Presentation on theme: "Internal Controls, Risks and You"— Presentation transcript:
1 Internal Controls, Risks and You March 2011Created by: Margie Harvey & Dorraine Teitsch
2 What is Internal Control? Definition – It is the integration of activities, plans, attitudes, policies and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its objectives and mission.
4 Who has a role in Internal Control? Everyone!Everyone at CDTA has responsibility for ensuring the internal control system is effective.
5 Internal Control Objectives There are four:Reliable financial statementsOperational efficiency and effectivenessCompliance with laws and regulationsSafeguarding resources from abuse, fraud and waste
6 Two Broad Control Types Operating Controls: Promote effectiveness, efficiency, and complianceExamples: Policies, regulations, and procedures to enforce compliance with laws and CDTA goalsSafeguarding Controls: Designed to detect and prevent fraud, waste and abuse of resourcesExamples: Payment documentation and approvals, separation of duties, physical inventory counts – comparing SPEAR data to actual parts on shelves
7 Five Elements of Internal Control The Committee of Sponsoring Organizations (COSO) produced the Internal Control – Integrated Framework, known as the COSO report.This report has directly influenced corporate governance, government accountability, and internal auditing.It set forth 5 interrelated components:Control EnvironmentRisk AssessmentCommunication and Information SystemsControl ActivitiesMonitoring
9 Control EnvironmentIt is the attitude toward internal control established and maintained by management and employees.It is the foundation for all other components!It encompasses “tone at the top” and management’s style, philosophy and supportive attitude.It influences all decisions and activities of an organization.Key factors are organizational structure and accountability
10 Control Environment Objectives The Control Environment sends the message that internal controls are an integral part of the organization and apply to everyoneIt includes:Integrity and ethical valuesOperating style and attitudeOrganizational structure and methods of assigning responsibility and authorityCompetence and reliability of peopleInfluence of external entities
11 Management’s Responsibilities Management’s Responsibilities regarding the control environment include:Practicing ethics & integrityCommitting to excellenceFostering positive employee moraleHaving a supportive attitudeSetting the toneProviding direction and visionHiring and keeping competent staff
12 What are Risks?Risks are events that threaten the accomplishment of meeting the organization’s objectives and mission.Risks can be industry specific or enterprise- wide.There are internal and external risks.Examples:Human errorFailing to meet established goalsFraudSystem breakdownsNatural disasters
13 Risks Risks vary and impact: They change over time. Strategic efforts and corporate governanceOperationsFinanceReportingComplianceThey change over time.Not all risks are equal – some are more likely to occur than others, while some have greater impact than others.It is important to identify the probability of the event happening and its significance.Too much trust and a lack of a segregation of duties influence risk.
14 Fraud Fraud is a common risk that should not be ignored. By definition, fraud is an intentional misrepresentation of a material existing fact made by one person to another with knowledge of its falsity and for the purpose of inducing the other person to act, and upon which the other person relies with resulting injury or damage.It may be made by omission or purposeful failure to state material facts, which nondisclosure makes other statements misleading.It must relate to an existing fact (not a promise) and must be made knowingly and intentionally (not by mistake)!
15 Poor internal controls create opportunity for fraud! Causes of FraudPoor internal controls create opportunity for fraud!
16 Risk AssessmentRisk Assessment is the second element of internal control.Risk Assessment is the identification and analysis of relevant risks in relation to the achievement of an organization’s objectives for the purpose of determining how best to manage those risks.It determines what can go wrong.The risk assessment process is an ongoing one as internal and external threats constantly develop or change.
17 Risk AssessmentThe purpose is to assess the likelihood and impact of the risk:Likelihood – The probability that an unfavorable event would occur.Impact – A measure of the magnitude of the effect on CDTA if the unfavorable event were to occur.Questions to keep in mind:What can go wrong?What obstacles could keep you from achieving your goal?What’s the worst thing that could happen?What’s the worst thing that has happened?
18 5 Types of RiskStrategic: Risks that prevent CDTA from achieving its overall mission and vision.Operational: Risks that prevent a department or function from operating in the most effective and efficient manner that disrupts other operations.Financial: Risks that have significant financial impact to CDTA and may negatively impact.Reporting: Risks that occur for failure to document and report data timely and accurately.Compliance: Risks that may expose CDTA to fines and penalties from a regulatory agency for non- compliance with laws and regulations.
19 Managing Risks Management needs to think continuously about: How to manage risk day-to-dayHow to prevent riskHow to manage risk during changeManagement needs to determine the level of risk that is acceptable or not acceptable.Management needs to either accept the risk or establish control activities to prevent or mitigate the risk.
20 Accepting RiskManagement may accept the risk if it is not very significant.Management may choose to accept the risk if the cost associated with implementing control activities is greater than the cost of the event occurring, should it occur.
21 Preventing or Reducing Risk Sometimes management cannot accept the risk, therefore management must establish controls that work to prevent the risk from occurring or at least reduce the risk to an acceptable level.Management must identify the most effective and efficient control activities for handling the risk by evaluating:The cause of the riskIdentifying the cost of the control vs. the cost of the event happening (cost-benefit analysis)Prioritizing the risk
22 Control ActivitiesAs the third element of internal control, Control Activities are tools used to reduce and prevent risks that can impede accomplishment of the organization’s objections and mission.They occur throughout CDTA at all levels and functions.They are important to both automated and manual systems.Examples:Authorized signatures required on checksComputer passwordsPreventative maintenance schedulesPolicy and procedure manualsSegregation of duties
23 Cost vs. BenefitThe cost of the control activities should not be greater than the cost of the potential loss!A cost benefit analysis is done where positive factors are identified, quantified and added and negative factors are identified, quantified and subtracted to determine the net result, which then determines whether the control is acceptable.
24 MonitoringAs the next element of internal control, monitoring is the review of an organization’s activities to assess performance and to determine the effectiveness of controls.It provides feedback to management and others by means of routine, on-going managerial and supervisory activities, as well as through the use of separate evaluations conducted by Internal AuditExamples:Internal auditsBank reconciliationsDriver Vehicle Inspection Reports (DVIR’s)Preventative Maintenance Inspections (PMI’s)
25 Information & Communication As the final element of internal control, Information & Communication exchanges information between and among people and organizations.They fulfill many needs, including:Conveying organizational goals, objectives, policies, procedures, performance targets, ethics, and expectationsConveying operational and financial informationCoordinating activitiesExpressing the needs, goals, and accomplishments of employeesExpressing the needs of CDTA’s customers and the public as a wholeDemonstrating accountability, performance and reliability both internally and externallyThe paths of communication must be found throughout CDTA and must flow internally, upward, downward and across, as well as externally.
26 Communication and Information Systems Communication is the exchange of useful information to support decisions and coordinate activities.Information systems allow for more effective communication in order to carry out responsibilities.Both are essential to the organization, should be tailored to the user, and must provide information that is:AccurateCompleteTimelyUseful
27 Everyday Internal Controls Think about your own internal controls and the things you do:Lock your house and your vehicleKeep your checkbook in a safe placeSet up a username and password for on-line bankingReview your credit card statements before paying themReconcile your bank statementMaintain a budget for household expensesKeep your ATM debit pin # separate from your cardHave your children ask for permission before they do certain things
28 CDTA Internal Control Examples CDTA offices are locked when not occupiedComputer passwords are periodically changedCheck purchase card charges against source documentsCheck management reports against source documentsCompare actual cash received in Treasury to GFI fare box reportsReconcile bank statementsPerform preventative maintenance on buses and fare boxesPerform pre-trip inspection of busesAsk for certain permission and authorizations
29 Importance of Internal Control & Risk Assessment Process In order to succeed, we must manage our operations effectively and efficientlyProvide reasonable assurance we are meeting our goals and objectivesManage and mitigate risksProtect resources from fraud, waste and abuseBe accountable to employees, customers, stakeholders, vendors, and the publicAdhere to the Internal Control Act
30 NYS Internal Control Act In 1987, the Legislature enacted the NYS Governmental Accountability, Audit and Internal Control Act which highlighted the need for management to promote good internal controls and accountability in government. This law was later updated and made the Internal Control Act effective January 1, 1999.6 areas of responsibility mandated are:Establish & maintain guidelines for a system of internal controlsEstablish & maintain a system of internal controls and a program of internal control reviewMake available to each officer and employee a clear & concise statement of generally applicable management policies and standards with which the officer or employee shall be expected to comply withDesignate an internal control officer (ICO) who shall report to the CEO and who will implement and review internal control responsibilities. The ICO should be communicated to all employees.Implement education & training efforts for officers and employees for adequate awareness and understandingPeriodically assess the need to establish, maintain or modify an internal audit function
31 Internal Control Officer Role The ICO has the responsibility for coordinating, maintaining and reviewing internal control activities for CDTA.The current ICO is Margie Harvey.The ICO position does not in any way diminish the responsibility of all managers to oversee internal controls in their operations.The ICO is responsible for managing the annual “Internal Control Review and Certification” process and does so in conjunction with the Internal Audit Assistant (IAA)
32 Internal Audit RoleInternal Audit (IA) has the responsibility for evaluating the effectiveness of internal control through a review of systems and processes.Further, in order to identify potential audit areas, IA must review specific risk factors including operational deficiencies, internal control weaknesses, and liabilities to the organization.IA must establish an audit plan that focuses on the highest areas of risk to increase audit efficiency and effectiveness.
33 Annual Internal Control Review & Risk Assessment Process Managers are required to evaluate the internal controls for their department. This is done through a risk vulnerability and internal control review self assessment by management for their respective departments and functions. Each manager is required to certify that the information submitted is true and correct.The “Internal Control Review and Certification Process” occurs annually at CDTA in March and is coordinated by the ICO and the Internal Audit Assistant.Before 2011, CDTA was required to certify its internal controls to the NYS Division of Budget, however with the advent of the Authority Budget Office, CDTA is no longer required to certify its internal controls to DOB. However, in order to be in compliance with the Internal Control Act, CDTA is required to review its internal controls at least annually.
34 Management’s RoleTo complete an Internal Control Self- Assessment SurveyDefine key departmental functions and the risks associated with themRate the likelihood and impact that risks will occurDetermine whether there are effective internal controls in place to carry out goals and objectives and to mitigate any risks
35 Where do we go from here?Directors and Department Heads are responsible for periodically assessing internal controlsSelf-assessment of each department’s internal controls and risks are key to carrying out departmental goals and objectives, as well as to adhering toCDTA’s fundamental mission
36 How is this accomplished? Step 1: Complete the Internal Control Self- Assessment Survey
38 Step 2:Define key functions of your department and the risks associated with them. Determine the risks in terms of strategic (executive management only), operational, financial, reporting and compliance risks.Step 3:Rate the likelihood and impact of the risk in the event that it will occur.
39 Internal Controls Review: Function & Risk Assessment
40 Step 4:Determine whether you have effective internal controls in place to mitigate those risks, and identify whether they are effective, and if they can be improved or changed, note the corrective action either implemented or to be implemented.
42 Next Steps: Internal Control Officer (ICO): Reviews the forms for completenessMeets with managers as necessaryInternal Audit Assistant (IAA):Reviews forms for areas of risk and controlSummarizes the risk data for senior managementReviews forms to formulate annual Audit Plan
43 Case Study Case of the transmission purchase Jill, a senior staff assistant, has a company procurement card. Her manager, Anna, is out of town on company business and will not be in the office for 3 weeks. On Wednesday, Jill’s car wouldn’t start. She desperately needed a transmission which her mechanic replaced. When paying for the repairs to her vehicle, which totaled $2,898.93, she accidentally used the company procurement card to pay for the repairs. On Thursday, Jill received a notice from American Express confirming the purchase, at which point she realized her mistake.The statement arrived a week later and Jill, failing to disclose her personal purchase, asked Jack, the department head, to approve the statement in Anna’s absence.By the time of Anna returned, Jill was unable to save enough money to repay the company for the car repairs. Since Anna had not seen the statement and it had already been approved and processed for payment by Finance, Jill decided not to bring it up. She had been an exceptional employee for 15 years and had seen many of her co-workers receive bonuses. She decided it was her turn. This would be her bonus, she rationalized. She had earned it!
44 Case Study: QuestionsTake a moment to answer these questions before going to the next slide.What internal controls were side stepped by Jill?Did Jill commit fraud?Which internal control element does fraud come under?
45 Case Study: Control Concerns Internal controls were side stepped that could have mitigated fraud including:Jill did not comply with procedure when she used the company procurement card for personal use. (This is a weakness in the control activity.)Integrity and ethical values were set aside when Jill did not disclose her fraud. She knowingly omitted a material fact that one of the purchases was for personal use and rationalized she deserved it, in addition to the pressure of being short of funds. (This is a high risk area, in addition to a weakness in communication and information.)The department head failed to review the credit card statement and compare to source documentation. If he reviewed the original receipt, he should have seen Jill’s signature. (This is both a weakness in the control environment and monitoring.)While fraud is evaluated under the element of risk assessment, thiscase study showed weaknesses in each of the elements of internalcontrol.
46 Take a Quick Quiz Who is the Internal Control Officer? Margie Harvey Dorraine TeitschCarm BasileWho has a role in Internal Control?Management onlyOperators and maintenance personnel onlyEveryoneWhat are the 5 elements of Internal Control?Integrity, Ethics, Fraud, Risk Assessment, AuditingControl Environment, Risk Assessment, Control Activities, Monitoring, Information and CommunicationControl Environment, Fraud, Control Activities, Monitoring, Information and Technology
47 Quiz continued What are risks? Events that threaten CDTA’s mission and objectivesFraudHuman ErrorSystem breakdowns and natural disastersAll of the aboveWhat is the importance of internal control and risk assessment?To operate effectively and efficientlyTo provide reasonable assurance that CDTA is meeting its goals & objectivesTo manage and mitigate risksTo protect resources from fraud, waste & abuseAnswers: a, c, b, e, e
48 You’re on the roll with Internal Control and Risk Assessment! Remember:You’re on the roll with Internal Control and Risk Assessment!