2
CONTROL OBJECTIVES
• Effective and efficient operations in achieving organizational goals
• Reliable financial reporting
• Compliance with applicable laws and regulations
• Protection of assets
3
COSO
• Internal Control is a process
• Its effectiveness depends upon the state of that process at one or more POINTS IN TIME
• Thus, it is an ongoing process that consists of 5 interrelated components
4
COSO’s FIVE COMPONENTS
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
5
CONTROL ENVIRONMENT
• Does Management set the proper “TONE AT THE TOP”?
• Are there Code of Conduct and Conflict of Interest policies?
• Does the Board of Directors include members independent of management?
• Is there an effective Compliance Program in place?
6
RISK ASSESSMENT
• The identification and analysis of risks in achieving objectives, and how to manage those risks.
• Are the objectives clear?
• Have both internal and external risks been identified?
• Are entity goals communicated?
7
CONTROL ACTIVITIES
• Policies and procedures to implement management’s directives.
• Adequate separation of duties.
• Proper safeguarding of computer system hardware & software.
8
INFORMATION & COMMUNICATION
• Timely capturing & communicating of meaningful data needed to effectively carry out the entity’s objectives, policies and procedures.
• A formalized way to report improprieties and protect those that make such reports.
• Communication to vendors concerning the entity’s policies on ethics and gifts.
• Management follow-up on information received from various sources.
9
MONITORING
• The internal and external processes of evaluating and assessing Internal Controls.
• Accumulating evidence that controls are functioning.
• Responsiveness to recommendations for improvements.
10
WHAT CAN CONTROLS DO?
• Can help an entity achieve its objectives and prevent loss of assets.
• Can help ensure reliable financial reporting.
• Can help ensure compliance with laws and regulations and the entity’s policies and procedures.
• Can help an entity avoid damage to its reputation.
11
WHAT CAN CONTROLS NOT DO?
Can only assist in the proper management of an organization—BUT CANNOT:
• Prevent management overriding controls
• Prevent faulty decisions or collusion
• Ensure organizational success or even its continued existence
Internal Controls can provide only reasonable assurances—no absolutes!
12
IN SHORT
• Internal Control is everyone’s responsibility
• But ultimately, Management must take ownership of the Internal Control process
13
THE QUESTION:
HOW DO YOU RELATE ALL THAT INFORMATION TO A DEPARTMENT DIRECTOR
WHO HAS A LOT TO DO AND IS NOT BUSINESS ORIENTED?
15
Purpose
• Ensure Good Financial Management
• Safeguard Assets
• Ensure Compliance with Requirements
16
In Short, Internal Controls
are intended to provide reasonable assurance that what you want to happen does indeed happen.
17
Good Internal Control also means that you are able to
PREVENT PROBLEMS
before they occur or
DETECT PROBLEMS
soon after they occur.
19
FUNDS DIVERTED TO A PRIVATE BANK ACCOUNT BECAUSE:
• NO RECONCILIATION OF TICKET SALES TO REVENUE COLLECTED
• ONE PERSON WAS ALLOWED COMPLETE CONTROL OVER TICKET SALES, DEPOSITS, AND ACCOUNTING WITHOUT ADEQUATE OVERSIGHT
20
LOSS OF FUNDS BECAUSE:
• MONEY TAKEN BEFORE EVER RECORDED IN DEPARTMENT’S ACCOUNTING SYSTEM
• ONE PERSON HAD COMPLETE CONTROL OF COLLECTIONS AND ACCOUNTING PROCESS WITHOUT OVERSIGHT
21
REVENUE NEVER DEPOSITED BECAUSE:
• NO RECONCILIATION OF REVENUE PER RECEIPT BOOKS TO FUNDS ACTUALLY DEPOSITED
• ONE PERSON ALLOWED COMPLETE CONTROL WITH NO OVERSIGHT
23
But I Trust my Employees
• Good Internal Control has nothing to do with not trusting people.
• The purpose of good administrative practices is to ensure that what you want to happen does indeed happen.
• A nice side benefit is that good controls are also the best defense against intentional misconduct.
25
Major Elements of INTERNAL CONTROL
• ATTITUDE AND INVOLVEMENT
• DOCUMENTATION
• TRAINING
• SECURITY
• SEPARATION OF DUTIES
26
MANAGEMENT ATTITUDE & INVOLVEMENT
• REQUIRE and SUPPORT POLICIES and PROCEDURES
• AUTHORIZE TRANSACTIONS
• REVIEW ACTIVITY
• REVIEW FINANCIAL REPORTS
27
DOCUMENTATION
• JOB DESCRIPTIONS
• DEPARTMENT POLICIES AND PROCEDURES (WORKFLOW)
• PRENUMBERED RECEIPTS
28
DOCUMENTATION
• TRANSFER OF FUNDS
• PROPER EXPENDITURE AUTHORIZATIONS
• FINANCIAL RECORDS & REPORTS
30
SECURITY
• SECURE CASH AND CHECKS
• DEPOSIT FREQUENTLY
• NO LOCAL BANK ACCOUNTS (WITHOUT APPROVAL)
32
SECURITY
• FIX CASH RESPONSIBILITY TO ONE PERSON AT A TIME
• ACCOUNT FOR and SECURE PROPERTY
• SECURE COMPUTER NETWORKS.
33
Separation of Duties
Don’t Allow Any One Person Complete Control Over a Process or
Activity Without Management Review or Oversight
34
THE BASICS FOR DEPT DIRECTORS
• Authorize the expenditure of department funds (purchases and employment).
• Check report of salaries paid on a periodic basis.
• Review monthly financial reports.
35
Risk Categories per COSO
• Strategic - relates to high level goals of org.
• Operations - relates to effective and efficient use of resources.
• Reporting - relates to reliability of reports
• Compliance - relates to applicable laws, etc.
36
ERM
• ERM is Enterprise-wide Risk Management.
• Involves the systematic identification and prioritizing of all the risks that an organization faces in day-to-day operations.
• Best done by operating personnel using facilitators and tools to capture the information.
• Develop methods, including good internal controls, to address risks.
37
Dennis Moss
University Director, Internal Audit
University of Kansas
Phone: 864-3975
Email: [email protected]