Tim Grow, CPA Charleston Office Managing Shareholder Internal Control Tim Grow, CPA Charleston Office Managing Shareholder © Elliott Davis, PLLC © Elliott Davis, LLC
Internal Control Effectiveness and efficiency of operations Internal control is a process, effected by an entity’s board of directors, management and others, designed to provide reasonable assurance regarding the achievement of objectives in the following areas: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations © Elliott Davis, LLC © Elliott Davis, PLLC
The Need for Internal Control In order to establish effective controls an organization should first identify its relevant: Objectives of control Risks Controls to manage risk © Elliott Davis, LLC © Elliott Davis, PLLC
Internal Control Process Internal control is a process established to provide reasonable assurance of the achievement of objectives related to: Operations Reporting Compliance The responsibility to develop and maintain effective internal controls lies with management and the board of directors. © Elliott Davis, LLC © Elliott Davis , PLLC
Characteristics Basic characteristics of internal control include: Continuity Dependent on the cooperation of personnel The ability to provide reasonable assurance Adaptability © Elliott Davis, LLC © Elliott Davis, PLLC
Consequences of Weak Controls Weak internal controls create a number of undesirable consequences such as: Fraud Collusion Loss of reputation Inefficient operations © Elliott Davis, LLC © Elliott Davis, PLLC
COSO The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an initiative of 5 groups, including the AICPA. COSO established an internal control framework in 1992. The COSO framework is the foundation of the internal control processes in most organizations today. © Elliott Davis, LLC © Elliott Davis, PLLC
COSO Framework The COSO integrated framework embodies 5 integral components of internal control Control environment Risk assessment Control activities Information and communication Monitoring activities © Elliott Davis, LLC © Elliott Davis, PLLC
Control Environment The COSO framework defines the Control Environment as a set of processes, standards, and structures that promote effective internal control The Control Environment is impacted by the ethics and integrity of the organization, in particular the “tone at the top” established by management. © Elliott Davis, LLC © Elliott Davis, PLLC
Components of the Control Environment* The Control Environment includes: The training and support of employees Organizational structure Management’s philosophy and operating style (what you permit you promote) Hiring procedures i.e. hiring competent /qualified employees Overall ethics of the organization © Elliott Davis, LLC © Elliott Davis, PLLC
Control Environment Strategies Integrity Strategy Aims to establish effective internal control by communication of organizational values and vision, and create an environment that promotes ethical behavior Compliance Strategy Seeks to limit unwanted behaviors by enforcing strict standards of conduct © Elliott Davis, LLC © Elliott Davis, PLLC
Documentation of the Control Environment* An entity should document the controls and processes in place that relate to its control environment. Types of documentation include: Flowcharts Narratives Questionnaires Memos Organizational Charts © Elliott Davis, LLC © Elliott Davis, PLLC
COSO Risk Assessment In the COSO framework, Risk Assessment is the process through which an entity both identifies and assesses its prevalent risks. A risk is the possibility that something will happen that adversely affects the entity’s achievement of its objectives. Having risks is “OK” all organizations have them © Elliott Davis, LLC © Elliott Davis, PLLC
Risk Management VS. Risk Assessment Risk management is a process designed to identify and manage risks with the purpose of keeping risks within a tolerable range so that an entity has reasonable assurance that it will achieve its objectives. Risk assessment is an element within the risk management process. It allows management to create an assessment of key risks which forms a basis on which to determine control activities. © Elliott Davis, LLC © Elliott Davis, PLLC
Risk Assessment, Continued* Risk assessment is composed of four primary factors: Materiality of the amounts Complexity of the process History of accounting adjustments Propensity for changes in financial processes An entity should conduct risk assessment on both the process level and the entity level. © Elliott Davis, LLC © Elliott Davis, PLLC
Risk Responses There are five predominant risk strategies: Avoidance - Don’t do it Mitigation – Lessen it’s impact Transfer – Move the risk Acceptance – Tolerate it Creation – Develop a response © Elliott Davis, LLC © Elliott Davis, PLLC
COSO – Control Activities Control activities are performed at all levels within an entity, and consist of the activities that help achieve the risk mitigation goals established by management. Types of control activities: Manual Automated Preventative, detective, and corrective Compensating © Elliott Davis, LLC © Elliott Davis, PLLC
Manual Control VS. Automated Control Manual Controls require action to be taken by organizational personnel, for instance: Reconciliation of bank accounts Matching purchase orders to invoices Automated Controls are built into the entity’s software system and network, for instance: Batch controls System generated exceptions © Elliott Davis, LLC © Elliott Davis, PLLC
Preventive Control VS. Detective Control A preventive control is a proactive control activity. Its goal is to eliminate negative events before they occur. Preventive controls are stronger than detective controls. Detective controls are reactive control activities. The purpose of a detective control is to identify a negative event after its actual occurrence. © Elliott Davis, LLC © Elliott Davis, PLLC
Compensating Controls In some instances a weakness or limitation within the control environment can be mitigated by relying on a compensating control: Can be detective or preventive Common in small organizations; for example when proper segregation of duties is difficult to accomplish. © Elliott Davis, LLC © Elliott Davis, PLLC
COSO – Information and Communication Communication and information are integral to the accomplishment of an entity’s objectives. Communication should be an ongoing process of sharing, obtaining, and creating relevant information and delivering it to appropriate personnel. Information must not only be accessible but also timely. © Elliott Davis, LLC © Elliott Davis, PLLC
COSO – Monitoring Activities Monitoring activities can be either ongoing or separate assessments of internal control that are used to determine whether internal control components are implemented and operating effectively. Ongoing monitoring activities are built into the business processes and are the most timely. Separate monitoring activities are those that are conducted periodically and may involve varying levels of detail and frequency. © Elliott Davis, LLC © Elliott Davis, PLLC
Monitoring Activities, Cont’d Steps of the monitoring process include: Identify what is being tested Determine the type and extent of testing Create tests Conduct tests for effectiveness Document testing and results Assess test results Communicate findings © Elliott Davis, LLC © Elliott Davis, PLLC
So…now I know what I’m trying to achieve, how do I implement? Implementation So…now I know what I’m trying to achieve, how do I implement? © Elliott Davis, LLC © Elliott Davis, PLLC
Overview Document an understanding of processes and controls (hopefully the entity already has some of this documentation) Identify key controls (best done collaboratively) Evaluate for design effectiveness Test for implementation Consider testing for operating effectiveness © Elliott Davis, LLC © Elliott Davis, PLLC
Document an Understanding Authorization – How does management approve transactions, vendors, policies, etc.? Initiating and recording – How are transactions initiated? How do transactions get into the accounting system (including subledgers) Processing – How is activity on the account processed (for example, batch processing, end-of-day processing, real time processing)? Reporting – What general ledger accounts and other information are used to prepare reports? How is information reported in the financials? © Elliott Davis, LLC © Elliott Davis, PLLC
Key Controls - Institute of Internal Auditors “A key control is a control that provides reasonable assurance that material errors will be prevented or detected in a timely manner.” - Institute of Internal Auditors © Elliott Davis, LLC © Elliott Davis, PLLC
Evaluate Effectiveness Ask “What could go wrong?” Consider potential misstatements whether caused by fraud or error Consider mitigating controls Consider design © Elliott Davis, LLC © Elliott Davis, PLLC
Mitigating Controls Lessen the impact or puts a cap on the amount of potential error A mitigating control is instrumental in identifying possible errors when a key control is not in place. It can often prevent the error from being material © Elliott Davis, LLC © Elliott Davis, PLLC
Test for Implementation - Walkthroughs Selecting a few transactions and walking them through the transaction cycle focusing on key controls Objective of walkthroughs: Confirm understanding of key elements of processes and related controls Determine whether the entity has implemented the controls Determine whether changes have occurred that may impact the effectiveness of the process or control © Elliott Davis, LLC © Elliott Davis, PLLC
Evaluate for Operating Effectiveness Accomplished through Inquiry Observation Inspection Re-performance © Elliott Davis, LLC © Elliott Davis, PLLC
Internal Control Never Stops Conclusion Internal Control Never Stops It should be the bedrock for the organization It will be as effective as it is given priority Things get ugly when it fails Effective internal control will rarely be given its due © Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC