Internal Controls - Applications

1
Internal Controls - Applications

• Presented by the CSU System Department of
  Internal Auditing

2
AGENDA

• Introduction
• Define Internal Controls
• Internal Control Components
• Types of Internal Controls
• Reporting Internal Control Breakdowns
• Fraud!!!
• Discussion Controls in Your Department
• Conclusion

3
OVERVIEW OF INTERNAL AUDITING DEPARTMENT
4
INTERNAL AUDITING DEPARTMENT

• Established at CSU in 1967
• Reports directly to the Board of Governors Audit
  Committee
• Reports administratively to the Chancellor of the
  CSU System

5
(No Transcript)
6
PURPOSE

• To assist members of the organization in the
  effective discharge of their responsibilities.
  To this end, internal auditing provides analyses,
  appraisals, recommendations, counsel, and
  information concerning the activities reviewed.
• Provide the Board and Management with information
  about the adequacy and effectiveness of the
  Universitys system of internal controls and the
  quality of performance.

7
STAFF MEMBERS

• Allison Horn, Director
• Auditors
• Melody Johnson
• Tom Locashio
• Stephanie Wolvington
• Destiny Halpin (CSU-Pueblo)
• Barbara Biegel (Student Intern)

8
OBJECTIVES OF TRAINING

• Understand what internal controls are
• Understand the importance of internal controls
• Be able to identify types of internal controls
• Recognize the internal controls in place within
  your department
• Implement effective internal controls in your
  area of responsibility
• Know how to report breakdowns in internal controls

9
WHAT ARE INTERNAL CONTROLS?
10
DEFINITION

• Internal controls are a system of processes,
  effected by management, designed to provide
  reasonable assurance that the organizations
  objectives are achieved in the following
  categories
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Internal controls are NOT merely more red tape

11
WHY SHOULD YOU CARE?

• EVERYONE in the University has some
  responsibility for internal control
• We are each responsible for good stewardship of
  the resources of the State of Colorado
• Internal controls are effected by people. They
  are not merely policy manuals or forms, but
  people functioning at every level of the
  University.
• Effective internal controls make our jobs easier
  and help us do our jobs better

12
HOW DO INTERNAL CONTROLS MAKE MY JOB EASIER AND
BETTER?

• Policies and procedures are established
• Authority and responsibility are clearly defined
• Things are done right the first time
• Expectations are clear
• The risk that our goals will not be achieved is
  minimized
• We will know that we are doing the right things
  the right way

13
RELATIONSHIP AMONG INTERNAL CONTROL COMPONENTS
14
COMPONENTS OF INTERNAL CONTROL

• Control Environment
• The foundation for all other components of
  control
• Risk Assessment
• Identifying and analyzing relevant risks to
  achieving objectives
• Control Activities
• Mechanisms needed to provide reasonable assurance
  that organization objectives will be accomplished

15
COMPONENTS OF INTERNAL CONTROL (Continued)

• Information Communication
• Helps ensure employees and other constituents are
  aware of information they need to do their job
  and accomplish the organizations goals and
  objectives
• Monitoring
• Assess quality and facilitates continuous
  improvement

16
EXAMPLES OF INTERNAL CONTROLS IN EACH COMPONENT
17
CONTROL ENVIRONMENT

• A control conscious environment is an environment
  that supports ethical values and business
  practices. A control conscious environment
  conveys an attitude of honesty and accountability
  at all levels. It is a preventative control.
  This preventative control is the foundation for
  all other components of internal control,
  providing discipline and structure.
• Control environment factors include
• Integrity and ethical values Code of Ethics,
  Conflict of Interest Policy, Commitment to
  Excellence
• - Leadership philosophy and operating style

18
CONTROL ENVIRONMENT (Continued)

• Way management assigns authority and
  responsibility, and organizes and develops its
  people
• Competence of workers
• Training
• Skill Sets
• Our most basic internal control is hiring good
  people
• If effective, it can make other controls easier
• If ineffective, it is difficult for other
  controls to compensate

19
RISK ASSESSMENT Getting up in the morning
requires a tremendous leap of faithauthor
unknown

• Risks impact the organizations ability to
  maintain financial strength, a positive public
  image, and product or service quality.
• Risk cannot be eliminated entirely
• Establish departmental objectives (what are the
  goals?)
• Identify external and internal risk to achieving
  those objectives
• Evaluate and prioritize risks
• Establish a plan for managing those risks
• Assess effectiveness
• Remember The cost of the safeguards must be
  weighed against the impact of the threats. The
  benefit of an internal control must outweigh the
  costs of implementing that control.

20
CONTROL ACTIVITIES

• Policies and procedures that help ensure
  management directives are carried out and
  necessary actions are taken to address risks
• Authorization
• Approvals
• Segregation of duties
• Access to assets
• Security
• Reconciliations
• Reviews
• Documentation

21
INFORMATION COMMUNICATION

• Encompasses the entire control environment
• Information systems must provide data that is
• Relative to established objectives
• Accurate and sufficient in detail
• Understandable and in a usable form
• Timely
• Knowledge of applicable laws
• Information must be provided to the right people
  in time to allow appropriate action

22
INFORMATION COMMUNICATION (Continued)

• Communication must flow up and down the
  organization and across organizational lines
• Employees duties and responsibilities are
  effectively communicated
• There are channels to report suspected
  improprieties
• Employee suggestions for improvement are
  encouraged

23
INFORMATION COMMUNICATION (Continued)

• How can information be communicated?
• In person meetings, discussions, one-on-one
• Technology websites, e-mail, conferencing
• Through computer programs (systems or
  applications)
• Reporting or viewing via live applications
• General ledger, human resources
• Manipulating data to make it more user-friendly
• Microsoft Word, Excel, Access, etc.

24
INFORMATION COMMUNICATION (Continued)

• What controls protect information?
• Physical controls
• Locks on file cabinets and doors
• Document shredders
• Securing laptops and external data devices
• Technology-based controls
• Appropriate access authorization
• Passwords
• Data backup and recovery
• Anti-virus software

25
MONITORING

• A process that assesses the quality of
  performance over time and aids in identifying
  losses, errors, or irregularities
• Ongoing monitoring activities
• Management review of operating and financial
  reports
• Review and analysis of complaints from external
  sources
• Comparison of reports with physical assets
• Evaluation of trends
• Internal audits
• Separate evaluations
• Self assessment
• External reviews

26
MONITORING (Continued)

• Monitoring should be a constant in the
  application of internal controls
• Effective procedures can become less effective
  due to
• Departure of personnel
• Lack of training and supervision
• Time and resource constraints
• Additional pressures

27
TYPES AND LIMITATIONS OF INTERNAL CONTROLS
28
TYPES OF INTERNAL CONTROLS

• Directive
• Designed to establish desired outcomes
• Laws
• Policies
• Procedures
• Manuals
• Preventative
• Control mechanism that occurs before a
  transaction or action is performed
• Training
• Pre-authorizations
• Physical control over assets
• System access controls

29
TYPES OF INTERNAL CONTROLS

• Detective
• Control mechanisms that occur after a transaction
  or action is performed
• Reviews and comparisons
• Reconciliations
• Physical counts of inventories
• Manual
• An individual is responsible for taking a
  specified action
• Review for accuracy and compliance prior to
  entering in the financial system

30
TYPES OF INTERNAL CONTROLS

• Information Technology (Electronic) Controls
• Technology allows or prohibits actions
• Passwords, backups, anti-virus (User-based)
• Restricted access to systems, testing, rejection
  of invalid entries, calculations
  (Application-based)
• Application development, change control
  (IT-based)
• Compensating
• Controls placed in a different area than the
  ideal position to make up for an inability to
  place controls where desired
• Having only one staff member in a department, so
  entries are reviewed and approved by someone in
  another department.

31
TYPES OF INTERNAL CONTROLS

• Soft Controls
• Tone at the top
• Performance evaluations
• Training programs
• Hard Controls
• Segregation of duties
• Secondary review and approval
• Reconciliations

32
LIMITATIONS OF INTERNAL CONTROLS

• Judgment Decisions are made humans, often under
  pressure and time constraints, based on
  information at hand
• Breakdowns Employees may not understand
  instructions or may simply make mistakes. Errors
  may result from new systems and processes
• Management Override High-level personnel may be
  able to override prescribed policies and
  procedures
• Collusion Two or more individuals, working
  together, may be able to circumvent controls

33
REPORTING INTERNAL CONTROL BREAKDOWNS

• ALL employees have a duty to report fiscal
  misconduct (FPI J-3)
• Fiscal Misconduct includes
• Embezzlement
• Misappropriation of goods, services, or resources
• Conflict of interest situations that result in
  financial loss
• Violation of University fiscal policies
  procedures for personal gain

34
REPORTING INTERNAL CONTROL BREAKDOWNS

• One of the following should promptly be notified
• Ones immediate supervisor
• CSU System Internal Auditing Department
  
• Office of the General Counsel
• University Police Department
• Human Resources Department
• Appropriate Vice President
• Department of Business Financial Services
• Silence is NOT Golden
• Speak out!
• Be outraged!
• Silence implies your consent!!

35
Fraud Triangle
Pressure
Opportunity
Rationalization
36
Red Flags of Fraud

• Common Personality Traits of Fraudsters
• Common Sources of Pressure
• Changes in Behavior

37
Internal Control Breakdowns Leading to Fraud

• Examples
• Medical College of Georgia (A/P Fraud)
• Mistaken 2 Million Check Created
• Kansas University Medical Center, Improper
  Spending
• Lost U.S. Weapons in Enemy Hands?
• De-Frauding the Halls of Academe

38
DEPARTMENTAL DISCUSSIONS

• What internal controls are in place in your
  department for the following processes?
• Payroll
• A-Cards
• Cash Handling
• Financial Transactions
• Health Safety
• Others
• What types of controls are they? Preventive,
  directive, detective, manual, IT, etc?

39
QUESTIONS?

• What specific control concerns can we help you
  with?