Objective:
1. To give an overview of SAAM Chapter 20 Internal control
11. Please describe what training and communication activities, if any, are being conducted with financial management and program staff to help ensure that they understand what is expected of them regarding RA funds and program management. If not covered in response, probe for top management communications concerning support for positive control environment.

18. What general and specific internal control activities are in place to provide reasonable assurance of compliance with the requirements of the RA? What, if any, additional internal controls or accountability requirements have been put in place or are planned for RA funds? What internal control monitoring processes are viewed as critical to successful management of RA funds?
Intro & Basics
True False
3. 4. 5.
Fraud triangle
FRAUD
Opportunity
Attitude
Internal Control
Is a process
Is achieved by people
Gives reasonable assurance
Benefits the agency *
Is tailored to the environment
Is built in
Must be cost-effective
* Agency refers to the entity being considered (program, division, local government, etc.).
July and August 2009
Limitations:
1. Human Judgment
2. Control Breakdowns
3. Management Override
4. Collusion
5. Cost vs. Benefits
6. Lack of Resources
Framework
Key Concept
1. To identify the correct control, you must know what risks are present.
2. To know what risks are present, you need to understand what objectives are being sought.
3. Therefore,
Objectives
Risks
Controls
Internal control components fit together. Control environment is the operating context.
Set objectives
Risk Assessment
Control Activities
Control Environment
Monitoring
Control Environment:
1. Sets the tone of an agency
2. Influences the effectiveness of internal controls
3. Is intangible and pervasive
4. Is the foundation for all other components
5. Provides discipline and structure
6. Encompasses technical competence and ethical commitment
Management's
a) Attitude about internal control
b) Integrity and ethical values
c) Commitment to competence
d) Human resource policies and practices
e) Philosophy and operating style
f) Assignment of responsibility and authority
g) Design of the organizational structure
ERM
Internal Control
1. Broader conceptual framework.
2. Applied to whole entity & individual units.
3. A process designed to:
Identify potential events that may affect the entity
Keep risk within the entity's risk appetite
Provide reasonable assurance regarding the achievement of the entity's objectives.
4. ERM encompasses internal control.
5. This does not change what we just learned about internal control.
14. Please describe what risk-based approaches or assessments, if any, are being done or planned in relation to implementation of the RA requirements. What new or pre-existing risks, if any, have been identified that could impact implementation of and compliance with RA requirements with regard to accountability, effective internal controls, and reliable reporting? What is being done to manage/mitigate these risks?

15. Please describe what assessments, if any, of risks at recipients have been or will be done relating to recipients' capacity to account for and use funds for their intended purposes and in compliance with the program and the RA.
Periods of change.
Inherent risk: the risk to an entity in the absence of any actions management might take to alter the risk's likelihood or impact.
1. How important is this risk?
2. How likely is it that this risk will occur (likelihood)?
3. How large is the dollar amount involved (impact)?
4. To what extent does the risk potential of one activity affect other activities?
5. Are existing controls (policies and procedures) sufficient to manage this risk?
6. To what degree are secondary controls in place?
                     Low Impact   Medium Impact   High Impact
High Likelihood          2              3              3
Medium Likelihood        1              2              3
Low Likelihood           1              1              2
3. Select a response
Avoid
Accept and monitor
Transfer (Share)
Reduce the likelihood
Reduce the impact
Use risk questionnaires, memorandums or notes to document a risk assessment.
Document objectives and assumed risks.
Summarize assessment assumptions and results.
Estimate the significance of each identified risk.
Note any needed action or inaction for each risk.
1. The subject of internal control may not apply to you because management is responsible for internal control.
2. The best controls can overcome a bad environment.
3. The best internal controls guarantee that fraud will be prevented or detected.
4. Internal controls only apply to Recovery Act areas.
Control Activities
1. Policies, procedures, techniques, and mechanisms that help ensure risk responses are carried out.
2. Help reduce the likelihood or impact of risks.
3. Occur throughout the organization, at all levels and in all functions.
4. Address risks identified as part of the risk assessment.
5. Include approvals, authorizations, verifications, reconciliations, security measures, segregation of duties, procedure/policy manuals and many others.
Risk = Control
The greater the risk, the greater the control needed.
1. Invalid transactions are recorded.
2. Valid transactions are omitted from the accounts.
3. Unauthorized transactions are executed and recorded.
4. Transaction amounts are inaccurate.
5. Transactions are classified in the wrong accounts.
6. Transaction accounting and posting is incorrect.
7. Transactions are recorded in the wrong period.
Prevent or Detect
1. Authorizations
2. Properly designed records
3. Segregation of incompatible duties
4. Security of assets and records
5. Periodic reconciliations
6. Periodic verifications
7. Analytical review
Segregation of Duties
To have segregation of duties, these functional responsibilities are performed by different work units or different persons within the same unit:
1. 2. 3. 4.
Staff responsible for hiring, terminating, and approving promotions should not be directly involved in preparing payroll or personnel transactions or inputting data.
Managers should review and approve payroll deductions and time sheets before data entry, but should not be involved in entering payroll transactions.
Staff involved in payroll data entry should not have payroll payroll approval _____________ _____________.
Staff who are part of the payroll staff should not enter changes to their own data files.
Staff not involved in the payroll process should periodically verify all personnel salaries and wage rates.
Gross pay adjustment reports should be received and reviewed by an individual outside of the payroll function.
1. Individuals responsible for cash disbursement functions should be segregated from those responsible for cash receipts.
2. Individuals responsible for data entry of encumbrances and payment vouchers should not be responsible for approving these documents, nor batch release.
3. A department should not delegate expenditure transaction approval to data entry personnel.
4. Individuals responsible for acknowledging the receipt of goods or services should not also be responsible for purchasing or accounts payable activities.
1. Individuals responsible for cash receipts functions should be segregated from those responsible for cash disbursement.
2. Individuals who receive cash into the office should not be involved in preparing bank deposits.
3. Individuals who receive cash or make deposits should not be involved in reconciling the bank accounts.
4. Individuals responsible for issuing agency billings should not be involved in estimating, budgeting, collecting or processing cash receipts and should not be directly involved in maintaining accounts receivable.
5. Individuals responsible for maintaining accounts receivable records should not be directly involved in the cash receipting or billing process.
Periodic Reconciliations
1. Periodic comparison of recorded amounts with independent evidence of existence and valuation.
Reconciliation of bank statements
Inventory counting
Confirmation of accounts receivable and payable
Risk No. 2: Payments are made too late to take vendor discounts.
Control Activity No. 1: All invoices are date-stamped upon receipt in the financial services office.
Control Activity No. 2: Monthly reports are generated that help identify and investigate reasons for late payments.
1. False
2. False
3. False
4. True
The goal is accurate and relevant information identified, captured, and exchanged (communicated) in a timely manner to those who need it.
Information and communication variables:
Multi-directional: up, down, across
Internal and external
Manual and computerized
Formal
Informal
Communication
Encourages employee involvement.
Is a means to report exceptions to the appropriate higher level.
Is used to distribute new policies.
Monitoring
Monitoring was not fully understood or used, so COSO developed the publication Guidance on Monitoring Internal Control Systems.
Determine:
What controls to monitor.
What monitoring procedures to employ.
How often to employ them.
Monitoring: 2 Types
1. Ongoing
Monitoring: 2 Types
2. Separate
Take an objective look from time to time
Scope of monitoring is based on significance of risks
Correct the control: its design or use.
Eliminate the control if it is duplicative, not cost effective, etc.
True False
1. Risk assessments are important to control activities and monitoring.
2. How duties are segregated depends, in part, on risk appetite, nature of operations, risk assessment, and day of the week.
3. OFM SWA Resource site materials are binding.
4. OFM SWA Resource site materials should normally be used as is.
5. Internal controls only apply to Recovery Act areas.