INTERNAL CONTROL
• Internal control basics
• Processes to review
• Tracking tools

INTERNAL CONTROL
Internal control is a process, effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance about the achievement of an entity’s objectives, which may fall into 3 categories:
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations

WHY ARE INTERNAL CONTROLS IMPORTANT?
Effective internal controls:
• Safeguard public resources
• Protect employees
• Assist in fraud prevention

FIVE COMPONENTS OF INTERNAL CONTROL
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

CONTROL ENVIRONMENT
• Starts at the top and sets the tone. Functions well if management believes that controls are important and communicates that view to employees at all levels.
• Foundation for all other components of internal control, providing discipline and structure.
• Key managers’ responsibilities clearly defined.
• Reflective of management’s respect for and adherence to compliance requirements.

EVALUATION OF GENERAL CONTROL ENVIRONMENT
• The person assigned to perform the internal control review must be, or become if not already, familiar with the day-to-day activities of the entity.
• Organizational charts
• Planning and budget documents
• Job descriptions
• Inventory of statutory responsibilities and authorities
• Policies and procedures manuals
• Reports
• Audits, management reviews, program evaluations
• Internal control policies and procedures

RISK ASSESSMENTS
• Identify the vulnerability of each assessable entity to waste, loss, unauthorized use or misappropriation.
• Consider internal as well as external events (change in personnel).
• Consider controls that have not been reviewed for a period of time.
• Analyze for possible effect, considering the likelihood and impact.
• Consider factors unique to your agency
• Past experience
• Staffing levels and experience
• Complexity of activities in relation to your mission
• Determine how to respond to each risk and who is responsible.

STEP 1: IDENTIFY EVENTS (RISKS)
ASK:
• What practices are being questioned by auditors and other oversight agencies?
• What information is critical to the agency’s operations and how vulnerable is it?
• What activities are regulated by the federal or state government?
• Are assets (cash, inventory, fixed assets) adequately protected?
• What circumstances may endanger future funding of your programs?
• New personnel.
• Incorporation of new technology.

STEP 2: ANALYZE IDENTIFIED RISKS
• How important is this risk?
• How likely is it that this risk will occur (likelihood)?
• How large is the dollar amount involved (impact)?
• To what extent does the risk potential of one activity affect other activities?
• Are existing controls (policies and procedures) sufficient to manage this risk?
• To what degree are secondary controls in place?

SPEAK THEIR LANGUAGE
• What is the mission?
• What will stop you from completing that mission?
• What preventative steps are you taking to reduce or eliminate that risk?

STEP 2 CONTINUED: PRIORITIZE IDENTIFIED RISKS
• Likelihood = the possibility that a given event will occur.
• Impact = the result or effect of an event.
• 3 = High Risk – Mitigate or reduce the risk.
• 2 = Medium Risk – Manage the risk.
• 1 = Low Risk – Accept the risk.

DETERMINE A RISK RESPONSE
• Identify possible response
• Accept and Monitor
• Transfer (Share)
• Reduce the likelihood
• Reduce the impact
• Avoid
• Evaluate the risk responses
• Consider the likelihood and impact
• Consider costs and benefit
• Select a response

CONTROL ACTIVITIES ARE THE POLICIES AND PROCEDURES THAT HELP ENSURE THAT MANAGEMENT DIRECTIVES ARE CARRIED OUT.
• Policies and Procedures
• Management objectives (clearly written and communicated throughout the agency)
• Approvals and Authorizations
• Verifications
• Reconciliations
• Segregation of duties
• Physical and access controls
• Education, training and coaching

CONTROL ACTIVITIES IN A STRONG SYSTEM OF INTERNAL CONTROL
• Pre-numbering Documents
• Authorization of transactions
• Independent Checks to maintain asset accountability
• Documentation
• Timely and appropriate performance reviews
• Physical controls for safeguarding assets
• Segregation of duties

INFORMATION AND COMMUNICATION
• Risk communication creates a dialog about the existence, nature and severity or acceptability of risks.
• Communication can be formal through reports, training, written policy manuals, accounting and financial reporting manuals.
• Communication can be informal through e-mail, speech, and actions of management.
• Most effective when it travels in all directions.

MONITORING
• The process that assesses the quality of internal control performance over time by assessing the design and operation of controls on a timely basis and taking the necessary corrective actions.
• Allows an agency to react dynamically to change.
• Ensures things are working as planned.
• Ongoing – Supervisory review of reconciliations, reports and processes.
• Periodic – Internal audit sampling and at least annual reviews of high-risk business processes.

LIMITATIONS ON INTERNAL CONTROL
• Human error, which may include errors in the design or use of automated controls.
• Deliberate circumvention of controls by collusion of two or more people.
• Management override of internal controls.
• Segregation of duties issues.

RECOMMENDATIONS/REPORTING
• A brief narrative of potential subsequent actions.
• Develop a new policy and/or procedure.
• Provide additional training.
• Functionally realign responsibilities to improve the segregation of duties.
• Schedule a detailed internal control review.
• Give any reasons why subsequent action should not be taken. For example: cost to implement corrective action exceeds the value of the relative risk; legal mandate requires that the controls be in place even though costs exceed perceived benefits.

BALANCE SHEET REVIEWS
• Cut-off procedures for Liabilities – Payroll and A/P
• Controls over Assets in FAE – How are new assets communicated to finance, depreciation calculations, disposal of assets.
• Matching/Timeliness – Expenses recorded in the proper period.
• Accuracy of tuition revenues – resident, non-resident, who gets a waiver.
• Who prepares and reviews your journal entries?
• Investments – Who controls? Who reviews?

EVENT CYCLE
• Determine the event cycle. Review the series of processes which initiate and achieve an end product. Each has a defining beginning and ending point.
• Examples
• The disbursement cycle begins with the submission of the A-19 and ends with a check printed.
• A student loan event cycle begins with the receipt of an application and concludes with the disbursement of the loan.

DOCUMENT EACH EVENT CYCLE
• Interview the person(s) involved in the cycle
• Review existing documentation
• Observe the activity
• Prepare either a narrative explanation documenting personnel performing the procedures, the forms and records developed and maintained, the number or dollar value processed.
• Walk through the process from start to finish by tracing transactions from start to finish.

PROPER SEGREGATION OF DUTIES
• Properly segregate duties so that no one person performs two or more of these functions:
• Processes/records transactions
• Authorizes/Approves transactions
• Has custody of asset related records

INCOMPATIBLE DUTIES
• Payroll – process payroll, employee file maintenance, receive/distribute checks / prepare bank reconciliation
• A/R – prepare deposit, access cash and check / perform cash application in HP / prepare bank reconciliation
• A/P – setting up vendors / processing payments / printing checks / preparing bank reconciliation
• Journal entries/Reconciliations – Prepare, sign, date; must have a second reviewer sign and date.

AREAS OF EXPOSURE
• Employees who control a transaction, process or function from beginning to end. Not the entire system of cash receipts or disbursements, but rather a small slice.
• Primarily serves as bank account custodian but also performs the monthly reconciliation.
• Primarily acts as a cashier but also prepares the daily bank deposit.
• Primarily prepares input in accounts payable, but also has access to the checks.
• Prepares customer A/R cancellations and adjustments (write-offs) but also acts as a relief cashier.
• Primarily acts as a cashier, but also reconciles the bank deposit information with the organization’s accounting records.
• Employee with custody of assets, authorization or approval affecting those assets and reporting of related transactions.

PREVENTION OF SOD ISSUES
• Hire additional staff
• Split the responsibility between two existing staff members
• Establish a monitoring program for this key employee that effectively accomplishes a segregation of duties without hiring or using 2 employees to do the job, such as having an independent party monitor key employee tasks.

DON’T FORGET ABOUT THE HP
• Documented procedure to remove terminated employees and periodically verify terminated users have been removed.
• Appropriate approval of new users and new menu access.
• Review current menu access for segregation issues.
• Be mindful of backup personnel. Make sure their additional duties do not create segregation of duties issues.
• Don’t share passwords.

POP QUIZ
• The 2012 Association of Certified Fraud Examiners Report to the Nations on Occupational Fraud and Abuse analyzed where fraud is occurring and at what frequency by industry. Where do you think government and public administration cases rank?
• A. 7th
• B. 1st
• C. 2nd
• D. 15th

CASH RECEIPTING LOSS PREVENTION AND DETECTION
• Adequate SOD
• Compare bank deposits to cash receipts records and verify the mode of payment agrees – deposits are intact.
• Review voided transactions to ensure they are supported
• Verify inventory records agree to usage
• Review bank reconciliations
• Perform surprise cash counts
• Look for missing deposit slips
• Look for unusual activity by employee or department
• Look for unusual journal entries

ADDITIONAL CASH RECEIPTING CONTROLS
• Safeguard and limit access to receipts awaiting deposit. How long has it been since the safe combination was changed?
• Perform a periodic “look back” of revenues. Do they make sense given your understanding of operations?
• Review receipt sequence. Are receipts used in sequential order? Are all receipt numbers accounted for?
• Review bank reconciliations. Are they timely? Do the reconciling items make sense?
• Get a handle on unanticipated revenues
• Create and review error reports
• Know who is receiving the billing complaint calls
• Mandatory vacations
• Cross train duties

PURCHASE CARD REVIEW
• Ensure second signature on all submitted P-card logs.
• Ensure detailed credit card receipt is received; summary only is not acceptable.
• Statements paid without detail receipt to support purchase.
• Ensure items that were purchased are received and on-site.
• Review purchases for unusual vendors.
• Expense greatly exceeds what was budgeted or prior year totals.

ACCOUNTS PAYABLE CHECK REVIEW
• Review Travel Expense Report – Require conference agendas/registration be included in submission to ensure per diem is not submitted.
• Support is originals and not photocopies.
• Review vendor lists for unusual vendors or excessive payments.
• Reports are approved by budget authority or someone other than employee submitting for reimbursement.
• Ask follow up questions on unusual items. Confirm with a third party if necessary.
• Ensure reimbursement is not for expenses paid by college credit card.

ADDITIONAL PAYMENT CONTROLS
• Ensure items purchased are on site.
• If you use positive pay make sure you know what the bank is verifying.
• Review for expenses that end in round numbers.
• Have an expectation of reasonable expenses and compare it to actual payments entered into the system.
• Checks should never go back to the department or person that initiated the payment.

PAYROLL INTERNAL CONTROLS
• Review payroll expenses for unusual fluctuations and amounts that are outside of your expectation, including benefit line items and overtime.
• Review personnel files to ensure you are not paying ghost employees.
• Look for unusual journal entries.
• Look for employees that rarely or never take leave.
• Review payroll reports for employees that use a PO box.

DOCUMENTATION/EVIDENCE OF REVIEW
• Required to have adequate written documentation of activities conducted in connection to risk assessments, review of internal control activities and follow-up actions.
• Completed risk assessments
• Spreadsheets
• Write up of process
• Testing documentation

Check Number Proper Coding Vendor Amount PO attached
8/11/2014 802155 Filter LLC 40295 #45179
8/11/2014 802171 Taylor Associates Communications, Inc 4000 45659
8/11/2014 802162 PNTA 5549.68 45476
8/11/2014 802173 USA International 39880 45872
8/11/2014 802156 Hotel Murano 730.86 N/A
8/21/2014 802355 Clarus Corporation 8989.03 a-19-1a
8/25/2014 802218 Talakai Construction 2479 45855/45586/
148.085.K1X.E R.89 148.041.1Z00. EY 149.011.1C05. JA.00 148.061.1N74. ER.89 149.061.1K25g f00/522.264.1 149.85.1L10.E G.30 503.S09.935.1 x20.SF.89
8/25/2014 802214 Kelly Paustain 1170.92 n/a 149.082.1P15
8/25/2014 802404 Apple Computer 64976.2 45694
8/27/2014 802372 Eric Nelson 706 45909
9/11/2014 802779 Ata Karim 995.74 TEV
9/11/2014 802783 Alberto Magana 854.23 TEV 149.061.31K00 522.264.1977. GA00
9/11/2014 802792 Snohomish Publishing Co 2921.89 46005 Watchdog
9/18/2014 802967 Arista catering 368.25 n/a
DATE meals with meetings form/travel request Proper Approval
n/a Y Y winning bid on RFP14-001 n/a Y/Teri Hull y Y n/a Y subscription no quote necessary no quotes attached/ with in state guidelines multiple items no quote necessary n/a yes/ off campus Y y No Y n/a Y / Bart Becker Y Y n/a yes/ off campus Y Y/ Ray white? n/a Teri Hull Y n/a Gayle Solberg Y n/a Y/ Dr Rule Y n/a Y Bill O'conner n/a yes/ off campus Y/Ata Karim no, appears not set over to A/P timely, Billing from 6/7;7/9;7/18;7/22;7/29;8/05; Russ Beard food service check there n/a Myra Van Vector n/a n/a paid timely Signed by Fisal who is an assistant Dean not a Dean Y on contract 148.014.1M04. ER.89 149.051.1J05.J a.00
9/18/2014 802981 Andrew's Fixture Co 5201.25 45986
9/24/2014 803107 Pete Smith 1850 n/a
9/24/2014 803122 CUSP 7525 a-19-1a refund s22 264 181 EG 89
9/24/2014 803143 Poppinjay's café 242.28 n/a 1H07 yes/ off campus
9/24/2014 803151 Sharp Electronics 3194.7 no ed 2/ ee 50 n/a not pre-authorized Yes exception addressed with Myra See Newbook 9/23/2014 SID 950557147-S receipt # 8510140990 y student registration for CUSP student leadership conference Y/Fiasal Jaswal Y/Carla Boyum one not signed after event sent back for additional information signed Bev Lucas Y contract from 2010, pull to verify rates

HOW TO KEEP TRACK OF IT ALL
• SurveyMonkey
• Binders
• OneNote
• Database