Internal Control Under the Microscope
Business Officers Meeting
March 7, 2006
Presented by Randy Van Dyke

Overview
• Quiz
• Background
• Internal Control Defined
• Internal Control Framework
• Self Assessment Checklist

Quiz – Handout Pages 2-4
“First, get your facts. Then you can distort ’em as you please.” Mark Twain

Background
A Rough Ride for Business
– War on Terrorism / Natural Disasters
– Economic downturn / Aftermath
– Financial frauds / Business failures

Sarbanes Oxley Act
“This law says to every dishonest corporate leader: you will be exposed and punished; the era of low standards is over.” George W. Bush
• Audit Committee organization and function
• Companies must document and evaluate the effectiveness of internal controls
• CEOs and CFOs must personally certify financial statement accuracy
• Outside audit reports must include a statement on the effectiveness of internal controls
• Companies must have in place mechanisms for reporting and investigating wrongdoing (including anonymous reports)

Impact on U
• Board of Regents Policy
• Trustees Audit Committee
  – Level of Involvement
  – Scope of Oversight
• Ethical Conduct Guidance
• Ethics & Compliance Hotline 585-1593 hotline@admin.utah.edu

Core Process Assessments
This assessment focused on internal controls for 15 business processes. 192 risks and related controls were evaluated.
Potential Risk: Unauthorized access to check stock and printing capability.
Primary Control: A secured laser printer is used to print checks at the time they are issued.

College-Wide Reviews
Reviewed 44 potential issues in each of the College’s 14 organizational units.

Audit Follow-Up
Responsible Person: Peggy Halliday
Completion Date: March 1, 2006

Internal Control Defined
Activities undertaken to increase the likelihood of achieving management objectives in three areas:
– Efficiency and effectiveness of operations
– Financial accountability
– Compliance with laws and regulations
“Internal control gets us where we want to go, with no surprises along the way. Internal control is everyone’s responsibility. . . . Internal control is me.” Cargill Corporation

Internal Control Framework
• Monitoring
• Control Activities
• Risk Assessment
• Control Environment
Adapted from Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Control Environment
• Integrity and ethical values
• Commitment to Competence
• Management Operating Style
• Organizational Structure
• Assignment of Authority and Responsibility
• Human Resource Policies and Practices

Risk Assessment
• Organizational Goals and Objectives
• Risk Identification and Prioritization
• Managing Change

Control Activities
• Written Policies and Procedures
• Control Procedures
• Controls over Information Systems

Information & Communication
• Access to Information
• Communication Patterns

Monitoring
• Management Supervision
• Outside Sources
• Response Mechanisms
• Self-assessment Mechanisms

Quiz
1. Internal control starts with a strong set of policies and procedures.
   False: Internal control starts with a strong control environment.
2. Internal and external auditors are responsible to develop and monitor internal controls.
   False: While auditors play an important role, management is the owner of internal control.
3. Internal controls are mostly concerned with control over assets, cash receipts, and cash disbursements.
   False: Internal control is integral to every aspect of business.
4. Internal controls are essentially negative, like a list of “thou-shalt-nots.”
   False: Internal control makes the right things happen the first time.
5. Internal controls take time away from core activities, such as serving faculty and students.
   False: Internal control should be built “into,” not “onto” business processes.
6. When delegating authority and empowering employees, it is necessary to give up a certain amount of internal control.
   False: Decentralized decision-making requires different forms of control.
7. If controls are strong, we can be assured employees will be prevented from committing fraud.
   False: Internal control provides reasonable, but not absolute assurance.
8. What are some impediments to establishing effective internal controls?
   • Lack of knowledge and ‘ownership’
   • Lack of creativity
   • Lack of interest

Links & Contact Information
• Internal Audit Department http://www.utah.edu/Internal Audit/
• Ethics and Compliance Hotline 585-1593; hotline@admin.utah.edu
• Ethical Standards and Code of Conduct http://www.hr.utah.edu/ethicalstandards/
• University of Utah Policies and Procedures http://www.admin.utah.edu/ppmanual/
• COSO http://www.coso.org/
• Randy.VanDyke@admin.utah.edu, 581-5988
• Chuck.Piele@admin.utah.edu, 581-6561
• Pamela.Mollner@admin.utah.edu, 585-3529