Internal Control

Internal control basics Processes to review Tracking tools

Internal Control Internal control is a process – effected by those charged with governance, management, and other personnel designed to provide reasonable assurance about the achievement of an entity’s objectives which may fall into 3 categories: Reliability of financial reporting Effectiveness and efficiency of operations Compliance with applicable laws and regulations

WHY ARE INTERNAL CONTROLS IMPORTANT? Effective internal controls Safeguard public resources Protect employees Assist in fraud prevention

Five Components of Internal Control Control Environment Risk Assessment Control Activities Information and Communication Monitoring

Control Environment Starts at the top and sets the tone. Functions well if Management believes that controls are important and communicates that view to employees at all levels. Foundation for all other components of internal control providing discipline and structure. Key managers responsibilities clearly defined. Reflective of managements respect for and adherence to compliance requirements.

Evaluation of general control environment The person assigned to perform the internal control review must be or become, if not already familiar with the day-to-day activities of the entity. Organizational charts Planning and budget documents Job descriptions Inventory of statutory responsibilities and authorities Policies and procedures manuals Reports Audits, management reviews, program evaluations Internal control policies and procedures

Risk Assessments Identify the vulnerability of each assessable entity to waste, loss, unauthorized use or misappropriation. Consider Internal as well was External Events. (change in personnel) Consider Controls that have not been reviewed for a period of time. Analyze for possible effect, considering the likelihood and impact. Consider factors unique to your agency Past experience Staffing levels and experience Complexity of activities in relation to your mission Determine how to respond to each risk and who is responsible.

Step 1: Identify events(risks) ask What practices are being questioned by auditors and other oversight agencies? What information is critical to the agency’s operations and how vulnerable is it? What activities are regulated by the federal or state government? Are assets (cash, inventory, fixed assets) adequately protected? What circumstances may endanger future funding of your programs? New personnel. Incorporation of new technology.

Step 2: Analyze identified risks How important is this risk? How likely is it that this risk will occur (likelihood)? How large is the dollar amount involved (impact)? To what extent does the risk potential of one activity affect other activities? Are existing controls (policies and procedures) sufficient to manage this risk? To what degree are secondary controls in place?

Speak their language What is the mission? What will stop you from completing that mission? What preventative steps are you taking to reduce or eliminated that risk?

Step2 continued: Prioritize identified risks Likelihood = the possibility that a given event will occur. Impact the result or effect of an event. 3= High Risk – Mitigate or reduce the risk. 2= Medium Risk – Manage the risk. 1= Low Risk – Accept the risk.

Determine a risk response Identify possible response Accept and Monitor Transfer (Share) Reduce the likelihood Reduce the impact Avoid Evaluate the risk responses Consider the likelihood and impact Consider costs and benefit Select a response

Control Activities are the policies and procedures that help ensure that management directives are carried out. Policies and Procedures Management objectives (clearly written and communicated throughout the agency) Approvals and Authorizations Verifications Reconciliations Segregation of duties Physical and access controls Education, training and coaching

Control Activities in a strong system of Internal Control Pre-numbering Documents Authorization of transactions Independent Checks to maintain asset accountability Documentation Timely and appropriate performance reviews Physical controls for safeguarding assets Segregation of duties

Information and communication Risk communication creates a dialog about the existence, nature and severity or acceptability of risks. Communication can be formal through reports, training, written policy manuals, accounting and financial reporting manuals Communication can be informal through e-mail, speech, and actions of management. Most effective when travels in all directions.

Monitoring The process that assesses the quality of internal control performance over time by assessing the design and operation of controls on a timely basis and taking the necessary corrective actions. Allows an agency to react dynamically to change. Ensures things are working as planned Ongoing – Supervisory review of reconciliations, reports and processes. Periodic – internal audit sampling and at least annual reviews of high-risk business processes.

Limitations on Internal Control Human Error which may include errors in the design or use of automated controls. Deliberate circumvention of controls by collusion of two or more people. Management override of internal controls. Segregation of duties issues.

Recommendations/ Reporting A brief narrative of potential subsequent actions. Develop a new policy and/or procedure. Provide additional training. Functionally realign responsibilities to improve the segregation of duties. Schedule a detailed internal control review. Give any reasons why subsequent action should not be taken. For example: cost implement corrective action exceeds the value of the relative risk; legal mandate requires that the controls be in place even though costs exceeds perceived benefits.

Balance Sheet reviews Cut-off procedures for Liabilities – Payroll and A/P Controls over Assets in FAE – How are new assets communicated to finance, depreciation calculations, disposal of assets. Matching/Timeliness – Expenses recorded in the proper period. Accuracy of tuition revenues – resident, non-resident, who gets a waiver. Who prepares and reviews your journal entries? Investments – Who controls? Who reviews?

EVENT cYCLE Determine the event cycle. Review the series of processes which initiate and achieve an end product. Each have a defining beginning and ending point. Examples The disbursement cycle begins with the submission of the A-19 ends with a check printed. A student loan event cycle begins with the receipt of an application and concludes with the disbursement of the loan.

Document each event cycle Interview the person(s) involved in the cycle Review existing documentation Observe the activity Prepare either a narrative explanation documenting personnel performing the procedures, the forms and records developed and maintained, the number or dollar value processed. Walkthrough of the process from start to finish by tracing transactions from start to finish.

Proper segregation of duties Properly segregate duties so that no one person performs two or more of these functions Processes/records transactions Authorizes/Approves transactions Has custody of asset related records

Incompatible duties Payroll – process payroll, employee file maintenance, receive/distribute checks/ prepare bank reconciliation A/R – prepare deposit, access cash and check/ perform cash application in HP/ prepare bank reconciliation A/P – setting up vendors/ processing payments/ printing checks/preparing bank reconciliation Journal entries/Reconciliations – Prepare, sign, date must have a second reviewer sign and date.

Areas of exposure Employees who control a transaction, process or function from beginning to end. Not the entire system of cash receipts or disbursements, but rather a small slice. Primarily serves as bank account custodian but also performs the monthly reconciliation. Primarily acts as a cashier but also prepares the daily bank deposit. Primarily prepares input in account payable, but also has access to the checks. Prepares customer A/R cancellations and adjustments (write-offs) but also acts as a relief cashier. Primarily acts a cashier, but also reconciles the bank deposit information with the organizations accounting records. Employee with custody of assets, authorization or approval affecting those assets and reporting of related transactions.

PREVENTION OF SOD ISSUES Hire additional staff Split the responsibility between two existing staff members Establish a monitoring program for this key employee that effectively accomplishes a segregation of duties without hiring or using 2 employees to do the job, such as having an independent party monitor key employee tasks.

Don’t forget about the HP Documented procedure to remove terminated employees and periodically verify terminated users have been removed. Appropriate approval of new users and new menu access. Review current menu access for segregation issues. Be mindful of back up personnel. Make sure their additional duties to not create segregation of duties issues. Don’t share passwords.

POP QUIZ The 2012 Association of Certified Fraud Examiners Report to the Nations on Occupational Fraud and Abuse analyzed where fraud is occurring and at what frequency by industry. Where do you think government and public administration cases rank? A. 7th B. 1st C. 2nd D. 15th

Cash receipting LOSS prevention and detection Adequate SOD Compare Bank deposits to cash receipts records and verify the mode of payment agrees – deposits are intact. Review voided transactions to ensure they are supported Verify inventory records agree to usage Review bank reconciliations Perform surprise cash counts Look for missing deposit slips Look for unusual activity by employee or department Look for unusual journal entries

Additional Cash receipting CONTROLS Safeguard and limit access to receipts awaiting deposit. How long has it been since the safe combination was changed? Perform a periodic “look back” of revenues. Do they make sense given your understanding of operations? Review receipt sequence. Are receipts used in sequential order? Are all receipt numbers accounted for? Review bank reconciliations. Are they timely? Do the reconciling items make sense? Get a handle on unanticipated revenues Create and review error reports Know who is receiving the billing complaint calls Mandatory vacations Cross train duties

Purchase Card Review Ensure second signature on all submitted P-card logs. Ensure detailed credit card receipt is received, summary only is not acceptable. Statements paid without detail receipt to support purchase. Ensure items that were purchased are received and on-site. Review purchases for unusual vendors. Expense greatly exceeds what was budgeted or prior year totals.

Accounts Payable check review Review Travel Expense Report – Require conference agendas/registration be included in submission to ensure per diem is not submitted. Support is originals and not photocopies. Review vendor lists for unusual vendors or excessive payments. Reports are approved by budget authority or someone other than employee submitting for reimbursement. Ask follow up questions on unusual items. Confirm with a third party if necessary. Ensure reimbursement is not for expenses paid by college credit card.

Additional payment controls Ensure items purchased are on site. If you use positive pay make sure you know what the bank is verifying. Review for expenses that end in round numbers. Have an expectation of reasonable expenses and compare it to actual payments entered into the system. Checks should never go back to the department or person that initiated the payment.

Payroll internal controls Review payroll expenses for unusual fluctuations and amounts that are outside of your expectation, including benefit line items and overtime. Review personnel files to ensure you are not paying ghost employees. Look for unusual journal entries. Look for employees that rarely or never take leave. Review payroll reports for employees that use a PO box.

Documentation/Evidence of review Required to have adequate written documentation of activities conducted in connection to risk assessments, review of internal control activities and follow-up actions. Completed risk assessments Spreadsheets Write up of process Testing documentation

How to keep track of it all Survey Monkey Binders One - Note Data Base