Internal Controls aka Good Business Practices - PowerPoint PPT Presentation

Slides: 30
Provided by: floyd2

Transcript and Presenter's Notes


1
Internal Controls aka Good Business Practices
2
What are internal controls and why are they
important?
  • Definition: Committee of Sponsoring
    Organizations of the Treadway Commission (COSO),
    Internal Control-Integrated Framework, (New
    Jersey: American Institute of Certified Public
    Accountants, 1994 edition), pg. 3

3
Internal control is a process, effected by an
entity's board of directors (regents), management
and other personnel, designed to provide
reasonable assurance regarding the achievement of
objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations.

4
That sounds kind of technical. What does it mean
in layman's terms?
5
Consider your own personal internal control
system
  • When you came to work today, did you lock the
    doors to your house?
  • Do you keep the PIN number for your ATM card
    confidential and in a safe place?
  • Do you balance your checking account each month?
  • Do you compare credit card statement charges with
    your signed receipts?

6
In our University environment, internal controls
serve the same purposes:
  • Protect the University's assets
  • Ensure records are accurate
  • Promote operational efficiency
  • Encourage adherence to policies

7
Components of internal control as defined by COSO
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

8
Control Environment
  • Ethical tone at the top communicated in words
    and deeds
  • Ethics program, including meaningful code of
    conduct
  • Active, independent, well-informed Board of
    Directors (Regents)
  • Organization structure appropriate to entity's
    activities and which promotes the flow of
    information
  • Clear definition of responsibilities and
    accountabilities

9
Control Environment (cont.)
  • Analysis of knowledge and skills needed to
    perform each job; formal job descriptions
  • Qualified and well-trained personnel
  • Frequent interaction between senior and operating
    management
  • Appropriate policies and procedures for hiring,
    training, promoting and compensating employees
  • Background checks for new hires, especially those
    in sensitive positions

10
Components of internal control as defined by COSO
  • Control Environment
  • Risk Assessment

11
Risk Assessment
  • Process designed to:
      • Identify significant risks
      • Assess risks
          • What is the likelihood of occurrence?
          • What is the potential impact?
      • Manage these risks through:
          • Acceptance and sharing (insurance)
          • Avoidance
          • Mitigate with internal controls (good
            business practices)

12
What are risks?
  • A risk is anything that could jeopardize the
    achievement of your organization's objective to:
  • Reach your goals
  • Operate effectively and efficiently
  • Protect the University's assets from loss
  • Provide reliable financial data
  • Comply with applicable laws, policies and
    procedures

13
Identifying your risks
  • Questions to ask yourself
  • What can go wrong?
  • How could someone steal from us?
  • What laws or regulations would be violated?
  • What policies most affect us?
  • What types of transactions/activities in our area
    expose us to the greatest risk?
  • How can someone bypass the internal controls?
  • What potential risks could cause adverse
    publicity?

14
Components of internal control as defined by COSO
  • Control Environment
  • Risk Assessment
  • Control Activities

15
Control Activities
  • Control activities are the policies, procedures
    and processes that help ensure that actions
    identified as necessary to manage risks are
    carried out properly and in a timely manner.

16
Key Control Activities
17
Segregation of Duties
  • Functions are divided so that no one person has
    control over all parts of a transaction. This
    reduces the risk of error or inappropriate
    action.
  • Ideally, the responsibilities of the following
    should be separated:
  • Initiating, approving and recording transactions
  • Handling the related assets
  • Reconciling balances
  • Reviewing reports

18
Authorizations/Approvals/Verification
  • Limit delegated authority
  • Develop written procedures outlining delegation
    guidelines
  • No rubber stamping
  • Never sign a blank form
  • Secure access to passwords, electronic signatures
    or other signatory devices
  • Never give your password to anyone
  • Verify against an internal or external document,
    i.e., invoice, picture ID, etc.

19
Security of Assets
  • Periodic asset counts
  • Periodic comparisons
  • Investigation of discrepancies
  • Regular data file backups
  • Secure document retention (both hard copy and
    electronic)
  • Physical safeguards against theft and fire
  • Consider academic research data and human and
    animal research subjects as assets

20
Components of internal control as defined by COSO
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication

21
Information and Communication
  • Information
  • Pertinent info must be identified, captured and
    communicated in a form and timeframe to allow
    people to carry out their responsibilities
  • Information systems produce reports containing
    operational, financial and compliance related
    info necessary to operate and control the
    business
  • Information systems should include external
    activities, events and conditions that may affect
    the business

22
Information and Communication (cont.)
  • Communication
  • Employees' duties and responsibilities effectively
    communicated
  • Channels of communication for people to report
    suspected improprieties
  • Channels of communication for employee
    suggestions for improvement
  • Completeness and timeliness of information
    provided across the organization

23
Components of internal control as defined by COSO
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

24
Monitoring
  • Ongoing monitoring activities are management's
    responsibility
  • Compares information about current performance
    to budgets, prior periods, and other benchmarks
    (i.e., peer universities)
  • Measures against achievement of goals and
    objectives
  • Identifies unexpected results or conditions which
    require follow-up

25
Monitoring (cont.)
  • Entire process must be constantly monitored and
    changes made as conditions warrant
  • Separate evaluations can be conducted by Internal
    Audit

26
A different way of looking at internal controls
  • Preventive: designed to discourage errors or
    irregularities
  • Detective: designed to identify an error or
    irregularity after it has occurred
  • Compensating or mitigating: designed to
    compensate for the absence of expected controls

27
Examples of Preventive Controls
  • Knowledge that someone is reviewing your work
  • Segregation of Duties
  • Limited access
  • Levels of authorization
  • Security badges
  • Business rules set up in automated systems

28
Examples of Detective Controls
  • Reconciliations
  • Audits
  • Confirmations
  • Exception Reports
  • Reviews done on a regular basis

29
Examples of Compensating Controls
  • Inadequate staffing available to perform cash
    handling activities (segregation of duties):
    sharing responsibilities with another dept.
  • Inadequate HR system reporting of personnel
    terminations and transfers: alternative
    reporting mechanism developed from the mainframe
    operating system