You are on page 1of 28

INTERNAL CONTROLS 101

Office of the Provincial
Controller Division

Lets start the day with a quick
refresh
 Today we have some great speakers who are internal control
experts to provide presentations and answer your questions on
Internal Controls
 Lets get the day started with some general concepts and
terminology to remind ourselves of the basics we already know
and use everyday.
 As public sector managers and employees we are accountable for
the resources entrusted to us and for ensuring our programs and
services are administered effectively and efficiently.
 A significant component in fulfilling this responsibility is ensuring
that an adequate system of internal control exists and work

Office of the Provincial
Controller Division

2

effected by an entity’s board of directors. and other personnel.The COSO* Definition of Internal Control  Internal control is a process. designed to provide reasonable assurance regarding the achievement of objectives in the following categories:    Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations * Committee Of Sponsoring Organizations of the Treadway Commission Office of the Provincial Controller Division 3 . management.

Simple Definition  Internal control is what we do to see that the things we want to happen will happen …  And the things we don’t want to happen won’t happen. Office of the Provincial Controller Division 4 .

Internal Controls Are Common Sense  What do you worry about going wrong?  What steps have been taken to assure it doesn’t?  How do you know things are under control? Office of the Provincial Controller Division 5 .

Internal Controls are everywhere: You exercise internal control principles in your personal life when you: Lock your house when you leave Keep copies of important papers in your safety deposit box Balance your checkbook Keep your ATM/debit card PIN number separate from your card Make travel plans Office of the Provincial Controller Division 6 .

 Reporting – integrity and reliability of reporting.Objectives of Internal Controls  Strategic – high-level goals and objectives. aligned with and supporting the mission. Office of the Provincial Controller Division 7 .  Operational – effective and efficient use of resources.  Compliance – compliance with applicable laws and regulations.  Stewardship – protection and conservation of assets.

 Safeguarding of assets.  Accomplishment of the entity’s mission (objectives and goals).Business analysis. program design or … think C.R.  Relevant and reliable financial reporting.  Compliance with applicable laws and regulations.  Effective and efficient operations.  Can anyone think of anything in the Public Service that is not impacted by internal controls? Office of the Provincial Controller Division 8 .E.A.S.

applied in strategy setting and across the enterprise. management and other personnel. designed to identify potential events that may affect the entity. effected by an entity’s board of directors. to provide reasonable assurance regarding the achievement of entity objectives.The big picture  Internal controls are a key component to Enterprise Risk Management (ERM) “a process. and manage risk to be within its risk appetite. FTAA etc.”  The Provincial government has embraced a risk based approach through all aspects of it’s operations Results based plans Transfer Payment Accountability Directive Quarterly risk reporting Certificate of Assurance and Audit Accountability and Transparency (Accountability Directive FAA.) Office of the Provincial Controller Division 9 .

inadequate or misleading information. Office of the Provincial Controller Division 10 .Weak Internal Controls Increase Risk Through…  Business Interruption . customers.  Erroneous Management Decisions .based on erroneous. Misuse or Destruction of Assets -unintentional loss of physical assets such as cash. vendors.system breakdowns or catastrophes.  Excessive Costs/Deficient Revenues .  Loss.  Fraud. as well as overt violations. and equipment.  Statutory Sanctions.penalties arising from failure to comply with regulatory requirements. excessive re-work to correct for errors. as well as loss of revenues to which the organization is entitled. Embezzlement and Theft -by management. or the public-at-large. employees.expenses which could have been avoided. inventory.

When looking at controls More is not necessarily better  Controls that do not work together leaving holes  Cost of duplicated or inefficient controls.But too much of a good thing….  Controls that do not align with the importance of the risks Complex and poorly implemented controls  Not understood or followed  Inconsistently applied  Control effectiveness can degrade over time No value for money  Controls cost money  Duplication of ineffective controls do not provide benefits Office of the Provincial Controller Division 11 .

COSO’S Internal Control Framework… Five Inter-Related Standards: Monitoring Risk Assessment Control Environment Information & Communication Control Activities Office of the Provincial Controller Division 12 .

Examples of soft controls:  Management philosophy  Organizational structure  Communication  Competency of employees Office of the Provincial Controller Division 13 . Control Environment     Foundation for all other standards of internal control. Effective organizations set a positive “tone at the top”. Factors include the integrity. and. management’s philosophy & operating style. ethical values and competence of employees.1. Pervasive influence on all the decisions and activities of an organization.

To establish procedures for the disclosure and investigation of wrongdoing in the public service of Ontario and to protect public servants who disclose wrongdoing from reprisals. professional.To provide a framework in law for the leadership and management of the public service of Ontario.To set out rights and duties of public servants concerning ethical conduct.To ensure that the public service of Ontario is effective in serving the public. 2. the government and the Legislature. ethical and competent. 4. 6. Office of the Provincial Controller Division 14 . 7.To ensure that the public service of Ontario is non-partisan. 3.Public Service of Ontario Act (PSOA) The following are the purposes of this Act: 1.To set out roles and responsibilities in the administration of the public service of Ontario. 5.To set out rights and duties of public servants concerning political activity.

evaluating. natural disasters. and deciding how to manage these events… What is the likelihood of the event occurring? What would be the impact if it were to occur? What can we do to prevent or reduce the risk? Have any of you been through a risk assessment with Internal Audit or an outside party? Office of the Provincial Controller Division 15 . etc.) that threaten the accomplishment of objectives. new systems.2. Risk Assessment   Risks are internal & external events (economic conditions. staffing changes. regulatory changes. Risk assessment is the process of identifying.

Occur throughout the organization. security of assets. and in all functions.3. Types of Controls   Preventative Detective Office of the Provincial Controller Division 16 . Help prevent or reduce the risks that can impede the accomplishment of objectives. approvals. authorizations. processes -designed and implemented to help ensure that management directives are carried out. at all levels. procedures. reviews of operating performance. reconciliations.policies. and segregation of duties. Includes training. Control Activities      Tools . verifications.

Effective information and communication systems enable the organization’s people to exchange the information needed to conduct. identified and communicated on a timely basis. Office of the Provincial Controller Division 17 . Communication and Information   Pertinent information must be captured.4. and control its operations. manage.

or obsolete?  Monitoring occurs in the course of everyday operations. it includes regular management & supervisory activities and other actions personnel take in performing their duties.5. Monitoring Internal control systems must be monitored to assess their effectiveness… Are they operating as intended?  Ongoing monitoring is necessary to react dynamically to changing conditions…Have controls become outdated. internal audit and external audit.  Office of the Provincial Controller Division 18 . redundant.  Periodic testing can be done by the process owner.

Ensuring priority issues are identified and addressed. less testing. and fewer demands on staff.Benefits from Strong Internal Controls      Reducing and preventing errors in a costeffective manner. resulting in shorter timelines. Protecting employees & resources. Providing appropriate checks and balances. Having more efficient audits. Office of the Provincial Controller Division 19 .

 Are cost-effective.  Benefit rather than encumber management. Office of the Provincial Controller Division 20 .Effective Internal Controls…  Make sense within each organization’s unique operating environment.  Are not stand-alone practices. they are woven into day-to-day responsibilities.

 Internal control can be expected to only provide reasonable assurance.Important Concepts…  Internal control is a process.  Internal control is effected by people.  it is a means to an end. not absolute assurance. not an end itself. Office of the Provincial Controller Division 21 . it’s not merely policy manuals and forms but people at every level of an organization.

Five Key Internal Control Activities… Office of the Provincial Controller Division 22 .

Separation of Duties   Divide responsibilities between different employees so one individual doesn’t control all aspects of a transaction. Office of the Provincial Controller Division 23 .1. Reduce the opportunity for an employee to commit and conceal errors (intentional or unintentional) or perpetrate fraud.

2..  Transactions…enables a transaction to be traced from its inception to completion. Documentation Document & preserve evidence to substantiate:  Critical decisions and significant events.  Policies & Procedures…documents which set forth the fundamental principles and methods that employees rely on to do their jobs. commitment.typically involving the use. Office of the Provincial Controller Division 24 .. or transfer of resources.

based on the level of risk to the organization. Ensure that transactions are approved and executed only by employees acting within the scope of their authority granted by management. Authorization & Approvals  Management documents and communicates which activities require approval. and by whom.  DOA  Office of the Provincial Controller Division 25 .3.

cash. etc. Perform periodic physical inventories to verify existence. the likelihood of loss. and utilization. condition. confidential information. and the potential impact should a loss occur. quantities. Office of the Provincial Controller Division 26 . Base the level of security on the vulnerability of items being secured. Security of Assets    Secure and restrict access to equipment. location. to reduce the risk of loss or unauthorized use. inventory.4.

information.5. Ensure frequency is adequate enough to detect and act upon questionable activities in a timely manner. risk. Timing of reconciliations and monitoring Office of the Provincial Controller Division 27 . and compliance. and overall importance to organization’s objectives. completeness. appropriateness. Reconciliation & Review    Examine transactions. Base level of review on materiality. and events to verify accuracy.

when ever you are providing analysis or developing policies or implementing programs  Beware of the pitfalls – more is not always better. tomorrow and the next day  Think about C.E.R.S. Office of the Provincial Controller Division 28 .Today.A. controls must be maintainable  Think about the things that worry you in your job and try to think of how internal controls could help elevate your worry.