Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internal Controls Agenda: Basics of Internal Controls – what are they?

Similar presentations


Presentation on theme: "Internal Controls Agenda: Basics of Internal Controls – what are they?"— Presentation transcript:

1 Internal Controls Agenda: Basics of Internal Controls – what are they?
COSO framework Practical applications to your current processes Facilitator: Laura Williams Updated February 2014 Welcome to a short video on Internal Controls, intended to give UNC Charlotte employees a baseline understanding of what internal controls are and how we can apply them to our everyday work environments and existing business processes.

2 Internal Control Basics
What are internal controls? We’ll start with the basics. What do we mean when we say “internal control”? What do these controls look like?

3 Connect Objectives What are you trying to achieve? Risks
What might thwart our efforts? Controls How can we manage risk? We first need to think about what we are trying to control. In order for there to be a control, we must be trying to control something, i.e., a risk to an identified objective. So, we need to start with our objectives; what are we trying to achieve in our organization and the departments we work in? Once we establish those objectives, we can identify what risks might exist to achieving our objectives and from there, we can determine what controls we might be able to put in place to control those risks. For example, an objective at UNC Charlotte might be to increase efficient use of resources. A risk to achieving that goal might be theft of University assets. So, an internal control to put in place to mitigate that risk is key card access to buildings, where access is only given to authorized employees. Remember, without a risk, there is no need for an internal control.

4 Operations Reporting Compliance Internal Control
INTERNAL CONTROL is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to: Operations Reporting Compliance Effectiveness Efficiency Safeguarding assets Reliability Timeliness Transparency With regulatory environment Now we move on to a formal definition of internal control: INTERNAL CONTROL is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to: Operations, including the effectiveness and efficiency of those operations, and the safeguarding of assets necessary to carry out operations; Reporting, including the reliability, timeliness, and transparency of reporting, both internal and external, and both financial and non-financial reporting (for example, reporting that the Office of Institutional Research performs and makes available in the Fact Book); and Compliance with our regulatory environment. So, for UNC Charlotte, that includes the State and its various administrative bodies (OSBM, OSC, OSA, DOA, etc.), as well as federal regulations related to financial aid, regulations related to grants and contracts, tax law, Export Controls, Payment Card Industry standards, etc. There are some people that say the objectives in this definition should be even more far-reaching and less confined to just operations, reporting, and compliance, since an entity’s objectives could reach beyond these three categories. For example, the University’s commitment to sustainability might be considered a strategic objective, rather than an operational or compliance-driven objective. Management has a fundamental responsibility to develop and maintain effective internal control.

5 Able to provide reasonable assurance
Internal Control INTERNAL CONTROLS are Continuous Effected by people Able to provide reasonable assurance Adaptable Built into operations Not one single event Dynamic “Only you can prevent forest fires” Not absolute assurance To the entire entity or to a particular division, business process, etc. Internal Controls also have the following characteristics. They are: Continuous, since they are not just one single event but built directly into operations, and they are dynamic to accommodate for an ever-changing environment; Effected by people; in other words, internal controls aren’t going to happen by themselves. It’s like the US Forest Service’s old campaign slogan, “Only you can prevent forest fires.” If we’re introducing the risk to the process, then we also have to introduce and implement the control. Able to provide reasonable assurance, not absolute assurance. Even the best designed controls are subject to other limitations that we’ll talk about later. Adaptable to the entire entity or to a particular division, business process, or other level of the organization. So, to recap, internal control is a process designed to help achieve objectives, and the controls themselves should be continuous, effected by us, able to provide reasonable assurance, and adaptable to different levels of the organization. As you can see, this definition is intentionally broad since internal controls can take on a variety of flavors.

6 Risks of Weak Internal Controls
Identifying Key Controls Risks of Weak Internal Controls Financial misstatements Business loss Loss of funds or materials Incorrect or untimely management information Fraud or collusion Tarnished reputation with the public Program Sustainability compromised Missed goals As I mentioned earlier, we should identify objectives first, and then risks, and then controls. But it can be easier for some people to think about the risks first… I wouldn’t say these people are pessimistic; they just may be risk averse or cautious! In reality, I think many people find it easy to identify risks to broad objectives; this can actually help us to then go back and more accurately identify specific objectives. For instance, a broad objective I might have is to survive. A risk to that survival is getting in a car wreck. So a more specific objective might be to drive safely. We can then identify a control for that risk: seatbelts, air bags, etc. In any case, here are some examples of risks of weak internal controls. I think you could easily think of the goals associated with these risks, and by the end of this presentation, hopefully you’ll be able to identify some of the controls we can put in place to mitigate these risks as well.

7 What are the five integrated components of internal control?
COSO Framework What are the five integrated components of internal control? Let’s move on to some of the key terminology you need to know to talk about internal control as it is widely accepted in the U.S. We’ll talk about the COSO framework and the five integrated components of internal control that it highlights. First, what is COSO? [cut to coso.org] COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. COSO is a joint initiative of 5 organizations, including the American Institute of CPAs and the Institute of Internal Auditors. COSO is dedicated to providing thought leadership on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established the common internal control model, definitions, and framework that many companies and organizations use to assess their control systems. The COSO framework has been adopted by the state of North Carolina as its standard for internal controls within state agencies. The framework also gained importance and attention after the Enron and WorldCom scandals and the resulting Sarbanes-Oxley Act, which was enacted in 2002 to set new and enhanced accounting standards for U.S. companies, including annual assessment by management and external auditors of internal control on financial reporting. The moral of the story here is that internal controls aren’t just something fun to add to our list of things to do; without them, there isn’t just risk of fraud and mismanagement of assets; there is a proven history of fraud and mismanagement actually occurring on very large scales.

8 Updated COSO Framework
Reflective of the current environment Applicable to more business objectives Integrated approach to addressing organization-wide objectives Flexible and customizable Principles-based rather than Rules-based 17 principles – formalize fundamental concepts to help Specify objectives Assess risks Deploy controls Designed to help address objectives across the organization E.g., addressing financial reporting fraud might help address compliance objectives Key: Ramp it up in the “right” areas How to define right areas? Risk assessment. COSO’s original internal control framework was established in 1992 and was recently updated in May 2013. According to COSO, this new framework is intended to: Be more reflective of the current environment – For instance, taking into account new risks, such as bad PR via social media Cover more business objectives – giving us a more integrated approach to addressing organization-wide objectives and trying to move beyond Sarbanes-Oxley Be flexible and customizable – The new framework identifies 17 principles, which are intended to formalize fundamental concepts to help organizations: 1) specify objectives, 2) assess risks, and 3) deploy controls (here again we see the objectives-risks-controls connection). A principles-based framework allows people within an organization to make decisions based on the ‘spirit’ of the principle, rather than over-emphasizing rules at the expense of judgment. In rules-based environments, employees might conclude that anything not forbidden is permitted. In addition, heavy focus on the “don’ts” may lead to cynicism about the purpose of the code or other unintended effects. Of course, there is another side to the coin; sometimes, you just need to make rules. In general, one of the keys to implementing the COSO framework is to ramp up controls in the “right” areas. How do we define the “right” areas? Through risk assessment, which we’ll go over shortly.

9 5 integrated components
Updated COSO Framework Along the 3 main objectives At all levels of the organization The COSO “cube” 5 integrated components Here we can see what is called the COSO “cube.” It has five integrated components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring, which are pervasive at all levels of the organization, from the most comprehensive – at the entity level – down through each operating unit and to the most discrete level, the process function. And, as we discussed earlier, these components all operate along the three main objectives identified by COSO: operations, reporting, and compliance. We’ll now talk through each of these internal control components, starting with the control environment.

10 1. Control Environment COSO cube – 5 Integrated Components
The set of standards, processes, and structures that provide the basis for carrying out internal control Comprises integrity and ethical values of the organization The Board and Senior Management - and you! Establish tone at the top Establish expected standards of conduct and reinforce expectations Parameters enable the Board to carry out its governance oversight responsibilities University tone at the top: Policy 804, Standards of Ethical Conduct The first component of the internal control framework is the Control Environment, a set of standards, processes, and structures that provide the basis for carrying out internal control. The control environment comprises the integrity and ethical values of an organization, as well as: Management’s philosophy and operating style Organizational structure How management assigns authority and responsibility (both along functional and administrative reporting lines) The competence of the entity’s people Personnel development (including training and support) As part of the control environment, the board of trustees and senior management must establish tone at the top. What exactly is tone at the top? One definition is: a visible willingness by senior management to let values drive decisions, to prioritize those values above other factors – including financial results – and to expect all others in the organization to do the same. This tone helps to establish expected standards of conduct and reinforce expectations of employees. This, in turn, establishes parameters that enable the Board to carry out its governance oversight responsibilities. [cut to NC GS] For example, North Carolina General Statute 138A is the State Government Ethics Act. This, arguably, helps set a tone at the top for the State, setting expectations for state employees and others acting in service to the state, and also allowing the state to address any violations of these standards. As another example, University Policy 804, Standards of Ethical Conduct, was approved in October of 2013 and sets forth UNC Charlotte’s commitment to ethical, legal, and professional behavior for all members of the University community. [cut back] In the same way, all leaders at the University are responsible for setting the tone at the top of their departments and units. This “tone” should match that set by senior management but can be tailored to specific needs of business units.

11 Control Environment for Financial Reporting
COSO cube – 5 Integrated Components Control Environment for Financial Reporting This is one diagram depicting the control environment as it relates to financial reporting. As you can see, the control environment serves as an umbrella for the entity’s internal control framework. Good internal controls will not be effective without a sound control environment. Or another way to look at it is, a really good control environment is the foundation for really good internal controls. If you could truly inculcate a culture where no theft occurred, would you even need locks on the doors?

12 COSO cube – 5 Integrated Components
The Control Environment should ensure controls are in place, covering areas such as: Hiring practices Training programs Whistleblower policies Code of Ethics Clear lines of responsibility and authority Etc. As part of our regular business processes, we should continually monitor and update the Control Environment for dynamic changes As we said, the board and senior management are in charge of setting the stage for the entity-wide control environment. However, departmental managers should establish departmental policies as necessary in light of their unique objectives and risk factors in the absence of any central policies. Listed are some specific areas that the control environment should cover. In addition, as part of your regular business processes, you should continually monitor and update your Control Environment for dynamic changes.

13 Compliance v. Integrity Strategy:
COSO cube – 5 Integrated Components Difference between Compliance v. Integrity Strategy: A ‘Compliance Strategy’ tries to prevent violations of regulations and self-interested behavior by employees by imposing standards of conduct that are intended to compel acceptable behavior. An ‘Integrity Strategy’ seeks to create conditions that support right action by communicating the values and vision of the organization, aligning the standards of employees with those of the organization, and relying on the whole management team, not just lawyers and compliance officers. One other thing to keep in mind when designing your control environment is the difference between a compliance v. an integrity strategy: A Compliance Strategy tries to prevent violations of regulations and self-interested behavior by employees by imposing standards of conduct that are intended to compel acceptable behavior. A compliance strategy relies more on lawyers and compliance officers. An ‘integrity strategy’ seeks to create conditions that support right action by communicating the values and vision of the organization, aligning the standards of employees with those of the organization, and relying on the whole management team, not just lawyers and compliance officers. So, in summary, a compliance strategy focuses more on preventing wrong while an integrity strategy focuses more on fostering right. Sometimes a combination of both may be warranted.

14 The Control Environment should be documented:
COSO cube – 5 Integrated Components The Control Environment should be documented: Process documentation/ controls Determine extent of existing documentation; leverage this Create new if no documentation exists Update for changes in operations Types of documentation that can be used: Process Narratives Organizational charts Flowcharts Questionnaires Memorandums Checklists Finally, in order for the control environment to be effective, it must be documented. The first step in ensuring proper internal control is to ensure business processes are properly identified and documented. Types of documentation that can be used include Process Narratives Organizational charts Flowcharts Questionnaires Memorandums Checklists

15 2. Risk Assessment COSO cube – 5 Integrated Components
Involves a dynamic and iterative process for identifying and assessing risks Risk: the possibility that an event will occur and adversely affect the achievement of objectives. The Board and Senior Management (and you!) Establish objectives linked at different levels of the entity Must take holistic approach – look at the full organization Apply internal control to achieve multiple objectives Prevent domino effects, e.g., weakness in financial reporting that jeopardizes operations Establish risk tolerances Increasingly important when resources are constrained The second component of the internal control framework is Risk Assessment, which involves a dynamic and iterative process for identifying and assessing risks. A Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Risks can be introduced by changes – for instance, new leaders and managers, new markets and products, growth, and emerging technologies. One way to categorize risk is along 4 key risk areas: Strategic – including Political risk, talent and succession planning risk, and risk from dependencies on other organizations Financial – including risk of audit findings and other things that would undermine reporting integrity Compliance – including Fraud and non-compliance with fair employment practices Operational – including the risk that Programs fail to meet their objectives, natural disasters, and lack of technology availability The board of trustees and senior management must establish objectives linked at different levels of the entity, as we’ve already discussed, and then determine the risks to those objectives. By taking a holistic view of the organization's objectives, management should then be able to apply internal control to achieve multiple objectives and prevent domino effects, for example, a weakness in financial reporting that jeopardizes ongoing operations. Risk assessment is especially important when resources are constrained, since risk assessment allows for a more strategic use of resources.

16 Risk Management Risk Assessment COSO cube – 5 Integrated Components
A process applied in a strategic setting and across the entity, designed to identify and manage risks to stay within risk appetite/tolerance level, to provide reasonable assurance about achieving entity goals and objectives. Risk Assessment An element of internal control within the risk management process that enables management to identify and assess key risks to achieving its objectives; this forms the basis on which control activities are determined. One thing to note is the difference between risk management and risk assessment. Risk Management is A process applied in a strategic setting and across the entity, designed to identify and manage risks to stay within a risk appetite or tolerance level, to provide reasonable assurance about achieving entity goals and objectives. Risk Assessment is An element of internal control within the risk management process that enables management to identify and assess key risks to achieving its objectives; this assessment forms the basis on which control activities are determined.

17 Process-level Risk Assessment
COSO cube – 5 Integrated Components Risk assessment should occur at the business process level as well as the entity level. Process-level Risk Assessment Low Medium High Risk Assessment 1. Materiality of the amounts Large dollars/transaction High volume of transactions Significant impact on key ratios or disclosures 2. Complexity of the process Limited internal skills Multiple data handoffs Highly technical in nature 3. History of accounting adjustments Accounting errors Valuation adjustments, etc. 4. Propensity for change in Business processes or controls Related accounting Grading Filter Four Primary Factors As we’ve noted, risk assessment should occur at the business process level as well as the entity level. Once you have identified your objectives, apply these four risk assessment factors: Materiality of the amounts in question Complexity of the process History of accounting adjustments Propensity for change in the processes or controls This should help us to assess risk for the process in question in terms of likelihood and impact. Internal considerations to assess risk: Use of qualitative/quantitative methods Change in management responsibilities Weak or unresponsive tone at the top Human capital – quality of personnel hired/retained Employee sabotage System security weaknesses Rapid growth Changes in processes or access to assets External considerations: Technological advancements (more tools available, as well as existing tools we are using are outdated) Changing/evolving client/constituent needs or expectations Changing legislative requirements and new laws/regulations Decentralized organization operations Natural disasters Impact of program, political, and economic changes

18 Risk Mapping COSO cube – 5 Integrated Components Impact
Consider the organization’s risk tolerance and risk appetite related to the risk response Impact Here we see a risk map where the x axis shows Likelihood, where: A-Almost impossible B-Remote C-Low D-Reasonably possible E-Probable F-Very High And the Y axis shows Impact: I-Marginal II-Significant III-Severe IV-Catastrophic So, once we have assessed risk, we can consider the organization’s risk tolerance and risk appetite related to the risk response. If the likelihood is low and the impact is marginal, then that falls within the green area on this chart, and management may decide that resources should be directed elsewhere, for more pressing needs. However, if a risk has a likelihood of reasonably possible and an anticipated impact of severe, then that falls within the red area on this chart, and management may decide to direct resources towards the mitigation of this risk. Keep in mind that a risk assessment is meaningless without specific criteria to apply to each rating. For example, what is the difference between an impact of significant v. severe? These definitions, along with the organization’s risk tolerance (that is, what areas are considered green, yellow, or red) need to be set before a meaningful assessment can take place. One overall question to keep in mind is, what is the impact to stakeholders?

19 Risk Strategies COSO cube – 5 Integrated Components Mitigation
Avoidance Do not proceed! Mitigation Improve controls to reduce likelihood/impact Transfer Shift responsibility to an external party Acceptance Accept the risk! Creation Seek risk activities strategically to maximize opportunities Once a risk assessment is completed, and the impact and likelihood are determined, we can then determine which strategy to choose to deal with the risk. The first is avoidance, which means that the process in question would not be pursued. This would be a likely option to choose if the risk likelihood was found to be very high, and the impact to be catastrophic, in other words, risks that fall within the red area of the risk tolerance map we just looked at. The second strategy is mitigation, where we would improve controls to reduce the likelihood and impact of the process. This is where many control activities will be done. The third strategy is transfer, where responsibility is shifted to an external party. Another strategy is acceptance, where the organization simply accepts the risk. This would make sense if the risk likelihood was found to be remote, and the impact to be marginal. In general, we should accept risks only if in green area of the risk tolerance map. The final strategy listed is creation, where risk activities are strategically sought to maximize opportunities. These types of decisions should lie with senior management only. We must be cautious when choosing these strategies. For example, Transferring too much responsibility to third parties is a risk in itself. This should only be done if it is known that the organization would introduce more risk by taking on the task itself.

20 3. Control Activities COSO cube – 5 Integrated Components
The actions established through policies and procedures that help ensure management’s directives to mitigate risks are carried out. Performed at all levels within the entity Types: Preventive and detective and corrective Compensating Manual and automated Examples: Approvals & Authorizations Embedded verifications Reconciliations Independent Reviews Asset security Segregation of duties The third component of the internal control framework is Control Activities, which are the actions established through policies and procedures that help ensure management’s directives to mitigate risks are carried out. These activities are performed at all levels of the entity. There are certain types of control activities, including preventive, detective, and corrective; compensating; and manual and automated. We will go over the difference between these control types. Control activities are exactly what they sound like– the activity part of the internal control framework. While the control environment and risk assessment set the stage for good controls, the control activities are where the meat of the control work is done. Examples of control activities include: Approvals & Authorizations Embedded verifications Reconciliations Independent Reviews Asset security Segregation of duties

21 Preventive Control Detective Control
COSO cube – 5 Integrated Components Preventive Control Prevents the occurrence of a negative event in a proactive manner Examples: Approval for purchase > $5,000 Passwords for access to Banner Petty cash held in lockbox Security and surveillance systems Pre-numbered checks Detective Control Detect the occurrence of a negative event after the fact in a reactive manner Examples: Supervisor review & approval Report run showing user activity Reconcile petty cash Physical inventory count Review missing/voided checks The first way we can categorize control activities is between preventive and detective controls. Preventive Controls prevent the occurrence of a negative event in a proactive manner. [click] Examples here at UNC Charlotte include: Approval required for purchases greater than $5,000 Passwords required for access to Banner Petty cash that must be held in a lockbox Security and surveillance systems in high-risk areas, and Pre-numbered checks Detective Controls Detect the occurrence of a negative event after the fact in a reactive manner Supervisor review & approval Reports that are run showing user activity Reconciliation of petty cash Annual Physical inventory counts, and Review of missing and voided checks Preventive controls are stronger that detective controls. It is more effective and less costly to prevent something from happening rather than to attack it on the back end; sometimes it is hard to stop something that is already in motion, similar to a snowball effect. This chart also shows corrective controls, but really I would deem these more as corrective ‘actions’, since the correction isn’t really a control itself.

22 Control Activities COSO cube – 5 Integrated Components
If a weakness or limitation exists within the control environment, a compensating control may be relied upon to mitigate the risk Can be preventive or detective Example: A unit does not have the staff resources to establish an adequate segregation of duties. Potential compensating controls could include: Automation of certain transaction data that cannot be altered by the staff Manager review of detailed summary reports of the transactions initiated by the staff Peer staff and/or manager selects a sample of transactions and vouches back to supporting documentation There are also compensating controls, which may be relied upon to mitigate existing risks if a control activity that should otherwise be in place is not in place. Compensating controls can be either preventive or detective. One common scenario is when a department or unit does not have the staff resources to establish an adequate segregation of duties. Potential compensating controls could include: Automation of certain transaction data that then cannot be altered by the staff, that is, removing humans from the process altogether Manager review of detailed summary reports of the transactions initiated by the staff. So, if one staff member is a requester in 49er Mart, and her supervisor is the approver, then the overall manager of that area should, on a periodic basis – say, monthly – separately review summary reports of these transactions. Another option would be for Peer staff and/or a manager – someone separate from the personnel involved with making the transaction - to select a sample of transactions and vouch back to supporting documentation In all these ways, we are compensating for the fact that the advisable control activity – segregation of duties – is not possible with current resources.

23 Control Activities COSO cube – 5 Integrated Components
Automated Control Manual Control Require action to be taken by employees, e.g., Obtain supervisor’s approval for overtime Reconcile bank accounts Match receiving to POs Built into network infrastructure and software applications, e.g., Passwords Data entry validation checks Batch controls The final category of controls we’ll go over is manual v. automated controls. Manual controls Require action to be taken by employees. Examples include Obtaining a supervisor’s approval for overtime Reconciling bank accounts, and Matching receiving to Purchase Orders Automated controls are Built into the network infrastructure and software applications. Examples include Passwords Data entry validation checks, and Batch controls Automated controls are more reliable and cost effective than manual controls

24 4. Information and Communication
COSO cube – 5 Integrated Components 4. Information and Communication Information is necessary to carry out internal control responsibilities to support achievement of objectives Communication: the continual, iterative process of providing, sharing, and obtaining necessary information Internal and external Information should be timely, accessible, and allow for successful control actions The fourth component of the internal control framework is Information and Communication. This component is pretty straightforward but is also very important in ensuring a cohesive, sustainable framework. Accurate, timely information is necessary to properly carry out internal control responsibilities in support of the achievement of an organization’s objectives. And communication is the continual, iterative process of providing, sharing, and obtaining that necessary information. Management and employees must be able to obtain information from both internal and external sources as necessary, and communication paths must be viable to both internal and external parties. Information should be timely, accessible, and allow for successful control actions. Obviously, that is a very high-level statement that is harder to do than say, but the key is to try to keep communicating the right information to the right people at the right time. Key: To communicate the right information to the right people at the right time

25 Information & Communication
COSO cube – 5 Integrated Components Information & Communication Things to communicate: Initiatives Goals Changes Opportunities Feedback Questions Answers Policies Procedures Standards Expectations Even with so many ways to communicate these days – , text messaging, Twitter, Facebook, apps, the cloud, FedEx, mail, phone calls, or EVEN face-to-face - sometimes it is difficult to find ways to communicate effectively and with impact. Just keep in mind what you are trying to communicate and to whom. Remember that more communication is not always better, but more well thought-out, directed communication is essential to all operations, including internal controls.

26 5. Monitoring Activities
COSO cube – 5 Integrated Components 5. Monitoring Activities Evaluations used to ascertain whether components of internal control are present and functioning Ongoing evaluations: Built into business processes Provide timely information Separate evaluations: Conducted periodically Vary in scope and frequency Dependent on assessment of risks, effectiveness of ongoing evaluations, other management considerations Findings are evaluated against relevant criteria The fifth and final component of the internal control framework is Monitoring. Monitoring activities are evaluations used to ascertain whether components of internal control are present and functioning. These evaluations can be split into two categories: Ongoing evaluations are built into business processes and provide timely information on the underlying controls. Separate evaluations are conducted periodically and vary in scope and frequency based on prior assessments of risk, the effectiveness of ongoing evaluations, and other management considerations such as resource prioritization. Separate evaluations include Internal Audit activities. In other words, when we monitor an activity, we are assessing the performance of an internal control system over a period of time, helping to validate that the internal control system is operating as expected. Any findings that result from monitoring activities should be evaluated against relevant criteria, for example, how long has the control been compromised, and how high are the risks? Any deficiencies that are found, which are more pernicious to the control system than findings, should be communicated to the Board and Senior Management. It confirms that the findings of audits and other reviews are promptly resolved so that internal controls are not compromised. Monitoring should be directed at both internal and external risks to the organization. Monitoring also consists of supervisory review and sign off to help ensure proper checks and balances. Your organization should have a strategy for effective ongoing monitoring. Deficiencies are communicated to the Board and Sr. Management

27 Testing Control Processes
COSO cube – 5 Integrated Components Testing Control Processes Identify transactions to be tested key controls applicable standards to test the transactions (i.e., criteria to judge compliance effectiveness) Determine appropriate type of testing extent of testing Create test plan Conduct tests for effectiveness Document testing and results Assess test results Communicate findings, recommendations Monitoring activities should be designed to test an adequate number of key controls to ensure an entity can make all relevant financial assertions related to significant accounts. Risk-based testing includes identification of key processes and controls and developing test procedures and sampling that is appropriate for the related risk to the organization. To test control processes, we should first identify the key controls, transactions to be tested, and applicable standards against which to test the transactions. We would then determine the appropriate type of testing, e.g., ongoing or separate evaluations, and the extent of testing, e.g., determining how often to test or the sample size needed. From there, we would create a test plan, conduct tests for effectiveness, document testing and results, assess those results, and communicate findings and recommendations to the appropriate people.

28 Monitoring/Validating Controls
COSO cube – 5 Integrated Components Monitoring/Validating Controls Deficiency in Design – A critical control is not properly designed, i.e., even if the control operates as designed, the control objective is not always met. When validating control design (determining effectiveness): Consider various factors (how control is performed, who performs the control, what data/reports used in performing control, what physical evidence is produced from the control) Work off of process narratives, flowcharts, and any other relevant material obtained and/or completed in the documentation stage Be aware that application controls are either programmed control procedures (e.g., edits, matching, reconciliation routines) or computer processes (e.g., calculations, on-line entries, automatic system interfaces). When monitoring activities have been completed, the results must then be analyzed and reported. If deficiencies in controls are found, they should be categorized as either deficiencies in design or deficiencies in operations. A deficiency in design occurs when a critical control is not properly designed; that is, even when the control operates as designed, the control objective is not always met. Remember that a critical control is one that is critical to the organization’s ability to meet its control objectives. The picture on this slide shows a train that has derailed due to a design deficiency. Per the news reports, this accident was caused by "serious deficiency" in the design of the cantilever arm and the fact that the concrete did not have adequate strength likely due to lack of its adequate curing. Thus, when validating control design (that is, determining the control’s effectiveness), we should consider various factors. In this case, how is the train usually kept from derailing, who ensures that this control is in place, and what data/reports and physical evidence were or could be used in monitoring the control? This information could be evaluated using process narratives, flowcharts, and any other documentation.

29 Monitoring/Validating Controls
COSO cube – 5 Integrated Components Monitoring/Validating Controls Deficiency in Operation – A properly designed control does not operate as intended, or the person performing the control does not possess the necessary authority or qualification to perform the control effectively. Testing operating effectiveness includes, in part: Reviewing supporting documentation for proper authorization, Reviewing the results of periodic reconciliations, and Reviewing policies and procedures to determine if they are being followed. Use appropriate sampling techniques as necessary. The other type of control deficiencies is a deficiency in operation. These occur when a properly designed control does not operate as intended, or when the person performing the control does not possess the necessary authority or qualification to perform the control effectively. The picture on this slide shows a clip from the movie Gravity, where Sandra Bullock plays an astronaut that is stranded in space. Here, she is in a foreign space station where, even though controls have likely been properly designed, the astronaut does not possess the necessary qualifications to operate the controls effectively. Testing for operating effectiveness (down here on Earth) can include: Reviews of supporting documentation for proper authorization, Reviews of periodic reconciliations, and Reviews of policies and procedures to determine if they are being followed All of these reviews can be performed on a sample basis.

30 Monitoring/Validating Controls
COSO cube – 5 Integrated Components Monitoring/Validating Controls Documentation should be maintained for: The evaluation of internal control at the entity and process levels What testing has been performed Identified deficiencies Documentation must contain sufficient information to: Identify who performed the work and when Enable understanding of the nature, timing, extent, and results of the procedures performed Enable understanding of the evidence obtained Support the conclusions reached Finally, when monitoring and validating controls, several key items should be documented, including: The evaluation of internal control at the entity and process levels What testing has been performed, and Identified deficiencies Documentation must contain sufficient information to: Identify who performed the work and when Enable understanding of the nature, timing, extent, and results of the procedures performed Enable understanding of the evidence obtained, and Support any conclusions reached Remember that documentation is key to both establishing controls and monitoring them. Without clear documentation, controls become uncontrollable!

31 Limitations of Internal Control
Even an effective system of internal control can experience a failure. Limitations may result from: Suitability of established objectives Reality that human judgment in decision making can be faulty and subject to bias Breakdowns that can occur because of human failures such as simple errors Ability of management to override internal control Ability of management, other personnel, and/or third parties to circumvent controls through collusion External events beyond the University’s control Again, internal control provides reasonable, not absolute, assurance of achieving objectives. Note that even an effective, well-designed system of internal control can experience a failure. Limitations may result from: The lack of suitability of established objectives The reality that human judgment in decision making can be faulty and subject to bias Breakdowns that can occur because of human failures such as simple errors The ability of management to override internal controls The ability of management, other personnel, and/or third parties to circumvent controls through collusion External events beyond the University’s control Again, internal control provides reasonable, not absolute, assurance of achieving objectives. The point of internal controls is to prevent what is preventable, not to prevent everything. Remember one of the key components of internal control is risk assessment.

32 Practical Implications
How can you incorporate internal controls within your current processes? In our final section, we’ll try to bring all the pieces together and see how you can incorporate internal controls within your current processes.

33 Connect Objectives What are you trying to achieve? Risks
What might thwart our efforts? Controls How can we manage risk? Do you remember this slide from the very beginning of this session? Always keep in mind that we first need to think about what we are trying to control. In order for there to be a control, we must be trying to control something, and what is that something? It is a risk to an identified objective. So, we need to start with our objectives; what are we trying to achieve in our organization and the departments we work in? Once we establish those objectives, we can identify what risks might exist to achieving our objectives and from there, we can determine what controls we might be able to put in place to control those risks. For business managers at UNC Charlotte, an objective might be to increase the number of students in their departments by providing quality scholarships to a diverse population. A risk to achieving this goal might be a poor scholarship application and delivery system that mistakenly sends award letters to the wrong students. So, stronger automated controls within the system would be necessary to mitigate this risk. Again remember: without a risk, there is no need for an internal control.

34 Document the process! Determining Where Controls are Needed
Identifying Key Controls Determining Where Controls are Needed First, must … Document the process! Pick a method that suits the process: Flowchart or Narrative Identify process owner and activity owners Identify the key inputs, activities, outputs, and risk points Identify policies that impact the process Identify standards that may specify mandatory controls Once it has been determined that controls are necessary, the next step is to start documenting! I know it seems like we harp on documentation quite a bit, but that’s because it is indeed essential to setting up and maintaining proper controls. Before we begin to document controls, we must first document the process we are trying to control. Process documentation is a whole art (and process!) in and of itself, but as a brief overview, the high-level steps are listed on this slide.

35 Identifying Key Control Activities
Identifying Key Controls Identifying Key Control Activities Identify and document all controls associated with key processes Identify the characteristics of controls that, when functioning as intended, would provide the evaluator with a ‘level of comfort’ to conclude that the control is effective with respect to a given risk Consider control effectiveness by focusing on: Directness and clarity of the control technique Frequency with which the control technique is applied Experience of personnel performing the control Procedures followed when a control identifies an exception condition Once the process in question is documented, identify and document all controls associated with the key processes. So, if the process is “cash receipts”, three key controls might include: Use of a lockbox and numbered receipts when collecting cash, Segregation duties between the person who receives the cash, the person who deposits the cash, the person who reports the cash receipt, and the person preparing reconciliations, and Review and sign-off of cash receipt and accounts receivable reports and bank reconciliations by a supervisor not involved with cash handling duties. Then identify the characteristics of controls that, when functioning as intended, would provide the evaluator with a ‘level of comfort’ to conclude that the control is effective with respect to a given risk. So, in our cash receipts example, perhaps your department does not have enough staff to enable full segregation of duties. However, as long as the person who receives and deposits the cash is separate from the person who reports the cash, that may give you a level of comfort with regard to that control as long as you are also reviewing bank reconciliations and other reports on a periodic basis. Other points to focus on when determining control effectiveness are: The directness and clarity of the control technique The frequency with which the control technique is applied The experience of personnel performing the control, and The procedures followed when a control identifies an exception condition

36 Understanding Control Design
Identifying Key Controls Understanding Control Design For internal controls over financial reporting, consider the following questions: Will the control techniques help achieve the control objectives? Will the controls mitigate risk to an acceptable level? How do the related control objectives prevent or detect a potential misstatement? How do potential misstatements affect the related financial report line item? We have been talking about internal controls in general, but one key area of internal control is related to financial reporting, both for internal departmental reports and University-wide financial reports, which are key to management decision making. When designing and documenting controls over financial reporting, consider the following questions: Will the control techniques help achieve the control objectives? Will the controls mitigate risk to an acceptable level? (and how do you define ‘acceptable level’?) How do the related control objectives prevent or detect a potential misstatement? How do potential misstatements affect the related financial report line item?

37 Common Basic Internal Control Principles
Identifying Key Controls Common Basic Internal Control Principles Establish Responsibility Assign each task to only one person Segregate Duties Don’t make one employee responsible for all parts of a process Restrict Access Don’t provide access to systems, information, assets, etc. unless needed to complete assigned responsibilities Document Procedures and Transactions Prepare documents to show that activities have occurred Independently verify Check others’ work Even if none of the rest of this session has stuck with you (and I’m sure it has!), there are some common basic internal control principles that can be applied on a practical level to any process: Establish responsibility. All key tasks should be assigned, and they should be assigned to only one person. If tasks are not assigned, you run the risk of no one taking responsibility or multiple people doing duplicative work or colluding. Segregate Duties. The following responsibilities should be segregated in each business process: Maintaining proper custody of assets Properly recording the transactions Authorizing the transactions, and Reconciling the transactions Remember that compensating controls can be put in place where full segregation of duties is not possible. At the very least, do not make one employee responsible for all parts of a process. A key to defeating opportunity for fraud is to divide key functions so that no one person has control over ALL parts of a transaction. 3. Restrict Access. Don’t provide access to systems, information, assets, etc. unless that access is needed to complete assigned responsibilities. 4. Document Procedures and Transactions. We’ve already talked about documentation. It’s necessary to prepare evidence to show that activities have occurred and verify findings. 5. Independently verify. Remember to check others’ work. Don’t let an employee have unbridled and unchecked authority. Note that higher risk transactions include: The purchase of goods and services Cash receipts Payroll operations Inventory operations These processes should be more closely monitored for proper controls since they present higher opportunities for fraud and misappropriation than other processes.

38 Understanding Control Design
Identifying Key Controls Understanding Control Design Good Controls are: Focused Integrated Accurate Simple Accepted Cost Effective Finally, a few characteristics of good controls are that they are: Focused on critical points of operations Integrated into established processes (should not be burdensome but part of the actual process) Accurate, in that they provide factual information that is useful, reliable, valid, and consistent Simple and easy to understand Accepted by employees Cost effective; controls should not cost more than the risks they mitigate

39 Need to connect Objectives, Risks, and Controls
Key Points Need to connect Objectives, Risks, and Controls Five interrelated components of Internal Control Control Environment Risk Assessment Control Activities Information and Communication Monitoring Along 3 main objectives Operations Reporting Compliance Across the organization, down to the process functions No silver bullet Should accompany process documentation efforts We’ve reached the end of this session on internal controls. To review, here are a few of the key points we covered: Remember that the best way to identify internal controls is to first identify the Objectives and Risks to those objectives. The controls mitigate those risks. Remember that the Five interrelated components of Internal Control are: The control Environment Risk Assessment Control Activities Information and Communication, and Monitoring Which operate along 3 main objectives: Operations Reporting, and Compliance And apply across the organization, starting at the entity level and running all the way down to the process functions. Remember that there is no silver bullet when it comes to internal controls; they help to provide reasonable, not absolute, assurance against identified risks. Finally, as we’ve seen, the establishment and assessment of internal controls should accompany process documentation efforts; documentation of controls is an outgrowth of the documentation of the underlying processes.

40 Resources Video of this presentation: http://youtu.be/b1YoVW-lyMg
Controller’s Office: Laura Williams, Compliance Manager, x7-5002 Phil Maher, Business Process Analyst, x7-5781 Greg Verret, Business Process Analyst, x7-5782 Internal Audit: Tom York, Director, x7-5693 Tommy Earnhardt, Staff Auditor, x7-5694 External sites: PwC summary on why the COSO Update deserves your attention: COSO website: COSO Executive Summary on updated Internal Control Integrated Framework: Thanks for your attention during this video session. Listed are key contacts in the Controller’s Office and the Internal Audit department if you have any questions about internal controls or related topics. In addition, a few links to further information on the COSO framework are also provided.


Download ppt "Internal Controls Agenda: Basics of Internal Controls – what are they?"

Similar presentations


Ads by Google