Internal Control Program

1
Internal Control Program
Presentation to the Faculty and Staff Please
click your mouse or press the enter key to
advance Fall 2005
2
This Presentation Will Include.

• An overview of the Internal Control Program as it
  currently exists.
• Recent audit results.
• Recent changes to the program.

3
INTERNAL CONTROLL ???

• What me worry?
• Except when things go awry..
• What do you worry about going wrong?
• What steps have you taken to assure it doesnt?
• How do you know things are under control?
• Internal Controls Are Common Sense

4
Internal Controls Are

• Basic management practices, not only over fiscal
  operations but also over program activities.
• Examples
• Making sure grades are recorded and posted
  correctly.
• Tracking a service contract employee for the time
  on a job and how long he/she took to complete it.
  

5
What is the University Program?

• It was established formally with the passage of
  the New York State statute, the Internal Control
  Act of 1987.
• To augment the State statute, the University
  codified and issued Internal Control Program
  guidelines in 1996.
• The program was modeled after the framework
  suggested by the Committee on Sponsoring
  Organizations (COSO).
• The COSO framework breaks down the basic elements
  of internal control into five areas control
  environment, risk assessment, control activities,
  information and communication, monitoring and
  feedback.

6
What did the Internal Control Act Require?

• Establish and maintain guidelines for a system of
  internal control.
• Establish and maintain a system for continuous
  review of internal control operations.
• Make a clear and concise statement of management
  policies and standards available to all
  employees.
• Designate an Internal Control Officer to
  implement and review the Universitys Internal
  Control Program.
• Implement education and training efforts to
  ensure employee awareness and understanding of
  internal control standards and evaluation
  techniques.
• Periodically evaluate the need for an internal
  audit function.

7
Current Observations

• A recent review indicated that certain campus
  programs need to conform more closely to the
  requirements.
• Some Campus departments would be unable to comply
  the State and the Universitys Internal Control
  programs.
• The principal areas of concern relate to
• Departmental vulnerability assessments that are
  inadequately assessed by the department.
• Departmental internal control programs that are
  not comprehensive enough.
• Corrective action recommendations from testing
  programs that are not followed up in order to
  correct finding.

8
SUNY Oswegos Internal Control Program

• Based on The Elements of
• Control Environment
• Risk Assessment
• Control Activities
• Information Communication
• Monitoring and /or feedback

9
Who is responsible for Internal Control? We
all are.

• Management assures appropriate controls are in
  place for all operations.
• Every employee follows controls and reports
  problems or improvements.

10
Internal Control in the News

• Weak controls
  make an organization
• susceptible to
  failure. We read in the
• newspapers about
  organizational failures,
• typically
  concerning waste,
• mismanagement or
  fraud.

11
Why is Internal Control Important?
OMPLIANCE with applicable laws/policies
CCOMPLISHMENT of the entitys mission ELEVANT
and reliable data CONOMICAL and efficient
use of resources AFEGUARD assets
12
Internal Controls Are

• THE SAFEGUARDS AND MANAGEMENT OVERSIGHT DESIGNED
  TO

• Prevent, detect, and correct program and
  operational breakdowns

• Ensure that goals are met

13
Safeguards Oversight

• Preventing program/operational breakdowns
• Examples
• Written guidelines for data access
• Consistent criteria for review
• or approval
• Controlled access/inventory controls
• Written and communicated
  policy and procedures
• Risk Assessments

14
Safeguards/Management Oversight

• Detecting program/operation breakdowns
• Examples
• Reviewing, testing,
• and monitoring controls
• Audits
• Complaints

15
Reasonable Assurance

• Internal controls are to provide a reasonable
  assurance that the objectives of the system will
  be accomplished.

Risk
Benefits
Costs
The cost of internal control should not exceed
the benefit derived.
16
Types of Control and Examples
DOCUMENTATION - Policies and procedures
RECORDS - Recording transactions events
AUTHORIZATION - Approving transactions
STRUCTURE - Separation of duties
SUPERVISION - Monitoring control objectives
SECURITY - Safeguarding resources
17
Internal Control Process

• Identify Functions
• Assess Risk/Vulnerability
• Conduct Internal Control Reviews
• Take Corrective Action

18
Risk Categories

• Business Interruption system breakdowns or a
  catastrophe.
• Erroneous Management Decision bad judgment or
  could be based on erroneous, inadequate or
  misleading information
• Fraud, Embezzlement and Theft management fraud,
  employee theft, and customer and outside theft.

19
Risk Categories

• Statutory Sanctions penalties arising from
  failure to comply with regulatory requirements,
  as well as overt violations
• Excessive Costs/Deficient Revenues expenses
  which could have been avoided, as well as loss of
  revenues to which the organization is entitled
• Loss, Misuse or Destruction of Assets
  unintentional loss of physical assets such as
  cash, inventory and equipment

20
Internal Control Review

• Checks Whether Controls Work by
• Evaluating If Controls Are Adequate
• Testing Whether Procedures Are Followed

21
What Is Compliance Testing?

• Its Like Placing
• Your Procedures
• Under A Microscope

22
If You Cant Measure It, You Cant Manage It!

• Determine what is an acceptable performance level
  
• if 99.9 is good enough, then

• 12 babies will be given to the wrong parents
  each day

• 18,322 pieces of mail will be mishandled in
  the next hour

• 2 million documents will be lost by the IRS
  next year
• But many functions dont require 100
  performance

23
Internal Control Testing

• Makes sure controls on paper are

• Actually being used as designed

• Really meet the control
• objectives

24
Internal Control Testing
In some cases, a simple test may prevent
unwanted situations from occurring
Test Prevents Test drive a car Buying a
lemon
Physical exam Serious health problems

• Smoke detector Failure to work during fire

25
Select Test Methods

• Three methods for testing controls to determine
  if they are working

1. DOCUMENT ANALYSIS Review records, forms, or
other documents
2. OBSERVATION Watch the control being
performed in practice
3. INTERVIEW Elicit information from
those performing that control
26
Analyze Test Results To
Determine specific causes of variances
Identify regional or statewide trends
Assess actual or potential impacts
27
Take Corrective Action

• When weaknesses are found, decide to

Institute new controls
Improve existing controls, or
Accept the risk
28
Areas with Weak Controls
Weak controls may not show up immediately but
certain signs point to this deficiency

• Inability to meet upper managements deadlines
  for supplying information
• Incorrect or unclear information
• Unusually high employee turnover
• Crowded, poorly organized files, requiring extra
  effort to locate material
• Poor employee morale

29
Occupational Fraud
Opportunity
Pressure
Rationalization
30
Red Flags of Occupational Fraud

• Marked personality changes in employees
• Financial pressures on employees
• Employee living beyond his/her means
• Employee having outside business interests
• Poor internal controls

31
Red Flags of Occupational Fraud Continued

• Rising department expenses
• Too much control in key employees
• Lax management
• Failure to pre-Screen employees

32
Reporting Fraud and Waste

• Report suspected and waste to your department
  head, or the Internal Control Officer, Byron
  Smith at 3642 or email at byron_at_oswego.edu
• Or report Fraud to SUNY at University Audit
• http//www.suny.edu/UniversityAuditor/reportfraud.
  cfm

33
An Effective Control Environment

• Is a product of

• Managements philosophy, style supportive
  attitude

• Competence

• Ethical values

• Integrity

• Morale of the organizations people

• Organizational structure

• Accountability relationships

34
Managements Responsibility

• The manager is accountable for system adequacy

• This is an inherent responsibility, not an overlay

• Additional resources do not automatically flow,
  we must all pitch in.

• In its broadest terms, every employee plays a part

35
Lessons Learned

• Maintain visible leadership

• Make it thats how we do business around here

• Keep the process as simple as possible

• Monitor follow through as closely as the planning

36
Ethics

• Ethics and New York State Public Officer Law
• Ethics is crucial in an effective internal
  control program for without it the words and
  actions of internal control are meaningless.
  Enron, the infamous corporation whose name is
  practically synonymous with corporate scandal
  has a very nice 64 page code of ethics and an
  extensive internal control policy. In the end it
  took the press with some inside help to bring
  this scandal into public view.
• http//www.thesmokinggun.com/enron/enronethics1.ht
  ml
• New York State has a number of ethics laws
  governing state employees and their actions with
  probably the center piece being the Public
  Officer Law.
• http//www.dos.state.ny.us/ethc/eisg.html

37
SUNY and SUNY OSWEGO as part of Statewide Agency
Compliance must

• Submit an Annual Presidential
• Internal Control Certification

• Create and maintain
• Internal Control Program

• Dont Reinvent the Wheel for
• your departments program!
• (its not that complicated)

38
New Areas of Focus

• Beginning with the 2005-06 fiscal year the
  internal control program will focus on IC
  education and departmental controls.
• They are partly in response to a review of our
  Internal Control Program conducted by University
  Auditors.
• Priorities are
• Education of all employees as to the Internal
  control program.
• Testing in areas out side of the key financial
  areas as required.
• Follow up on Vulnerability Assessments findings.
• Workforce and Succession Planning

39
Campus Approach to Each Area (New and Old)

• Review vulnerability assessment for each area.
• Work with department to determine your risks in
  each area.
• Then departments must ascertain what controls and
  processes are in place to address these risks.
• Where controls are missing, they must be
  added--mitigating controls can help in certain
  instances.
• Be certain to engage all the affected departments
  and areas.
• Carefully document your work.

40
Additional Resources Relating to All Areas of
Internal Control

• Please refer to additional information
• A videotape entitled Internal Controls for
  Colleges Universities and a document entitled
  Internal Control Concepts and Applications, both
  developed by the Association of College
  University Auditors (see the Internal Control
  Coordinator)
• A book entitled Mission Continuity Planning
  published by NACUBO

41
Questions?

• Contact Mark Cole, Internal Control Coordinator
  Phone - 3627 or email rcole2_at_oswego.edu
• Byron Smith, Internal Control Officer Phone
  Phone - 3642 or email Byron_at_oswego.edu
• Now please take the Internal control Quiz
• SUNY Oswego - Internal Control QUIZ
• If the above link does not take you automatically
  to the survey web page copy the link below and
  paste it into your web browser.
• http//survey.oswego.edu/icontrol/icontrol.htm