
Training July and August 2009 1

Basics of Internal Control


OFM Accounting Division
Kim Thompson, CPA
kim.thompson@ofm.wa.gov
(360) 725-0224
Resources Web Site
http://www.ofm.wa.gov/resources/default.asp
SAAM Web Site
http://www.ofm.wa.gov/policy/default.asp
Objective:
1. To give an overview of
SAAM Chapter 20
Internal control
2. With a focus on risk and control
Intro & Basics
11. Please describe what training and communication activities, if any, are being
conducted with financial management and program staff to help ensure that they
understand what is expected of them regarding RA funds and program management.
If not covered in response, probe for top management communications concerning
support for positive control environment.
18. What general and specific internal control activities are in place to provide
reasonable assurance of compliance with the requirements of the RA? What, if any,
additional internal controls or accountability requirements have been put in place or
are planned for RA funds? What internal control monitoring processes are viewed as
critical to successful management of RA funds?
Internal Control Definition
A process, effected by those charged with governance, management and other personnel, designed to provide reasonable assurance that the following objectives are being achieved:
effectiveness and efficiency of operations,
reliability of financial reporting, and
compliance with applicable laws and procedures.
United States Office of Management and Budget (Circular No. A-133)
17. How will recipients be held accountable for use of RA funds?
Washington State has requirements for
internal control
1. Statute - RCW 43.88.160 (4)
2. SAAM Ch. 20 Internal Control
a) Internal control officer SAAM 20.15.30.b
b) Annual assurance
c) Financial Disclosure Certification
SAAM 90.40.95.a In part: We are responsible for establishing and
maintaining effective internal control over financial reporting. Our agency's
system of internal controls complies with the prescribed requirements as
contained in Chapter 20 of SAAM.
d) Federal Assistance Certification
SAAM 95.20.90
Practice True or False
1. Chapter 20 does not require an agency-wide
annual risk assessment.
2. Because state agencies are similar, a single
method and plan of internal controls is
universally applicable, except for higher ed.
3. The Recovery Act requires stronger internal
controls.
4. Objectives are determined before risks.
5. It is okay to have the same person involved in
recording asset transactions and maintaining
custody of those assets.
Answers: 1. True; 2. False; 3. False; 4. True; 5. False
Fraud and Internal Control
Fraud triangle
Poor internal control can create opportunity
It can _______ rather than just ______ fraud.
[Diagram: fraud triangle with Opportunity, Incentive and Attitude around FRAUD]
Answers: promote, permit
The Objectives of Internal Control are Interrelated
[Diagram labels: Financial Reporting; Compliance; Operations; Safeguard Assets]
Internal Control
Multiple stakeholders care
about internal control.
Principles: Internal control
1. Is a process
2. Is achieved by people
3. Gives reasonable assurance
4. Benefits the agency *
5. Is tailored to the environment
6. Is built in
7. Must be cost-effective
* Agency refers to the entity being considered (program, division, local government, etc.).
Limitations:
1. Human Judgment
2. Control Breakdowns
3. Management Override
4. Collusion
5. Cost vs. Benefits
6. Lack of Resources
Internal Control Framework Components
Monitoring
Information and Communication
Control Activities
Risk Assessment
Control Environment
Framework
Key Concept
1. To identify the correct control, you must know what risks
are present.
2. To know what risks are present, you need to understand
what objectives are being sought.
3. Therefore,
Objectives → Risks → Controls
Internal control components fit together.
Control environment is the operating context.
[Diagram labels: Control Environment; Set objectives; Risk Assessment; Control Activities; Information and Communication; Monitoring]
Control Environment:
1. Sets the tone of an agency
2. Influences the effectiveness of internal
controls
3. Is intangible and pervasive
4. Is the foundation for all other components
5. Provides discipline and structure
6. Encompasses technical competence and
ethical commitment
Control Environment Core Factors
1. Management's
a) ________ about internal control
b) Integrity and ethical values
c) Commitment to competence
d) ________ ____________ policies and practices
e) Philosophy and operating style
f) Assignment of responsibility and authority
g) Design of the ______________ ____________
2. Direction and attention of
governing body
**** Practice ****
Answers: a) Attitude; d) Human resource; g) organizational structure
Enterprise Risk Management (ERM)
1. Broader conceptual framework.
2. Applied to whole entity &
individual units.
3. A process designed to
   Identify potential events that may affect the entity
   Keep risk within the entity's risk appetite
   Provide reasonable assurance regarding the achievement of the entity's objectives.
4. ERM encompasses internal control.
5. This does not change what we just learned about internal control.
[Diagram: Internal Control inside ERM]
What is a Risk Assessment? It is:
1. Judgmental
2. Ongoing
3. Considers
_______ Risks
_______ Risks
14. Please describe what risk-based approaches or assessments, if any, are being done or
planned in relation to implementation of the RA requirements. What new or pre-existing risks, if
any, have been identified that could impact implementation of and compliance with RA
requirements with regard to accountability, effective internal controls, and reliable reporting?
What is being done to manage/mitigate these risks?
15. Please describe what assessments, if any, of risks at recipients have been or will be done
relating to recipients' capacity to account for and use funds for their intended purposes and in
compliance with the program and the RA.
Answers: Internal, External
Steps in the Risk Assessment Component
Prior to: Set goals and objectives.
1. Identify events. **** These are risks. ****
2. Analyze and prioritize risks.
3. Decide how to respond to risks.
After: Implement response by controlling,
monitoring, reviewing, refining, and
repeating the process.
Step 1: To identify events (risk), ask:
1. What practices are being questioned by auditors and
other oversight agencies?
2. What information is critical to the agency's operations
and how vulnerable is it?
3. What activities are regulated by the federal
government?
4. Which areas are the most susceptible to fraud?
5. Are assets (cash, inventory, fixed assets) adequately
protected?
6. What circumstances might endanger future funding of
agency programs?
Step 1:
When identifying risk, consider these factors:
1. Periods of change.
2. Inherent risk: the risk to an entity in the absence of any actions management might take to alter the risk's likelihood or impact.
Step 2: Analyze identified risks
1. How important is this risk?
2. How likely is it that this risk will occur
(likelihood)?
3. How large is the dollar amount involved
(impact)?
4. To what extent does the risk potential of
one activity affect other activities?
5. Are existing controls (policies and
procedures) sufficient to manage this risk?
6. To what degree are secondary controls in
place?
Step 2: Prioritize identified risks
                     Low Impact   Medium Impact   High Impact
High Likelihood          2             3              3
Medium Likelihood        1             2              3
Low Likelihood           1             1              2

Likelihood = the possibility that a given event will occur.
Impact = the result or effect of an event.
3 = High Risk: Mitigate or reduce the risks.
2 = Medium Risk: Manage the risks.
1 = Low Risk: Accept the risks.
Step 3: Decide on a risk response
1. Identify possible responses
Avoid
Accept and monitor
Transfer (Share)
Reduce the likelihood
Reduce the impact
2. Evaluate the risk responses
Consider likelihood and impact
Consider costs and benefit
3. Select a response
Document Risk Assessments
1. Use risk questionnaires, memorandums or
notes to document a risk assessment.
2. Document objectives and assumed risks.
3. Summarize assessment assumptions and
results.
Estimate the significance of each identified risk.
Note any needed action or inaction for each risk.
Practice True or False
1. The subject of internal control may not
apply to you because management is
responsible for internal control.
2. The best controls can overcome a bad
environment.
3. The best internal controls guarantee that
fraud will be prevented or detected.
4. Internal controls only apply to Recovery
Act areas.
Answers: 1. False; 2. False; 3. False; 4. False
Control Activities
1. Policies, procedures, techniques, and mechanisms that
help ensure ________ _____________ are carried out.
2. Help reduce the likelihood or impact of risks.
3. Occur throughout the organization, at all levels and in
all functions.
4. Address risks identified as part of the risk assessment.
5. Include approvals, authorizations, verifications,
reconciliations, security measures, segregation of
duties, procedure/policy manuals and many others.
Answer: risk responses
The relationship between risk and control activities
Risk = Control
The greater the risk, the greater the control needed.
Seven Categories of Errors and Frauds
1. Invalid transactions are recorded.
2. Valid transactions are omitted from the accounts.
3. Unauthorized transactions are executed and
recorded.
4. Transaction amounts are ___________.
5. Transactions are classified in the wrong accounts.
6. Transaction accounting and posting is incorrect.
7. Transactions are recorded in the _______ _______.
Answers: 4. inaccurate; 7. wrong period
Prevent or Detect
We can divide controls into 2 groups:
1. Preventive
2. Detective
Are these examples of controls that prevent or
detect?
1. Authorizations
2. Properly designed records
3. Segregation of incompatible duties
4. Security of assets and records
5. Periodic reconciliations
6. Periodic verifications
7. Analytical review
Answers: 1. Prevent; 2. Prevent; 3. Prevent; 4. Prevent; 5. Detect; 6. Detect; 7. Detect
Segregation of Duties
To have segregation of duties, these functional responsibilities are performed by different work units or different persons within the same unit:
1. Authorization to execute transactions.
2. Recording transactions.
3. ___________ of assets involved in the transactions.
4. Periodic reviews and reconciliation of existing assets to __________ amounts.
Answers: 3. Custody; 4. recorded
Segregation of Duties - Personnel and Payroll
1. Staff responsible for _______________, _____________, and
_____________ promotions should not be directly involved in
preparing payroll or personnel transactions or inputting data.
2. Managers should review and approve payroll deductions and
time sheets before data entry, but __________ _____ be
involved in entering payroll transactions.
3. Staff involved in payroll data entry should not have payroll
_____________ _____________. Staff who are part of the
payroll staff should not enter changes to their own data files.
4. Staff not involved in the payroll process should periodically
______________ all personnel salaries and wage rates.
5. Gross pay adjustment reports should be received and
reviewed by an individual _______________ of the payroll
function.
Answers: 1. hiring, terminating, approving; 2. should not; 3. payroll approval; 4. verify; 5. outside
Segregation of Duties - Expenditure Activities
1. Individuals responsible for _______ _______________
functions should be segregated from those responsible for
cash receipts.
2. Individuals responsible for data entry of encumbrances and
payment vouchers should not be responsible for __________
these documents, nor ______________ ________________.
3. A department should not delegate expenditure transaction
approval to ___________ ___________ personnel.
4. Individuals responsible for acknowledging the receipt of goods
or services should not also be responsible for purchasing or
__________________ _________________ activities.
Answers: 1. cash disbursement; 2. approving, batch release; 3. data entry; 4. accounts payable
Segregation of Duties - Revenue Activities
1. Individuals responsible for cash receipts functions should be
segregated from those responsible for ____ ____________.
2. Individuals who receive cash into the office should not be
involved in preparing ________ _____________.
3. Individuals who receive cash or make deposits should not
be involved in reconciling the bank accounts.
4. Individuals responsible for issuing agency billings should
not be involved in estimating, budgeting, collecting or
processing cash receipts and should not be directly
involved in maintaining accounts receivable.
5. Individuals responsible for maintaining accounts receivable
records should not be directly involved in the billing process
or _______ _______________.
Answers: 1. cash disbursement; 2. bank deposits; 5. cash receipting
Control over and physical security of assets
1. Secured facilities
2. Limited access to
Assets and important records
Documents and blank forms
Inventory of items held for sale
Information systems
Multilevel security
User identification
Regularly changed passwords
Limited access rooms
Firewalls, encryption
3. Periodic physical counts reconciled to
control records
Periodic Reconciliations
1. Periodic comparison of recorded
amounts with independent evidence
of existence and valuation.
Reconciliation of bank statements
Inventory counting
Confirmation of accounts receivable and
payable
2. Remember to _______ ________
when differences are found.
Answer: take action
Other Control Activities
1. Periodic performance comparisons
2. Authority
3. Documentation
Internal control system
Internal control assessments, risk analyses
All transactions
Significant events
4. Supervision: Managers should
Assign tasks
Review staff work
Approve work at critical points
Guide, train staff as necessary
Document supervision and review
How the process fits together
Accounts Payable Unit
Objective No. 1: Compliance with statewide bill paying
policies.
Risk No. 1: Accounts payable staff does not have required
knowledge, skills, and ability.
Control Activity No. 1: All accounts payable employees receive
training within 2 weeks of hire.
Control Activity No. 2: The accounts payable accounting
manager designates staff for cross-training.
Risk No. 2: Payments are made too late to take vendor
discounts.
Control Activity No. 1: All invoices are date-stamped upon
receipt in the financial services office.
Control Activity No. 2: Monthly reports are generated that
help identify and investigate reasons for late payments.
Practice True or False
1. The state auditor is often used as a
compensating control; they are happy to do
this.
2. When designing an internal control system,
segregation of duties is not considered in
every area.
3. Internal controls are not required in non-
Recovery Act areas.
4. Risk is likely to be increased when there are
audit findings in the prior audit.
Hint: See GAO question 16.
Answers: 1. False; 2. False; 3. False; 4. True
Information and Communication
The goal is _________ and relevant information
identified, captured, and exchanged
(communicated) in a timely manner to those who
need it.
Information and communication variables:
Multi-directional: up, down, across
Internal and external
Manual and computerized
Formal
Informal
Answer: accurate
Communication
Effective Internal Communication
Encourages employee involvement.
Is a means to report exceptions to the
appropriate higher level.
Is used to distribute new policies.
Open external communication
Engages stakeholders.
Provides input.
Increases transparency and accountability.
Internal Control Framework Components
Monitoring
What were the other ones?
Monitoring
Monitoring was not fully understood or used, so COSO developed the publication Guidance on Monitoring Internal Control Systems.
Determine:
What controls to monitor.
What monitoring procedures to employ.
How often to employ them.
Monitoring: an example of the concept
Assume:
A reconciliation control is deemed important to
financial reporting. (This is the control activity.)
The supervisor of the area performs an
appropriately detailed review of the reconciliation
each time it is prepared.
The supervisor's review accomplishes two things:
Tells him or her whether the control is working.
Encourages continued effective operation of the
control.
Monitoring: 2 Types
1. Ongoing
Built into operations
Some monitoring is automated
Focuses on deviations from norms
Provides continual feedback on
controls
Should lead to investigation
May lead to system changes
Monitoring: 2 Types
2. Separate
Evaluates effectiveness of ongoing
monitoring
Take an objective look from time to time
Scope of monitoring is based on significance of
risks
Uses an objective and competent
evaluator
Internal audit plays a vital role
Monitoring - Resolution of deficiencies
Are there more than two options?
1. ________ the control: its design or use.
2. ________________ the control if it is duplicative, not cost effective, etc.
______ ____________ in response to a deficiency.
Answers: 1. Correct; 2. Eliminate; Do something
Practice True or False
1. Risk assessments are important to control
activities and monitoring.
2. How duties are segregated depends, in
part, on risk appetite, nature of operations,
risk assessment, and day of the week.
3. OFM SWA Resource site materials are
binding.
4. OFM SWA Resource site materials should
normally be used as is.
5. Internal controls only apply to Recovery
Act areas.
Answers: 1. True; 2. False; 3. False; 4. False; 5. False
