Internal Control Workshop Kenneth Wilson, Associate Comptroller Deb Martin, Internal Auditor Agenda Quiz on what you know Movie on applying internal control concepts in higher education Review answers to quiz Presentation reviewing concepts, objectives, and risk assessment Case studies Wrap-up Internal Control Quiz Internal Control Concepts & Objectives Why have Internal Controls? Promote operational efficiency and effectiveness Provide reliable financial information Safeguard assets and records Encourage adherence to prescribed policies Comply with regulatory agencies Basic Concepts of Internal Controls Management, not auditors, must establish and maintain the entity’s controls Internal controls structure should provide reasonable assurance that financial reports are correctly stated No system can be regarded as completely effective Should be applied to manual and computerized systems Detailed Internal Control Objectives Recorded transactions are valid Transactions are properly authorized Existing transactions are recorded Transactions are properly valued Transactions are properly classified Detailed Internal Control Objectives Transactions are recorded at the proper time Transactions are properly included in subsidiary records and are correctly summarized Ensure compliance with policy Safeguard Assets What are Control Activities? Control activities are the policies and procedures that help ensure that actions identified as necessary to manage risks are carried out properly and in a timely manner. Policies should be implemented thoughtfully, conscientiously, and consistently Mechanical procedures are not useful without focus on policies Control Activities Include: Approvals Authorizations Verifications Reconciliations Reviews of Performance Security of Assets Segregation of Duties Controls over Information Systems Approval, Authorization, & Verification Management authorizes activities and transactions within limited parameters. Management specifies when prior supervisory approval is needed. A supervisor’s approval implies that he/she verified conformance with policies and procedures. Reconciliations Relate different sets of data to one another. Identify and investigate differences. Take corrective action when necessary. Reviews of Performance Management compares information about current performance. To budgets Prior periods, competitors Other benchmarks Measures against achievement of goals and objectives. Identify unexpected results or conditions which require follow-up. Security of Assets Access to assets such as equipment, inventories, and cash is restricted. Periodically assets are counted and compared to control records. Segregations of Duties Duties are segregated to reduce the risk of error or inappropriate action. Normally the responsibilities of the following should be separated: Initiating, approving, & recording transactions Handling the related assets Reconciling balances Reviewing reports One person cannot steal and conceal. Controls over Information Systems General controls include data center, system software acquisition & maintenance, security access, and system development & maintenance. General controls support the functioning of application controls. Application controls are programmed steps designed to control application processing. Risk Assessment: Creating the Right Balance and Understanding the Limitations of Internal Controls Risk Assessment is a process to • • • Identify significant risks Assess risks What is the likelihood of occurrence? What is the potential impact? Manage these risks through: • Avoidance • Acceptance and Sharing (Insurance) • Mitigate with Controls What are risks? A risk is anything that could jeopardize the achievement of your organization’s objective. Achieve our goals Operate effectively and efficiently Protect the university’s assets from loss Provide reliable financial data Comply with applicable laws, policies, and procedures Risks Questions to ask yourself: What can go wrong? How could someone steal from us? What policies are we most affected by? What types of transactions in our area provide the greatest risk? How can someone bypass the internal controls? What potential risk areas could cause adverse publicity? Limitations on Internal Controls Employees can make mistakes or exercise poor judgment There can be collusion – where two or more individuals work together to steal Management may inappropriately override established policies or procedures Questions? OFFICE OF THE EXECUTIVE VICE PRESIDENT FOR BUSINESS AND FINANCE, TREASURER To: Faculty, Staff, and Students Fr: A. V. Diaz Executive Vice President for Business and Finance, Treasurer Re: Fraud Reporting Program Best practices provide for a fraud reporting program as an important part of a healthy business environment. Purdue University has in place controls to provide reasonable assurance that fraudulent, illegal, or dishonest activity on the part of University employees, officers, or business contacts is prevented or detected, but the potential for inappropriate transactions and behavior still exists within the University, as it does in any organization. therefore, consistent with best business practices, Purdue University has implemented a fraud reporting program to ensure that the University provides a mechanism for reporting improper or inappropriate acts. This is an important program, and I encourage you to use it when appropriate and to communicate the existence of this program to your Colleagues in the University community. Please help us make the program a success by using it for its intended purpose, reporting suspected improper or illegal acts affecting Purdue University that you have witnessed or of which you might have knowledge. Personal complaints regarding harassment or issues other than fraud should be filed according to existing University policies. The Internal Audit Office is responsible for the administration of the Purdue University fraud reporting program. For additional information on the program, please visit www.purdue.edu/fraud. A Disclosure Form for Anonymous Reporting is available at the Web site. If you have specific questions about the program, please contact Peggy Fish, Director of Audits, at (765) 494-7588 or plfish@purdue.edu. To anonymously report suspected fraud or other wrongdoings, call (765) 494-6999, toll-free (866) 818-2620, or mail information to Purdue University, Internal Audit Office, Freehafer Hall of Administrative Services, 401 S. Grant Street, West Lafayette, IN 47907-2024. Thank you for your assistance and commitment to this effort. c: President France A. Córdova Hovde Hall, Room 230 • 610 Purdue Mall • West Lafayette, IN 47907-2040 Phone (765) 494-9705 • Fax (765) 494-9062 Reportable Activities Include Theft Embezzlement Improper reporting of time Questionable payments Misuse or questionable use of cash/p-cards Diversion of or lack of timely deposit of revenues Credit card fraud Inappropriate communication of confidential information Any other illegal or questionable acts Fraud Reporting Program Not Intended for: Monitoring personnel issues: address through departmental management or Human Resources Direct to the Office of the Vice President for Ethics and Compliance or to the Office of Institutional Equity Issues related to: affirmative action equal access equal employment educational opportunity Mechanisms to Report Suspicious Acts Fraud Reporting Hotline a) is anonymous b) has no caller ID c) has no call back option Anonymous Form a) available through Internal Audit’s homepage Call Internal Audit Direct Internal Control Case Studies New Business Manager 2 employees Payroll Clerk, 20 yrs. exp., does own payroll/HR processing, does all follow-up review, knows new system, everyone is happy with her, wants to be left alone, schedules vacation around payroll, will call you when she needs you Accounting Clerk, 18 months exp. at PU, prior exp., no training except invoice vouchers, does work by category once a month (Cash receipts, funds transfers, billings, Budget Adjustments, Error Corrections.) Purchasing done as needed. Works well with giving academic administrators what they need. BA has senior role with Dean, does not look at monthly statements since staff is so competent and has delegated all signature authority without further review. Procurement Cards One clerk for procurement card transactions – extensive use of the card occurs. People love its ease. Only has one card so not does need a check-out process. Distribution document is quickly reviewed and approved. Does account allocation but never changes object code. Users have 90 days to turn in receipts – meets requirement to turn in reconciliation within 90 days. Validates amount of receipt matches the reconciliation. Missing receipts are not pursued – she finds that the BM accepts certain explanations for missing receipts and she always uses these standard reasons. The clerk is newly graduated from high school and is upto-date on desktop computer skills. Saves the department from having to train her. They are very happy. Travel PI has federal grant that requires a lot of travel. Car travel primarily to 3 locations. PI is account manager and has chosen who the delegate will be – a clerk reporting to them. Business Manager delegated signature authority, but delegate insists on signing Bus Managers name – BM agreed to this. PI/delegate make travel arrangements and process all transactions. Delegate knows of instance where PI was in town during “travel” BM just found out exception to policy routinely filed – no receipts for travel since PI stays with colleagues. Cuts down on grants travel costs – everyone is happy. It bothers BM, but you are reviewing monthly statements and feel as good as you can about it. . Asset Control Inventory of capital assets is hard to make a priority. New capitalization limit is wonderful, assets went from 500 to 150. Inventories have never really been completed in past. Lot of movement in departmental equipment – a lot of take home. Student hourly is performing inventory with scanning equipment. 125 of 150 items found – BM is very happy with this # but is being asked to resolve the remaining 25, Not really BM problem since she is new since last inventory 2 years ago. Will be hard to resolve since equipment taken home is not recorded and equipment has been disposed of. Property Accounting is requiring police reports on unresolved items. Receipting of Revenue ½ day workshop developed for 300 people, at $50 per person. Chair has decided to deposit the revenue in a restricted fund to maintain control. Documentation for registration states that fee is a donation – although the donation is required for registration. Department secretary is in charge of process and will receive and process all registrations and payments. Chair is not interested in details, only wants final list. Cash and checks coming via mail and hand delivered. Registration information is entered into a database and registration forms are then destroyed because of lack of storage space. Receipts are not being issued because mailed-in registrations would be too much trouble and expense. Secretary accumulated all receipts before processing CRV. Business Manager found out about this when transaction showed up on the monthly operating statements. Internal Controls Thank you for your time and participation If questions please contact Ken Wilson at 47366 or kjwilson1@purdue.edu or Deb Martin martindd@purdue.edu