Internal Controls and Best Practice Katarina Bugariu – Associate comptroller

AA Roundup
February 24, 2016
Internal Controls Definition

Internal Control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:
1) Effectiveness and Efficiency of Operations. Processes are doing what they are intended to do (i.e. achieving their objectives) and doing so in an efficient manner, i.e. making good use of available resources.
2) Compliance with Laws and Regulations. Actions are consistent with all applicable laws and regulations.
3) Reliability of Financial Reporting. Accuracy and reliability of Financial Statements.
Real world Summary
Why Internal Controls are Important

• Provides management with confidence that the entity is operating according to standards which are monitored; someone is watching.
• Indicates to staff that what they are doing is important and that QUALITY is important.
• Sends a signal that certain behaviors will not be tolerated.
Internal Controls are Common Sense
• What do you worry about going wrong?
• What steps have you taken to assure it doesn’t?
• How do you know things are under control?
Risk and Internal Controls
• What are risks?
A risk is anything that could jeopardize:
  • Achieving our goals
  • Operating effectively and efficiently
  • Protecting the college’s assets from loss
  • Providing reliable financial data
  • Complying with applicable laws, policies and procedures
Risks and Internal Controls
• Questions to ask yourself:
  • What can go wrong? How can we fail?
  • How can someone steal from us?
  • What policies are we most affected by?
  • What types of transaction in our area provide the greatest risk?
  • How can someone bypass the internal controls?
  • What potential risk areas could cause adverse publicity?
Conditions that Increase risk
• Lack of segregation of duties
• Too much trust
• No follow-up when things appear “questionable” or “not reasonable”
• Lack of control over cash/petty cash
• Lack of control over purchasing of materials/supplies
• Lack of knowledge of policies and procedures
Risk and Internal Controls
Assess Risks
• What is the likelihood of occurrence
• What is potential impact
Risks and Internal Controls
• What can go wrong in your department?
  • Fire breaks out
  • Banner/Jagnet goes down
  • Key employees call in sick
  • Media becomes aware of P-card fraud
  • Cash missing from departmental funds
  • Faculty hires family member inappropriately
Key Risk Areas
• Federal Compliance – All types
• Information Technology – Security, privacy and access
• Disaster Planning / Recovery
• Student / Faculty / Employment Safety
• Facilities and Construction Management
Types of Internal Controls
Controls can either be automated or manual
• Automated Controls – Incorporated into applications logic/algorithms
  • Example: System automatically searches for a matching PO before paying an invoice
• Manual Controls – Performed by individuals outside of the system or application
  • Example: Supervisor’s signature on Expense Reports
Types of Internal Controls
• Controls can either be preventive or detective
Types of Internal Controls - Preventive
Preventive Controls: Built into the process or system to avoid or minimize risk. Helps make process more efficient and can reduce cost of corrective actions.
• Discourage Fraud
• Access controls – Only individuals with approved access can perform transactions in Banner
• Access to equipment and inventories is restricted
• Segregation of duties for authorizing transactions (approval), recording transactions (accounting) and handling the related access (custody)
Types of Internal Controls - Detective
• Detective Controls: Provide a process assessment to identify potential issues for further review
  • Cash counts and bank reconciliations
  • Review payroll reports (review your payroll statement)
  • Review actual expenditure against budget
  • Physical Inventories
  • Audits
Types of Internal Controls
Controls – particularly related to information processing – support the following objectives or assertions:
• Completeness – All transactions are processed (once and only once)
• Accuracy – All transactions are processed correctly
• Validity – All transactions are authorized or approved by appropriate person
• Restrictiveness – Access to certain functions is restricted to appropriate persons
CAVR and Your Checkbook
When you reconcile your checkbook every month, you are going through the CAVR steps:
• Completeness – Did the bank process all the checks that I wrote this month?
• Accuracy – Did the bank process all the checks correctly? The right amount?
• Validity – Were all the checks processed by the bank written by me?
• Restrictiveness – Did someone else have access to my checkbook?
CAVR and the Gross Pay Register
• Completeness – All employees that should be in the system, are in the system?
• Accuracy – The pay for a new hire starting in the middle of a month is correct?
• Validity – Additional pay was approved by appropriate person?
• Restrictiveness – Person making changes to the employee master file is not processing payroll?
Internal Control Framework
| Component | General Description | Examples at STC |
|---|---|---|
| Control Environment | Sets tone of Organization | Code of Conduct / Ethics training, HR & Finance Committees and Fraud Hotline |
| Risk Assessment | Identification and analysis of relevant risks | Internal Audit Risk Assessment and Risk Management |
| Control Activities | Policies and procedures that govern day-to-day activity | Account Reconciliations, Segregation of Duties, Expense Report Approvals, Written Procedures and Access Controls |
| Information and Communication | Flow of timely, accessible and pertinent information | Management reviews, Board reports, Board Meetings and Audit findings |
| Monitoring | Assessment of controls | Internal audit, self-assessments and External Audit |
Components of Internal Control
• To be effective, control activities must be:
  • Appropriate
  • Functioning consistently according to plan throughout the period
  • Cost effective, comprehensive, reasonable; and
  • Directly relate to the control objective
Testing
Why controls don’t always work
• Inadequate knowledge of policies or governing regulations.
• Inadequate segregations of duties.
• Inappropriate access to assets.
• Form over substance.
• Control override.
• Inherent limitations.
What is Fraud
• Fraud – Typically requires 3 elements
  • Did something bad/wrong – misrepresentation of facts
  • Done intentionally
  • Resulted in unauthorized personal gain
Fraud Diamond - Explains why employees commit fraud
Incentive
• Personal Debts
• Greed
• Drug Abuse
• Organized Crime
• Inappropriate values
• Job/company dissatisfaction
Rationalization
Opportunity
• Inadequate internal controls
• Weak / Remote Management
• Knowledge of systems
• Skills required to undertake
Capability
Character Traits and Mannerisms of people likely to commit fraud
• Unwillingness to share duties or take vacations
• Employees who are overly interested in the personal lives of their co-workers
• Refusal to implement internal controls or procedures.
• Employees who work excessively yet keep poor accounting records
• Chronic shortage of cash
• Past legal problems
• Addiction problems
How does Fraud occur?
• Billing – Employee submits invoice for payment to bogus vendor or for personal expenses
• Non-cash – Employee steals office supplies, stamps, business services, identity of students/staff, etc.
• Expense reimbursement – Employee files expense report claiming personal travel, nonexistent meals, etc.
• Skimming – Employee accepts payment from customer but does not record
• Payroll – Employee takes unreported annual/sick leave, claims overtime for hours not worked, adds ghost employee to payroll, continued payment of terminated employees
• Conflict of Interest (Corruption) – Board or upper level management have financial interest from or with vendors. Misuse of influence for kickbacks.
What you can do!
When thinking about internal controls, consider the following:
• Propriety of transactions
• Reliability and integrity of information
• Compliance with policies and government regulations
• Safeguarding assets
What you can do!
• Economy and efficiency of operations…is there a better way to do the job?
• Make sure you have up-to-date policies and procedures;
• Ensure authorization limits are communicated within your department;
• Ensure all assets (especially cash) are safeguarded at all times;
• Establish document control (especially for spreadsheets);
• Ensure approval signatures are visible (legible) on all required documentation;
• Make sure data is only accessible by authorized personnel;
• Understand your department/function’s risks;
• Establish objectives and measures for your department/function and for major programs; and
• Track performance to evaluate your success!
Too much of a good thing
When looking at controls
• More is not necessarily better
  • Controls that do not work together, leaving holes
  • Cost of duplicated or inefficient controls.
  • Controls that do not align with the importance of the risks
• Complex and poorly implemented controls
  • Not understood or followed
  • Inconsistently applied
  • Control effectiveness can degrade over time
• No value for money
  • Controls cost money
  • Duplication of ineffective controls does not provide benefits
Important Concepts
• Internal control is a process; It is a means to an end, not an end itself.
• Internal control is effected by people; it’s not merely policy manuals and forms but people at every level of an organization.
• Internal control can be expected to only provide reasonable assurance, not absolute assurance.
Five Key Control Activities
1) Segregation of Duties
• Divide responsibilities between different employees so one individual doesn’t control all aspects of a transaction.
• Reduce the opportunity for an employee to commit and conceal errors (intentional or unintentional) or perpetrate fraud.
2) Documentation
Document & preserve evidence to substantiate:
• Critical decisions and significant events...typically involving the use, commitment, or transfer of resources.
• Transactions…enables a transaction to be traced from its inception to completion.
• Policies & Procedures…documents which set forth the fundamental principles and methods that employees rely on to do their jobs.
3) Authorization and Approvals
• Management documents and communicates which activities require approval, and by whom, based on the level of risk to the organization.
• Ensure that transactions are approved and executed only by employees acting within the scope of their authority granted by management.
4) Security of Assets
• Secure and restrict access to equipment, cash, inventory, confidential information, etc. to reduce the risk of loss or unauthorized use.
• Perform periodic physical inventories to verify existence, quantities, location, condition, and utilization.
• Base the level of security on the vulnerability of items being secured, the likelihood of loss, and the potential impact should a loss occur.
5) Reconciliation and Review
• Examine transactions, information, and events to verify accuracy, completeness, appropriateness, and compliance.
• Base level of review on materiality, risk, and overall importance to organization’s objectives.
• Ensure frequency is adequate enough to detect and act upon questionable activities in a timely manner.
Timing of reconciliations and monitoring
Today, tomorrow and the next day
• Think about CAVR whenever you are providing analysis or developing policies or implementing programs
• Beware of the pitfalls – more is not always better, controls must be maintainable
• Think about the things that worry you in your job and try to think of how internal controls could help alleviate your worry.