessment
• Risks are INTERNAL and EXTERNAL events that threaten the accomplishment of objectives.
• Process of identifying, evaluating, and deciding how to manage these events... What is the likelihood of the event occurring? What would be the impact if it were to occur? How do we reduce the risk?
• Consideration of Fraud
Control Activities
• Control Activities consist of the specific policies and procedures put in place to mitigate the risk of error, noncompliance, and fraud (physical inventory count, segregation of duties, authorization of activities, proper backup procedures).
Communication & Information
• Adequate information must be captured, identified, and communicated on a timely basis.
• Just a reminder... ACTIONS SPEAK LOUDER THAN WORDS
Monitoring
Monitoring occurs in the course of everyday operations; it includes regular management and supervisory activities and other actions personnel take in performing their duties.
Simple Definition
• Internal controls are common sense procedures that address:
  - What could go wrong?
  - What steps should be taken to prevent those events from happening?
Personal Internal Control System
• Locking your car when you leave it in the parking lot
• Comparing your receipts to your credit card statement
• Keeping your banking PIN confidential
Why are Internal Controls Important?
• They can catch small mistakes before they become big problems.
• They protect employees by removing opportunities for innocent mistakes or intentional fraud.
Why are Internal Controls Important?
• Protect the strong from temptation
• Protect the weak from opportunity
• Protect the innocent from false accusation
From Once upon Internal Control by James Ulvog, CPA
FRAUD TRIANGLE
Opportunity
Pressure
Rationalization
FRAUD
$208,830
$202,345
$177,630
FRAUD
Frauds discovered in recent years:
• Committed by one person
• Trusted employee
• Internal controls were either nonexistent or not monitored
Effective IS Controls
• Proper back-up procedures
  - Section 10-7-121, TCA, requires that records maintained electronically be copied to a storage media daily. Storage media more than one week old shall be stored at a location other than at the building where the original is maintained.
Effective IS Controls (cont.)
• Proper back-up procedures
  - Daily backups should be stored in a secure location within the office.
  - Weekly backups should be rotated to a secure, fireproof off-site location.
  - A backup log documenting the location of all backups should be maintained.
  - Backups should be tested.
Effective IS Controls (cont.)
• Password Maintenance
  - All users should have a unique login and password. Shared logins should not be used.
  - Passwords should remain confidential.
  - Passwords should be changed every 90 days.
  - Passwords of former employees should be immediately disabled.
Effective IS Controls (cont.)
• Disaster Recovery Planning
  - Specific steps to follow to restore system
  - Emergency phone numbers of personnel and vendors
  - Backup storage location
  - Manual procedures to follow until the system is restored
Effective IS Controls (cont.)
• Virus/Spyware Prevention
  - Virus detection software should be used.
  - Virus definitions should be kept current.
  - All files, e-mail attachments, etc. should be scanned.
Effective IS Controls (cont.)
• Policies and procedures manual
  - Operating system and application security
  - Start-up/shut-down procedures
  - Back-up procedures
  - Hardware and software maintenance procedures
  - Daily, monthly, and year-end procedures
  - Output distribution list
  - Hardware disposal policy
  - Virus prevention policy
Effective IS Controls (cont.)
• Loading Operating System Updates
• Restricting Physical Access to System
• Proper Application Controls
  - Adequate audit trail exists.
  - Audit logs are maintained and reviewed.
Audit Logs and Other Reports
• TnCIS
  - Delete Log Report
  - Out-of-Court Payments Report
• Trustee
  - Audit Changes By Date Report
  - Unprorated Receipts Report
  - Maximum Posting Date Report
• Fund Offices
  - Payroll Check Change Report
  - Maximum Posting Date Report
Reasons why controls don’t always work:
• Inadequate knowledge of policies or governing regulations.
  “I didn’t know that!”
• Form over substance
  “You mean I’m supposed to do something besides initial/sign it?”
• Inadequate segregation of duties
  “We trust ‘A’ who does all of these things”
The “Trusted Employee”
Per the ACFE’s 2012 Report to the Nations:
• 87% of the fraudsters studied had never been charged or convicted of a fraud-related offense
• 84% had never been punished or terminated by an employer for fraud-related conduct
What is Segregation of Duties?
In general, the main incompatible duties to be segregated are:
• Custody of Assets
• Authorization or approval of related transactions affecting those assets
• Recording or reporting of related transactions
What is Segregation of Duties?
• No employee should be in a position to both commit fraud or error and conceal it in their normal course of duties.
• At least two sets of eyes are required for any transaction
• Example: Movie Theater
What if it’s not possible to properly segregate duties?
Use Compensating Controls
• Supervisory or other oversight procedures designed to reduce the risk of errors or fraud not being detected
Compensating Controls
by James Climer @ Climercomics.com
EXAMPLES?
Effective Controls - Cash Receipts and Deposits
• Separate cash drawers
• Prenumbered cash receipts - 9-2-103, TCA
• Stamp checks “for deposit only” as soon as they are received
• Drawer checkout procedures
• Deposit timely - 3 day deposit law
• Deposit Receipts Intact
Effective Controls - Cash Receipts and Deposits (cont.)
• Deposit slips should be itemized
• Sign - “You must receive an official receipt or your transaction is not complete”
• Segregate Duties - Employees responsible for receipting should NOT also be responsible for posting receipts to the accounting records.
Effective Controls - Disbursements
• Disbursements by official prenumbered checks
• Review documentation
• Do not sign blank checks
• Segregate duties between writing checks, signing, distribution, and posting to the accounting records
Effective Controls - Bank Reconciliations
• One employee should be responsible for opening the bank statement, reviewing it, and initialing.
• A separate employee should reconcile the bank statement monthly
• Bank reconciliations should be reviewed by an employee not responsible for reconciling the statement.
Effective Controls - Procurement
• Establish clear lines of authority for approving purchases before they occur
• Purchase orders
• Verify availability of appropriations before purchases are approved
• Payments for purchases should only be made after documentation that the goods or services were received
• Segregate duties between approval, payment and updating the accounting records
Effective Controls - Journal Entries (JEs)
• Use a standard journal entry form
• Supervisory review and approval of all journal entries
• Segregate duties between preparation of the JE, approval of the JE, and posting to the records
• Supervisory review that all JEs were properly posted to the records
More information?
• Comptroller’s website has internal control checklists specifically designed for offices such as
  - Trustee
  - General Sessions and Circuit Court Clerk
  - Clerk and Master
  - Etc.
www.comptroller.tn.gov
INTERNAL CONTROL CHECKLISTS
Questions?
Penny Austin
Penny.Austin@cot.tn.gov
Amy Sosville
Amy.Sosville@cot.tn.gov