Internal Control Presentation

INTERNAL CONTROL
Internal control basics
Processes to review
Tracking tools
INTERNAL CONTROL
Internal control is a process, effected by those charged with governance,
management, and other personnel, designed to provide reasonable assurance
about the achievement of an entity’s objectives, which may fall into 3 categories:
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations
WHY ARE INTERNAL CONTROLS IMPORTANT?
Effective internal controls
• Safeguard public resources
• Protect employees
• Assist in fraud prevention
FIVE COMPONENTS OF INTERNAL CONTROL
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
CONTROL ENVIRONMENT
• Starts at the top and sets the tone. Functions well if Management believes
that controls are important and communicates that view to employees at all
levels.
• Foundation for all other components of internal control providing discipline
and structure.
• Key managers' responsibilities are clearly defined.
• Reflective of management's respect for and adherence to compliance
requirements.
EVALUATION OF GENERAL CONTROL ENVIRONMENT
• The person assigned to perform the internal control review must be, or become if not already,
familiar with the day-to-day activities of the entity.
• Organizational charts
• Planning and budget documents
• Job descriptions
• Inventory of statutory responsibilities and authorities
• Policies and procedures manuals
• Reports
• Audits, management reviews, program evaluations
• Internal control policies and procedures
RISK ASSESSMENTS
• Identify the vulnerability of each assessable entity to waste, loss, unauthorized use or misappropriation.
• Consider Internal as well as External Events (e.g., change in personnel).
• Consider Controls that have not been reviewed for a period of time.
• Analyze for possible effect, considering the likelihood and impact.
• Consider factors unique to your agency
  • Past experience
  • Staffing levels and experience
  • Complexity of activities in relation to your mission
• Determine how to respond to each risk and who is responsible.
STEP 1: IDENTIFY EVENTS (RISKS). ASK:
• What practices are being questioned by auditors and other oversight agencies?
• What information is critical to the agency’s operations and how vulnerable is it?
• What activities are regulated by the federal or state government?
• Are assets (cash, inventory, fixed assets) adequately protected?
• What circumstances may endanger future funding of your programs?
• New personnel.
• Incorporation of new technology.
STEP 2: ANALYZE IDENTIFIED RISKS
• How important is this risk?
• How likely is it that this risk will occur (likelihood)?
• How large is the dollar amount involved (impact)?
• To what extent does the risk potential of one activity affect other activities?
• Are existing controls (policies and procedures) sufficient to manage this risk?
• To what degree are secondary controls in place?
SPEAK THEIR LANGUAGE
• What is the mission?
• What will stop you from completing that mission?
• What preventative steps are you taking to reduce or eliminate that risk?
STEP 2 CONTINUED: PRIORITIZE IDENTIFIED RISKS
• Likelihood = the possibility that a given event will occur.
• Impact = the result or effect of an event.
• 3 = High Risk – Mitigate or reduce the risk.
• 2 = Medium Risk – Manage the risk.
• 1 = Low Risk – Accept the risk.
DETERMINE A RISK RESPONSE
• Identify possible response
  • Accept and Monitor
  • Transfer (Share)
  • Reduce the likelihood
  • Reduce the impact
  • Avoid
• Evaluate the risk responses
  • Consider the likelihood and impact
  • Consider costs and benefit
• Select a response
CONTROL ACTIVITIES ARE THE POLICIES AND PROCEDURES
THAT HELP ENSURE THAT MANAGEMENT DIRECTIVES ARE
CARRIED OUT.
• Policies and Procedures
• Management objectives (clearly written and communicated throughout the agency)
• Approvals and Authorizations
• Verifications
• Reconciliations
• Segregation of duties
• Physical and access controls
• Education, training and coaching
CONTROL ACTIVITIES IN A STRONG SYSTEM OF
INTERNAL CONTROL
• Pre-numbering Documents
• Authorization of transactions
• Independent Checks to maintain asset accountability
• Documentation
• Timely and appropriate performance reviews
• Physical controls for safeguarding assets
• Segregation of duties
INFORMATION AND COMMUNICATION
• Risk communication creates a dialog about the existence, nature and severity
or acceptability of risks.
• Communication can be formal through reports, training, written policy
manuals, accounting and financial reporting manuals
• Communication can be informal through e-mail, speech, and actions of
management.
• Most effective when it travels in all directions.
MONITORING
• The process that assesses the quality of internal control performance over
time by assessing the design and operation of controls on a timely basis and
taking the necessary corrective actions.
• Allows an agency to react dynamically to change.
• Ensures things are working as planned
• Ongoing – Supervisory review of reconciliations, reports and processes.
• Periodic – internal audit sampling and at least annual reviews of high-risk
business processes.
LIMITATIONS ON INTERNAL CONTROL
• Human Error which may include errors in the design or use of automated
controls.
• Deliberate circumvention of controls by collusion of two or more people.
• Management override of internal controls.
• Segregation of duties issues.
RECOMMENDATIONS/ REPORTING
• A brief narrative of potential subsequent actions.
• Develop a new policy and/or procedure.
• Provide additional training.
• Functionally realign responsibilities to improve the segregation of duties.
• Schedule a detailed internal control review.
• Give any reasons why subsequent action should not be taken. For example: the cost to implement corrective
action exceeds the value of the relative risk; a legal mandate requires that the controls be in place even
though costs exceed perceived benefits.
BALANCE SHEET REVIEWS
• Cut-off procedures for Liabilities – Payroll and A/P
• Controls over Assets in FAE – How are new assets communicated to finance, depreciation
calculations, disposal of assets.
• Matching/Timeliness – Expenses recorded in the proper period.
• Accuracy of tuition revenues – resident, non-resident, who gets a waiver.
• Who prepares and reviews your journal entries?
• Investments – Who controls? Who reviews?
EVENT CYCLE
• Determine the event cycle. Review the series of processes which initiate and achieve an end
product. Each has a defining beginning and ending point.
• Examples
  • The disbursement cycle begins with the submission of the A-19 and ends with a check
  printed.
  • A student loan event cycle begins with the receipt of an application and
  concludes with the disbursement of the loan.
DOCUMENT EACH EVENT CYCLE
• Interview the person(s) involved in the cycle
• Review existing documentation
• Observe the activity
• Prepare either a narrative explanation documenting personnel performing the
procedures, the forms and records developed and maintained, the number or
dollar value processed.
• Walkthrough of the process from start to finish by tracing transactions from
start to finish.
PROPER SEGREGATION OF DUTIES
• Properly segregate duties so that no one person performs two or more of
these functions:
  • Processes/records transactions
  • Authorizes/Approves transactions
  • Has custody of asset related records
INCOMPATIBLE DUTIES
• Payroll – process payroll, employee file maintenance, receive/distribute
checks/ prepare bank reconciliation
• A/R – prepare deposit, access cash and check/ perform cash application in HP/
prepare bank reconciliation
• A/P – setting up vendors/ processing payments/ printing checks/preparing
bank reconciliation
• Journal entries/Reconciliations – Prepare, sign, date; must have a second
reviewer sign and date.
AREAS OF EXPOSURE
• Employees who control a transaction, process or function from beginning to end. Not the entire system
of cash receipts or disbursements, but rather a small slice.
• Primarily serves as bank account custodian but also performs the monthly reconciliation.
• Primarily acts as a cashier but also prepares the daily bank deposit.
• Primarily prepares input in account payable, but also has access to the checks.
• Prepares customer A/R cancellations and adjustments (write-offs) but also acts as a relief cashier.
• Primarily acts as a cashier, but also reconciles the bank deposit information with the organization's
accounting records.
• Employee with custody of assets, authorization or approval affecting those assets and reporting of
related transactions.
PREVENTION OF SOD ISSUES
• Hire additional staff
• Split the responsibility between two existing staff members
• Establish a monitoring program for this key employee that effectively
accomplishes a segregation of duties without hiring or using 2 employees to do
the job, such as having an independent party monitor key employee tasks.
DON’T FORGET ABOUT THE HP
• Documented procedure to remove terminated employees and periodically
verify terminated users have been removed.
• Appropriate approval of new users and new menu access.
• Review current menu access for segregation issues.
• Be mindful of back up personnel. Make sure their additional duties do not
create segregation of duties issues.
• Don’t share passwords.
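A sketch of the access review this slide describes, as an added example that is not part of the original presentation: it flags terminated users who still hold access, menu grants with no independent approval, and users (including backups) who hold two or more duties from one INCOMPATIBLE DUTIES group. The menu names, record layout and sample users are constructed assumptions, not the export format of any real system.

```python
# Constructed sample data. Duty groups follow the INCOMPATIBLE DUTIES slide;
# the menu identifiers themselves are hypothetical.
INCOMPATIBLE = {
    "A/P": {"vendor_setup", "process_payments", "print_checks",
            "bank_reconciliation"},
    "Payroll": {"process_payroll", "employee_file_maintenance",
                "distribute_checks", "bank_reconciliation"},
}
TERMINATED = {"jdoe"}
GRANTS = [  # (user, menu, approved_by, is_backup)
    ("asmith", "vendor_setup", "mgr1", False),
    ("asmith", "print_checks", "mgr1", True),      # backup duty creates a conflict
    ("blee", "process_payroll", "mgr2", False),
    ("blee", "gl_inquiry", None, False),           # no recorded approval
    ("jdoe", "process_payments", "mgr1", False),   # terminated, still active
    ("cwu", "bank_reconciliation", "cwu", False),  # approved own access
]


def review_access(grants, terminated, incompatible):
    """Return (user, finding, detail) tuples for the periodic access review."""
    findings = []
    menus = {}  # user -> {menu: is_backup}
    for user, menu, approver, is_backup in grants:
        menus.setdefault(user, {})[menu] = is_backup
        # Access needs an approver who is not the user receiving it.
        if approver is None or approver == user:
            findings.append((user, "unapproved_access", menu))
    for user in sorted(menus):
        if user in terminated:
            findings.append((user, "terminated_still_active",
                             ",".join(sorted(menus[user]))))
        for area, duties in sorted(incompatible.items()):
            # Backup access counts the same as primary access.
            held = sorted(m for m in menus[user] if m in duties)
            if len(held) >= 2:
                detail = ",".join(
                    m + ("(backup)" if menus[user][m] else "") for m in held)
                findings.append((user, "sod_conflict:" + area, detail))
    return findings


if __name__ == "__main__":
    for finding in review_access(GRANTS, TERMINATED, INCOMPATIBLE):
        print(*finding, sep="  ")
```
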
POP QUIZ
• The 2012 Association of Certified Fraud Examiners Report to the Nations on Occupational Fraud and
Abuse analyzed where fraud is occurring and at what frequency by industry. Where do you think
government and public administration cases rank?
• A. 7th
• B. 1st
• C. 2nd
• D. 15th
CASH RECEIPTING LOSS PREVENTION AND DETECTION
• Adequate SOD
• Compare Bank deposits to cash receipts records and verify the mode of payment agrees – deposits are intact.
• Review voided transactions to ensure they are supported
• Verify inventory records agree to usage
• Review bank reconciliations
• Perform surprise cash counts
• Look for missing deposit slips
• Look for unusual activity by employee or department
• Look for unusual journal entries
ADDITIONAL CASH RECEIPTING CONTROLS
• Safeguard and limit access to receipts awaiting deposit. How long has it been since the safe combination was
changed?
• Perform a periodic “look back” of revenues. Do they make sense given your understanding of operations?
• Review receipt sequence. Are receipts used in sequential order? Are all receipt numbers accounted for?
• Review bank reconciliations. Are they timely? Do the reconciling items make sense?
• Get a handle on unanticipated revenues
• Create and review error reports
• Know who is receiving the billing complaint calls
• Mandatory vacations
• Cross train duties
PURCHASE CARD REVIEW
• Ensure second signature on all submitted P-card logs.
• Ensure detailed credit card receipt is received, summary only is not
acceptable.
• Statements paid without detail receipt to support purchase.
• Ensure items that were purchased are received and on-site.
• Review purchases for unusual vendors.
• Expense greatly exceeds what was budgeted or prior year totals.
ACCOUNTS PAYABLE CHECK REVIEW
• Review Travel Expense Report – Require conference agendas/registration be included in submission to
ensure per diem is not submitted.
• Support is originals and not photocopies.
• Review vendor lists for unusual vendors or excessive payments.
• Reports are approved by budget authority or someone other than employee submitting for
reimbursement.
• Ask follow up questions on unusual items. Confirm with a third party if necessary.
• Ensure reimbursement is not for expenses paid by college credit card.
ADDITIONAL PAYMENT CONTROLS
• Ensure items purchased are on site.
• If you use positive pay make sure you know what the bank is verifying.
• Review for expenses that end in round numbers.
• Have an expectation of reasonable expenses and compare it to actual payments entered into the
system.
• Checks should never go back to the department or person that initiated the payment.
PAYROLL INTERNAL CONTROLS
• Review payroll expenses for unusual fluctuations and amounts that are outside of your expectation,
including benefit line items and overtime.
• Review personnel files to ensure you are not paying ghost employees.
• Look for unusual journal entries.
• Look for employees that rarely or never take leave.
• Review payroll reports for employees that use a PO box.
DOCUMENTATION/EVIDENCE OF REVIEW
• Required to have adequate written documentation of activities conducted in connection to risk
assessments, review of internal control activities and follow-up actions.
• Completed risk assessments
• Spreadsheets
• Write up of process
• Testing documentation
| Date | Check Number | Vendor | Amount | PO attached |
|---|---|---|---|---|
| 8/11/2014 | 802155 | Filter LLC | 40295 | #45179 |
| 8/11/2014 | 802171 | Taylor Associates Communications, Inc | 4000 | 45659 |
| 8/11/2014 | 802162 | PNTA | 5549.68 | 45476 |
| 8/11/2014 | 802173 | USA International | 39880 | 45872 |
| 8/11/2014 | 802156 | Hotel Murano | 730.86 | N/A |
| 8/21/2014 | 802355 | Clarus Corporation | 8989.03 | a-19-1a |
| 8/25/2014 | 802218 | Talakai Construction | 2479 | 45855/45586/ |
| 8/25/2014 | 802214 | Kelly Paustain | 1170.92 | n/a |
| 8/25/2014 | 802404 | Apple Computer | 64976.2 | 45694 |
| 8/27/2014 | 802372 | Eric Nelson | 706 | 45909 |
| 9/11/2014 | 802779 | Ata Karim | 995.74 | TEV |
| 9/11/2014 | 802783 | Alberto Magana | 854.23 | TEV |
| 9/11/2014 | 802792 | Snohomish Publishing Co | 2921.89 | 46005 |
| 9/18/2014 | 802967 | Arista catering | 368.25 | n/a |
| 9/18/2014 | 802981 | Andrew's Fixture Co | 5201.25 | 45986 |
| 9/24/2014 | 803107 | Pete Smith | 1850 | n/a |
| 9/24/2014 | 803122 | CUSP | 7525 | a-19-1a |
| 9/24/2014 | 803143 | Poppinjay's café | 242.28 | n/a |
| 9/24/2014 | 803151 | Sharp Electronics | 3194.7 | no |

Other worksheet columns (Proper Coding; meals with meetings form/travel request; Proper Approval) and reviewer notes:
148.085.K1X.E
R.89
148.041.1Z00.
EY
149.011.1C05.
JA.00
148.061.1N74.
ER.89
149.061.1K25g
f00/522.264.1
149.85.1L10.E
G.30
503.S09.935.1
x20.SF.89
149.082.1P15
149.061.31K00
522.264.1977.
GA00
Watchdog
n/a
Y
Y
winning bid on RFP14-001
n/a
Y/Teri Hull
y
Y
n/a
Y
subscription no quote necessary
no quotes attached/ with in state guidelines
multiple items
no quote necessary
n/a
yes/ off
campus
Y
y
No
Y
n/a
Y / Bart Becker
Y
Y
n/a
yes/ off
campus
Y
Y/ Ray white?
n/a
Teri Hull
Y
n/a
Gayle Solberg
Y
n/a
Y/ Dr Rule
Y
n/a
Y Bill O'conner
n/a
yes/ off
campus
Y/Ata Karim
no, appears not set over to A/P timely, Billing from 6/7;7/9;7/18;7/22;7/29;8/05;
Russ Beard
food service check there
n/a
Myra Van Vector
n/a
n/a
paid timely
Signed by Fisal who is an assistant Dean not a Dean
Y
on contract
148.014.1M04.
ER.89
149.051.1J05.J
a.00
refund
s22 264 181 EG
89
1H07
yes/ off
campus
ed 2/ ee 50
n/a
not pre-authorized
Yes
exception addressed with Myra See Newbook
9/23/2014 SID
950557147-S receipt # 8510140990
y
student registration for CUSP student leadership conference
Y/Fiasal Jaswal
Y/Carla Boyum one not
signed after event sent back for additional information
signed
Bev Lucas
Y
contract from 2010, pull to verify rates
HOW TO KEEP TRACK OF IT ALL
• Survey Monkey
• Binders
• One - Note
• Data Base