Risks, Controls,

1
Risks, Controls, Ethics
INDIANA UNIVERSITY
Financial Administrator Development Series
2
Session Objectives

• Understand and apply INTERNAL CONTROL concepts to
  accomplish your organizations objectives
• RISK Assessment and Management
• ETHICAL VALUES and CONDUCT

3
What are Internal Controls and why should I care ?
4
Why should you care?

• Internal Controls minimize the RISKS to your
  Organization!!!

5
RISKS your Organization faces

• Financial Reporting
• Compliance
• Operational
• Loss of Assets

6
Why should you care?

• ITS YOUR JOB TO CARE

7
Financial Institutional Policy I-1

• Role of Fiscal Administrator, Account Manager,
  and Account Supervisor.
• Account Supervisor has a leadership or executive
  role.
• Account Manager has an operational role.
• Fiscal Officer has an oversight role.

8
Its your Job

• Financial Institutional Policy I-1
• trained and hired for the purpose of providing
  fiscal, policy, and internal control management
  of all funds...
• responsible for ensuring that processes and
  related controls have been established to achieve
  the mission and objectives of their
  organization(s).

9
What is Internal Control

• Internal control is a PROCESS of specific
  policies and procedures designed to provide
  reasonable assurance that organizations
  objectives will be met
• Provide reliable financial reporting
• Promote efficient and effective operations
• Helps ensure compliance with policy
• Protect University Assets

10
Internal Control Components
11
Control Environment

• TONE AT THE TOP
• Integrity, ethical values, and behavior of
  management
• Managements control consciousness
• Managements commitment to competence
• Its the way you do Business
• Organization structure
• Assignment of authority and responsibility
• Policies and practices

12
What do we mean by Tone at the Top ?

• Promote ethical values conduct
• Walk the walk
• Lead by example
• Be approachable
• Compliance w/Policy
• Dont circumvent rules

• Full disclosure
• Fix problems
• Equal treatment for equal offenses
• Reward things that are done right
• Hug your Auditor

13
Questions

• Which attributes of a Super Fiscal Officer can be
  useful in exhibiting a strong Tone at the top?
• When should you be demonstrating a strong Tone
  at the top?

14

• What are Ethics?

15
Defining Ethics?

• ethic Pronunciation 'e-thik Function noun
  from Greek Éthos, Date 14th century
• 1 the discipline dealing with what is good and
  bad and with moral duty and obligation2 a a set
  of moral principles or values b the principles
  of conduct governing an individual or a group
  ltprofessional ethicsgt

16
Defining Ethics?

• Doing the right thing

17
Whats the Right Thing?

• What are the Rules

18
Ethical Rules?

• Is it legal and in compliance with IU policy?
• Is it fair?
• Honest, truthful, responsible, trustworthy,
  respect individual
• Would it pass the newspaper test (or the Mom
  test)?

19
Why Ethics are important to your Organization?

• Responsibility
• Regulatory requirements
• Return on integrity (the other ROI)

20

• Responsibility stewards of given to us by
• State
• Students

21
Return on integrity (the other ROI)

• Good Ethics Good Business
• Better employee decision making
• Greater employee commitment to the organization
• Reduced unethical or illegal behavior
• Better work environment
• Better reputation and image for IU

22

• QUIZ
• ETHICAL DILEMMAS

23
Ethical Dilemma - What do you do?

A company that does a lot of business with your
school/dept offers you a part-time job working on
the weekends, do you

1. Take it, its a lot of s for a few hours work.
2. Tell them youll do it but only if theyll also
   hire your boss.
3. ?

24
Ethical Dilemma - What do you do?

You have just finished a meal at a small
family-run restaurant. The service was good and
the food delicious, but you really do think the
meal was over-priced for what you got. Also,
during the meal you ordered some drinks, but
when you get the bill the drinks aren't
listed. Do you-

• Just pay the bill since it was their mistake
• Tip the waiter extra to make up for difference
• ?

25
Ethical Dilemma - What do you do?

• The company that does all of your departments
  shredding sent you a 100 gift certificate for
  being such a good customer.
• Do you
• Buy a birthday present for your spouse
• Give it to your boss for a Bosss Day present.
• ?

26
Ethical Dilemma - What do you do?

• Your secretary wants to take the afternoon off to
  attend her childs graduation ceremony, but she
  has no vacation hours left. She says she will
  make it up the following week. What do you do?
• Let her do it and have her make up the time next
  week.
• Cover for her and forget about extra hours
• ?

27
Ethical Dilemma - What do you do?

• Your dear friend and office assistant, Mary
  asks you if she can borrow 10 printer
  cartridges from the office supply. When you ask
  her why, she says her husbands needs them to
  print a big project tonight and he doesnt have
  money to buy them. She says shell replace them
  at the end of the month when she gets paid.

28
Ethical Dilemma - Part IIWhat do you do

• A week after you tell Mary NO, you discover
  the office is out of printer cartridges. Another
  worker said he saw Mary take them from the
  storage cabinet and carry them out to her car. He
  didnt say anything because he didnt think it
  was any of his business. Besides he knew that
  Mary was a good friend of yours.

29
ETHICS

• Closing Thoughts

30
Silence is NOT Golden

• Speak out!
• Be outraged!
• Silence implies your consent!!

31
Important to talk

• Transparency
• Get other perspectives/input
• Hopefully Consensus

32
Who you going to call?

• Supervisor
• Human Resources
• Purchasing
• Accounting
• University Legal Counsel
• Internal Audit
• Police

33
Causes of Ethical Failures

1. NO Tone at the Top
2. NO Consistency
3. Train Wrecks
4. Fear of Retaliation
5. No Reporting Mechanisms
6. No Education, Communication or Tools

34
Causes of Ethical Compromises

• Lack of Tone at the Top
• Dont Walk the Talk
• No vision of standards for behavior
• Standards to high or to low
• The reasons for standards not communicated

35
Causes of Ethical Compromises

• Inconsistency
• Only ethical when it doesnt cost
• Different rules for different levels of employees
• Rules that change according to situation
• Rules not enforced

36
Causes of Ethical Compromises

• Train Wrecks
• Set unrealistic expectations
• Reward those who accomplish
• Punish those who dont

37
Causes of Ethical Compromises

• Fear of Retaliation
• Fire the whistle-blower
• Not a team player

38
Causes of Ethical Compromises

• No visible/viable means to report
• Gives impression leaders dont really want to
  hear
• Makes it hard even if someone wishes to report

39
Causes of Ethical Compromises

• No Education, Communication, or Tools
• What are the rules (policies)
• What are the ethics standards
• How can I do it
• Who can I contact
• Cant just post and pray

40
Factors of an Ethical Environment

• Integrity of senior management
• Are they leading by example? Walking the talk?
• Clear ethical expectations
• Stake in the ground (Code of Ethical Conduct,
  discussions)
• Understand why
• Consistency
• Doesnt count unless price is paid
• What else?

41
QUESTION

• What specifically are you going to do to promote
  a strong ethical environment in your
  organization?

42
Internal Control Components
43
Written goals and objectives?

• Internal control is pointless without goals and
  objectives.
• Written goals and objectives focus efforts toward
  desired outcomes.
• Written goals and objectives provide a rationale
  for resource allocation.
• Written goals and objectives are evidence of
  thoughtful management.

44
What objectives do we need?

• Mission statement.
• Operations objectives.
• Financial reporting objectives.
• Compliance objectives.
• Objectives for all significant activities.

45
Internal Control Components
46
What are risks?

• A risk is anything that could jeopardize the
  achievement of your organizations objective.
• Operate effectively and efficiently and achieve
  our goals
• Provide reliable financial data
• Comply with applicable laws, policies, and
  procedures
• Protect the universitys assets from loss

47
Risk Assessment is a process to

• Identify significant risks
• Assess risks
• What is the likelihood of occurrence?
• What is the potential impact?
• Manage these risks through
• Avoidance
• Acceptance and Sharing (Insurance)
• Mitigate with Controls

48
How do we identify risks?

• You know your risks.
• For each objective, ask yourself
• What could go wrong?
• What assets do we need to protect?
• How could someone steal from us?
• What is our greatest legal exposure?
• What else?

49
Assess Risks

• Likelihood probability of occurrence
• Impact effect on IU/your organization
• Loss of resources
• Loss of public trust
• Violation of policies, laws, regulations
• Bad publicity
• Decreased enrollment
• What else?

50
Internal Control Components
51
Control Activities

• The policies and procedures that help ensure that
  actions identified as necessary to manage risks
  are carried out properly and in a timely manner
• must be implemented thoughtfully,
  conscientiously, and consistently
• unusual conditions identified must be
  investigated and appropriate corrective action
  taken
• Should be proactive, value added, and cost
  effective

52
Control Activities

• Approvals, Authorizations, and Verifications
• Having written policies and procedures and limits
  to authority
• Reconciliations
• Explanations of the differences between two
  different sets of data

53
Control Activities

• Reviews of Performance
• For programs, departments, and individual
  employees
• Security of Assets
• Limiting access, keeping records, and making
  periodic counts to compare to our records

54
Control Activities

• Segregation of Functions
• The approval, recording/reconciling, and custody
  functions should be segregated
• Controls over Information Systems
• Application and development, controls within
  applications, security of data and machines

55
What control activities do I need?

• Enough to help ensure that you are managing your
  significant risks.
• Actions should be taken and control activities
  should be performed to mitigate significant risks
  to acceptable levels.
• An action to manage a risk can be anything.

56
What needs to be approved?

• Per policy, all financial transactions must be
  approved by the dept Financial Administrator.
• Financial Administrator can delegate signature
  authority
• What to approve and what to delegate?
• It depends on the risk assessment.
• Generally, the higher the risk activities the
  higher level of approval/authorization.

57
What needs to be reconciled?

• It depends on the risk assessment. Information
  about high risk activities should be reconciled
  to ensure its accuracy and completeness.
• Monthly operating reports must be reconciled to
  departmental records.
• Payroll voucher reports should be reviewed and
  compared to departmental records.
• What else?

58
What activities should be reviewed?

• It depends on the risk assessment
• Information about high risk activities must be
  reviewed by management.
• Generally, the Chair/Director/PI should review
  reports which compare budget to actual
• To measure performance.
• To detect problems.
• Performance reviews of staff
• Managements review should be documented.

59
What assets need to be secured?

• It depends on the risk assessment
• Liquid assets, assets with alternative uses,
  dangerous assets, vital documents, critical
  systems, and confidential information need to be
  secured.
• Access to these assets should be restricted.
• Perpetual records should be maintained periodic
  physical counts should be performed--differences
  should be checked.

60
What duties need to be segregated?

• It depends on the risk assessment
• The approval, accounting/reconciling, and asset
  custody functions should be segregated.
• Generally, duties related to cash receipts,
  payroll and purchases are high risk and should be
  segregated.

61
How do we control our computers?

• It depends on the risk assessment
• If critical or confidential information then both
  the information and the computer need to be
  controlled.
• Basic controls are
• Password protecting information.
• Backing-up information.
• Virus Scanning
• Practicing safe computing
• What else?

62
Balance RISKs with CONTROLs
Controls
Risks
Excessive Risks
Excessive Control
Loss of Income Theft of Assets Poor
Decisions Noncompliance Public Scandals
Increased Costs Reduced Productivity Increased
Complexity Increased Time to Complete Decreased
Motivation
63
What can happen!!
U.S. Restricts Research at Johns Hopkins After a
Volunteer's Death The U.S. Department of Health
and Human Services in July halted all federally
financed medical studies on human subjects at the
Johns Hopkins University School of Medicine, and
other medical programs within the university. The
action followed the death in June of a healthy
volunteer participation an asthma study.
64

What can happen?

IUPUI Theft is Alleged Ex-staffer denies guilt in
300,000 thievery By Jennifer E. Smith The
Indianapolis News INDIANAPOLIS, IN A former
staff member at IUPUI is facing charges of
embezzling more than 300,000 from the
University. Timothy C. Brough was arrested this
week on six counts of theft and receiving stolen
property. Brough pleaded not guilty today in
Superior Criminal Court and requested that
65
How bad can it get?

• Former IUPUI employee commits suicide
• Tim Brough, charged with the theft of 329,621
  from IUPUI Access Point found dead in his garage.
• By Mike Lafferty
• The IUPUI Sagamore
• Tim Brough a former IUPUI employee accused of
  stealing more than 300,000 from the university
  committed suicide earlier this

66
Internal Control Components
67
Information and Communication

• Communicate policies and procedures
• Supervisors and employees understand objectives
  and job responsibilities
• Get the information you (and staff) need
• Do performance evaluations
• Measure customer satisfaction
• Open door policy
• Hear the good and the bad news

68
Internal Control Components
69
Monitor Performance

• Evaluating your Internal Controls to determine
• Adequately designed
• Properly executed, and
• Effective
• How can we KNOW?

70
How can we KNOW?

• Ongoing supervisory activities
• Look at your processes
• Periodic evaluations
• Self-assessment
• Peer review
• Internal audit
• External audits

71
Monitor Performance

• Internal Controls are effective if you know
• The extent to which your organizations goals and
  objectives are being achieved
• In compliance with relevant policies, etc.
• Financial records are reliable
• Assets are safeguarded
• Resources are use to advance organizations
  mission

72
When is internal control effective?

• All internal control components are present and
  functioning as designed.
• The Board and University management have
  reasonable assurance that
• Operational objectives are being achieved.
• Financial statements are reliable.
• Compliance with applicable laws and regulations
• Assets are protected

73
Who is Responsible for Control?

• EVERYONE
• Management is responsible for establishing a
  controlled environment.
• Faculty and staff are responsible for carrying
  out internal controls by following policies and
  procedures.
• Internal Audit, in an advisory/consultant role,
  is responsible for evaluating whether appropriate
  controls have been implemented and if they are
  functioning as intended.

74
Internal Control

• Is a Process
• Designed to provide reasonable assurance that
  organizations objectives will be met
• Provides reliable financial reporting
• Promotes efficient and effective operations
• Helps ensure compliance with policy
• Protects university Assets

75
Why Internal Controls fail?

• Human Errors - Bad Judgment
• Management Override
• Collusion
• Cost versus Benefit

76
Internal Control components
77
Define Organizations Goals and Objectives?
Organizational Objectives
Identify Assess Risks

• Define goals and objectives in relation to
• Mission,
• Activities and processes,
• Financial reporting requirements, and
• Compliance issues

Identify Assess Residual Risks
Action
No
Yes
78
SMART Goals Objectives
S pecific M easurable A ttainable R ealistic T
imeframe
79
Identify and assess potential RISKs by asking
Organizational Objectives
Identify Assess Risks
What Could Go WRONG ? What must go RIGHT? How
likely is it that the risk will happen? What
will be the impact) if it happens?
Identify Assess Residual Risks
Action
No
Yes
80
Recap
Organizational Objectives
Identify Assess Risks

• Set the objective
• Assess the objective using SMART
• Identify the risks
• Assess the risks

Identify Assess Residual Risks
Action
No
Yes
81
What controls are in place to achieve your
objectives ?
Organizational Objectives
Identify Assess Risks

• Control Environment
• Tone at Top
• Competence
• Roles Responsibilities
• Information Communication
• Control Activities

Identify Assess Residual Risks
Action
No
Yes
82
What could still go wrong given existing controls
?
Organizational Objectives
Identify Assess Risks

• Look at your risks, and your existing controls to
  identify any gaps.

Identify Assess Residual Risks
Action
No
Yes
83
Can you live with the Residual Risk ?
Organizational Objectives
Identify Assess Risks

• Do your existing controls, provide reasonable
  assurance that you will get achieve your
  objectives?
• Something's you cant control (changes in
  government regulations, weather)
• Risk acceptance decision will depend on the
  culture of the organization

Identify Assess Residual Risks
Action
Acceptable
No
Yes
84
Action Planning
Organizational Objectives
Identify Assess Risks

• If the level of uncontrolled risk is too
  high/unacceptable then action plans are developed
  to reduce the residual risk to an acceptable
  level.

Identify Assess Residual Risks
Action
No
Yes
85
Group Exercise

• Case Study
• Planning a SURPRISE 50th Birthday Party for your
  spouse
• Objectives
• identify
• Risks
• identify and assess

86
SURPRISE 50th Birthday Party

• OBJECTIVES
• Risks

87
SURPRISE 50th Birthday Party

• OBJECTIVES
• Surprise
• Great Party in your spouses opinion
• Reasonable costs
• Risks
• Right people not invited
• Wrong atmosphere
• Weather?
• Other competing events (Basketball game)

88
Assess Risk
89
SURPRISE 50th Birthday Party

• Controls
• Control Environment - Competent team
• Budget with authorizations and approvals
• Segregation of Functions
• Controls over Information Systems
• Residual Risks
• ?

90
Identify Controls
91
Organizational Objectives
Identify Assess Risks
The Risk Assessment/ Management Process
Identify Assess Residual Risks
Action
No
Yes
92
Questions?
93
What is Internal Control?
94
QUIZ - Internal control is a

• PROCESS of specific policies and procedures
• Designed to provide reasonable assurance that
  organizations objectives will be met
• Provide reliable financial reporting
• Promote efficient and effective operations
• Helps ensure compliance with policy
• Protect university Assets

95
Who is Responsible for Control ?

• In a word, everyone
• Management is responsible for establishing a
  controlled environment.
• Faculty and staff are responsible for carrying
  out internal controls by following policies and
  procedures.
• Internal Audit, in an advisory/consultant role,
  is responsible for evaluating whether appropriate
  controls have been implemented and if they are
  functioning as intended.

96
QUIZ

• Name four Control Activities

97
Control Activities

• Approvals, Authorizations, and Verifications
• Reconciliations
• Reviews of Performance
• Security of Assets
• Segregation of Functions
• Controls over Information Systems

98
QUIZ

• The most important Internal Control component is
• Risk assessment/management process
• Hug your auditor
• Positive Tone at the Top
• Strong ethical climate
• Control environment with answers 3 4

99
Quiz

• Risk Assessment/Management is
• Planning a surprise birthday party
• A department at IU
• A process to assess risks and controls as they
  impact on the achievement of a business objective

100
QUIZ

• Effective Internal Control Systems will
• Provide reasonable assurance that your
  organizations objectives will be met
• Promote reliable financial reporting
• Provide efficient and effective operations
• Help ensure compliance with policy
• Protect university assets
• All of the above

101
Quiz?

• Short Definition of Ethics?
• What are the Rules?

102
Quiz

• Short Definition of Ethics?
• Doing the Right Thing
• What Are the Rules?
• Moral Values (Is it fair?)?
• Is it legal and in compliance with IU policy?
• Would it pass the newspaper test (or the Mom
  test)?

103
Case Study

• Identify 1- 3 SMART OBJECTIVES
• Identify the 1- 3 possible RISKs that would
  prevent you from achieving your objectives
• List the CONTROLS you would implement to mitigate
  these risks

104
Case Scenario 1

• Your Dean has informed you that the school will
  be starting a four week, half-day summer program
  in the schools discipline for fifth and sixth
  graders. The goals of the program are to get them
  interested in the subject matter and encourage
  them to start thinking about college and Indiana
  University. The program will use upper-class
  students from the school as instructors. Fees
  will be set so that the program at least breaks
  even. The first summer, the program will
  accommodate 30 students in two classes of 15
  each. Classes will be held on campus with one
  off-campus field trip.

105
Case Scenario 1

• Additional Information
• When reviewing/reconciling the monthly operating
  statement, your administrative support person
  reports to you that only 29 of the 30 enrolled
  students has paid the class fees. Upon
  questioning, you discover the Dean had told the
  Program Director to allow his nephew to attend
  for free so that the Dean could get an
  independent assessment of the program.

106
Case Scenario 2

• Your school received a private grant to pay 10
  graduate students to mentor targeted high-risk
  high school students. The grant will also provide
  for institutional support, such as mentor
  selection, mentor training, and post-program
  assessment. At the end of the grant, a report
  detailing each students high school performance
  is required.

107
Case Scenario 2

• Additional Information
• You happen to meet one of the high school
  students at a social function and he tells you
  how great the program is and how he appreciates
  the help one of the mentors has given him in
  getting lined up with financial aid for college
  next year. You ask some more questions and
  discover that the mentor has a financial aid
  consulting business on the side and has signed up
  several of the students parents as clients.

108
Case Scenario 3

• You learned that with the implementation of the
  new Student System your school will be receiving
  and processing Admissions Applications along with
  the 65 application fee. Your Dean says you will
  be responsible for seeing that the applications
  are entered correctly and all the money is
  deposited properly.

109
Case Scenario 3

• Additional Information
• The Dean told you he is very pleased and
  surprised at how much money has come in from
  Application Fees. He wants you to start
  depositing half of all the future fees received
  into the Schools unrestricted IU Foundation
  account so we can have funds to pay for all those
  little extras that the university wont allow.

110
Case Scenario 4

• Your Dean informs you that he wants the school to
  begin selling a selection of gift items via the
  Web. The goals of the program are to generate
  additional profits, promote awareness of the
  school or program, and to support students,
  staff, and the public with shopping in a
  convenient manner. This was real successful at
  the last school he was at and he knows it will
  work here if we can just keep the costs down.

111
Case Scenario 4

• Additional Information
• Much to your surprise the Web site has been a
  great success! After congratulating the staff
  person working on this you discover that she has
  been underreporting hours worked because she felt
  that there was not enough money in the budget to
  support all the overtime she has to put in. She
  knows that you and the Dean have constantly
  stressed the need to stay within the budget so
  she was trying to do her part.

112
Case Scenario 5

• Your Dean tells you he wants you to contract for
  a coffee/snacks kiosk in the building lobby. He
  doesnt care what snacks they sell but he wants
  to make sure they sell StarBuzz coffee.

113
Case Scenario 5

• Additional Information
• You see your secretary and the guy who runs the
  coffee kiosk at a basketball game. When you talk
  to her later about how she knows him, she says
  hes her boyfriend and also explains how she
  helped him win the kiosk contract by showing him
  what the other competitors bids were because he
  promised he would beat the best bid and sell
  StarBuzz coffee.

114
(No Transcript)
115
http//www.indiana.edu/iuaudit/

• Thank you