5Which of the following is not a true statement? Putting controls in place will always cost more moneyControls help to ensure compliance with policiesControls will help the organization achieve its missionControls will help protect the organization's assets
6The most important component of internal controls is:
7The most important component of internal controls is: Segregation of dutiesFollowing policiesThe integrity, ethical values, and competence of an organization’s employeesTheft prevention
8Who has the primary responsibility for internal controls in your school/department/college?
9Who has the primary responsibility for internal controls in your school/department/college? The school/department/college dean or directorThe school/department/college Business ManagerThe Internal Audit departmentAccounting Services
11Segregating duties is important because: An employee should not be put in a position where they are able to “steal and conceal”Having too many duties overburdens an employeeRequired by Purdue policy in processing payrollThe auditors may write you up if you don’t do itAll of the above
12Which of the following is not an example of internal controls?
13Which of the following is not an example of internal controls? Maintain adequate recordsCombine recordkeeping and custody of assetsApply technological controlsMake deposits daily or per policy
14Which of the following is true regarding internal controls?
15Which of the following is true regarding internal controls? Are only needed to keep dishonest people from stealingAre not needed in a small office where everyone knows each otherAre not needed if the staff is honestAre always necessary regardless of the staff involvedAre only required in situations when the Business Manager is located away from the office
17Which is not an example of internal controls? Approval of documents by the Business Manager (or delegate)Training in various systems: SRM, Banner, SAP,BEXProtecting office and lab equipment in secured areasCreating and communicating to staff policies and operating proceduresRequiring one person to handle all payroll to minimize exposure to confidential information
18The Business Manager of the School of DeArts wants to make sure the controls that were implemented are still effective. The Business Manager should:
19The Business Manager of the School of DeArts wants to make sure the controls that were implemented are still effective. The Business Manager should:Ask all of the other school Business Managers if they have had any money stolenChange the locks on the doorsSpot-check transactions, records, and reconciliations to ensure they meet expectationsAsk for an Internal Audit of the school’s internal controlsAll of the above
20The Business Manager for the School of BigBucks is trying to decide the best way to receive and process the money from conference attendance. Which of the following ideas would have adequate controls?
21The Business Manager for the School of BigBucks is trying to decide the best way to receive and process the money from conference attendance. Which of the following ideas would have adequate controls?Have money delivered/mailed to the department, create CRV, and walk deposit to the BursarHave funds sent directly to PRF and put in one of the departments accounts, to be used at departments discretion in the futureBill through the PSCD system – funds are sent to a lockbox that automatically records the receipt in the GLHave funds sent directly to Business Manager for deposit in outside bank account.
22The Business Manager for the School of LearningStuff is trying to decide the best way to process payroll for their ten non-exempt (hourly) lab techs who work for the school’s only researcher. Which of the following ideas would have adequate controls?
23The Business Manager for the School of LearningStuff is trying to decide the best way to process payroll for their ten non-exempt (hourly) lab techs who work for the school’s only researcher. Which of the following ideas would have adequate controls?Each employee would fill out their time card, compute total regular and overtime hours, then give it to the school secretary for input into the system.Each employee would fill out their time card, then give it to the school secretary who would calculate hours and input it into the system.The school secretary would keep track of lab tech hours, compute total hours and input them into the system.All of the above contain adequate controls.None of the above contain adequate controls.
24One critical element in the internal controls of any department, school, or college is:
25One critical element in the internal controls of any department, school, or college is: Background checks for all employeesLevel of education of staffIntegrity and ethics of the chair, dean, or directorThe number of policies and procedures
26No matter how well designed and executed, internal controls can fail because:
27No matter how well designed and executed, internal controls can fail because: Employees can make mistakes or exercise poor judgmentThere can be collusion – where two or more individuals work together to stealManagement may override established policies or proceduresAll of the above
28What a great job it is to be the Business Manager for Bugs-n-Bees Studies! You are reviewing the receipts agreeing to the monthly procurement card statements. You notice that one of your researchers, who has a P-card, has been ordering stuff from itbeatsworking.com on a regular basis, about $500 per month. The receipts for these purchases look unusual. What do you do?
29What a great job it is to be the Business Manager for Bugs-n-Bees Studies! You are reviewing the receipts agreeing to the monthly procurement card statements. You notice that one of your researchers, who has a P-card, has been ordering stuff from itbeatsworking.com on a regular basis, about $500 per month. The receipts for these purchases look unusual. What do you do?Immediately disapprove it and call the copsCommunicate with the account manager, PI, and discuss the purchases and support being providedApprove itCall Accounts PayableCall Internal Audit
30You have accepted a position whose duties include the role of Business Manager for several departments in your school. One of your first decisions is to delegate your signature authority and the review of the payroll reports for fiscal transactions to a fiscal approver for one of the departments. Of the list of potential candidates, who should you not chose to be a fiscal approver?
31You have accepted a position whose duties include the role of Business Manager for several departments in your school. One of your first decisions is to delegate your signature authority and the review of the payroll voucher reports for fiscal transactions to a fiscal approver for one of the departments. Of the list of potential candidates, who should you not chose to be a fiscal approver?The account manager for the departmentAdministrative support staff who have no payroll processing dutiesAdministrative support staff who are payroll processorsAdministrative support staff who have no payroll processing duties but who are outside of the departmentYou would not choose: a, c, or d from above
33Why have Internal Controls? Promote operational efficiency and effectivenessProvide reliable financial informationSafeguard assets and recordsEncourage adherence to prescribed policiesComply with regulatory agencies
34Basic Concepts of Internal Controls Management, not auditors, must establish and maintain the entity’s controlsInternal controls structure should provide reasonable assurance that financial reports are correctly statedNo system can be regarded as completely effectiveShould be applied to manual and computerized systems
35Detailed Internal Control Objectives Recorded transactions are validTransactions are properly authorizedExisting transactions are recordedTransactions are properly valuedTransactions are properly classified
36Detailed Internal Control Objectives Transactions are recorded at the proper timeTransactions are properly included in subsidiary records and are correctly summarizedEnsure compliance with policySafeguard Assets
37What are Control Activities? Control activities are the policies and procedures that help ensure that actions identified as necessary to manage risks are carried out properly and in a timely manner.Policies should be implemented thoughtfully, conscientiously, and consistentlyMechanical procedures are not useful without focus on policies
38Control Activities Include: ApprovalsAuthorizationsVerificationsReconciliationsReviews of PerformanceSecurity of AssetsSegregation of DutiesControls over Information Systems
39Approval, Authorization, & Verification Management authorizes activities and transactions within limited parameters.Management specifies when prior supervisory approval is needed.A supervisor’s approval implies that he/she verified conformance with policies and procedures.
40Reconciliations Relate different sets of data to one another. Identify and investigate differences.Take corrective action when necessary.
41Reviews of Performance Management compares information about current performance.To budgetsPrior periods, competitorsOther benchmarksMeasures against achievement of goals and objectives.Identify unexpected results or conditions which requirefollow-up.
42Security of AssetsAccess to assets such as equipment, inventories, and cash is restricted.Periodically assets are counted and compared to control records.
43Segregations of Duties Duties are segregated to reduce the risk of error or inappropriate action.Normally the responsibilities of the following should be separated:Initiating, approving, & recording transactionsHandling the related assetsReconciling balancesReviewing reportsOne person cannot steal and conceal.
44Controls over Information Systems General controls include data center, system software acquisition & maintenance, security access, and system development & maintenance.General controls support the functioning of application controls.Application controls are programmed steps designed to control application processing.
45Risk Assessment: Creating the Right Balance and Understanding the Limitations of Internal Controls
46Risk Assessment is a process to Identify significant risksAssess risksWhat is the likelihood of occurrence?What is the potential impact?Manage these risks through:AvoidanceAcceptance and Sharing (Insurance)Mitigate with Controls
47What are risks?A risk is anything that could jeopardize the achievement of your organization’s objective.Achieve our goalsOperate effectively and efficientlyProtect the university’s assets from lossProvide reliable financial dataComply with applicable laws, policies, and procedures
48Risks Questions to ask yourself: What can go wrong? How could someone steal from us?What policies are we most affected by?What types of transactions in our area provide the greatest risk?How can someone bypass the internal controls?What potential risk areas could cause adverse publicity?
49Limitations on Internal Controls Employees can make mistakes or exercise poor judgmentThere can be collusion – where two or more individuals work together to stealManagement may inappropriately override established policies or procedures
52To: Faculty, Staff, and Students Fr: A. V. Diaz OFFICE OF THE EXECUTIVE VICE PRESIDENT FOR BUSINESS AND FINANCE, TREASURERTo: Faculty, Staff, and StudentsFr: A. V. DiazExecutive Vice President for Business and Finance, TreasurerRe: Fraud Reporting ProgramBest practices provide for a fraud reporting program as an important part of a healthy business environment. Purdue University has inplace controls to provide reasonable assurance that fraudulent, illegal, or dishonest activity on the part of University employees, officers, orbusiness contacts is prevented or detected, but the potential for inappropriate transactions and behavior still exists within the University, asit does in any organization. therefore, consistent with best business practices, Purdue University has implemented a fraud reportingprogram to ensure that the University provides a mechanism for reporting improper or inappropriate acts.This is an important program, and I encourage you to use it when appropriate and to communicate the existence of this program to yourColleagues in the University community. Please help us make the program a success by using it for its intended purpose, reportingsuspected improper or illegal acts affecting Purdue University that you have witnessed or of which you might have knowledge. Personalcomplaints regarding harassment or issues other than fraud should be filed according to existing University policies.The Internal Audit Office is responsible for the administration of the Purdue University fraud reporting program. For additional informationon the program, please visit A Disclosure Form for Anonymous Reporting is available at the Web site. If you havespecific questions about the program, please contact Peggy Fish, Director of Audits, at (765) orTo anonymously report suspected fraud or other wrongdoings, call (765) , toll-free (866) , or mail information to PurdueUniversity, Internal Audit Office, Freehafer Hall of Administrative Services, 401 S. Grant Street, West Lafayette, INThank you for your assistance and commitment to this effort.c: President France A. CórdovaHovde Hall, Room 230 • 610 Purdue Mall • West Lafayette, IN Phone (765) • Fax (765)
53Reportable Activities Include TheftEmbezzlementImproper reporting of timeQuestionable paymentsMisuse or questionable use of cash/p-cardsDiversion of or lack of timely deposit of revenuesCredit card fraudInappropriate communication of confidential informationAny other illegal or questionable acts
54Fraud Reporting Program Not Intended for: Monitoring personnel issues:address through departmental management or Human ResourcesDirect to the Office of the Vice President for Ethics andCompliance or to the Office of Institutional Equity Issues related to:affirmative actionequal accessequal employmenteducational opportunity
55Mechanisms to Report Suspicious Acts Fraud Reporting Hotline a) is anonymousb) has no caller IDc) has no call back optionAnonymous Forma) available through Internal Audit’s homepageCall Internal Audit Direct
57New Business Manager 2 employees Payroll Clerk, 20 yrs. exp., does own payroll/HR processing, does all follow-up review, knows new system, everyone is happy with her, wants to be left alone, schedules vacation around payroll, will call you when she needs youAccounting Clerk, 18 months exp. at PU, prior exp., no training except invoice vouchers, does work by category once a month (Cash receipts, funds transfers, billings, Budget Adjustments, Error Corrections.) Purchasing done as needed. Works well with giving academic administrators what they need.BA has senior role with Dean, does not look at monthly statements since staff is so competent and has delegated all signature authority without further review.
58Procurement CardsOne clerk for procurement card transactions – extensive use of the card occurs. People love its ease.Only has one card so not does need a check-out process.Distribution document is quickly reviewed and approved. Does account allocation but never changes object code.Users have 90 days to turn in receipts – meets requirement to turn in reconciliation within 90 days.Validates amount of receipt matches the reconciliation.Missing receipts are not pursued – she finds that the BM accepts certain explanations for missing receipts and she always uses these standard reasons.The clerk is newly graduated from high school and is up-to-date on desktop computer skills. Saves the department from having to train her. They are very happy.
59Travel PI has federal grant that requires a lot of travel. Car travel primarily to 3 locations.PI is account manager and has chosen who the delegate will be – a clerk reporting to them.Business Manager delegated signature authority, but delegate insists on signing Bus Managers name – BM agreed to this.PI/delegate make travel arrangements and process all transactions.Delegate knows of instance where PI was in town during “travel”BM just found out exception to policy routinely filed – no receipts for travel since PI stays with colleagues.Cuts down on grants travel costs – everyone is happy.It bothers BM, but you are reviewing monthly statements and feel as good as you can about it..
60Asset Control Inventory of capital assets is hard to make a priority. New capitalization limit is wonderful, assets went from 500 to 150.Inventories have never really been completed in past.Lot of movement in departmental equipment – a lot of take home.Student hourly is performing inventory with scanning equipment.125 of 150 items found – BM is very happy with this # but is being asked to resolve the remaining 25,Not really BM problem since she is new since last inventory 2 years ago.Will be hard to resolve since equipment taken home is not recorded and equipment has been disposed of.Property Accounting is requiring police reports on unresolved items.
61Receipting of Revenue½ day workshop developed for 300 people, at $50 per person.Chair has decided to deposit the revenue in a restricted fund to maintain control.Documentation for registration states that fee is a donation – although the donation is required for registration.Department secretary is in charge of process and will receive and process all registrations and payments.Chair is not interested in details, only wants final list.Cash and checks coming via mail and hand delivered.Registration information is entered into a database and registration forms are then destroyed because of lack of storage space.Receipts are not being issued because mailed-in registrations would be too much trouble and expense.Secretary accumulated all receipts before processing CRV.Business Manager found out about this when transaction showed up on the monthly operating statements.
62Internal Controls Thank you for your time and participation If questions please contact Ken Wilson at or or Deb Martin