Florida Association of State Agency Administrative Services Directors
August 29, 2014

Slide 1

"Internal control gets us where we want to go, without surprises along the way. Internal control is everyone's responsibility ... Internal control is me."
- from Cargill Corporation's Internal Control Statement

"Control ... support(s) people in the achievement of the organization's objectives ... Control is what makes an organization reliable in achieving its objectives."
- from Guidance on Control, The Canadian Institute of Chartered Accountants

Slide 2: Myths and Facts

Myth: "Internal control is a money (financial resources) thing. We do what the CFO tells us to do."
Fact: Although the financial aspect of control is very important, observable, and measurable, internal control affects every aspect of the organization's activities, such as suitable enforcement of regulations, health and safety, efficient use of resources, and our reputation.

Myth: "Internal controls are essentially negative, like a list of 'thou shall nots.'"
Fact: 1. Internal control helps the right thing happen the first time. 2. Repeat step 1. It helps people avoid making poor decisions and reduces the need for error correction.

Myth: "Internal control starts with a strong set of policies and procedures."
Fact: The control environment comes first.

Slide 3: Internal control is defined as

Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
This definition emphasizes that internal control is:
• Geared to the achievement of objectives in one or more separate but overlapping categories: operations, reporting, and compliance
• A process consisting of ongoing tasks and activities; a means to an end, not an end in itself
• Effected by people; not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control
• Able to provide reasonable assurance, but not absolute assurance, to an entity's senior management and board of directors
• Adaptable to the entity structure; flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process

Slide 4: A common objective is to efficiently safeguard assets with limited resources

When you are unable to assign the tasks of receiving assets separately from those of the asset custodian, create additional controls to reduce risks to an acceptable level. Examples could include:
• Ensure procedures are well documented, understood, and followed: leave the quantity to be received blank on the receiving report. The receiver/custodian states the number of items received and forwards the report to the person who approves the invoice. The invoice is compared to the number ordered from the PO and the number received.
• Secure the assets so only the custodian has access to them.
• Conduct frequent (small) inventories of the assets the custodian has under their control.
• Have the supplier ship directly to end users as needed instead of to the custodian.
• Use directive, preventive, detective, and mitigating controls in combination with one another.

Slide 5: The Internal Control Framework sets out three categories of objectives, which allows organizations to focus on separate aspects of internal control.
Operations Objectives include operational and financial performance goals, and safeguarding assets against loss, through the
• effectiveness and
• efficiency of the entity's operations.

Reporting Objectives encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity's policies for
• internal financial and non-financial reporting,
• external financial reporting, and
• external non-financial reporting.

Compliance Objectives pertain to adherence to laws and regulations to which the entity is subject.

Slide 6: Supporting the organization in its efforts to achieve objectives are five components of internal control:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities

These components are relevant to the entire entity and to its organization, its subsidiaries, divisions, or any of its individual operating units, functions, or other subsets of the entity.

Slide 7: Depicted in a cube, the relationships between categories of internal control objectives, components of internal control, and the entity structure may be viewed as:
• Vertical columns providing width are the three categories of objectives
• Horizontal rows providing height are the five components of internal control
• Vertical bands or layers providing depth represent the entity structure, beginning at the principal level and moving through the organization structure to the lowest level operating unit
Slide 8: The Green Book* is written for government

• Leverages the COSO Framework
• Uses government terms
• May be an acceptable framework for internal control for state and local government use under OMB Uniform Guidance for Federal Awards
• In addition to the 17 principles included in the COSO Internal Control framework, the Green Book extends the principles with attributes
• In general, all components, principles, and relevant attributes are required for an effective internal control system
• Management needs to document the circumstances if a principle or attribute is not relevant, including the rationale of how, in its absence, the associated component can be designed, implemented, and operated effectively

* Comptroller General of the United States, Standards for Internal Control in the Federal Government, 2013 Exposure Draft

Slide 9: Attributes contribute to the design, implementation, and effectiveness of the principles that make up internal control

For example, in the Control Environment Component:
• Principle 4: Demonstrate Commitment to Competence
  Attributes:
  o Establish expectation of competence
  o Attract, develop, and retain individuals, and
  o Plan and prepare for succession

The attributes are presented as part of management's responsibilities:
  o Management should establish expectations of competence throughout the organization
  o Management should attract, develop, and retain competent personnel, and
  o Management should define succession and contingency plans for key roles in the organization
Slide 10: The Green Book defines an internal control system as "a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved."

An effective internal control system requires that each of the five components, 17 principles, and relevant attributes are:
• Effectively designed, implemented, and operating
• Operating together in an integrated manner

It is management's responsibility to evaluate the effect of deficiencies on the internal control system. A component is not likely to be effective if the related principles and attributes are not effective.

Slide 11: Control Environment

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.
• Principle 1: Demonstrates Commitment to Integrity and Ethical Values
• Principle 2: Exercises Oversight Responsibility
• Principle 3: Establishes Structure, Authority, and Responsibility
• Principle 4: Demonstrates Commitment to Competence
• Principle 5: Enforces Accountability

Slide 12: Risk Assessment

Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.
• Principle 6: Specifies Suitable Objectives
• Principle 7: Identifies and Analyzes Risk
• Principle 8: Assesses Fraud Risk
• Principle 9: Identifies and Analyzes Significant Change

Slide 13: Control Activities

Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.
Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.
• Principle 10: Selects and Develops Control Activities
• Principle 11: Selects and Develops General Controls over Technology
• Principle 12: Deploys through Policies and Procedures

Slide 14: Information and Communication

Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day controls. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.
• Principle 13: Uses Relevant Information
• Principle 14: Communicates Internally
• Principle 15: Communicates Externally

Slide 15: Monitoring Activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.
• Principle 16: Conducts Ongoing and/or Separate Evaluations
• Principle 17: Evaluates and Communicates Deficiencies

Slide 16: Requirements and guidance

• Financial Reporting Management Representation letter(s) assuring agency compliance for financial reporting
• Florida Statutes
• Federal Regulations
  o GAO Standards for Internal Control in the Federal Government (Green Book) (exposure draft)
  o GAO Government Auditing Standards (Yellow Book)
  o OMB Uniform Guidance for Federal Awards
  o Federal Sentencing Guidelines

Slide 17: Florida Statutes provide that agencies establish and maintain internal controls in
• Section 215.86 Management systems and controls, and
• Section 20.55 Agency inspectors general, subsection (5).
Federal Regulations provide that internal controls be established and maintained in the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, dated Dec. 26, 2013, 2 CFR part 200.303. The Federal Regulation anticipates that the internal controls comply with guidance in the
• GAO Standards for Internal Control in the Federal Government, and
• COSO Internal Control Integrated Framework.

Slide 18: Financial statement audits performed in accordance with generally accepted governmental auditing standards also include reports on internal controls over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements that have a material effect on the financial statements. (GAO Yellow Book)

The Sarbanes-Oxley Act of 2002 directed the U.S. Sentencing Commission to review and amend the federal sentencing guidelines to ensure that guidelines applicable to organizations "are sufficient to deter and punish criminal misconduct." In Chapter 8, Sentencing for Organizations, the factors weighing on the level of punishment include the extent to which the organization exercises due diligence and promotes an organizational culture that encourages ethical conduct and a commitment to compliance with the law. This includes establishing standards of conduct and internal controls that are reasonably capable of reducing the likelihood of criminal conduct.

Slide 19: In conformance with Auditing Standards[1], the Chief Financial Officer (CFO) is required to make specific written representations to the Auditor General that management has fulfilled its responsibility in the preparation of the Consolidated Annual Financial Report (CAFR) financial statements and the administration and reporting of Federal awards. The Agency Representation Letter is used as a means for the agency, in turn, to certify to the CFO that it is in compliance with all of the applicable information provided within the CFO's representations.
The applicable time period covered by the letter is from the beginning of the period for which financial information is provided to the CFO through the CAFR issuance date. It should be noted that management's responsibility for internal controls is the first two topics in the agency letter and the second topic in the Federal awards representation letter.

Slide 20: A Closing Thought

When someone tells you they already have internal controls, as in "We have Segregation of Duties," put this statement into context. Segregation of Duties is one example of four types of Control Activity categories (Preventive, Directive, Detective, and Mitigating or Compensating). Control Activities is one of the five internal control Components. Put differently, with just Segregation of Duties you are, let's say, 4% to completion.

Component                    Category     Example of category     Illustrative Weighting
Control Environment                                                20
Risk Assessment                                                    18
Control Activities           Directive                              6
Control Activities           Detective                              5
Control Activities           Mitigating                             5
Control Activities           Preventive   Segregation of Duties     4
Control Activities           Preventive   Physical Safeguards       2
Control Activities           Preventive   Authorizations            2
Control Activities           Preventive   Passwords                 2
Information & Communication                                        18
Monitoring Activities                                              18
Total                                                             100