Monitoring and Testing Internal Controls

1
Monitoring and Testing Internal Controls

• Moore Stephens Lovelace, P.A. so much more than
  an accounting firm

Presented By Daniel J. OKeefe, CPA, MBA William
Blend, CPA
2
Agenda
1
What is risk
Internal Control Integrated Framework
2
3
Characteristics of Monitoring
4
Evaluating Deficiencies
5
Monitoring Strategies
Sampling
6
3
What is Risk
Control
Fraud/Abuse
Audit
Inherent
Detection
4
Internal Control Integrated Framework

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

5
The Monitoring Process
6
Levels of Review
7
Why Monitor
Controls and Environment Change Over time

• NEW PERSONNEL
• AVAILIABILITY OF RESOURCES
• PRIORITIES
• TECHNOLOGY
• ACCOUNTING AND REPORTING

8
Characteristics of Monitoring

• Extent to which personnel obtain evidence as to
  whether the system of internal control continues
  to function.
• Extent to which communications from external
  parties corroborate internally generated
  information, or indicate problems.
• Periodic comparison of amounts recorded by the
  accounting system with physical assets.
• Responsiveness to internal and external auditor
  recommendations on means to strengthen internal
  controls.
• Extent to which training seminars, planning
  sessions and other meetings provide feedback to
  management n whether controls operate
  effectively.
• Whether personnel are asked periodically to
  state whether they understand and comply with the
  entitys code of conduct and regularly perform
  critical control activities.
• Effectiveness of internal audit activities.

9
Balancing Risk and Control
Excessive Controls Can

• INCREASE BUREAUCRAY
• REDUCE PRODUCTIVITY
• INCREASE COMPLEXITY OF TRANSACTION
• INCREASE TRANSATION CYCLE TIME
• INCREASE OF NO-VALUE ADDED ACTIVITIES

10
Deficiencies Defined
Control Deficiency
Exists when the design or operation of a control
does not allow management or employees, in the
normal course of performing their assigned
functions, to prevent or detect on a timely basis
noncompliance with a type of compliance
requirement of a federal program.
Significant Deficiency
A control deficiency, or combination of control
deficiencies, that adversely affects the entitys
ability to administer a federal program such that
there is more than a remote likelihood that
noncompliance with a type of compliance
requirement of a federal program that is more
than inconsequential will not be prevented or
detected.
Material Weakness
A significant deficiency, or combination of
significant deficiencies, that results in more
than remote likelihood that material
noncompliance with a type of compliance
requirement of a federal program will not be
prevented or detected.
11
Evaluating Deficiencies
In a System or Process
The significance of a control deficiency depends
on the potential for noncompliance and not on
whether noncompliance actually has occurred.
Potential Noncompliance
Absence of Noncompliance
The absence of identified noncompliance does not
provide evidence that identified control
deficiencies are not significant deficiencies or
material weaknesses.
Likelihood and Magnitude
The auditor should consider the likelihood and
magnitude of actual or potential noncompliance
when evaluating whether control deficiencies,
individually or in combination, are significant
deficiencies or material weaknesses.
12
Evaluating Deficiencies
Nature
Judgment
The nature of the type of compliance requirement
involved and future consequences.
Subjectivity and complexity, and the extent of
judgment allowed.
Factors that affect likelihood
Fraud
Interaction
The susceptibility of fraud. Includes cause and
frequency.
The interaction of control or deficiency with
other controls or deficiencies.
13
Evaluating Deficiencies
The volume of activity exposed to the deficiency
in the current period or expected in future
periods
The amounts or total of transactions exposed to
deficiency
Adverse publicity or other qualitative factors
Factors that may affect the magnitude of
noncompliance when evaluating control deficiencies
14
Indicators of Fraud

• Operating policies and procedures have not been
  developed or are outdated
• Key documentation is lacking or does not exist
• Lack of asset accountability or safeguarding
  procedures
• Improper payments
• False or misleading information
• A pattern of large procurements in any budget
  line with remaining funds at year end, in order
  to use up all of the funds available and
• Unusual patterns and trends in contracting,
  procurement, acquisition, and other activities of
  the entity or program under audit.

15
Internal Control Myths and Facts
Myth
Fact
Starts with a strong set of policies and
procedures.
Starts with a strong control environment.
Myth
Starts with a strong set of policies and
procedures.
Internal auditors are responsible for internal
controls.
Management is the owner of internal control.
Its everyone's responsibility and should be an
integral part of operations.
Its an accounting thing, we do it because they
tells us to.
Takes time away from our core activities.
Should be built into, not on to business
processes.
Strong controls, will prevent fraud.
Controls provide reasonable, but not absolute
assurance.
16
Monitoring Strategies
Assessment
Procedures
Assess entities risk and the related controls.
Develop Procedures to address the assessed risks.
Monitoring Process
Evaluation
Performance
Evaluate procedure results and make appropriate
changes when necessary.
Perform procedures.
17
Resources
Size Resources
Good Segregation of Duties Internal Audit
Function More degreed personnel
Large
Medium
Good Segregation of Duties No Internal Audit
Function Fewer degreed personnel
Small
Lack of Segregation of Duties No Internal Audit
Function No degreed personnel
18
Appropriate Monitoring Data
Appropriate Data
Data is relevant when it provides meaningful
information regarding the control being
evaluated.
Relevant
Reliable
Data is reliable when it is accurate, verifiable
and comes from an objective source.
Timely
Data that is timely allows for the prevention and
correction of a control deficiency before it
results in a significant impact on the control
objective.
19
Control or Monitoring Activity
Designed to lead to timely detection and
correction of errors Control Activity
Designed to correct the cause of
errors Monitoring Activity
When Possible Design Activities To Combine Both
20
Sampling

• Sampling Risk
• Sampling Types
• Sampling Methods
• Sample Population
• Sample Size

21
Sampling Risk
Risk of incorrect acceptance or
rejection. Substantive Risk
Risk of assessing control risk to high or to
low. Control Risk
These sampling risk are audit related risks
22
Sample Size
Factors Effecting Size
While absolute assurance is not achievable
through sampling. The amount of assurance is
directly proportional to the sample size
Assurance Required
Expected Error
The numbers of exceptions expected in the sample.
The larger expected errors the larger the sample.
Stratification
Dividing the population into homogeneous groups.
This process normally used in substantive audit
tests.
23
Sampling Types
Statistical Sampling
Sampling that uses random sample selection and
probability theory to evaluate sample results and
measure sampling risk. The two main types of
statistical sampling are Attribute testing
items that can only have two possible results
correct or incorrect Variable testing
items which can take any value within a
continuous range.
Non-Statistical
Any approach which does not fulfill all of the
characteristics of Statistical Sampling usually
referred to as judgmental sampling.
24
Common Sampling Methods
Random Number
Systematic
Haphazard
Uses a uniform sampling interval. Normally the
sample size is divided by the total population
Every item in the population has the same
probability of being selected.
Attempts to give all items the same chance of
being selected.
Others
Value Weighted Monetary Unit Blocked
25
Sample Population

• Ensure the population will fulfill the
  objective
• Ensure the population is complete
• Ensure any missing items are accounted for
• Pick the proper method for the populations size

26
Sampling Tools
Internet Random Bots, Randomizer Excel ACL ID
EA
27
Areas Suitable to Sampling
Area
Sampling
Payroll
Checks / Dir Dep, Emplye Files, Deductions, etc.
Myth
Starts with a strong set of policies and
procedures.
Travel Expenditures
Travel Vouchers, TE Accounts
Vendor Files, Checks, Wires, etc.
Cash Disbursements
Bid List, Prof. Services, Capital Outlay
Contracts
Petty Cash Vendor (Emplye, City, County)
Petty Cash Transactions
Fixed Assets
Capital Outlay Accounts, RM Accounts
Grant Expenditures
Applicable G/L Accounts, Contracts
28

• Moore Stephens Lovelace, P.A. so much more than
  an accounting firm

Questions?