Presentation on theme: "Internal Controls Agenda: Basics of Internal Controls – what are they?"— Presentation transcript:
1Internal Controls Agenda: Basics of Internal Controls – what are they? COSO frameworkPractical applications to your current processesFacilitator:Laura WilliamsUpdated February 2014Welcome to a short video on Internal Controls, intended to give UNC Charlotte employees a baseline understanding of what internal controls are and how we can apply them to our everyday work environments and existing business processes.
2Internal Control Basics What are internal controls?We’ll start with the basics. What do we mean when we say “internal control”? What do these controls look like?
3Connect Objectives What are you trying to achieve? Risks What might thwart our efforts?ControlsHow can we manage risk?We first need to think about what we are trying to control. In order for there to be a control, we must be trying to control something, i.e., a risk to an identified objective. So, we need to start with our objectives; what are we trying to achieve in our organization and the departments we work in? Once we establish those objectives, we can identify what risks might exist to achieving our objectives and from there, we can determine what controls we might be able to put in place to control those risks. For example, an objective at UNC Charlotte might be to increase efficient use of resources. A risk to achieving that goal might be theft of University assets. So, an internal control to put in place to mitigate that risk is key card access to buildings, where access is only given to authorized employees. Remember, without a risk, there is no need for an internal control.
4Operations Reporting Compliance Internal Control INTERNAL CONTROL is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to:OperationsReportingComplianceEffectivenessEfficiencySafeguarding assetsReliabilityTimelinessTransparencyWith regulatory environmentNow we move on to a formal definition of internal control: INTERNAL CONTROL is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to:Operations, including the effectiveness and efficiency of those operations, and the safeguarding of assets necessary to carry out operations;Reporting, including the reliability, timeliness, and transparency of reporting, both internal and external, and both financial and non-financial reporting (for example, reporting that the Office of Institutional Research performs and makes available in the Fact Book);and Compliance with our regulatory environment.So, for UNC Charlotte, that includes the State and its various administrative bodies (OSBM, OSC, OSA, DOA, etc.), as well as federal regulations related to financial aid, regulations related to grants and contracts, tax law, Export Controls, Payment Card Industry standards, etc.There are some people that say the objectives in this definition should be even more far-reaching and less confined to just operations, reporting, and compliance, since an entity’s objectives could reach beyond these three categories. For example, the University’s commitment to sustainability might be considered a strategic objective, rather than an operational or compliance-driven objective.Management has a fundamental responsibility to develop and maintain effective internal control.
5Able to provide reasonable assurance Internal ControlINTERNAL CONTROLS areContinuousEffected by peopleAble to provide reasonable assuranceAdaptableBuilt into operationsNot one single eventDynamic“Only you can prevent forest fires”Not absolute assuranceTo the entire entity or to a particular division, business process, etc.Internal Controls also have the following characteristics. They are:Continuous, since they are not just one single event but built directly into operations, and they are dynamic to accommodate for an ever-changing environment;Effected by people; in other words, internal controls aren’t going to happen by themselves. It’s like the US Forest Service’s old campaign slogan, “Only you can prevent forest fires.” If we’re introducing the risk to the process, then we also have to introduce and implement the control.Able to provide reasonable assurance, not absolute assurance. Even the best designed controls are subject to other limitations that we’ll talk about later.Adaptable to the entire entity or to a particular division, business process, or other level of the organization.So, to recap, internal control is a process designed to help achieve objectives, and the controls themselves should be continuous, effected by us, able to provide reasonable assurance, and adaptable to different levels of the organization. As you can see, this definition is intentionally broad since internal controls can take on a variety of flavors.
6Risks of Weak Internal Controls Identifying Key ControlsRisks of Weak Internal ControlsFinancial misstatementsBusiness lossLoss of funds or materialsIncorrect or untimely management informationFraud or collusionTarnished reputation with the publicProgram Sustainability compromisedMissed goalsAs I mentioned earlier, we should identify objectives first, and then risks, and then controls. But it can be easier for some people to think about the risks first… I wouldn’t say these people are pessimistic; they just may be risk averse or cautious! In reality, I think many people find it easy to identify risks to broad objectives; this can actually help us to then go back and more accurately identify specific objectives. For instance, a broad objective I might have is to survive. A risk to that survival is getting in a car wreck. So a more specific objective might be to drive safely. We can then identify a control for that risk: seatbelts, air bags, etc.In any case, here are some examples of risks of weak internal controls. I think you could easily think of the goals associated with these risks, and by the end of this presentation, hopefully you’ll be able to identify some of the controls we can put in place to mitigate these risks as well.
7What are the five integrated components of internal control? COSO FrameworkWhat are the five integrated components of internal control?Let’s move on to some of the key terminology you need to know to talk about internal control as it is widely accepted in the U.S. We’ll talk about the COSO framework and the five integrated components of internal control that it highlights.First, what is COSO? [cut to coso.org]COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. COSO is a joint initiative of 5 organizations, including the American Institute of CPAs and the Institute of Internal Auditors. COSO is dedicated to providing thought leadership on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established the common internal control model, definitions, and framework that many companies and organizations use to assess their control systems.The COSO framework has been adopted by the state of North Carolina as its standard for internal controls within state agencies. The framework also gained importance and attention after the Enron and WorldCom scandals and the resulting Sarbanes-Oxley Act, which was enacted in 2002 to set new and enhanced accounting standards for U.S. companies, including annual assessment by management and external auditors of internal control on financial reporting. The moral of the story here is that internal controls aren’t just something fun to add to our list of things to do; without them, there isn’t just risk of fraud and mismanagement of assets; there is a proven history of fraud and mismanagement actually occurring on very large scales.
8Updated COSO Framework Reflective of the current environmentApplicable to more business objectivesIntegrated approach to addressing organization-wide objectivesFlexible and customizablePrinciples-based rather than Rules-based17 principles – formalize fundamental concepts to helpSpecify objectivesAssess risksDeploy controlsDesigned to help address objectives across the organizationE.g., addressing financial reporting fraud might help address compliance objectivesKey: Ramp it up in the “right” areasHow to define right areas? Risk assessment.COSO’s original internal control framework was established in 1992 and was recently updated in May 2013.According to COSO, this new framework is intended to:Be more reflective of the current environment – For instance, taking into account new risks, such as bad PR via social mediaCover more business objectives – giving us a more integrated approach to addressing organization-wide objectives and trying to move beyond Sarbanes-OxleyBe flexible and customizable –The new framework identifies 17 principles, which are intended to formalize fundamental concepts to help organizations: 1) specify objectives, 2) assess risks, and 3) deploy controls (here again we see the objectives-risks-controls connection). A principles-based framework allows people within an organization to make decisions based on the ‘spirit’ of the principle, rather than over-emphasizing rules at the expense of judgment. In rules-based environments, employees might conclude that anything not forbidden is permitted. In addition, heavy focus on the “don’ts” may lead to cynicism about the purpose of the code or other unintended effects. Of course, there is another side to the coin; sometimes, you just need to make rules.In general, one of the keys to implementing the COSO framework is to ramp up controls in the “right” areas. How do we define the “right” areas? Through risk assessment, which we’ll go over shortly.
95 integrated components Updated COSO FrameworkAlong the 3main objectivesAt all levels of the organizationThe COSO “cube”5 integrated componentsHere we can see what is called the COSO “cube.” It has five integrated components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring, which are pervasive at all levels of the organization, from the most comprehensive – at the entity level – down through each operating unit and to the most discrete level, the process function. And, as we discussed earlier, these components all operate along the three main objectives identified by COSO: operations, reporting, and compliance.We’ll now talk through each of these internal control components, starting with the control environment.
101. Control Environment COSO cube – 5 Integrated Components The set of standards, processes, and structures that provide the basis for carrying out internal controlComprises integrity and ethical values of the organizationThe Board and Senior Management - and you!Establish tone at the topEstablish expected standards of conduct and reinforce expectationsParameters enable the Board to carry out its governance oversight responsibilitiesUniversity tone at the top: Policy 804, Standards of Ethical ConductThe first component of the internal control framework is the Control Environment, a set of standards, processes, and structures that provide the basis for carrying out internal control.The control environment comprises the integrity and ethical values of an organization, as well as:Management’s philosophy and operating styleOrganizational structureHow management assigns authority and responsibility (both along functional and administrative reporting lines)The competence of the entity’s peoplePersonnel development (including training and support)As part of the control environment, the board of trustees and senior management must establish tone at the top. What exactly is tone at the top? One definition is: a visible willingness by senior management to let values drive decisions, to prioritize those values above other factors – including financial results – and to expect all others in the organization to do the same. This tone helps to establish expected standards of conduct and reinforce expectations of employees. This, in turn, establishes parameters that enable the Board to carry out its governance oversight responsibilities.[cut to NC GS]For example, North Carolina General Statute 138A is the State Government Ethics Act. This, arguably, helps set a tone at the top for the State, setting expectations for state employees and others acting in service to the state, and also allowing the state to address any violations of these standards. As another example, University Policy 804, Standards of Ethical Conduct, was approved in October of 2013 and sets forth UNC Charlotte’s commitment to ethical, legal, and professional behavior for all members of the University community.[cut back]In the same way, all leaders at the University are responsible for setting the tone at the top of their departments and units. This “tone” should match that set by senior management but can be tailored to specific needs of business units.
11Control Environment for Financial Reporting COSO cube – 5 Integrated ComponentsControl Environment for Financial ReportingThis is one diagram depicting the control environment as it relates to financial reporting. As you can see, the control environment serves as an umbrella for the entity’s internal control framework. Good internal controls will not be effective without a sound control environment. Or another way to look at it is, a really good control environment is the foundation for really good internal controls. If you could truly inculcate a culture where no theft occurred, would you even need locks on the doors?
12COSO cube – 5 Integrated Components The Control Environment should ensure controls are in place, covering areas such as:Hiring practicesTraining programsWhistleblower policiesCode of EthicsClear lines of responsibility and authorityEtc.As part of our regular business processes, we should continually monitor and update the Control Environment for dynamic changesAs we said, the board and senior management are in charge of setting the stage for the entity-wide control environment. However, departmental managers should establish departmental policies as necessary in light of their unique objectives and risk factors in the absence of any central policies. Listed are some specific areas that the control environment should cover. In addition, as part of your regular business processes, you should continually monitor and update your Control Environment for dynamic changes.
13Compliance v. Integrity Strategy: COSO cube – 5 Integrated ComponentsDifference betweenCompliance v. Integrity Strategy:A ‘Compliance Strategy’ tries to prevent violations of regulations and self-interested behavior by employees by imposing standards of conduct that are intended to compel acceptable behavior.An ‘Integrity Strategy’ seeks to create conditions that support right action by communicating the values and vision of the organization, aligning the standards of employees with those of the organization, and relying on the whole management team, not just lawyers and compliance officers.One other thing to keep in mind when designing your control environment is the difference between a compliance v. an integrity strategy:A Compliance Strategy tries to prevent violations of regulations and self-interested behavior by employees by imposing standards of conduct that are intended to compel acceptable behavior. A compliance strategy relies more on lawyers and compliance officers.An ‘integrity strategy’ seeks to create conditions that support right action by communicating the values and vision of the organization, aligning the standards of employees with those of the organization, and relying on the whole management team, not just lawyers and compliance officers.So, in summary, a compliance strategy focuses more on preventing wrong while an integrity strategy focuses more on fostering right. Sometimes a combination of both may be warranted.
14The Control Environment should be documented: COSO cube – 5 Integrated ComponentsThe Control Environment should be documented:Process documentation/ controlsDetermine extent of existing documentation; leverage thisCreate new if no documentation existsUpdate for changes in operationsTypes of documentation that can be used:Process NarrativesOrganizational chartsFlowchartsQuestionnairesMemorandumsChecklistsFinally, in order for the control environment to be effective, it must be documented. The first step in ensuring proper internal control is to ensure business processes are properly identified and documented.Types of documentation that can be used includeProcess NarrativesOrganizational chartsFlowchartsQuestionnairesMemorandumsChecklists
152. Risk Assessment COSO cube – 5 Integrated Components Involves a dynamic and iterative process for identifying and assessing risksRisk: the possibility that an event will occur and adversely affect the achievement of objectives.The Board and Senior Management (and you!)Establish objectives linked at different levels of the entityMust take holistic approach – look at the full organizationApply internal control to achieve multiple objectivesPrevent domino effects, e.g., weakness in financial reporting that jeopardizes operationsEstablish risk tolerancesIncreasingly important when resources are constrainedThe second component of the internal control framework is Risk Assessment, which involves a dynamic and iterative process for identifying and assessing risks.A Risk is the possibility that an event will occur and adversely affect the achievement of objectives.Risks can be introduced by changes – for instance, new leaders and managers, new markets and products, growth, and emerging technologies.One way to categorize risk is along 4 key risk areas:Strategic – including Political risk, talent and succession planning risk, and risk from dependencies on other organizationsFinancial – including risk of audit findings and other things that would undermine reporting integrityCompliance – including Fraud and non-compliance with fair employment practicesOperational – including the risk that Programs fail to meet their objectives, natural disasters, and lack of technology availabilityThe board of trustees and senior management must establish objectives linked at different levels of the entity, as we’ve already discussed, and then determine the risks to those objectives. By taking a holistic view of the organization's objectives, management should then be able to apply internal control to achieve multiple objectives and prevent domino effects, for example, a weakness in financial reporting that jeopardizes ongoing operations.Risk assessment is especially important when resources are constrained, since risk assessment allows for a more strategic use of resources.
16Risk Management Risk Assessment COSO cube – 5 Integrated Components A process applied in a strategic setting and across the entity, designed to identify and manage risks to stay within risk appetite/tolerance level, to provide reasonable assurance about achieving entity goals and objectives.Risk AssessmentAn element of internal control within the risk management process that enables management to identify and assess key risks to achieving its objectives; this forms the basis on which control activities are determined.One thing to note is the difference between risk management and risk assessment.Risk Management isA process applied in a strategic setting and across the entity, designed to identify and manage risks to stay within a risk appetite or tolerance level, to provide reasonable assurance about achieving entity goals and objectives.Risk Assessment isAn element of internal control within the risk management process that enables management to identify and assess key risks to achieving its objectives; this assessment forms the basis on which control activities are determined.
17Process-level Risk Assessment COSO cube – 5 Integrated ComponentsRisk assessmentshould occur at the business process level as well as the entity level.Process-level Risk AssessmentLowMediumHighRisk Assessment1. Materiality of the amountsLarge dollars/transactionHigh volume of transactionsSignificant impact on key ratios or disclosures2. Complexity of the processLimited internal skillsMultiple data handoffsHighly technical in nature3. History of accounting adjustmentsAccounting errorsValuation adjustments, etc.4. Propensity for change inBusiness processes or controlsRelated accountingGrading FilterFour Primary FactorsAs we’ve noted, risk assessment should occur at the business process level as well as the entity level. Once you have identified your objectives, apply these four risk assessment factors:Materiality of the amounts in questionComplexity of the processHistory of accounting adjustmentsPropensity for change in the processes or controlsThis should help us to assess risk for the process in question in terms of likelihood and impact.Internal considerations to assess risk:Use of qualitative/quantitative methodsChange in management responsibilitiesWeak or unresponsive tone at the topHuman capital – quality of personnel hired/retainedEmployee sabotageSystem security weaknessesRapid growthChanges in processes or access to assetsExternal considerations:Technological advancements (more tools available, as well as existing tools we are using are outdated)Changing/evolving client/constituent needs or expectationsChanging legislative requirements and new laws/regulationsDecentralized organization operationsNatural disastersImpact of program, political, and economic changes
18Risk Mapping COSO cube – 5 Integrated Components Impact Consider the organization’s risk tolerance and risk appetite related to the risk responseImpactHere we see a risk map where the x axis shows Likelihood, where:A-Almost impossibleB-RemoteC-LowD-Reasonably possibleE-ProbableF-Very HighAnd the Y axis shows Impact:I-MarginalII-SignificantIII-SevereIV-CatastrophicSo, once we have assessed risk, we can consider the organization’s risk tolerance and risk appetite related to the risk response. If the likelihood is low and the impact is marginal, then that falls within the green area on this chart, and management may decide that resources should be directed elsewhere, for more pressing needs. However, if a risk has a likelihood of reasonably possible and an anticipated impact of severe, then that falls within the red area on this chart, and management may decide to direct resources towards the mitigation of this risk.Keep in mind that a risk assessment is meaningless without specific criteria to apply to each rating. For example, what is the difference between an impact of significant v. severe? These definitions, along with the organization’s risk tolerance (that is, what areas are considered green, yellow, or red) need to be set before a meaningful assessment can take place.One overall question to keep in mind is, what is the impact to stakeholders?
19Risk Strategies COSO cube – 5 Integrated Components Mitigation AvoidanceDo not proceed!MitigationImprove controls to reduce likelihood/impactTransferShift responsibility to an external partyAcceptanceAccept the risk!CreationSeek risk activities strategically to maximize opportunitiesOnce a risk assessment is completed, and the impact and likelihood are determined, we can then determine which strategy to choose to deal with the risk.The first is avoidance, which means that the process in question would not be pursued. This would be a likely option to choose if the risk likelihood was found to be very high, and the impact to be catastrophic, in other words, risks that fall within the red area of the risk tolerance map we just looked at.The second strategy is mitigation, where we would improve controls to reduce the likelihood and impact of the process. This is where many control activities will be done.The third strategy is transfer, where responsibility is shifted to an external party.Another strategy is acceptance, where the organization simply accepts the risk. This would make sense if the risk likelihood was found to be remote, and the impact to be marginal. In general, we should accept risks only if in green area of the risk tolerance map.The final strategy listed is creation, where risk activities are strategically sought to maximize opportunities. These types of decisions should lie with senior management only.We must be cautious when choosing these strategies. For example, Transferring too much responsibility to third parties is a risk in itself. This should only be done if it is known that the organization would introduce more risk by taking on the task itself.
203. Control Activities COSO cube – 5 Integrated Components The actions established through policies and procedures that help ensure management’s directives to mitigate risks are carried out.Performed at all levels within the entityTypes:Preventive and detective and correctiveCompensatingManual and automatedExamples:Approvals & AuthorizationsEmbedded verificationsReconciliationsIndependent ReviewsAsset securitySegregation of dutiesThe third component of the internal control framework is Control Activities, which are the actions established through policies and procedures that help ensure management’s directives to mitigate risks are carried out. These activities are performed at all levels of the entity.There are certain types of control activities, including preventive, detective, and corrective; compensating; and manual and automated. We will go over the difference between these control types.Control activities are exactly what they sound like– the activity part of the internal control framework. While the control environment and risk assessment set the stage for good controls, the control activities are where the meat of the control work is done.Examples of control activities include:Approvals & AuthorizationsEmbedded verificationsReconciliationsIndependent ReviewsAsset securitySegregation of duties
21Preventive Control Detective Control COSO cube – 5 Integrated ComponentsPreventive ControlPrevents the occurrence of a negative event in a proactive mannerExamples:Approval for purchase > $5,000Passwords for access to BannerPetty cash held in lockboxSecurity and surveillance systemsPre-numbered checksDetective ControlDetect the occurrence of a negative event after the fact in a reactive mannerExamples:Supervisor review & approvalReport run showing user activityReconcile petty cashPhysical inventory countReview missing/voided checksThe first way we can categorize control activities is between preventive and detective controls.Preventive Controls prevent the occurrence of a negative event in a proactive manner.[click]Examples here at UNC Charlotte include:Approval required for purchases greater than $5,000Passwords required for access to BannerPetty cash that must be held in a lockboxSecurity and surveillance systems in high-risk areas, andPre-numbered checksDetective Controls Detect the occurrence of a negative event after the fact in a reactive mannerSupervisor review & approvalReports that are run showing user activityReconciliation of petty cashAnnual Physical inventory counts, andReview of missing and voided checksPreventive controls are stronger that detective controls. It is more effective and less costly to prevent something from happening rather than to attack it on the back end; sometimes it is hard to stop something that is already in motion, similar to a snowball effect.This chart also shows corrective controls, but really I would deem these more as corrective ‘actions’, since the correction isn’t really a control itself.
22Control Activities COSO cube – 5 Integrated Components If a weakness or limitation exists within the control environment, a compensating control may be relied upon to mitigate the riskCan be preventive or detectiveExample: A unit does not have the staff resources to establish an adequate segregation of duties. Potential compensating controls could include:Automation of certain transaction data that cannot be altered by the staffManager review of detailed summary reports of the transactions initiated by the staffPeer staff and/or manager selects a sample of transactions and vouches back to supporting documentationThere are also compensating controls, which may be relied upon to mitigate existing risks if a control activity that should otherwise be in place is not in place. Compensating controls can be either preventive or detective.One common scenario is when a department or unit does not have the staff resources to establish an adequate segregation of duties. Potential compensating controls could include:Automation of certain transaction data that then cannot be altered by the staff, that is, removing humans from the process altogetherManager review of detailed summary reports of the transactions initiated by the staff. So, if one staff member is a requester in 49er Mart, and her supervisor is the approver, then the overall manager of that area should, on a periodic basis – say, monthly – separately review summary reports of these transactions.Another option would be for Peer staff and/or a manager – someone separate from the personnel involved with making the transaction - to select a sample of transactions and vouch back to supporting documentationIn all these ways, we are compensating for the fact that the advisable control activity – segregation of duties – is not possible with current resources.
23Control Activities COSO cube – 5 Integrated Components Automated ControlManual ControlRequire action to be taken by employees, e.g.,Obtain supervisor’s approval for overtimeReconcile bank accountsMatch receiving to POsBuilt into network infrastructure and software applications, e.g.,PasswordsData entry validation checksBatch controlsThe final category of controls we’ll go over is manual v. automated controls.Manual controls Require action to be taken by employees. Examples includeObtaining a supervisor’s approval for overtimeReconciling bank accounts, andMatching receiving to Purchase OrdersAutomated controls are Built into the network infrastructure and software applications. Examples includePasswordsData entry validation checks, andBatch controlsAutomated controls are more reliable and cost effective than manual controls
244. Information and Communication COSO cube – 5 Integrated Components4. Information and CommunicationInformation is necessary to carry out internal control responsibilities to support achievement of objectivesCommunication: the continual, iterative process of providing, sharing, and obtaining necessary informationInternal and externalInformation should be timely, accessible, and allow for successful control actionsThe fourth component of the internal control framework is Information and Communication. This component is pretty straightforward but is also very important in ensuring a cohesive, sustainable framework. Accurate, timely information is necessary to properly carry out internal control responsibilities in support of the achievement of an organization’s objectives. And communication is the continual, iterative process of providing, sharing, and obtaining that necessary information.Management and employees must be able to obtain information from both internal and external sources as necessary, and communication paths must be viable to both internal and external parties. Information should be timely, accessible, and allow for successful control actions.Obviously, that is a very high-level statement that is harder to do than say, but the key is to try to keep communicating the right information to the right people at the right time.Key: To communicate the right information to theright people at the right time
25Information & Communication COSO cube – 5 Integrated ComponentsInformation & CommunicationThings to communicate:InitiativesGoalsChangesOpportunitiesFeedbackQuestionsAnswersPoliciesProceduresStandardsExpectationsEven with so many ways to communicate these days – , text messaging, Twitter, Facebook, apps, the cloud, FedEx, mail, phone calls, or EVEN face-to-face - sometimes it is difficult to find ways to communicate effectively and with impact. Just keep in mind what you are trying to communicate and to whom. Remember that more communication is not always better, but more well thought-out, directed communication is essential to all operations, including internal controls.
265. Monitoring Activities COSO cube – 5 Integrated Components5. Monitoring ActivitiesEvaluations used to ascertain whether components of internal control are present and functioningOngoing evaluations:Built into business processesProvide timely informationSeparate evaluations:Conducted periodicallyVary in scope and frequencyDependent on assessment of risks, effectiveness of ongoing evaluations, other management considerationsFindings are evaluated against relevant criteriaThe fifth and final component of the internal control framework is Monitoring. Monitoring activities are evaluations used to ascertain whether components of internal control are present and functioning. These evaluations can be split into two categories:Ongoing evaluations are built into business processes and provide timely information on the underlying controls.Separate evaluations are conducted periodically and vary in scope and frequency based on prior assessments of risk, the effectiveness of ongoing evaluations, and other management considerations such as resource prioritization. Separate evaluations include Internal Audit activities.In other words, when we monitor an activity, we are assessing the performance of an internal control system over a period of time, helping to validate that the internal control system is operating as expected. Any findings that result from monitoring activities should be evaluated against relevant criteria, for example, how long has the control been compromised, and how high are the risks? Any deficiencies that are found, which are more pernicious to the control system than findings, should be communicated to the Board and Senior Management.It confirms that the findings of audits and other reviews are promptly resolved so that internal controls are not compromised.Monitoring should be directed at both internal and external risks to the organization.Monitoring also consists of supervisory review and sign off to help ensure proper checks and balances.Your organization should have a strategy for effective ongoing monitoring.Deficiencies are communicated to the Board and Sr. Management
27Testing Control Processes COSO cube – 5 Integrated ComponentsTesting Control ProcessesIdentifytransactions to be testedkey controlsapplicable standards to test the transactions (i.e., criteria to judge compliance effectiveness)Determineappropriate type of testingextent of testingCreate test planConduct tests for effectivenessDocument testing and resultsAssess test resultsCommunicate findings, recommendationsMonitoring activities should be designed to test an adequate number of key controls to ensure an entity can make all relevant financial assertions related to significant accounts.Risk-based testing includes identification of key processes and controls and developing test procedures and sampling that is appropriate for the related risk to the organization.To test control processes, we should first identify the key controls, transactions to be tested, and applicable standards against which to test the transactions. We would then determine the appropriate type of testing, e.g., ongoing or separate evaluations, and the extent of testing, e.g., determining how often to test or the sample size needed. From there, we would create a test plan, conduct tests for effectiveness, document testing and results, assess those results, and communicate findings and recommendations to the appropriate people.
28Monitoring/Validating Controls COSO cube – 5 Integrated ComponentsMonitoring/Validating ControlsDeficiency in Design – A critical control is not properly designed, i.e., even if the control operates as designed, the control objective is not always met.When validating control design (determining effectiveness):Consider various factors (how control is performed, who performs the control, what data/reports used in performing control, what physical evidence is produced from the control)Work off of process narratives, flowcharts, and any other relevant material obtained and/or completed in the documentation stageBe aware that application controls are either programmed control procedures (e.g., edits, matching, reconciliation routines) or computer processes (e.g., calculations, on-line entries, automatic system interfaces).When monitoring activities have been completed, the results must then be analyzed and reported. If deficiencies in controls are found, they should be categorized as either deficiencies in design or deficiencies in operations.A deficiency in design occurs when a critical control is not properly designed; that is, even when the control operates as designed, the control objective is not always met. Remember that a critical control is one that is critical to the organization’s ability to meet its control objectives.The picture on this slide shows a train that has derailed due to a design deficiency. Per the news reports, this accident was caused by "serious deficiency" in the design of the cantilever arm and the fact that the concrete did not have adequate strength likely due to lack of its adequate curing.Thus, when validating control design (that is, determining the control’s effectiveness), we should consider various factors. In this case, how is the train usually kept from derailing, who ensures that this control is in place, and what data/reports and physical evidence were or could be used in monitoring the control? This information could be evaluated using process narratives, flowcharts, and any other documentation.
29Monitoring/Validating Controls COSO cube – 5 Integrated ComponentsMonitoring/Validating ControlsDeficiency in Operation – A properly designed control does not operate as intended, or the person performing the control does not possess the necessary authority or qualification to perform the control effectively.Testing operating effectiveness includes, in part:Reviewing supporting documentation for proper authorization,Reviewing the results of periodic reconciliations, andReviewing policies and procedures to determine if they are being followed.Use appropriate sampling techniques as necessary.The other type of control deficiencies is a deficiency in operation. These occur when a properly designed control does not operate as intended, or when the person performing the control does not possess the necessary authority or qualification to perform the control effectively.The picture on this slide shows a clip from the movie Gravity, where Sandra Bullock plays an astronaut that is stranded in space. Here, she is in a foreign space station where, even though controls have likely been properly designed, the astronaut does not possess the necessary qualifications to operate the controls effectively.Testing for operating effectiveness (down here on Earth) can include:Reviews of supporting documentation for proper authorization,Reviews of periodic reconciliations, andReviews of policies and procedures to determine if they are being followedAll of these reviews can be performed on a sample basis.
30Monitoring/Validating Controls COSO cube – 5 Integrated ComponentsMonitoring/Validating ControlsDocumentation should be maintained for:The evaluation of internal control at the entity and process levelsWhat testing has been performedIdentified deficienciesDocumentation must contain sufficient information to:Identify who performed the work and whenEnable understanding of the nature, timing, extent, and results of the procedures performedEnable understanding of the evidence obtainedSupport the conclusions reachedFinally, when monitoring and validating controls, several key items should be documented, including:The evaluation of internal control at the entity and process levelsWhat testing has been performed, andIdentified deficienciesDocumentation must contain sufficient information to:Identify who performed the work and whenEnable understanding of the nature, timing, extent, and results of the procedures performedEnable understanding of the evidence obtained, andSupport any conclusions reachedRemember that documentation is key to both establishing controls and monitoring them. Without clear documentation, controls become uncontrollable!
31Limitations of Internal Control Even an effective system of internal control can experience a failure. Limitations may result from:Suitability of established objectivesReality that human judgment in decision making can be faulty and subject to biasBreakdowns that can occur because of human failures such as simple errorsAbility of management to override internal controlAbility of management, other personnel, and/or third parties to circumvent controls through collusionExternal events beyond the University’s controlAgain, internal control provides reasonable, not absolute, assurance of achieving objectives.Note that even an effective, well-designed system of internal control can experience a failure. Limitations may result from:The lack of suitability of established objectivesThe reality that human judgment in decision making can be faulty and subject to biasBreakdowns that can occur because of human failures such as simple errorsThe ability of management to override internal controlsThe ability of management, other personnel, and/or third parties to circumvent controls through collusionExternal events beyond the University’s controlAgain, internal control provides reasonable, not absolute, assurance of achieving objectives. The point of internal controls is to prevent what is preventable, not to prevent everything. Remember one of the key components of internal control is risk assessment.
32Practical Implications How can you incorporate internal controls within your current processes?In our final section, we’ll try to bring all the pieces together and see how you can incorporate internal controls within your current processes.
33Connect Objectives What are you trying to achieve? Risks What might thwart our efforts?ControlsHow can we manage risk?Do you remember this slide from the very beginning of this session?Always keep in mind that we first need to think about what we are trying to control. In order for there to be a control, we must be trying to control something, and what is that something? It is a risk to an identified objective. So, we need to start with our objectives; what are we trying to achieve in our organization and the departments we work in? Once we establish those objectives, we can identify what risks might exist to achieving our objectives and from there, we can determine what controls we might be able to put in place to control those risks.For business managers at UNC Charlotte, an objective might be to increase the number of students in their departments by providing quality scholarships to a diverse population. A risk to achieving this goal might be a poor scholarship application and delivery system that mistakenly sends award letters to the wrong students. So, stronger automated controls within the system would be necessary to mitigate this risk.Again remember: without a risk, there is no need for an internal control.
34Document the process! Determining Where Controls are Needed Identifying Key ControlsDetermining Where Controls are NeededFirst, must …Document the process!Pick a method that suits the process: Flowchart or NarrativeIdentify process owner and activity ownersIdentify the key inputs, activities, outputs, and risk pointsIdentify policies that impact the processIdentify standards that may specify mandatory controlsOnce it has been determined that controls are necessary, the next step is to start documenting! I know it seems like we harp on documentation quite a bit, but that’s because it is indeed essential to setting up and maintaining proper controls.Before we begin to document controls, we must first document the process we are trying to control. Process documentation is a whole art (and process!) in and of itself, but as a brief overview, the high-level steps are listed on this slide.
35Identifying Key Control Activities Identifying Key ControlsIdentifying Key Control ActivitiesIdentify and document all controls associated with key processesIdentify the characteristics of controls that, when functioning as intended, would provide the evaluator with a ‘level of comfort’ to conclude that the control is effective with respect to a given riskConsider control effectiveness by focusing on:Directness and clarity of the control techniqueFrequency with which the control technique is appliedExperience of personnel performing the controlProcedures followed when a control identifies an exception conditionOnce the process in question is documented, identify and document all controls associated with the key processes. So, if the process is “cash receipts”, three key controls might include:Use of a lockbox and numbered receipts when collecting cash,Segregation duties between the person who receives the cash, the person who deposits the cash, the person who reports the cash receipt, and the person preparing reconciliations, andReview and sign-off of cash receipt and accounts receivable reports and bank reconciliations by a supervisor not involved with cash handling duties.Then identify the characteristics of controls that, when functioning as intended, would provide the evaluator with a ‘level of comfort’ to conclude that the control is effective with respect to a given risk. So, in our cash receipts example, perhaps your department does not have enough staff to enable full segregation of duties. However, as long as the person who receives and deposits the cash is separate from the person who reports the cash, that may give you a level of comfort with regard to that control as long as you are also reviewing bank reconciliations and other reports on a periodic basis.Other points to focus on when determining control effectiveness are:The directness and clarity of the control techniqueThe frequency with which the control technique is appliedThe experience of personnel performing the control, andThe procedures followed when a control identifies an exception condition
36Understanding Control Design Identifying Key ControlsUnderstanding Control DesignFor internal controls over financial reporting, consider the following questions:Will the control techniques help achieve the control objectives?Will the controls mitigate risk to an acceptable level?How do the related control objectives prevent or detect a potential misstatement?How do potential misstatements affect the related financial report line item?We have been talking about internal controls in general, but one key area of internal control is related to financial reporting, both for internal departmental reports and University-wide financial reports, which are key to management decision making. When designing and documenting controls over financial reporting, consider the following questions:Will the control techniques help achieve the control objectives?Will the controls mitigate risk to an acceptable level? (and how do you define ‘acceptable level’?)How do the related control objectives prevent or detect a potential misstatement?How do potential misstatements affect the related financial report line item?
37Common Basic Internal Control Principles Identifying Key ControlsCommon Basic Internal Control PrinciplesEstablish ResponsibilityAssign each task to only one personSegregate DutiesDon’t make one employee responsible for all parts of a processRestrict AccessDon’t provide access to systems, information, assets, etc. unless needed to complete assigned responsibilitiesDocument Procedures and TransactionsPrepare documents to show that activities have occurredIndependently verifyCheck others’ workEven if none of the rest of this session has stuck with you (and I’m sure it has!), there are some common basic internal control principles that can be applied on a practical level to any process:Establish responsibility. All key tasks should be assigned, and they should be assigned to only one person. If tasks are not assigned, you run the risk of no one taking responsibility or multiple people doing duplicative work or colluding.Segregate Duties. The following responsibilities should be segregated in each business process:Maintaining proper custody of assetsProperly recording the transactionsAuthorizing the transactions, andReconciling the transactionsRemember that compensating controls can be put in place where full segregation of duties is not possible. At the very least, do not make one employee responsible for all parts of a process. A key to defeating opportunity for fraud is to divide key functions so that no one person has control over ALL parts of a transaction.3. Restrict Access. Don’t provide access to systems, information, assets, etc. unless that access is needed to complete assigned responsibilities.4. Document Procedures and Transactions. We’ve already talked about documentation. It’s necessary to prepare evidence to show that activities have occurred and verify findings.5. Independently verify. Remember to check others’ work. Don’t let an employee have unbridled and unchecked authority.Note that higher risk transactions include:The purchase of goods and servicesCash receiptsPayroll operationsInventory operationsThese processes should be more closely monitored for proper controls since they present higher opportunities for fraud and misappropriation than other processes.
38Understanding Control Design Identifying Key ControlsUnderstanding Control DesignGood Controls are:FocusedIntegratedAccurateSimpleAcceptedCost EffectiveFinally, a few characteristics of good controls are that they are:Focused on critical points of operationsIntegrated into established processes (should not be burdensome but part of the actual process)Accurate, in that they provide factual information that is useful, reliable, valid, and consistentSimple and easy to understandAccepted by employeesCost effective; controls should not cost more than the risks they mitigate
39Need to connect Objectives, Risks, and Controls Key PointsNeed to connect Objectives, Risks, and ControlsFive interrelated components of Internal ControlControl EnvironmentRisk AssessmentControl ActivitiesInformation and CommunicationMonitoringAlong 3 main objectivesOperationsReportingComplianceAcross the organization, down to the process functionsNo silver bulletShould accompany process documentation effortsWe’ve reached the end of this session on internal controls. To review, here are a few of the key points we covered:Remember that the best way to identify internal controls is to first identify the Objectives and Risks to those objectives. The controls mitigate those risks.Remember that the Five interrelated components of Internal Control are:The control EnvironmentRisk AssessmentControl ActivitiesInformation and Communication, andMonitoringWhich operate along 3 main objectives:OperationsReporting, andComplianceAnd apply across the organization, starting at the entity level and running all the way down to the process functions.Remember that there is no silver bullet when it comes to internal controls; they help to provide reasonable, not absolute, assurance against identified risks.Finally, as we’ve seen, the establishment and assessment of internal controls should accompany process documentation efforts; documentation of controls is an outgrowth of the documentation of the underlying processes.
40Resources Video of this presentation: http://youtu.be/b1YoVW-lyMg Controller’s Office:Laura Williams, Compliance Manager, x7-5002Phil Maher, Business Process Analyst, x7-5781Greg Verret, Business Process Analyst, x7-5782Internal Audit:Tom York, Director, x7-5693Tommy Earnhardt, Staff Auditor, x7-5694External sites:PwC summary on why the COSO Update deserves your attention:COSO website:COSO Executive Summary on updated Internal Control Integrated Framework:Thanks for your attention during this video session. Listed are key contacts in the Controller’s Office and the Internal Audit department if you have any questions about internal controls or related topics. In addition, a few links to further information on the COSO framework are also provided.