March 2011 Created by: Margie Harvey & Dorraine Teitsch
Definition: Internal control is the integration of activities, plans, attitudes, policies and efforts of the people of an organization, working together to provide reasonable assurance that the organization will achieve its objectives and mission.
Who is responsible for internal control? Everyone! Everyone at CDTA has responsibility for ensuring the internal control system is effective.
Internal control has four objectives:
1. Reliable financial statements
2. Operational efficiency and effectiveness
3. Compliance with laws and regulations
4. Safeguarding resources from abuse, fraud and waste
Operating Controls: promote effectiveness, efficiency, and compliance.
Examples: policies, regulations, and procedures to enforce compliance with laws and CDTA goals.
Safeguarding Controls: designed to detect and prevent fraud, waste and abuse of resources.
Examples: payment documentation and approvals, separation of duties, physical inventory counts (comparing SPEAR data to the actual parts on the shelves).
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) produced the Internal Control – Integrated Framework, known as the COSO report. This report has directly influenced corporate governance, government accountability, and internal auditing. It set forth five interrelated components:
1. Control Environment
2. Risk Assessment
3. Information and Communication
4. Control Activities
5. Monitoring
The Control Environment is the attitude toward internal control established and maintained by management and employees. It is the foundation for all other components! It encompasses "tone at the top" and management's style, philosophy and supportive attitude. It influences all decisions and activities of an organization. Key factors are organizational structure and accountability.
The Control Environment sends the message that internal controls are an integral part of the organization and apply to everyone. It includes:
- Integrity and ethical values
- Operating style and attitude
- Organizational structure and methods of assigning responsibility and authority
- Competence and reliability of people
- Influence of external entities
Management's responsibilities regarding the control environment include:
- Practicing ethics and integrity
- Committing to excellence
- Fostering positive employee morale
- Having a supportive attitude
- Setting the tone
- Providing direction and vision
- Hiring and keeping competent staff
Risks are events that threaten the accomplishment of the organization's objectives and mission. Risks can be industry-specific or enterprise-wide, and they can be internal or external. Examples:
- Human error
- Failing to meet established goals
- Fraud
- System breakdowns
- Natural disasters
Risks vary and affect:
- Strategic efforts and corporate governance
- Operations
- Finance
- Reporting
- Compliance
They change over time. Not all risks are equal: some are more likely to occur than others, while some have a greater impact than others. It is important to identify both the probability of the event happening and its significance. Excessive trust and a lack of segregation of duties increase risk.
Fraud is a common risk that should not be ignored. By definition, fraud is an intentional misrepresentation of a material existing fact, made by one person to another with knowledge of its falsity and for the purpose of inducing the other person to act, upon which the other person relies with resulting injury or damage. It may also be committed by omission: a purposeful failure to state material facts where the nondisclosure makes other statements misleading. The misrepresentation must relate to an existing fact (not a promise) and must be made knowingly and intentionally (not by mistake)!
Poor internal controls create opportunity for fraud!
Risk Assessment is the second element of internal control. Risk Assessment is the identification and analysis of relevant risks in relation to the achievement of an organization’s objectives for the purpose of determining how best to manage those risks. It determines what can go wrong. The risk assessment process is an ongoing one as internal and external threats constantly develop or change.
The purpose is to assess the likelihood and impact of the risk:
Likelihood: the probability that an unfavorable event will occur.
Impact: a measure of the magnitude of the effect on CDTA if the unfavorable event were to occur.
Questions to keep in mind:
- What can go wrong?
- What obstacles could keep you from achieving your goal?
- What is the worst thing that could happen?
- What is the worst thing that has happened?
Strategic: risks that prevent CDTA from achieving its overall mission and vision.
Operational: risks that prevent a department or function from operating in the most effective and efficient manner, and that disrupt other operations.
Financial: risks that have a significant financial impact on CDTA.
Reporting: risks arising from failure to document and report data timely and accurately.
Compliance: risks that may expose CDTA to fines and penalties from a regulatory agency for non-compliance with laws and regulations.
Management needs to think continuously about:
- How to manage risk day-to-day
- How to prevent risk
- How to manage risk during change
Management needs to determine the level of risk that is acceptable or not acceptable, and then either accept the risk or establish control activities to prevent or mitigate it.
Management may accept the risk if it is not very significant. Management may choose to accept the risk if the cost associated with implementing control activities is greater than the cost of the event occurring, should it occur.
Sometimes management cannot accept the risk; then management must establish controls that prevent the risk from occurring, or at least reduce it to an acceptable level. Management must identify the most effective and efficient control activities for handling the risk by evaluating:
- The cause of the risk
- The cost of the control versus the cost of the event happening (cost-benefit analysis)
- The priority of the risk
As the third element of internal control, Control Activities are the tools used to reduce and prevent risks that can impede accomplishment of the organization's objectives and mission. They occur throughout CDTA at all levels and functions. They are important to both automated and manual systems. Examples:
- Authorized signatures required on checks
- Computer passwords
- Preventive maintenance schedules
- Policy and procedure manuals
- Segregation of duties
The cost of the control activities should not be greater than the cost of the potential loss! A cost benefit analysis is done where positive factors are identified, quantified and added and negative factors are identified, quantified and subtracted to determine the net result, which then determines whether the control is acceptable.
As the next element of internal control, Monitoring is the review of an organization's activities to assess performance and to determine the effectiveness of controls. It provides feedback to management and others by means of routine, ongoing managerial and supervisory activities, as well as through separate evaluations conducted by Internal Audit. Examples:
- Internal audits
- Bank reconciliations
- Driver Vehicle Inspection Reports (DVIRs)
- Preventive Maintenance Inspections (PMIs)
As the final element of internal control, Information and Communication is the exchange of information between and among people and organizations. It fulfills many needs, including:
- Conveying organizational goals, objectives, policies, procedures, performance targets, ethics, and expectations
- Conveying operational and financial information
- Coordinating activities
- Expressing the needs, goals, and accomplishments of employees
- Expressing the needs of CDTA's customers and the public as a whole
- Demonstrating accountability, performance and reliability both internally and externally
Paths of communication must exist throughout CDTA and must flow internally (upward, downward and across) as well as externally.
Communication is the exchange of useful information to support decisions and coordinate activities. Information systems allow for more effective communication in carrying out responsibilities. Both are essential to the organization, should be tailored to the user, and must provide information that is:
- Accurate
- Complete
- Timely
- Useful
Think about your own internal controls and the things you do:
- Lock your house and your vehicle
- Keep your checkbook in a safe place
- Set up a username and password for online banking
- Review your credit card statements before paying them
- Reconcile your bank statement
- Maintain a budget for household expenses
- Keep your ATM debit PIN separate from your card
- Have your children ask for permission before they do certain things
Internal controls at CDTA:
- CDTA offices are locked when not occupied
- Computer passwords are periodically changed
- Purchase card charges are checked against source documents
- Management reports are checked against source documents
- Actual cash received in Treasury is compared to GFI fare box reports
- Bank statements are reconciled
- Preventive maintenance is performed on buses and fare boxes
- Pre-trip inspections of buses are performed
- Certain permissions and authorizations must be requested
In order to succeed, we must:
- Manage our operations effectively and efficiently
- Provide reasonable assurance that we are meeting our goals and objectives
- Manage and mitigate risks
- Protect resources from fraud, waste and abuse
- Be accountable to employees, customers, stakeholders, vendors, and the public
- Adhere to the Internal Control Act
In 1987, the Legislature enacted the NYS Governmental Accountability, Audit and Internal Control Act, which highlighted the need for management to promote good internal controls and accountability in government. This law was later updated and renamed the Internal Control Act, effective January 1. The six areas of responsibility it mandates are:
1. Establish and maintain guidelines for a system of internal controls
2. Establish and maintain a system of internal controls and a program of internal control review
3. Make available to each officer and employee a clear and concise statement of the generally applicable management policies and standards with which the officer or employee is expected to comply
4. Designate an Internal Control Officer (ICO) who reports to the CEO and who implements and reviews internal control responsibilities; the identity of the ICO should be communicated to all employees
5. Implement education and training efforts so that officers and employees have adequate awareness and understanding
6. Periodically assess the need to establish, maintain or modify an internal audit function
The ICO has the responsibility for coordinating, maintaining and reviewing internal control activities for CDTA. The current ICO is Margie Harvey. The ICO position does not in any way diminish the responsibility of all managers to oversee internal controls in their operations. The ICO is responsible for managing the annual “Internal Control Review and Certification” process and does so in conjunction with the Internal Audit Assistant (IAA)
Internal Audit (IA) has the responsibility for evaluating the effectiveness of internal control through a review of systems and processes. Further, in order to identify potential audit areas, IA must review specific risk factors including operational deficiencies, internal control weaknesses, and liabilities to the organization. IA must establish an audit plan that focuses on the highest areas of risk to increase audit efficiency and effectiveness.
Managers are required to evaluate the internal controls for their department. This is done through a risk-vulnerability and internal-control self-assessment performed by management for their respective departments and functions. Each manager is required to certify that the information submitted is true and correct. The "Internal Control Review and Certification Process" occurs annually at CDTA in March and is coordinated by the ICO and the Internal Audit Assistant. Before 2011, CDTA was required to certify its internal controls to the NYS Division of Budget (DOB); with the advent of the Authority Budget Office, CDTA is no longer required to certify its internal controls to DOB. However, to comply with the Internal Control Act, CDTA is still required to review its internal controls at least annually.
To complete an Internal Control Self-Assessment Survey:
- Define key departmental functions and the risks associated with them
- Rate the likelihood and impact of each risk
- Determine whether effective internal controls are in place to carry out goals and objectives and to mitigate the risks
Directors and Department Heads are responsible for periodically assessing internal controls Self-assessment of each department’s internal controls and risks are key to carrying out departmental goals and objectives, as well as to adhering to CDTA’s fundamental mission
Step 1: Complete the Internal Control Self- Assessment Survey
Step 2: Define the key functions of your department and the risks associated with them. Classify each risk as strategic (executive management only), operational, financial, reporting or compliance. Step 3: Rate the likelihood that each risk will occur and its impact if it does.
Internal Controls Review: Function & Risk Assessment
Step 4: Determine whether you have internal controls in place to mitigate those risks and whether they are effective. If a control can be improved or changed, note the corrective action, either already implemented or to be implemented.
Internal Controls Review Form
Internal Control Officer (ICO):
- Reviews the forms for completeness
- Meets with managers as necessary
Internal Audit Assistant (IAA):
- Reviews forms for areas of risk and control
- Meets with managers as necessary
- Summarizes the risk data for senior management
- Reviews forms to formulate the annual Audit Plan
Case of the transmission purchase. Jill, a senior staff assistant, has a company procurement card. Her manager, Anna, is out of town on company business and will not be in the office for 3 weeks. On Wednesday, Jill's car wouldn't start. She desperately needed a transmission, which her mechanic replaced. When paying for the repairs to her vehicle, which totaled $2,898.93, she accidentally used the company procurement card. On Thursday, Jill received a notice from American Express confirming the purchase, at which point she realized her mistake. The statement arrived a week later and Jill, without disclosing her personal purchase, asked Jack, the department head, to approve the statement in Anna's absence. By the time Anna returned, Jill had been unable to save enough money to repay the company for the car repairs. Since Anna had not seen the statement and it had already been approved and processed for payment by Finance, Jill decided not to bring it up. She had been an exceptional employee for 15 years and had seen many of her co-workers receive bonuses. She decided it was her turn. This would be her bonus, she rationalized. She had earned it!
Take a moment to answer these questions before going to the next slide. What internal controls were side stepped by Jill? Did Jill commit fraud? Which internal control element does fraud come under?
Internal controls that could have mitigated fraud were sidestepped:
- Jill did not comply with procedure when she used the company procurement card for personal use. (This is a weakness in control activities.)
- Integrity and ethical values were set aside when Jill did not disclose her fraud. She knowingly omitted a material fact, that one of the purchases was for personal use, and rationalized that she deserved it, in addition to the pressure of being short of funds. (This is a high-risk area, in addition to a weakness in information and communication.)
- The department head failed to review the credit card statement and compare it to source documentation. If he had reviewed the original receipt, he should have seen Jill's signature. (This is a weakness in both the control environment and monitoring.)
While fraud is evaluated under the element of risk assessment, this case study showed weaknesses in every element of internal control.
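The control the case study turns on, comparing the procurement card statement against source documents and checking that the right person approved it, can be run as a routine check before Finance processes payment. The following Python is an added illustration, not code from the original presentation or from CDTA; the names, amounts, merchants and reporting lines are constructed for the example (Jill, Anna and Jack are taken from the case study; Tom is invented), and the three checks it applies (no self-approval, approver on the cardholder's approved list, a receipt on file with a stated business purpose) are the ones the presentation describes in prose.

```python
"""Purchase-card statement reconciliation as an internal control check.

Added example, not CDTA's own process. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class StatementLine:
    line_id: str
    cardholder: str
    posted: date
    merchant: str
    amount: Decimal
    approved_by: str


@dataclass(frozen=True)
class Receipt:
    """A source document on file for a card purchase."""
    cardholder: str
    receipt_date: date
    merchant: str
    amount: Decimal
    business_purpose: str  # empty string means no justification recorded


# Segregation of duties: who may approve each cardholder's statement.
# Hypothetical reporting lines: Anna is the manager, Jack the department
# head acting as her delegate.
APPROVERS = {
    "jill": {"anna", "jack"},
    "tom": {"anna", "jack"},
}


def find_receipt(line, receipts, window_days=3):
    """Match a statement line to a receipt: same card, same merchant,
    same amount, receipt dated within a few days of the posting date."""
    for r in receipts:
        if (r.cardholder == line.cardholder
                and r.merchant == line.merchant
                and r.amount == line.amount
                and abs((line.posted - r.receipt_date).days) <= window_days):
            return r
    return None


def check_line(line, receipts, approvers=APPROVERS):
    """Return the list of control exceptions for one statement line.
    An empty list means the line passed every check."""
    findings = []
    # Control 1: the cardholder must never approve their own charges.
    if line.approved_by == line.cardholder:
        findings.append("self-approval")
    # Control 2: the approver must be on the cardholder's approved list.
    elif line.approved_by not in approvers.get(line.cardholder, set()):
        findings.append(
            f"approver '{line.approved_by}' not authorized for {line.cardholder}")
    # Control 3: every charge needs a receipt that states a business purpose.
    receipt = find_receipt(line, receipts)
    if receipt is None:
        findings.append("no matching receipt on file")
    elif not receipt.business_purpose.strip():
        findings.append("receipt lacks business purpose")
    return findings


def reconcile(statement, receipts, approvers=APPROVERS):
    """Run every line through the checks. Returns {line_id: findings}
    for the lines that raised at least one exception."""
    exceptions = {}
    for line in statement:
        findings = check_line(line, receipts, approvers)
        if findings:
            exceptions[line.line_id] = findings
    return exceptions


# Constructed sample statement modelled on the case study.
STATEMENT = [
    StatementLine("L1", "jill", date(2011, 3, 2), "Office Depot",
                  Decimal("84.10"), "anna"),
    StatementLine("L2", "jill", date(2011, 3, 9), "Al's Transmission",
                  Decimal("2898.93"), "jack"),
    StatementLine("L3", "tom", date(2011, 3, 10), "Grainger",
                  Decimal("412.00"), "tom"),
    StatementLine("L4", "tom", date(2011, 3, 11), "Home Depot",
                  Decimal("59.99"), "anna"),
]

# Constructed receipts on file. The transmission receipt exists but has no
# business purpose; the Home Depot charge has no receipt at all.
RECEIPTS = [
    Receipt("jill", date(2011, 3, 1), "Office Depot", Decimal("84.10"),
            "toner for planning department"),
    Receipt("jill", date(2011, 3, 9), "Al's Transmission", Decimal("2898.93"), ""),
    Receipt("tom", date(2011, 3, 10), "Grainger", Decimal("412.00"),
            "replacement belts, bus 1502"),
]

if __name__ == "__main__":
    for line_id, findings in reconcile(STATEMENT, RECEIPTS).items():
        print(f"{line_id}: {'; '.join(findings)}")
```

Run as-is, the check clears line L1 and flags L2 (receipt without a business purpose, the transmission repair), L3 (Tom approved his own charge) and L4 (no receipt). Note that approval by Jack is accepted here because he is on the approved list; the control that catches the case-study fraud is the receipt review, not the approval signature, which matches the presentation's point that the department head's approval without reviewing the source document was the monitoring failure.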
Who is the Internal Control Officer?
a) Margie Harvey
b) Dorraine Teitsch
c) Carm Basile
Who has a role in Internal Control?
a) Management only
b) Operators and maintenance personnel only
c) Everyone
What are the five elements of Internal Control?
a) Integrity, Ethics, Fraud, Risk Assessment, Auditing
b) Control Environment, Risk Assessment, Control Activities, Monitoring, Information and Communication
c) Control Environment, Fraud, Control Activities, Monitoring, Information and Technology
What are risks?
a) Events that threaten CDTA's mission and objectives
b) Fraud
c) Human error
d) System breakdowns and natural disasters
e) All of the above
What is the importance of internal control and risk assessment?
a) To operate effectively and efficiently
b) To provide reasonable assurance that CDTA is meeting its goals and objectives
c) To manage and mitigate risks
d) To protect resources from fraud, waste and abuse
e) All of the above
Answers: a, c, b, e, e
You're on a roll with Internal Control and Risk Assessment!