Internal Controls… They Are Not For Wimps

Internal Controls… They Are Not For Wimps Presented by: Billy Morehead, Ph.D., CPA, CGFM, CPM AGA Past National President and Associate Professor of Accountancy Mississippi College, Clinton, Mississippi William A. Morehead, Ph.D., CGFM, CPA, CPM

Definition of Internal Control
Internal control is a process – effected by those charged with governance, management, and other personnel – designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to:
- Reliability of financial reporting
- Effectiveness and efficiency of operations, and
- Compliance with applicable laws and regulations
Source: AICPA SAS 115

Definition of Risk Assessment
Risk analysis involves a careful, rational process of estimating the significance of a risk, assessing the likelihood of its occurrence, and considering what actions and controls are necessary to manage it. Risk analysis involves estimating the cost to the agency if an unexpected risk actually occurs.

Definition of Performance Audit
“Performance Audit is a valuable management tool carefully structured around tough, nationally recognized auditing principles that evaluate whether tax dollars are being spent in an effective, efficient and economic manner.” (Heartland Institute)

Those Charged With Governance
Defined as: “the person(s) with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the financial reporting and disclosure process.” In most entities, governance is a collective responsibility….

Internal Control Is Effected by Those Charged With Governance – an Entity’s Board of Directors, Management, & Other Personnel.
The Establishment of Internal Control Is MANAGEMENT’S Responsibility.

Internal Control Consists of 5 Interrelated Components:
- Control environment (values, ethics, integrity)
- Risk assessment (inherent and direct)
- Control activities (policies and procedures)
- Information and communication (systems and financial statements, etc.)
- Monitoring (management, internal auditors, audit committees, etc.)

[Figure: COSO Cube, with faces labeled Objectives, Components, and Entity]

There Is a Direct Relationship Between:
- OBJECTIVES (What an Entity Strives to Achieve) and
- COMPONENTS (Organizational Climate & Structure Needed to Achieve the Objectives)
BOTH are related to the entire entity & all business units & functions

[Figure: COSO Pyramid]

Internal Control, No Matter How Well Designed and Operated, Can Only Provide REASONABLE Assurance to Management and the Board of Directors Regarding Achievement of an Entity’s Control Objectives.

Control Environment
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for effective internal control, providing discipline and structure.

Control Environment Factors
- Communication & enforcement of integrity & ethical values
- Commitment to competence
- Participation of those charged with governance
- Management’s philosophy & operating style
- Organizational structure
- Assignment of authority & responsibility
- Human resource policies and practices
- Entity’s risk assessment process

Communication & Enforcement of Integrity & Ethical Values
- Codes of conduct (behavioral statements)
- Policies and procedures regarding:
  - Acceptable business practices
  - Conflicts of interest
  - Expected standards of ethical and moral behavior
- How communicated & reinforced

Communication & Enforcement of Integrity & Ethical Values
- Dealings with employees, suppliers, customers, investors, creditors, insurers, competitors, and auditors
- Pressures to meet unrealistic performance targets

Communication
Pertinent Information Must Be Identified, Captured, and Communicated in a Form and Timeframe That Enables People to Carry Out Their Responsibilities

Effective Communication Must Also Occur in a Broader Sense.
- All Personnel Must Receive a Clear Message From Top Management That Control Responsibilities Must Be Taken Seriously
- There Must Also Be Effective Communication With External Parties -- Customers, Suppliers, Regulators, and Shareholders

Commitment to Competence
- Hiring practices (check references)
- Formal job descriptions defining tasks that comprise particular jobs
- Analyses of the knowledge and skills necessary to perform jobs adequately

Participation of Those Charged with Governance
- Independence from management
- Experience & stature of its members
- Extent of its involvement and scrutiny of activities
- Appropriateness of its actions
- Information it receives

Participation of Those Charged with Governance
- Degree to which difficult questions are raised and pursued with management
- Interaction with internal and external auditors
- Oversight of the design & effective operation of whistle-blower procedures
- Oversight of the process for reviewing the effectiveness of the entity’s internal control

Management’s Philosophy and Operating Style
Management philosophy is the set of shared beliefs and attitudes characterizing how the agency handles everything it does, from developing and implementing strategy to day-to-day activities. This philosophy reflects the agency’s values, influencing its culture and operating style, and affects how well fiscal programs can implement, maintain, and enforce control.

Management’s Philosophy and Operating Style
Management philosophy appears in policy statements, oral and written communications, and decision-making. Management reinforces the philosophy more with everyday actions than with its words.

Management’s Philosophy and Operating Style
- Approach to taking and monitoring business risks
- Attitudes and actions toward financial reporting (conservative or aggressive application of GAAP, conscientiousness and conservatism when developing accounting estimates)
- Attitude toward information processing and accounting functions and personnel

Organizational Structure
- Appropriate framework for necessary planning, execution, control, and review of entity-wide objectives
- Adequately defined key areas of authority and responsibility, and appropriate lines of reporting
- Appropriate organization structure depends upon size, complexity, and nature of activities

Assignment of Authority and Responsibility
- How responsibility assigned
- How authority delegated
- Appropriate business practices
- Knowledge and experience of key personnel
- Appropriate resources provided for carrying out duties
- Policies and communications so all personnel understand entity’s objectives, know their roles and how they will be held accountable

Human Resource P&Ps
- Relate to recruitment, orientation, training, evaluation, counseling, promoting, compensating, and remedial actions
- Adequate background checks (educational background, prior work experience, past accomplishments, evidence of integrity & ethical behavior)
- Adequate retention and promotion criteria (continued education; performance appraisals; code of conduct guidelines)

[Figure: Fraud Perpetrator’s Employment History and Criminal History. ©2008 by the Association of Certified Fraud Examiners, Inc.]

Risk Assessment
- Inherent -- By the Very Nature of the Business Entity
- Direct -- As a Result of Action Taken by Management or Employees

Risk Circumstances
- Changes in operating environment
- New personnel
- New / revamped information systems
- Rapid growth of entity
- New technology
- New business models, products, activities
- Corporate restructuring
- New or expanded foreign operations
- New accounting pronouncements

External Influences Contributing to Risk:
- Economic Conditions
- Social Conditions
- Political Conditions
- External Regulation
- Natural Events
- Supply Sources
- Technological Changes
Source: AICPA SAS 109

Internal Influences Contributing to Risk:
- Changes in personnel duties
- Availability of funds for new initiatives or continuation of key programs
- Employee relations
- Information systems
- Data processing
- Cash management activities
- Asset protection and preservation
Source: AICPA SAS 109

Managing Risk...
- Can you identify internal and external risks?
- Which risks are significant?
- Do you have a thorough risk analysis process?
- Can you adequately anticipate the risk associated with change (self-imposed or as a result of external infliction)?

Information Systems
Consist of:
- Infrastructure (physical and hardware)
- Software
- People
- Procedures (manual & IT)
- Data
- Adequate Backup Systems

Information Systems Relevant to Financial Reporting Objectives
Consist of procedures and records established to:
- Initiate
- Authorize
- Record
- Process
- Report
- Maintain accountability
- Provide security

Information Systems
Encompass methods and records that:
- Identify and record all valid transactions
- Describe transactions in sufficient detail & on a timely basis
- Measure the value of transactions
- Determine proper accounting time period
- Properly present transactions & related disclosures in the financial statements

Control Activities...
…Are the Policies and Procedures That Help Ensure Management Directives Are Carried Out and Necessary Actions Are Taken to Address Risks That Threaten the Achievement of the Entity’s Objectives.

Relevant Control Activities...
- Provide for Performance Reviews
- Provide for Information Processing (accuracy, completeness, & authorization – application controls & general controls)
- Provide Physical Controls (physical security of Assets, Documents, & Records; reconciliations & inventory counts)
- Adequate Segregation of Duties

Monitoring...
If No One Ever Looks at or Reviews the Internal Control Environment -- What Good Is It Doing?

Monitoring Activities...
- Ongoing -- performance evaluation
- Corroboration of information -- bank reconciliations, etc.
- Comparison of physical assets to book assets -- inventories
- Internal and external audits -- effectiveness
- Codes of ethics certification
- Training and education

Benefits of Internal Control...
A Well-designed & Well-functioning Internal Control System Can Help an Entity Achieve Its Performance and Profitability Targets

It Can Help Prevent Loss of Resources, Help Ensure Reliable Financial Reporting, and Help Ensure That the Entity Complies With Laws and Regulations

In Other Words, Internal Control Systems Can Help an Entity Get to Where It Wants to Go and Avoid Pitfalls and Surprises Along the Way

Increasing Interest in Performance
Agency Managers must actively:
- Develop & Implement appropriate, cost-effective IC for results-oriented management
- Periodically assess the adequacy of those controls
- Identify needed improvement, and
- Take corresponding corrective action
Government Performance Auditing (Ives & Hancox)

Six Stages for “Managing to Achieve Results”
- Strategic Planning (setting goals & objectives)
- Program Planning (establishing measurable objectives)
- Setting Priorities & Allocating Resources
- Actively Planning (establishing strategies & operational processes)
- Managing Operations (controlling & measuring performance)
- Assessing Results & Adjusting Strategies (where warranted)
Government Performance Auditing (Ives & Hancox)

Performance Audits May Be Broad or Narrow in Scope & Cover:
- Whether an entity is acquiring, protecting & using its resources in the most productive manner to achieve program objectives
- The extent to which legislative, regulatory, or organizational goals & objectives are being achieved
- Whether a program produced intended results or produced effects that were not intended by the program’s objectives
- Whether the entity is following sound procurement practices
- The validity & reliability of performance measures
Government Performance Auditing (Ives & Hancox)

When Evaluating Economy & Efficiency of Operations – Ascertain:
- Whether resources are properly deployed
- Whether there are idle resources or overstaffed functions
- Whether resources are acquired at a reasonable price
Government Performance Auditing (Ives & Hancox)

When Assessing Program Effectiveness & Results – Ascertain, for example:
- Whether a loan program created or retained the number of jobs anticipated to be created
- Whether a job-training program resulted in employment for the number of persons anticipated to be employed and for a particular period
Government Performance Auditing (Ives & Hancox)

Types of Subjects Covered in Performance Audits
- Progress made in achieving goals of a specific program
- Assessment of the hiring, training & supervision of staff of a program
- State oversight & local government compliance with regulation of a program
- Assessment of a program intended to increase/decrease aspect of a program
- Assessment of the efficiency & effectiveness of a program
- Assessment of program service delivery & financial management
Government Performance Auditing (Ives & Hancox)

Limitations of Internal Control
- Not a cure-all
- Cannot ensure entity’s success or survival
- Cannot ensure entity will achieve operation, financial reporting, and compliance objectives
- Effectiveness limited by human judgment and hasty decision making

- System can break down due to misunderstandings, mistakes in judgment, or errors committed due to carelessness, distraction, or fatigue
- Only as effective as the people who are responsible for its functioning
- Collusion can result in control failure
- Limited resources (cost/benefit)
  - excessive control is costly & counterproductive
  - too little control presents undue risk to entity

Everyone in an Organization Has Some Responsibility for Internal Control; However, MANAGEMENT Is Responsible!

- Internal Auditors Contribute to Ongoing Effectiveness of IC
- Those Charged With Governance Provide Important Oversight
- External Auditors Contribute to Achievement of Entity’s Objectives and Provide Information Useful in Affecting IC

Deficiency in Internal Control
Statement of Auditing Standard (SAS) 115 entitled “Communicating Internal Control Related Matters Identified in an Audit” defines deficiency in internal control, significant deficiency, and material weakness and provides guidance for auditors on evaluating the severity of the deficiencies in internal control.

Deficiency in Internal Control
Determination as to whether a deficiency is significant or material is based upon whether a reasonable person would derive the same conclusion as the auditor or whether prudent officials having knowledge of the same facts and circumstances would agree with the auditor’s classification of the deficiency.

Deficiency in Internal Control
A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.

Deficiency in Internal Control
Significant deficiency is defined as a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Deficiency in Internal Control
A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.

Deficiency in Internal Control
One situation when a deficiency in internal control should be regarded as at least a significant deficiency and a strong indicator of a material weakness – ineffective oversight of the entity’s financial reporting and internal control by senior management and those charged with governance.

Indicators – Material Weakness
- Identification of fraud, whether or not material, on the part of senior management.
- Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud.
- Identification by the auditor of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control.
- Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance.

Deficiencies in Design Controls
- Inadequate design of controls over the preparation of the financial statements being audited.
- Inadequate design of controls over a significant account or process.
- Inadequate documentation of the components of internal control.
- Insufficient control consciousness within the organization; for example, the tone at the top and the control environment.

Deficiencies in Design Controls
- Absent or inadequate segregation of duties within a significant account or process.
- Absent or inadequate controls over the safeguarding of assets.
- Inadequate design of IT general and application controls that prevent the information system from providing complete and accurate information consistent with financial reporting objectives and current needs.

Deficiencies in Design Controls
- Employees or management who lack the qualifications and training to fulfill their assigned functions.
- Inadequate design of monitoring controls used to assess the design and operating effectiveness of the entity’s internal control over time.
- The absence of an internal process to report deficiencies in internal control to management on a timely basis.

Failures in the Operation of IC
- Failure in the operation of effectively designed controls over a significant account or process (example: the failure of a control such as dual authorization for significant disbursements within the purchasing process).
- Failure of the information and communication component of internal control to provide complete and accurate output because of deficiencies in timeliness, completeness, or accuracy (example: the failure to obtain timely and accurate consolidating information from remote locations that is needed to prepare the financial statements).

Failures in the Operation of IC
- Failure of controls designed to safeguard assets from loss, damage, or misappropriation.
- Failure to perform reconciliations of significant accounts (example: accounts receivable subsidiary ledgers are not reconciled to the general ledger account in a timely or accurate manner).
- Undue bias or lack of objectivity by those responsible for accounting decisions (example: consistent understatement of expenses or overstatement of allowances at the direction of management).

Failures in the Operation of IC
- Misrepresentation by entity personnel to the auditor (this is an indicator of fraud).
- Management override of controls.
- Failure of an application control caused by a deficiency in the design or operation of an IT general control.
- An observed deviation rate that exceeds the number of deviations expected by the auditor in a test of the operating effectiveness of a control.

The determination of significant risks, which arise on most audits, is a matter for the auditor’s professional judgment. In exercising this judgment, the auditor should consider inherent risk to determine whether the nature of the risk, the likely magnitude of the potential misstatement, including the possibility the risk may give rise to multiple misstatements, and the likelihood of the risk occurring are such that they require special audit consideration. (SAS 109, ¶ 111)

Routine, noncomplex transactions which are subject to systematic processing are less likely to give rise to significant risks because they have lower inherent risks. On the other hand, significant risks are often derived from business risks which may result in a material misstatement. In considering the nature of the risks, the auditor should consider a number of matters, including the following:

- Whether the risk is a risk of fraud.
- Whether the risk is related to recent significant economic, accounting, or other developments and, therefore, requires specific attention.
- The complexity of transactions.
- Whether the risk involves significant transactions with related parties.
- The degree of subjectivity in the measurement of financial information related to the risks, especially those involving a wide range of measurement uncertainty.
- Whether the risk involves significant nonroutine transactions which are outside the normal course of business for the entity, or otherwise appear to be unusual.
(SAS 109, ¶ 111)

Significant risks often relate to significant nonroutine transactions and judgmental matters. Nonroutine transactions are those which are unusual, either due to size or nature, and therefore occur infrequently. Judgmental matters may include the development of accounting estimates for which there is significant measurement uncertainty. (emphasis added) (SAS 109, ¶ 112)

Exhibit 4: Management’s Commitment to Professional and Technical Competence
Excellent Example

Exhibit 7: Risk Assessment
Excellent Example

Exhibit 5: Assignment of Authority and Responsibility
Excellent Example

Exhibit 7: Risk Assessment
Excellent Example

Exhibit 8: Risk Response
Where are the comments???

Exhibit 22: Monitoring Questionnaire
Poor Response – Not Completed – Indicates Poor Internal Controls

The Hot Ten!
10. Weak Internal Controls
9. Lack of or Poor Assessment of IC by Management
8. Personal Pressures
7. Environmental Changes
6. Audit Deficiencies
5. Inadequate, Limited, or Reduced Training Resources
4. Related Party Transactions
3. Management’s Override of Internal Controls
2. Negative Work Environment – Poor Tone at the Top
1. Blind Trust

Questions?
Contact Information
Billy Morehead, Ph.D., CGFM, CPA, CPM
Associate Professor of Accountancy
Mississippi College
P. O. Box 4014
Clinton, MS 39058
Phone: 601-925-7742
Email: morehead@mc.edu