Module 3 – Evaluation of Internal Controls

School Board Audit Committee Training
Module 3
Evaluation of Internal Controls
Session Objectives
After completing this session you will:
Understand the Audit Committee’s responsibilities related to internal controls
Understand internal controls and why they are important
Distinguish between preventative and detective controls
Appreciate the competing demands of process efficiency and effectiveness
Understand how internal controls moderate inherent risk, reducing the likelihood and/or
significance of a risk (resulting in residual risk)
Be familiar with the COSO Framework
• Control Environment
• Risk Assessment
• Internal Controls
• Information & Communication
• Monitoring
Audit Committee Duties related to Internal Controls
[ON Regulation 361/10 9(2)]
• To review the overall effectiveness of internal controls.
• To review the scope of the internal and external auditor’s
reviews of internal controls, as well as the findings,
recommendations and management’s responses.
• To discuss with School Board officials the significant
financial risks and the measures the officials have taken to
monitor and manage these risks.
A definition of the internal control process
It is a “process effected by an entity’s board of directors/trustees, management, and other personnel, designed to provide reasonable assurance regarding the achievement of business objectives”
• Operations: Effective and efficient use of resources
• Compliance: Compliance with law and regulations
• Financial: Preparation of reliable financial statements
Internal controls are needed to help achieve key business objectives
Internal control objectives
The objectives of an internal control system are as follows:
1. Enforce organizational policies and rules
2. Promote the effectiveness and efficiency of operations and
optimize the use of resources
3. Increase the reliability of financial/management/ministry
reporting
4. Ensure compliance with applicable laws and regulations
“The system of Internal Control is dependent on people”
• Whereas manuals and forms are tools used by people, it is people that make or break the internal control system.
• Without proper control education and motivation, people cannot and will not make the internal control system work.
• Individuals will support the internal control system when they understand the system’s benefits to their personal interests and then to the organization. Without such an understanding, employees are apathetic at best and, at worst, will fight the system.
• A control must have Substance over Form, and NOT Form over Substance.
Example: Directors are required to review and approve invoices prior to payment. However, if the director approves a stack of invoices at the end of a week in a five-minute period, you must question whether the control is operating effectively.
“Internal controls can be expected to provide only
reasonable assurance, not absolute assurance”
• Internal controls should not be expected to guarantee that risks are mitigated or that undesirable conditions are prevented.
• Internal controls do not prevent failures caused by poor management judgment, or changing economic conditions.
• Management should not expect that all potential losses can be avoided.
• On the other hand, no entity should fail to install proper controls. A system of internal controls will provide the discipline and structure to provide the checks and balances to reduce risk exposure and enhance achievement of organizational (process) objectives.
Example: Only overtime that has been approved can be paid by payroll. However, there is a possibility that employees may claim overtime to which they are not entitled, which could be potentially approved and paid.
“Effectiveness is doing the things that achieve results,
and efficiency is doing these things the right way”
• An organization must operate both effectively and efficiently, otherwise it risks failure.
• When an organization is effective, it is serving its stakeholders well. In the context of a school board, this includes serving students, parents, teachers, and the community at large.
• When an organization is efficient, it is wisely using the resources entrusted to it and achieving the best outcomes possible.
Types of internal controls
• Preventative controls are designed to prevent an error or misappropriation from occurring. They are considered to be before-the-fact controls that will prevent an undesirable outcome from occurring.
• Detective controls are designed to detect errors after they have occurred and spur a prompt investigation. They are considered after-the-fact controls as they will not identify an undesirable outcome until after it has occurred. However, effective detective controls will help identify issues in a timely manner and may reduce severity of losses.
Discussion – Control type exercise
1. An accounting department receives a listing of aged accounts receivable that details the amount
and number of days the account has been past due.
a) Preventative
b) Detective
2. School board facilities may be rented for community use, after school hours. The custodian of the
school whose facilities were rented, performs a site inspection after community use and reports
any damages he/she finds.
a) Preventative
b) Detective
3. Beth works in the accounting department and can process payments for employee expense
reports that have been approved in the system. However, Beth does not have the ability to
approve expense reports.
a) Preventative
b) Detective
4. Purchase Orders are required in order to allow the School Board to purchase goods or services.
Buyers cannot obtain a purchase order from procurement unless 3 quotes are submitted.
a) Preventative
b) Detective
Other types of internal controls
• Compensating controls: At times what appears to be a weakness in control may not be a problem. The weakness is offset by compensating controls found elsewhere in the control structure. These controls are intended to compensate for system shortcomings and are a back-up approach to limiting risk exposure.
• Directive controls: Organizations use directive controls to guide management behavior and decisions, as well as to direct organization policy and activities.
• Monitoring controls: Monitoring controls (usually a management control) monitor the effectiveness of an entity’s internal controls and help in identifying problems in a proactive, rather than reactive, manner.
Discussion – Control exercise
Within your groups, perform the following:
1. Consider various business cycles in your School Board (i.e. payroll,
expenditures/payments/revenues). What do you think some of the key
controls are in this business cycle?
2. How would you classify these controls? (preventative, detective,
compensating, directive or monitoring).
3. As an audit committee member, what are some examples of due diligence
activities you could perform relating to the oversight of internal controls?
Internal controls can aid in the reduction of the
likelihood and significance of risk
A quick refresher…
• Inherent risk is the assessed level of risk before considering controls.
• Residual risk is the assessed level of risk once internal controls are assessed.
[Figure: a process plotted by significance of risk against likelihood of occurrence, shown at its inherent risk level and at its residual risk level]
How can internal controls add value to the organization?
Internal controls help provide reasonable assurance that the organization:
• Adheres to laws, regulations, and provincial directives
• Promotes orderly, economical, efficient, and effective operations that achieve planned outcomes
• Safeguards resources against fraud, waste, abuse, and mismanagement
• Develops and maintains reliable financial and management information and fairly discloses that data through timely reporting
• Demonstrates appropriate care of taxpayer funds
Internal controls DO NOT provide absolute assurance over the appropriateness, efficiency and effectiveness of business processes as there is a risk of:
• Bad judgment
• Error / mistake
• Collusion
• Cost / benefit constraints
COSO framework
• The process which ensures that relevant information is identified and communicated in a timely manner
• The evaluation of internal and external factors that impact an organization’s performance
• The process to determine whether internal control is adequately designed, executed, effective and adaptive
• The policies and procedures that help ensure that actions identified to manage risk are executed and timely
• The control conscience of an organization. The “tone at the top”
Control environment
• The control environment is the foundation for the internal control system. Without the control environment, the other components will collapse like a house built without a foundation.
• A number of elements influence the control environment:
– Governance model
– Organizational structure
– Management’s philosophy and operating style
– Assignment of authority and responsibility
– Integrity and ethical values
– Human Resource policies and practices
– Commitment to competence
• People are the critical aspect of the internal control system.
[Diagram: Monitoring, Control activities, Risk assessment, Control environment]
Risk assessment
• As discussed in Module 2, Risk assessment is identifying and analyzing the events and conditions (risks) that may prevent the achievement of the entity's objectives.
• Every entity faces both internal and external risks from a variety of sources. Through proper assessment, the entity can determine how to reduce or eliminate the impact of those risks.
Control activities
• Control activities provide the means
to prevent the occurrence of identified
risks, or if they cannot be prevented,
to detect them as early as possible.
• Control policies and procedures must
be established and executed to help
ensure that the actions identified by
management as necessary to
address risks are effectively carried
out.
• Includes both manual and automated
controls, internal and external.
Information and communication
• Relevant information needed to conduct, manage and control operations is captured and communicated throughout the organization.
• Information systems produce reports containing operational, financial and compliance related information that make it possible to run and control the organization.
• Relevant information must be identified, captured and communicated in a form and timeframe that enables people both inside the organization and external stakeholders to carry out their responsibilities.
Monitoring
• Internal control systems need to be monitored. Monitoring is a process that assesses the quality of the internal control system's performance over time.
• The purpose of the monitoring activity is to assure the ongoing quality of the internal control system. This function monitors the internal control system.
• Monitoring is the capstone component covering all the other components.
Monitoring Activities
• Ongoing monitoring activities are built into the normal recurring activities of the entity. Examples are as follows:
– Regular managerial activities (e.g. variance analysis)
– Code of conduct compliance statements
– Internal feedback (e.g., internal audit reports)
– External feedback (e.g. Ministry communications/questions)
– Training seminars and planning sessions