
Basics of Internal Control

OFM Accounting Division Kim Thompson, CPA


kim.thompson@ofm.wa.gov (360) 725-0224

Resources Web Site


http://www.ofm.wa.gov/resources/default.asp

SAAM Web Site


http://www.ofm.wa.gov/policy/default.asp

Training July and August 2009

Objective:
1. To give an overview of SAAM Chapter 20 Internal Control
2. With a focus on risk and control

11. Please describe what training and communication activities, if any, are being conducted with financial management and program staff to help ensure that they understand what is expected of them regarding RA funds and program management. If not covered in response, probe for top management communications concerning support for a positive control environment.

18. What general and specific internal control activities are in place to provide reasonable assurance of compliance with the requirements of the RA? What, if any, additional internal controls or accountability requirements have been put in place or are planned for RA funds? What internal control monitoring processes are viewed as critical to successful management of RA funds?
Intro & Basics


Internal Control Definition

A process effected by those charged with governance, management and other personnel designed to provide reasonable assurance that the following objectives are being achieved:
a) effectiveness and efficiency of operations,
b) reliability of financial reporting, and
c) compliance with applicable laws and procedures.

Source: United States Office of Management and Budget (Circular No. A-133)

17. How will recipients be held accountable for use of RA funds?


Washington State has requirements for internal control

1. Statute - RCW 43.88.160 (4)
2. SAAM Ch. 20 Internal Control
   a) Internal control officer (SAAM 20.15.30.b)
   b) Annual assurance
   c) Financial Disclosure Certification (SAAM 90.40.95.a). In part: "We are responsible for establishing and maintaining effective internal control over financial reporting. Our agency's system of internal controls complies with the prescribed requirements as contained in Chapter 20 of SAAM."
   d) Federal Assistance Certification (SAAM 95.20.90)

Practice: True or False

1. Chapter 20 does not require an agency-wide annual risk assessment. (True)
2. Because state agencies are similar, a single method and plan of internal controls is universally applicable, except for higher ed. (False)
3. The Recovery Act requires stronger internal controls. (False)
4. Objectives are determined before risks. (True)
5. It is okay to have the same person involved in recording asset transactions and maintaining custody of those assets. (False)

Fraud and Internal Control

Fraud triangle: the three elements that together produce FRAUD are
1. Incentive
2. Opportunity
3. Attitude

Poor internal control can create opportunity. It can promote rather than just permit fraud.

The Objectives of Internal Control are Interrelated

1. Operations
2. Safeguard Assets
3. Financial Reporting
4. Compliance

Internal Control

Multiple stakeholders care about internal control.


Principles: Internal control

1. Is a process
2. Is achieved by people
3. Gives reasonable assurance
4. Benefits the agency *
5. Is tailored to the environment
6. Is built in
7. Must be cost-effective

* Agency refers to the entity being considered: program, division, local government, etc.

Limitations:
1. Human Judgment
2. Control Breakdowns
3. Management Override
4. Collusion
5. Cost vs. Benefits
6. Lack of Resources

Internal Control Framework Components

1. Monitoring
2. Information and Communication
3. Control Activities
4. Risk Assessment
5. Control Environment

Framework

Key Concept
1. To identify the correct control, you must know what risks are present.
2. To know what risks are present, you need to understand what objectives are being sought.
3. Therefore: Objectives -> Risks -> Controls

Internal control components fit together. Control environment is the operating context.

Diagram elements:
1. Set objectives
2. Risk Assessment
3. Control Activities
4. Control Environment
5. Monitoring
6. Information and Communication

Control Environment:
1. Sets the tone of an agency
2. Influences the effectiveness of internal controls
3. Is intangible and pervasive
4. Is the foundation for all other components
5. Provides discipline and structure
6. Encompasses technical competence and ethical commitment

Control Environment Core Factors

1. Management's
   a) Attitude about internal control
   b) Integrity and ethical values
   c) Commitment to competence
   d) Human resource policies and practices
   e) Philosophy and operating style
   f) Assignment of responsibility and authority
   g) Design of the organizational structure
2. Direction and attention of governing body

**** Practice ****

Enterprise Risk Management (ERM)

1. Broader conceptual framework.
2. Applied to whole entity & individual units.
3. A process designed to
   a) Identify potential events that may affect the entity
   b) Keep risk within the entity's risk appetite
   c) Provide reasonable assurance regarding the achievement of the entity's objectives.
4. ERM encompasses internal control.
5. This does not change what we just learned about internal control.

Diagram: ERM, with Internal Control inside it.

What is a Risk Assessment? It is:

1. Judgmental
2. Ongoing
3. Considers
   a) Internal Risks
   b) External Risks

14. Please describe what risk-based approaches or assessments, if any, are being done or planned in relation to implementation of the RA requirements. What new or pre-existing risks, if any, have been identified that could impact implementation of and compliance with RA requirements with regard to accountability, effective internal controls, and reliable reporting? What is being done to manage/mitigate these risks?

15. Please describe what assessments, if any, of risks at recipients have been or will be done relating to recipients' capacity to account for and use funds for their intended purposes and in compliance with the program and the RA.

Steps in the Risk Assessment Component

Prior to: Set goals and objectives.
1. Identify events. **** These are risks. ****
2. Analyze and prioritize risks.
3. Decide how to respond to risks.
After: Implement the response by controlling, monitoring, reviewing, refining, and repeating the process.

Step 1: To identify events (risk), ask:

1. What practices are being questioned by auditors and other oversight agencies?
2. What information is critical to the agency's operations and how vulnerable is it?
3. What activities are regulated by the federal government?
4. Which areas are the most susceptible to fraud?
5. Are assets (cash, inventory, fixed assets) adequately protected?
6. What circumstances might endanger future funding of agency programs?

Step 1: When identifying risk, consider these factors:

1. Periods of change.
2. Inherent risk: the risk to an entity in the absence of any actions management might take to alter the risk's likelihood or impact.

Step 2: Analyze identified risks

1. How important is this risk?
2. How likely is it that this risk will occur (likelihood)?
3. How large is the dollar amount involved (impact)?
4. To what extent does the risk potential of one activity affect other activities?
5. Are existing controls (policies and procedures) sufficient to manage this risk?
6. To what degree are secondary controls in place?

Step 2: Prioritize identified risks

Likelihood = the possibility that a given event will occur.
Impact = the result or effect of an event.

Score from the matrix:
3 = High Risk: Mitigate or reduce the risks.
2 = Medium Risk: Manage the risks.
1 = Low Risk: Accept the risks.

                     Low Impact   Medium Impact   High Impact
High Likelihood          2              3              3
Medium Likelihood        1              2              3
Low Likelihood           1              1              2

Step 3: Decide on a risk response

1. Identify possible responses
   a) Avoid
   b) Accept and monitor
   c) Transfer (Share)
   d) Reduce the likelihood
   e) Reduce the impact
2. Evaluate the risk responses
   a) Consider likelihood and impact
   b) Consider costs and benefits
3. Select a response
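The Step 2 matrix and the Step 3 responses, carried through as an added example (not code from the deck or from OFM): it scores a constructed risk register with the deck's 3x3 matrix, ranks it, and re-scores each risk after its chosen response. Treating "reduce the likelihood" and "reduce the impact" as moving that dimension down one level is a modelling assumption of this example, as are the register entries.

```python
# Added example, not from the OFM deck: the deck's 3x3 likelihood/impact matrix
# applied to a constructed risk register, then re-scored after a Step 3 response.

LEVELS = ["low", "medium", "high"]

# Rows are likelihood, columns are impact, exactly as on the Step 2 slide.
MATRIX = {
    "high":   {"low": 2, "medium": 3, "high": 3},
    "medium": {"low": 1, "medium": 2, "high": 3},
    "low":    {"low": 1, "medium": 1, "high": 2},
}

# The deck's label and response for each score.
LABEL = {3: "High Risk: mitigate or reduce", 2: "Medium Risk: manage", 1: "Low Risk: accept"}


def score(likelihood, impact):
    """Inherent score for one risk; rejects levels that are not on the matrix."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r}/{impact!r}")
    return MATRIX[likelihood][impact]


def step_down(level):
    """Move a level one notch down (low stays low)."""
    return LEVELS[max(0, LEVELS.index(level) - 1)]


def apply_response(likelihood, impact, response):
    """Modelling assumption: 'reduce the likelihood' / 'reduce the impact' move
    that dimension down one level. Avoid, accept and transfer leave the score
    unchanged here; they change who bears the risk or whether it is watched."""
    if response == "reduce_likelihood":
        likelihood = step_down(likelihood)
    elif response == "reduce_impact":
        impact = step_down(impact)
    return likelihood, impact


def prioritize(register):
    """Score each risk, compute the residual score after its chosen response,
    and return rows ordered highest inherent risk first (ties broken by name)."""
    rows = []
    for r in register:
        inherent = score(r["likelihood"], r["impact"])
        lik, imp = apply_response(r["likelihood"], r["impact"], r["response"])
        rows.append({"name": r["name"], "inherent": inherent,
                     "residual": score(lik, imp), "action": LABEL[inherent]})
    return sorted(rows, key=lambda row: (-row["inherent"], row["name"]))


# Constructed register, loosely following the deck's accounts payable example.
SAMPLE_REGISTER = [
    {"name": "late payment loses vendor discount", "likelihood": "high",
     "impact": "medium", "response": "reduce_likelihood"},  # date-stamp invoices
    {"name": "AP staff lack required skills", "likelihood": "medium",
     "impact": "high", "response": "reduce_likelihood"},  # training on hire
    {"name": "petty cash count variance", "likelihood": "low",
     "impact": "low", "response": "accept"},
]
```

Calling prioritize(SAMPLE_REGISTER) returns the two score-3 risks first, each dropping to a residual score of 2 after its response, with the accepted low risk last.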

Document Risk Assessments

1. Use risk questionnaires, memorandums or notes to document a risk assessment.
2. Document objectives and assumed risks.
3. Summarize assessment assumptions and results. Estimate the significance of each identified risk. Note any needed action or inaction for each risk.

Practice: True or False

1. The subject of internal control may not apply to you because management is responsible for internal control. (False)
2. The best controls can overcome a bad environment. (False)
3. The best internal controls guarantee that fraud will be prevented or detected. (False)
4. Internal controls only apply to Recovery Act areas. (False)

Control Activities
1. Policies, procedures, techniques, and mechanisms that help ensure risk responses are carried out.
2. Help reduce the likelihood or impact of risks.
3. Occur throughout the organization, at all levels and in all functions.
4. Address risks identified as part of the risk assessment.
5. Include approvals, authorizations, verifications, reconciliations, security measures, segregation of duties, procedure/policy manuals and many others.

The relationship between risk and control activities

Risk = Control
The greater the risk, the greater the control needed.

Seven Categories of Errors and Frauds

1. Invalid transactions are recorded.
2. Valid transactions are omitted from the accounts.
3. Unauthorized transactions are executed and recorded.
4. Transaction amounts are inaccurate.
5. Transactions are classified in the wrong accounts.
6. Transaction accounting and posting is incorrect.
7. Transactions are recorded in the wrong period.

Prevent or Detect

We can divide controls into 2 groups:
1. Preventive
2. Detective

Are these examples of controls that prevent or detect?
1. Authorizations (Prevent)
2. Properly designed records (Prevent)
3. Segregation of incompatible duties (Prevent)
4. Security of assets and records (Prevent)
5. Periodic reconciliations (Detect)
6. Periodic verifications (Detect)
7. Analytical review (Detect)

Segregation of Duties

To have segregation of duties, these functional responsibilities are performed by different work units or different persons within the same unit:
1. Authorization to execute transactions.
2. Recording transactions.
3. Custody of assets involved in the transactions.
4. Periodic reviews and reconciliation of existing assets to recorded amounts.

Segregation of Duties - Personnel and Payroll

1. Staff responsible for hiring, terminating, and approving promotions should not be directly involved in preparing payroll or personnel transactions or inputting data.
2. Managers should review and approve payroll deductions and time sheets before data entry, but should not be involved in entering payroll transactions.
3. Staff involved in payroll data entry should not have payroll approval. Staff who are part of the payroll staff should not enter changes to their own data files.
4. Staff not involved in the payroll process should periodically verify all personnel salaries and wage rates.
5. Gross pay adjustment reports should be received and reviewed by an individual outside of the payroll function.

Segregation of Duties - Expenditure Activities

1. Individuals responsible for cash disbursement functions should be segregated from those responsible for cash receipts.
2. Individuals responsible for data entry of encumbrances and payment vouchers should not be responsible for approving these documents, nor for batch release.
3. A department should not delegate expenditure transaction approval to data entry personnel.
4. Individuals responsible for acknowledging the receipt of goods or services should not also be responsible for purchasing or accounts payable activities.

Segregation of Duties - Revenue Activities

1. Individuals responsible for cash receipts functions should be segregated from those responsible for cash disbursement.
2. Individuals who receive cash into the office should not be involved in preparing bank deposits.
3. Individuals who receive cash or make deposits should not be involved in reconciling the bank accounts.
4. Individuals responsible for issuing agency billings should not be involved in estimating, budgeting, collecting or processing cash receipts and should not be directly involved in maintaining accounts receivable.
5. Individuals responsible for maintaining accounts receivable records should not be directly involved in the billing process or cash receipting.
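The general four-function rule and the expenditure and revenue pairings above, as an added check over a role assignment (example code, not from the deck or OFM). The duty names, the sample office and the rule that an independent reviewer may compensate for a conflict a small unit cannot segregate are assumptions of this example.

```python
# Added example, not from the OFM deck: a segregation-of-duties check over a
# constructed role assignment. It encodes the deck's general rule (authorize,
# record, custody and reconcile sit with different people) plus the specific
# pairings on the expenditure and revenue slides.
from itertools import combinations

# The four functional responsibilities the deck says must be segregated.
CORE = {"authorize", "record", "custody", "reconcile"}

# Specific incompatible pairs from the expenditure and revenue slides.
INCOMPATIBLE = {
    frozenset({"cash_receipts", "cash_disbursement"}),
    frozenset({"cash_receipts", "prepare_bank_deposit"}),
    frozenset({"cash_receipts", "reconcile_bank"}),
    frozenset({"prepare_bank_deposit", "reconcile_bank"}),
    frozenset({"billing", "accounts_receivable"}),
    frozenset({"receive_goods", "purchasing"}),
    frozenset({"receive_goods", "accounts_payable"}),
    frozenset({"voucher_entry", "voucher_approval"}),
}


def find_conflicts(assignments):
    """assignments: {person: iterable of duty names}.
    Returns {person: [finding, ...]} listing only people with conflicts."""
    conflicts = {}
    for person, duties in assignments.items():
        duties = set(duties)
        findings = []
        core = sorted(CORE & duties)
        if len(core) > 1:
            findings.append("holds more than one core function: " + ", ".join(core))
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                findings.append(f"incompatible pair: {a} + {b}")
        if findings:
            conflicts[person] = findings
    return conflicts


def still_open(conflicts, reviews):
    """Assumption of this example: a small unit that cannot segregate may
    compensate with an independent review. reviews: {person: reviewer}.
    Returns the conflicts not covered by a reviewer who is a different person
    and has no conflict of their own."""
    return {p: f for p, f in conflicts.items()
            if reviews.get(p) in (None, p) or reviews[p] in conflicts}


# Constructed assignments for a small fiscal office.
SAMPLE = {
    "alice": ["authorize", "billing"],
    "bob": ["record", "custody"],  # keeps the books and holds the asset
    "carol": ["cash_receipts", "prepare_bank_deposit", "reconcile_bank"],
    "dave": ["reconcile", "purchasing"],
}
SAMPLE_REVIEWS = {"bob": "dave"}  # dave independently reviews bob's postings
```

find_conflicts(SAMPLE) flags bob (record plus custody) and carol (three receipt/deposit/reconciliation pairs); still_open(find_conflicts(SAMPLE), SAMPLE_REVIEWS) leaves only carol, because bob's conflict has an independent reviewer.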

Control over and physical security of assets

1. Secured facilities
2. Limited access to
   a) Assets and important records
   b) Documents and blank forms
   c) Inventory of items held for sale
   d) Information systems: multilevel security, user identification, regularly changed passwords, limited access rooms, firewalls, encryption
3. Periodic physical counts reconciled to control records

Periodic Reconciliations
1. Periodic comparison of recorded amounts with independent evidence of existence and valuation.
   a) Reconciliation of bank statements
   b) Inventory counting
   c) Confirmation of accounts receivable and payable
2. Remember to take action when differences are found.

Other Control Activities

1. Periodic performance comparisons
2. Authority
3. Documentation of
   a) Internal control system
   b) Internal control assessments, risk analyses
   c) All transactions
   d) Significant events
4. Supervision. Managers should
   a) Assign tasks
   b) Review staff work
   c) Approve work at critical points
   d) Guide, train staff as necessary
   e) Document supervision and review

How the process fits together

Accounts Payable Unit

Objective No. 1: Compliance with statewide bill paying policies.

Risk No. 1: Accounts payable staff does not have required knowledge, skills, and ability.
   Control Activity No. 1: All accounts payable employees receive training within 2 weeks of hire.
   Control Activity No. 2: The accounts payable accounting manager designates staff for cross-training.

Risk No. 2: Payments are made too late to take vendor discounts.
   Control Activity No. 1: All invoices are date-stamped upon receipt in the financial services office.
   Control Activity No. 2: Monthly reports are generated that help identify and investigate reasons for late payments.

Practice: True or False

1. The state auditor is often used as a compensating control; they are happy to do this. (False)
2. When designing an internal control system, segregation of duties is not considered in every area. (False)
3. Internal controls are not required in non-Recovery Act areas. (False)
4. Risk is likely to be increased when there are audit findings in the prior audit. (True) Hint: See GAO question 16.

Information and Communication

The goal is accurate and relevant information identified, captured, and exchanged (communicated) in a timely manner to those who need it.

Information and communication variables:
1. Multi-directional: up, down, across
2. Internal and external
3. Manual and computerized
4. Formal and informal

Communication

Effective internal communication
1. Encourages employee involvement.
2. Is a means to report exceptions to the appropriate higher level.
3. Is used to distribute new policies.

Open external communication
1. Engages stakeholders.
2. Provides input.
3. Increases transparency and accountability.

Internal Control Framework Components

Monitoring. What were the other ones?

Monitoring

Monitoring was not fully understood or used, so COSO developed the publication Guidance on Monitoring Internal Control Systems. Determine:
1. What controls to monitor.
2. What monitoring procedures to employ.
3. How often to employ them.

Monitoring: an example of the concept

Assume:
1. A reconciliation control is deemed important to financial reporting. (This is the control activity.)
2. The supervisor of the area performs an appropriately detailed review of the reconciliation each time it is prepared.

The supervisor's review accomplishes two things:
1. Tells him or her whether the control is working.
2. Encourages continued effective operation of the control.

Monitoring: 2 Types

1. Ongoing
   a) Built into operations
      - Some monitoring is automated
      - Focuses on deviations from norms
   b) Provides continual feedback on controls
      - Should lead to investigation
      - May lead to system changes

Monitoring: 2 Types (continued)

2. Separate
   a) Evaluates effectiveness of ongoing monitoring
      - Take an objective look from time to time
      - Scope of monitoring is based on significance of risks
   b) Uses an objective and competent evaluator
   c) Internal audit plays a vital role

Monitoring - Resolution of deficiencies

Are there more than two options?
1. Correct the control: its design or use.
2. Eliminate the control if it is duplicative, not cost effective, etc.
3. Do something ______ ____________ in response to a deficiency.

Practice: True or False

1. Risk assessments are important to control activities and monitoring. (True)
2. How duties are segregated depends, in part, on risk appetite, nature of operations, risk assessment, and day of the week. (False)
3. OFM SWA Resource site materials are binding. (False)
4. OFM SWA Resource site materials should normally be used as is. (False)
5. Internal controls only apply to Recovery Act areas. (False)