OFM Accounting Division
Kim Thompson, CPA
kim.thompson@ofm.wa.gov
(360) 725-0224
Resources Web Site: http://www.ofm.wa.gov/resources/default.asp
SAAM Web Site: http://www.ofm.wa.gov/policy/default.asp
July and August 2009

Objective
1. To give an overview of SAAM Chapter 20, Internal Control
2. With a focus on risk and control

GAO question 11: Please describe what training and communication activities, if any, are being conducted with financial management and program staff to help ensure that they understand what is expected of them regarding RA funds and program management. If not covered in response, probe for top management communications concerning support for a positive control environment.

GAO question 18: What general and specific internal control activities are in place to provide reasonable assurance of compliance with the requirements of the RA? What, if any, additional internal controls or accountability requirements have been put in place or are planned for RA funds? What internal control monitoring processes are viewed as critical to successful management of RA funds?

Section: Intro & Basics

Internal Control Definition
A process effected by those charged with governance, management and other personnel, designed to provide reasonable assurance that the following objectives are being achieved:
- effectiveness and efficiency of operations,
- reliability of financial reporting, and
- compliance with applicable laws and procedures.
Source: United States Office of Management and Budget (Circular No. A-133)

GAO question 17: How will recipients be held accountable for use of RA funds?

Washington State has requirements for internal control
1. Statute - RCW 43.88.160 (4)
2. SAAM Ch. 20 Internal Control
   a) Internal control officer (SAAM 20.15.30.b)
   b) Annual assurance
   c) Financial Disclosure Certification (SAAM 90.40.95.a). In part: "We are responsible for establishing and maintaining effective internal control over financial reporting. Our agency's system of internal controls complies with the prescribed requirements as contained in Chapter 20 of SAAM."
   d) Federal Assistance Certification (SAAM 95.20.90)

Practice: True or False
1. Chapter 20 does not require an agency-wide annual risk assessment. (Answer: True)
2. Because state agencies are similar, a single method and plan of internal controls is universally applicable, except for higher ed. (Answer: False)
3. The Recovery Act requires stronger internal controls. (Answer: False)
4. Objectives are determined before risks. (Answer: True)
5. It is okay to have the same person involved in recording asset transactions and maintaining custody of those assets. (Answer: False)

Fraud and Internal Control
Fraud triangle: Opportunity, Incentive, Attitude -> FRAUD
Poor internal control can create opportunity. It can promote rather than just permit fraud.

The Objectives of Internal Control are Interrelated
- Financial Reporting
- Compliance
- Operations
- Safeguard Assets

Internal Control
Multiple stakeholders care about internal control.

Principles: Internal control
1. Is a process
2. Is achieved by people
3. Gives reasonable assurance
4. Benefits the agency *
5. Is tailored to the environment
6. Is built in
7. Must be cost-effective
* Agency refers to the entity being considered: program, division, local government, etc.

Limitations
1. Human Judgment
2. Control Breakdowns
3. Management Override
4. Collusion
5. Cost vs. Benefits
6. Lack of Resources

Section: Framework

Internal Control Framework Components
- Monitoring
- Information and Communication
- Control Activities
- Risk Assessment
- Control Environment

Key Concept
1. To identify the correct control, you must know what risks are present.
2. To know what risks are present, you need to understand what objectives are being sought.
3. Therefore: Objectives -> Risks -> Controls

Internal control components fit together. Control environment is the operating context.
[Figure: Control Environment surrounding Set objectives, Risk Assessment, Control Activities, Information and Communication, and Monitoring]

Control Environment
1. Sets the tone of an agency
2. Influences the effectiveness of internal controls
3. Is intangible and pervasive
4. Is the foundation for all other components
5. Provides discipline and structure
6. Encompasses technical competence and ethical commitment

Control Environment Core Factors (**** Practice ****)
1. Management's
   a) Attitude about internal control
   b) Integrity and ethical values
   c) Commitment to competence
   d) Human resource policies and practices
   e) Philosophy and operating style
   f) Assignment of responsibility and authority
   g) Design of the organizational structure
2. Direction and attention of governing body

Enterprise Risk Management (ERM)
1. Broader conceptual framework.
2. Applied to whole entity and individual units.
3. A process designed to:
   - Identify potential events that may affect the entity
   - Keep risk within the entity's risk appetite
   - Provide reasonable assurance regarding the achievement of the entity's objectives
4. ERM encompasses internal control.
5. This does not change what we just learned about internal control.
[Figure: ERM encompassing Internal Control]

What is a Risk Assessment?
It is:
1. Judgmental
2. Ongoing
3. Considers Internal Risks and External Risks

GAO question 14: Please describe what risk-based approaches or assessments, if any, are being done or planned in relation to implementation of the RA requirements. What new or pre-existing risks, if any, have been identified that could impact implementation of and compliance with RA requirements with regard to accountability, effective internal controls, and reliable reporting? What is being done to manage/mitigate these risks?

GAO question 15: Please describe what assessments, if any, of risks at recipients have been or will be done relating to recipients' capacity to account for and use funds for their intended purposes and in compliance with the program and the RA.

Steps in the Risk Assessment Component
Prior to: Set goals and objectives.
1. Identify events. **** These are risks. ****
2. Analyze and prioritize risks.
3. Decide how to respond to risks.
After: Implement response by controlling, monitoring, reviewing, refining, and repeating the process.

Step 1: To identify events (risk), ask:
1. What practices are being questioned by auditors and other oversight agencies?
2. What information is critical to the agency's operations and how vulnerable is it?
3. What activities are regulated by the federal government?
4. Which areas are the most susceptible to fraud?
5. Are assets (cash, inventory, fixed assets) adequately protected?
6. What circumstances might endanger future funding of agency programs?

Step 1: When identifying risk, consider these factors:
1. Periods of change.
2. Inherent risk: the risk to an entity in the absence of any actions management might take to alter the risk's likelihood or impact.

Step 2: Analyze identified risks
1. How important is this risk?
2. How likely is it that this risk will occur (likelihood)?
3. How large is the dollar amount involved (impact)?
4. To what extent does the risk potential of one activity affect other activities?
5. Are existing controls (policies and procedures) sufficient to manage this risk?
6. To what degree are secondary controls in place?

Step 2: Prioritize identified risks

                     Low Impact   Medium Impact   High Impact
  High Likelihood        2              3              3
  Medium Likelihood      1              2              3
  Low Likelihood         1              1              2

Likelihood = the possibility that a given event will occur.
Impact = the result or effect of an event.
3 = High Risk: Mitigate or reduce the risks.
2 = Medium Risk: Manage the risks.
1 = Low Risk: Accept the risks.

Step 3: Decide on a risk response
1. Identify possible responses
   - Avoid
   - Accept and monitor
   - Transfer (Share)
   - Reduce the likelihood
   - Reduce the impact
2. Evaluate the risk responses
   - Consider likelihood and impact
   - Consider costs and benefit
3. Select a response

Document Risk Assessments
1. Use risk questionnaires, memorandums or notes to document a risk assessment.
2. Document objectives and assumed risks.
3. Summarize assessment assumptions and results.
   - Estimate the significance of each identified risk.
   - Note any needed action or inaction for each risk.

Practice: True or False
1. The subject of internal control may not apply to you because management is responsible for internal control. (Answer: False)
2. The best controls can overcome a bad environment. (Answer: False)
3. The best internal controls guarantee that fraud will be prevented or detected. (Answer: False)
4. Internal controls only apply to Recovery Act areas. (Answer: False)

Control Activities
1. Policies, procedures, techniques, and mechanisms that help ensure risk responses are carried out.
2. Help reduce the likelihood or impact of risks.
3. Occur throughout the organization, at all levels and in all functions.
4. Address risks identified as part of the risk assessment.
5. Include approvals, authorizations, verifications, reconciliations, security measures, segregation of duties, procedure/policy manuals and many others.

The relationship between risk and control activities
Risk = Control. The greater the risk, the greater the control needed.

Seven Categories of Errors and Frauds
1. Invalid transactions are recorded.
2. Valid transactions are omitted from the accounts.
3. Unauthorized transactions are executed and recorded.
4. Transaction amounts are inaccurate.
5. Transactions are classified in the wrong accounts.
6. Transaction accounting and posting is incorrect.
7. Transactions are recorded in the wrong period.

Prevent or Detect
We can divide controls into 2 groups:
1. Preventive
2. Detective
Are these examples of controls that prevent or detect?
1. Authorizations (Prevent)
2. Properly designed records (Prevent)
3. Segregation of incompatible duties (Prevent)
4. Security of assets and records (Prevent)
5. Periodic reconciliations (Detect)
6. Periodic verifications (Detect)
7. Analytical review (Detect)

Segregation of Duties
To have segregation of duties, these functional responsibilities are performed by different work units or different persons within the same unit:
1. Authorization to execute transactions.
2. Recording transactions.
3. Custody of assets involved in the transactions.
4. Periodic reviews and reconciliation of existing assets to recorded amounts.

Segregation of Duties - Personnel and Payroll
1. Staff responsible for hiring, terminating, and approving promotions should not be directly involved in preparing payroll or personnel transactions or inputting data.
2. Managers should review and approve payroll deductions and time sheets before data entry, but should not be involved in entering payroll transactions.
3. Staff involved in payroll data entry should not have payroll approval. Staff who are part of the payroll staff should not enter changes to their own data files.
4. Staff not involved in the payroll process should periodically verify all personnel salaries and wage rates.
5. Gross pay adjustment reports should be received and reviewed by an individual outside of the payroll function.

Segregation of Duties - Expenditure Activities
1. Individuals responsible for cash disbursement functions should be segregated from those responsible for cash receipts.
2. Individuals responsible for data entry of encumbrances and payment vouchers should not be responsible for approving these documents, nor batch release.
3. A department should not delegate expenditure transaction approval to data entry personnel.
4. Individuals responsible for acknowledging the receipt of goods or services should not also be responsible for purchasing or accounts payable activities.

Segregation of Duties - Revenue Activities
1. Individuals responsible for cash receipts functions should be segregated from those responsible for cash disbursement.
2. Individuals who receive cash into the office should not be involved in preparing bank deposits.
3. Individuals who receive cash or make deposits should not be involved in reconciling the bank accounts.
4. Individuals responsible for issuing agency billings should not be involved in estimating, budgeting, collecting or processing cash receipts and should not be directly involved in maintaining accounts receivable.
5. Individuals responsible for maintaining accounts receivable records should not be directly involved in the billing process or cash receipting.

Control over and physical security of assets
1. Secured facilities
2. Limited access to:
   - Assets and important records
   - Documents and blank forms
   - Inventory of items held for sale
   - Information systems: multilevel security, user identification, regularly changed passwords, limited access rooms, firewalls, encryption
3. Periodic physical counts reconciled to control records

Periodic Reconciliations
1. Periodic comparison of recorded amounts with independent evidence of existence and valuation:
   - Reconciliation of bank statements
   - Inventory counting
   - Confirmation of accounts receivable and payable
2. Remember to take action when differences are found.

Other Control Activities
1. Periodic performance comparisons
2. Authority
3. Documentation of:
   - Internal control system
   - Internal control assessments, risk analyses
   - All transactions
   - Significant events
4. Supervision. Managers should:
   - Assign tasks
   - Review staff work
   - Approve work at critical points
   - Guide, train staff as necessary
   - Document supervision and review

How the process fits together: Accounts Payable Unit
Objective No. 1: Compliance with statewide bill paying policies.
- Risk No. 1: Accounts payable staff does not have required knowledge, skills, and ability.
  - Control Activity No. 1: All accounts payable employees receive training within 2 weeks of hire.
  - Control Activity No. 2: The accounts payable accounting manager designates staff for cross-training.
- Risk No. 2: Payments are made too late to take vendor discounts.
  - Control Activity No. 1: All invoices are date-stamped upon receipt in the financial services office.
  - Control Activity No. 2: Monthly reports are generated that help identify and investigate reasons for late payments.

Practice: True or False
1. The state auditor is often used as a compensating control; they are happy to do this. (Answer: False)
2. When designing an internal control system, segregation of duties is not considered in every area. (Answer: False)
3. Internal controls are not required in non-Recovery Act areas. (Answer: False)
4. Risk is likely to be increased when there are audit findings in the prior audit. Hint: See GAO question 16. (Answer: True)

Information and Communication
The goal is accurate and relevant information identified, captured, and exchanged (communicated) in a timely manner to those who need it.
Information and communication variables:
- Multi-directional: up, down, across
- Internal and external
- Manual and computerized
- Formal and informal

Communication
Effective internal communication:
- Encourages employee involvement.
- Is a means to report exceptions to the appropriate higher level.
- Is used to distribute new policies.
Open external communication:
- Engages stakeholders.
- Provides input.
- Increases transparency and accountability.

Internal Control Framework Components: Monitoring
What were the other ones?

Monitoring
Monitoring was not fully understood or used, so COSO developed the publication "Guidance on Monitoring Internal Control Systems."
Determine:
- What controls to monitor.
- What monitoring procedures to employ.
- How often to employ them.

Monitoring: an example of the concept
Assume:
- A reconciliation control is deemed important to financial reporting. (This is the control activity.)
- The supervisor of the area performs an appropriately detailed review of the reconciliation each time it is prepared.
The supervisor's review accomplishes two things:
- Tells him or her whether the control is working.
- Encourages continued effective operation of the control.

Monitoring: 2 Types
1. Ongoing
   - Built into operations
   - Some monitoring is automated
   - Focuses on deviations from norms
   - Provides continual feedback on controls
   - Should lead to investigation
   - May lead to system changes
2. Separate
   - Evaluates effectiveness of ongoing monitoring
   - Takes an objective look from time to time
   - Scope of monitoring is based on significance of risks
   - Uses an objective and competent evaluator
   - Internal audit plays a vital role

Monitoring - Resolution of deficiencies
Are there more than two options?
1. Correct the control: its design or use.
2. Eliminate the control if it is duplicative, not cost effective, etc.
Do something in response to a deficiency.

Practice: True or False
1. Risk assessments are important to control activities and monitoring. (Answer: True)
2. How duties are segregated depends, in part, on risk appetite, nature of operations, risk assessment, and day of the week. (Answer: False)
3. OFM SWA Resource site materials are binding. (Answer: False)
4. OFM SWA Resource site materials should normally be used as is. (Answer: False)
5. Internal controls only apply to Recovery Act areas. (Answer: False)