2 Internal Controls Fraud Separation of duties SOA Reconciliation What do you think of when someone mentions Internal Controls?FraudSeparation of dutiesSOA ReconciliationUniversity AuditsP-CardsArticle on front page of Ann Arbor News
3 Internal Control Definition Internal Control is a process designed to provide reasonable assurance regarding the achievement of objectives in thefollowing three categories:Examples:Underutilized State-of-the-ArtLecture HallA21 RequirementsStatement of ActivityEffectiveness and Efficiency of Operations Processes are doing what they are intended to do (i.e., achieving their objectives), and doing so in an efficient manner - - i.e., making good use of available resources.Compliance with Laws and Regulations Actions are consistent with all applicable laws and regulations.Reliability of Financial Reporting Accuracy and reliability of Financial Statements.
4 Internal Control Framework Central Financial ProcessesReviewed annually by external auditors- Reviewed periodically by internal auditUnit Financial FunctionsHighly decentralized process with individual control processesRelies heavily on institutional knowledge and often undocumented processesOversight may rely on faculty and other non-financial leadershipOptimized Control EnvironmentOngoing integrated process to connect central process owners with Units
5 Internal Controls Myths and Facts Internal control starts with a strong set of policies and procedures.Internal control: That’s why we have internal auditors!Internal control is a finance thing.Internal controls are essentially negative, like a list of “thou-shalt-nots.”Internal controls take time away from our core activities of research, instruction, and patient care.FACTS:Internal control starts with a strong control environment.While internal auditors play a key role in the system of control, management is the primary owner of internal control.Internal control is integral to every aspect of business.Internal control makes the right things happen the first time.Internal controls should be built “into,” not “onto” business processes.Source: Institute of Internal Auditors, 2003
6 Risk and Internal Controls What are risks?A risk is anything that could jeopardize:Achieving our goalsOperating effectively and efficientlyProtecting the university’s assets from lossProviding reliable financial dataComplying with applicable laws, policies, and procedures
7 Risk and Internal Controls Questions to ask yourself:What can go wrong?How could someone steal from us?What policies are we most affected by?What types of transactions in our area provide the greatest risk?How can someone bypass the internal controls?What potential risk areas could cause adverse publicity?
8 Risk and Internal Controls Assess risksWhat is likelihood of occurrence?What is potential impact?Likelihood ofOccurrenceImpact
9 Risk and Internal Controls What could go wrong in your unit?Fire breaks out in research labKey local system/application goes downKey employee calls in sickMedia becomes aware of P-Card fraudSafety or security incident with faculty/student/staff member overseasCash missing from departmental fundsFaculty hires family member inappropriately
10 Key Risk Areas Federal Compliance – All types Information Technology–Security, privacy, accessInternational Operations – Currency, disasterDisaster Planning/Recovery – Flu, Virginia TechStudent/Faculty/Employment Safety – Stress, counseling, other workplace violenceFacilities and Construction Management – Managing / monitoring building constructionSelected key industry risks from discussions with top University Presidents, other senior management, Regents, and Trustees (PwC Co-Sponsored Conference on Enterprise-Wide Risk and Other Discussions)
11 Types of Internal Controls Controls can be either automated or manualAutomated Controls – Incorporated into application logic / algorithmsExample: System automatically searches for a matching PO before paying an invoiceManual Controls – Performed by individuals outside of the system or applicationExample: Supervisor’s signature on P-Card statement
12 Types of Internal Controls Controls can be either preventive or detectivePreventive Controls – Built into the process or system to avoid or minimize risk. Helps make processes more efficient and can reduce cost of corrective actions.Example: Access Controls - - Only individuals with approved M1 access can perform transactions in MPathwaysDetective Controls – Provides a process assessment to identify potential issues for further reviewExample: Unit reconciles Gross Pay Register to ensure all transactions are correctExample: Payroll reviews any invalid shortcode charges
13 Types of Internal Controls While Automated Controls are generally more effective, Preventive Controls are typically more efficientAutomatedDetectiveAutomatedPREVENTIVELevel ofReliability(Effective)ManualDetectiveManualPREVENTIVELevel of Economic Value (Efficient)
14 Types of Internal Controls Controls - particularly related to information processing - support the following objectives or assertions:CompletenessAll transactions are processed (once and only once)AccuracyAll transactions are processed correctlyAll transactions are authorized or approved by appropriate personValidityRestrictivenessAccess to certain functions is restricted to appropriate persons
15 CAVR and Your Checkbook When you reconcile your checkbook every month, you are going through the CAVR steps:CompletenessDid the bank process all the checks that I wrote this month?AccuracyDid the bank process all the checks correctly - - the right amount?Were all the checks processed by the bank written by me?ValidityRestrictivenessDid someone else have access to my checkbook?
16 CAVR and the Gross Pay Register CompletenessAll employees that should be in a unit, are in the unitAccuracyThe pay for a new hire starting in the middle of a month is correctValidityAdditional pay was approved by appropriate personRestrictivenessPerson processing changes in pay is not reconciling GPR
17 Types of Internal Controls AutomatedControlsManualControlsPreventiveDetectivePreventiveDetectiveCompletenessAccuracyValidityRestrictiveness
18 University Audit Common Control Issues Cash HandlingImprest / petty cash management and reconciliationCredit card processing / protecting sensitive informationCash depositing – timely depositsPurchasingP-Cards – Review of statements and expenses, authorization, personal expendituresPurchases over $5,000Payroll / TimekeepingReturning signed timesheetsProper timesheet approvalReview /Approval of ExpensesTravel and hosting – business purposeProper review and approval by higher levelStatement of Activity review / managerial or departmental review of expenses
19 The Five Components of a Strong Internal Control Framework MonitoringAssessment of a control system’s performance over time.Combination of ongoing and separate evaluation.Management and supervisory activities.Internal audit activities.Control ActivitiesPolicies/procedures that ensure management directives are carried out.Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.Information and CommunicationPertinent information identified, captured and communicated in a timely manner.Access to internal and externally generated information.Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.Control EnvironmentSets tone of organization-influencing control consciousness of its people.Factors include integrity, ethical values, competence, authority, responsibility.Foundation for all other components of control.Risk AssessmentRisk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives-forming the basis for determining control activities.All five components must be in place for internal control to be effective.
20 Internal Control Framework ComponentGeneral DescriptionExamples of UM ActivityControlSets tone of organizationStandard Practice GuidesEnvironmentStatement on StewardshipFinance, Audit and Investment CommitteeRiskIdentification and analysisInternal Audit Risk AssessmentAssessmentof relevant risksRisk Management, Compliance OfficesPolicies and procedures thatP-Card Approvals, SOA reconciliations, separation ofActivitiesgovern day-to-day activityduties, written procedures, access controlsInformation andFlow of timely, accessible andBRM Academy, Foundations of Supervision, metricCommunicationpertinent informationreporting, management reviews, websites, annualperformance reviewsMonitoringAssessment of controlsInternal Audit, annual gap analysis, M-Reports,Oversight reports
21 What is Fraud? Fraud - Typically requires 3 key elements: Did something bad/wrong - - misrepresentation of factsDone intentionallyResulted in unauthorized personal gain
22 Who Commits Fraud? Those having: Pressure - Usually caused by financial need or desire for lavish lifestyleAbility to rationalize – Make excuses and do not think of crime as stealingOpportunity – Typically arises from weak controls or too much independence/ control given to someone
23 Who Commits Fraud? Sometimes the best personnel; Per the ACFE study:Majority of perpetrators werelong-serving, middle-aged, male executives and managersPositive correlation exists between size of loss and perpetrator’s authority level, tenure, education level, age, and male genderSource: ACFE Report to Nation on Occupational Fraud & Abuse - study of 1134 fraud cases
24 How Does Fraud Occur?Billing – Employee submits invoice for payment to bogus vendor or for personal expensesNon-cash – Employee steals office supplies, stamps, business services, identity of students/staff, etc.Expense reimbursement – Employee files expense report claiming personal travel, nonexistent meals, etc.Skimming – Employee accepts payment from customer but does not recordPayroll – Employee takes unreported annual/sick leave, claims overtime for hours not worked, adds ghost employee to payrollSource: ACFE Report to Nation on Occupational Fraud & Abuse - study of 1134 fraud cases
25 How is Fraud Detected?The sum of percentages in this chart exceeds 100% because in some cases respondents identified more than one detection method.Source: ACFE Report to Nation on Occupational Fraud & Abuse - study of 959 fraud cases25
26 University of Michigan Compliance Hotline A website and dedicated phone number available to all faculty and staff as an additional avenue to report potential concerns in three specific areas:Financial ManagementRegulatory AdherencePatient SafetyDoes not replace existing reporting mechanisms in the Health System or on campusManaged by a third-party vendor; allows 24-hour availability and callers may remain anonymous
27 Internal Controls and Efficiency It’s not always about fraud:Controls help prevent/detect human errorSystem input errorsAutomation can eliminate risk and increase efficiencyDirect time entry eliminating hardcopy timesheetsRedundant or unnecessary stepsReconciling GPR to SOA
28 Key Resource Contacts Subject Contact Email Phone Internal Control Brent HaaseRelated Lynda LyallP-Card Carolynn BlankenshipJournal Entry Jarrod Van KirkCash HandlingCash/Checks James GormanCredit Cards Matt DeseckEmployment Academic / Staff HR Representative