School Board Audit Committee Training
Module 3: Evaluation of Internal Controls

Session Objectives

After completing this session you will:
• Understand the Audit Committee’s responsibilities related to internal controls
• Understand internal controls and why they are important
• Distinguish between preventative and detective controls
• Appreciate the competing demands of process efficiency and effectiveness
• Understand how internal controls moderate inherent risk, reducing the likelihood and/or significance of a risk (resulting in residual risk)
• Be familiar with the COSO Framework
  – Control Environment
  – Risk Assessment
  – Internal Controls
  – Information & Communication
  – Monitoring

Audit Committee Duties related to Internal Controls [ON Regulation 361/10 9(2)]

• To review the overall effectiveness of internal controls.
• To review the scope of the internal and external auditor’s reviews of internal controls, as well as the findings, recommendations and management’s responses.
• To discuss with School Board officials the significant financial risks and the measures the officials have taken to monitor and manage these risks.

A definition of the internal control process

It is a “process effected by an entity’s board of directors/trustees, management, and other personnel, designed to provide reasonable assurance regarding the achievement of business objectives”

• Operations: Effective and efficient use of resources
• Compliance: Compliance with law and regulations
• Financial: Preparation of reliable financial statements

Internal controls are needed to help achieve key business objectives.

Internal control objectives

The objectives of an internal control system are as follows:
1. Enforce organizational policies and rules
2. Promote the effectiveness and efficiency of operations and optimize the use of resources
3. Increase the reliability of financial/management/ministry reporting
4. Ensure compliance with applicable laws and regulations

“The system of Internal Control is dependent on people”

• Whereas manuals and forms are tools used by people, it is people that make or break the internal control system.
• Without proper control education and motivation, people cannot and will not make the internal controls system work.
• Individuals will support the internal control system when they understand the system’s benefits to their personal interests and then to the organization. Without such an understanding, employees are apathetic at best and, at worst, will fight the system.
• A control must have Substance over Form, and NOT Form over Substance.

Example: Directors are required to review and approve invoices prior to payment. However, if the director approves a stack of invoices at the end of a week in a five-minute period, you must question whether the control is operating effectively.

“Internal controls can be expected to provide only reasonable assurance, not absolute assurance”

• Internal controls should not be expected to guarantee that risks are mitigated or that undesirable conditions are prevented.
• Internal controls do not prevent failures caused by poor management judgment or changing economic conditions.
• Management should not expect that all potential losses can be avoided. On the other hand, no entity should fail to install proper controls.
• A system of internal controls will provide the discipline and structure to provide the checks and balances to reduce risk exposure and enhance achievement of organizational (process) objectives.

Example: Only overtime that has been approved can be paid by payroll. However, there is a possibility that employees may claim overtime to which they are not entitled, which could potentially be approved and paid.

“Effectiveness is doing the things that achieve results, and efficiency is doing these things the right way”

• An organization must operate both effectively and efficiently, otherwise it risks failure.
• When an organization is effective, it is serving its stakeholders well. In the context of a school board, this includes serving students, parents, teachers, and the community at large.
• When an organization is efficient, it is wisely using the resources entrusted to it and achieving the best outcomes possible.

Types of internal controls

Preventative controls
Preventive controls are designed to prevent an error or misappropriation from occurring. They are considered to be before-the-fact controls that will prevent an undesirable outcome from occurring.

Detective controls
Detective controls are designed to detect errors after they have occurred and spur a prompt investigation. They are considered after-the-fact controls as they will not identify an undesirable outcome until after it has occurred. However, effective detective controls will help identify issues in a timely manner and may reduce the severity of losses.

Discussion – Control type exercise

1. An accounting department receives a listing of aged accounts receivable that details the amount and number of days the account has been past due.
   a) Preventative
   b) Detective
2. School board facilities may be rented for community use after school hours. The custodian of the school whose facilities were rented performs a site inspection after community use and reports any damages he/she finds.
   a) Preventative
   b) Detective
3. Beth works in the accounting department and can process payments for employee expense reports that have been approved in the system. However, Beth does not have the ability to approve expense reports.
   a) Preventative
   b) Detective
4. Purchase Orders are required in order to allow the School Board to purchase goods or services. Buyers cannot obtain a purchase order from procurement unless 3 quotes are submitted.
   a) Preventative
   b) Detective

Other types of internal controls

Compensating controls
At times what appears to be a weakness in control may not be a problem. The weakness is offset by compensating controls found elsewhere in the control structure. These controls are intended to compensate for system shortcomings and are a back-up approach to limiting risk exposure.

Directive controls
Organizations use directive controls to guide management behavior and decisions, as well as to direct organization policy and activities.

Monitoring controls
Monitoring controls (usually a management control) monitor the effectiveness of an entity’s internal controls and help in identifying problems in a proactive, rather than reactive, manner.

Discussion – Control exercise

Within your groups, perform the following:
1. Consider various business cycles in your School Board (i.e. payroll, expenditures/payments/revenues). What do you think some of the key controls are in this business cycle?
2. How would you classify these controls (preventative, detective, compensating, directive or monitoring)?
3. As an audit committee member, what are some examples of due diligence activities you could perform relating to the oversight of internal controls?

Internal controls can aid in the reduction of the likelihood and significance of risk

A quick refresher…
• Inherent risk is the assessed level of risk before considering controls.
• Residual risk is the assessed level of risk once internal controls are assessed.

[Figure: process inherent risk and process residual risk, shown against significance of risk and likelihood of occurrence]

How can internal controls add value to the organization?
Internal controls help provide reasonable assurance that the organization:
• Adheres to laws, regulations, and provincial directives
• Promotes orderly, economical, efficient, and effective operations that achieve planned outcomes
• Safeguards resources against fraud, waste, abuse, and mismanagement
• Develops and maintains reliable financial and management information and fairly discloses that data through timely reporting
• Demonstrates appropriate care of taxpayer funds

Internal controls DO NOT provide absolute assurance over the appropriateness, efficiency and effectiveness of business processes as there is a risk of:
• Bad judgment
• Error / mistake
• Collusion
• Cost / benefit constraints

COSO framework

• The process which ensures that relevant information is identified and communicated in a timely manner
• The evaluation of internal and external factors that impact an organization’s performance
• The process to determine whether internal control is adequately designed, executed, effective and adaptive
• The policies and procedures that help ensure that actions identified to manage risk are executed and timely
• The control conscience of an organization. The “tone at the top”

Control environment

• The control environment is the foundation for the internal control system. Without the control environment, the other components will collapse like a house built without a foundation.
• A number of elements influence the control environment:
  – Governance model
  – Organizational structure
  – Management’s philosophy and operating style
  – Assignment of authority and responsibility
  – Integrity and ethical values
  – Human Resource policies and practices
  – Commitment to competence
• People are the critical aspect of the internal control system.

[Diagram: Control environment, Risk assessment, Control activities, Monitoring]

Risk assessment

• As discussed in Module 2, risk assessment is identifying and analyzing the events and conditions (risks) that may prevent the achievement of the entity's objectives.
• Every entity faces both internal and external risks from a variety of sources. Through proper assessment, the entity can determine how to reduce or eliminate the impact of those risks.

Control activities

• Control activities provide the means to prevent the occurrence of identified risks, or if they cannot be prevented, to detect them as early as possible.
• Control policies and procedures must be established and executed to help ensure that the actions identified by management as necessary to address risks are effectively carried out.
• Includes both manual and automated controls, internal and external.

Information and communication

• Relevant information needed to conduct, manage and control operations is captured and communicated throughout the organization.
• Information systems produce reports containing operational, financial and compliance related information that make it possible to run and control the organization.
• Relevant information must be identified, captured and communicated in a form and timeframe that enables people both inside the organization and external stakeholders to carry out their responsibilities.

Monitoring

• Internal control systems need to be monitored. Monitoring is a process that assesses the quality of the internal control system's performance over time.
• The purpose of the monitoring activity is to assure the ongoing quality of the internal control system. This function monitors the internal control system.
• Monitoring is the capstone component covering all the other components.

Monitoring Activities

• Ongoing monitoring activities are built into the normal recurring activities of the entity. Examples are as follows:
  – Regular managerial activities (e.g. variance analysis)
  – Code of conduct compliance statements
  – Internal feedback (e.g. internal audit reports)
  – External feedback (e.g. Ministry communications/questions)
  – Training seminars and planning sessions