Internal Controls - Purdue University

Internal Control Workshop
Kenneth Wilson, Associate Comptroller
Deb Martin, Internal Auditor
Quiz on what you know
Movie on applying internal control concepts in
higher education
Review answers to quiz
Presentation reviewing concepts, objectives,
and risk assessment
Case studies
Internal Control Quiz
Internal Control Concepts &
Why have Internal Controls?
Promote operational efficiency and
Provide reliable financial information
Safeguard assets and records
Encourage adherence to prescribed
Comply with regulatory agencies
Basic Concepts of Internal Controls
Management, not auditors, must establish
and maintain the entity’s controls
Internal controls structure should provide
reasonable assurance that financial reports
are correctly stated
No system can be regarded as completely
Should be applied to manual and
computerized systems
Detailed Internal Control Objectives
Recorded transactions are valid
Transactions are properly authorized
Existing transactions are recorded
Transactions are properly valued
Transactions are properly classified
Detailed Internal Control Objectives
Transactions are recorded at the proper time
Transactions are properly included in
subsidiary records and are correctly
Ensure compliance with policy
Safeguard Assets
What are Control Activities?
Control activities are the policies and
procedures that help ensure that actions
identified as necessary to manage risks
are carried out properly and in a timely
Policies should be implemented thoughtfully,
conscientiously, and consistently
Mechanical procedures are not useful without
focus on policies
Control Activities Include:
Reviews of
Security of Assets
Segregation of
Controls over
Information Systems
Approval, Authorization, & Verification
Management authorizes activities and
transactions within limited parameters.
Management specifies when prior supervisory
approval is needed.
A supervisor’s approval implies that he/she
verified conformance with policies and
Relate different sets of data to one
Identify and investigate differences.
Take corrective action when necessary.
Reviews of Performance
Management compares information about current
To budgets
Prior periods, competitors
Other benchmarks
Measures against achievement of goals and objectives.
Identify unexpected results or conditions which require
Security of Assets
Access to assets such as equipment,
inventories, and cash is restricted.
Periodically assets are counted and
compared to control records.
Segregations of Duties
Duties are segregated to reduce the risk of
error or inappropriate action.
Normally the responsibilities of the following
should be separated:
Initiating, approving, & recording transactions
Handling the related assets
Reconciling balances
Reviewing reports
One person cannot steal and conceal.
Controls over Information Systems
General controls include data center, system
software acquisition & maintenance, security
access, and system development &
General controls support the functioning of
application controls.
Application controls are programmed steps
designed to control application processing.
Risk Assessment: Creating the
Right Balance and
Understanding the Limitations
of Internal Controls
Risk Assessment is a process to
Identify significant risks
Assess risks
What is the likelihood of occurrence?
What is the potential impact?
Manage these risks through:
Acceptance and Sharing (Insurance)
Mitigate with Controls
What are risks?
A risk is anything that could jeopardize the
achievement of your organization’s objective.
 Achieve our goals
 Operate effectively and efficiently
 Protect the university’s assets from loss
 Provide reliable financial data
 Comply with applicable laws, policies, and
Questions to ask yourself:
What can go wrong?
How could someone steal from us?
What policies are we most affected by?
What types of transactions in our area
provide the greatest risk?
How can someone bypass the internal
What potential risk areas could cause
adverse publicity?
Limitations on Internal Controls
Employees can make mistakes or exercise
poor judgment
There can be collusion – where two or more
individuals work together to steal
Management may inappropriately override
established policies or procedures
To: Faculty, Staff, and Students
Fr: A. V. Diaz
Executive Vice President for Business and Finance, Treasurer
Re: Fraud Reporting Program
Best practices provide for a fraud reporting program as an important part of a healthy business environment. Purdue University has in
place controls to provide reasonable assurance that fraudulent, illegal, or dishonest activity on the part of University employees, officers, or
business contacts is prevented or detected, but the potential for inappropriate transactions and behavior still exists within the University, as
it does in any organization. therefore, consistent with best business practices, Purdue University has implemented a fraud reporting
program to ensure that the University provides a mechanism for reporting improper or inappropriate acts.
This is an important program, and I encourage you to use it when appropriate and to communicate the existence of this program to your
Colleagues in the University community. Please help us make the program a success by using it for its intended purpose, reporting
suspected improper or illegal acts affecting Purdue University that you have witnessed or of which you might have knowledge. Personal
complaints regarding harassment or issues other than fraud should be filed according to existing University policies.
The Internal Audit Office is responsible for the administration of the Purdue University fraud reporting program. For additional information
on the program, please visit A Disclosure Form for Anonymous Reporting is available at the Web site. If you have
specific questions about the program, please contact Peggy Fish, Director of Audits, at (765) 494-7588 or [email protected]
To anonymously report suspected fraud or other wrongdoings, call (765) 494-6999, toll-free (866) 818-2620, or mail information to Purdue
University, Internal Audit Office, Freehafer Hall of Administrative Services, 401 S. Grant Street, West Lafayette, IN 47907-2024.
Thank you for your assistance and commitment to this effort.
c: President France A. Córdova
Hovde Hall, Room 230 • 610 Purdue Mall • West Lafayette, IN 47907-2040 Phone (765) 494-9705 • Fax (765) 494-9062
Reportable Activities Include
Improper reporting of time
Questionable payments
Misuse or questionable use of cash/p-cards
Diversion of or lack of timely deposit of revenues
Credit card fraud
Inappropriate communication of confidential
Any other illegal or questionable acts
Fraud Reporting Program
Not Intended for:
Monitoring personnel issues:
address through departmental management or Human Resources
Direct to the Office of the Vice President for Ethics and
Compliance or to the Office of Institutional Equity Issues
related to:
affirmative action
equal access
equal employment
educational opportunity
Mechanisms to Report
Suspicious Acts
Fraud Reporting Hotline
a) is anonymous
b) has no caller ID
c) has no call back option
Anonymous Form
a) available through Internal Audit’s homepage
Call Internal Audit Direct
Internal Control
Case Studies
New Business Manager
 2 employees
 Payroll Clerk, 20 yrs. exp., does own payroll/HR
processing, does all follow-up review, knows new system,
everyone is happy with her, wants to be left alone,
schedules vacation around payroll, will call you when she
needs you
 Accounting Clerk, 18 months exp. at PU, prior exp., no
training except invoice vouchers, does work by category
once a month (Cash receipts, funds transfers, billings,
Budget Adjustments, Error Corrections.) Purchasing done
as needed. Works well with giving academic
administrators what they need.
 BA has senior role with Dean, does not look at monthly
statements since staff is so competent and has delegated
all signature authority without further review.
Procurement Cards
 One clerk for procurement card transactions – extensive
use of the card occurs. People love its ease.
 Only has one card so not does need a check-out process.
 Distribution document is quickly reviewed and approved.
Does account allocation but never changes object code.
 Users have 90 days to turn in receipts – meets
requirement to turn in reconciliation within 90 days.
 Validates amount of receipt matches the reconciliation.
 Missing receipts are not pursued – she finds that the BM
accepts certain explanations for missing receipts and she
always uses these standard reasons.
 The clerk is newly graduated from high school and is upto-date on desktop computer skills. Saves the
department from having to train her. They are very
 PI has federal grant that requires a lot of travel.
 Car travel primarily to 3 locations.
 PI is account manager and has chosen who the delegate will be
– a clerk reporting to them.
 Business Manager delegated signature authority, but delegate
insists on signing Bus Managers name – BM agreed to this.
 PI/delegate make travel arrangements and process all
 Delegate knows of instance where PI was in town during “travel”
 BM just found out exception to policy routinely filed – no receipts
for travel since PI stays with colleagues.
 Cuts down on grants travel costs – everyone is happy.
 It bothers BM, but you are reviewing monthly statements and feel
as good as you can about it.
Asset Control
 Inventory of capital assets is hard to make a priority.
 New capitalization limit is wonderful, assets went from
500 to 150.
 Inventories have never really been completed in past.
 Lot of movement in departmental equipment – a lot of
take home.
 Student hourly is performing inventory with scanning
 125 of 150 items found – BM is very happy with this #
but is being asked to resolve the remaining 25,
 Not really BM problem since she is new since last
inventory 2 years ago.
 Will be hard to resolve since equipment taken home is
not recorded and equipment has been disposed of.
 Property Accounting is requiring police reports on
unresolved items.
Receipting of Revenue
 ½ day workshop developed for 300 people, at $50 per person.
 Chair has decided to deposit the revenue in a restricted fund to
maintain control.
 Documentation for registration states that fee is a donation – although
the donation is required for registration.
 Department secretary is in charge of process and will receive and
process all registrations and payments.
 Chair is not interested in details, only wants final list.
 Cash and checks coming via mail and hand delivered.
 Registration information is entered into a database and registration
forms are then destroyed because of lack of storage space.
 Receipts are not being issued because mailed-in registrations would
be too much trouble and expense.
 Secretary accumulated all receipts before processing CRV.
 Business Manager found out about this when transaction showed up
on the monthly operating statements.
Internal Controls
 Thank you for your time and participation
 If questions please contact Ken Wilson at
47366 or [email protected] or Deb
Martin [email protected]