Review Internal Controls: A Prac4cal Applica4on Guide #2035

Transcription

1 Review Internal Controls: A Prac4cal Applica4on Guide #2035 Presented by Alan Wenk Performance Contrac4ng Inc. WORLD- CLASS CONSTRUCTION Alan.Wenk@pcg.com

2 Session Objective This session will provide a basic overview of the importance of internal controls in any business. It is important that risk management and control are not seen as a burden on business, rather as a means by which business opportunities are maximized and potential losses associated with unwanted events reduced.

3 Session Agenda Define Internal Controls Discuss why internal controls are important Who is responsible for internal controls Internal control objectives and types Limitations of internal controls Result of weak internal controls Risk Control Matrixes - used to identify and monitor risks

4 Internal Controls - Definition Internal control is the process, effected by an entity's Board of Trustees, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Reliability of financial reporting, Effectiveness and efficiency of operations, and Compliance with applicable laws and regulations.

5 Why Have Internal Controls Help align objectives of the business Ensure activities carried out by the business are in line with the business objectives Safeguard assets Secure physical and monetary assets are protected from fraud, theft and errors Prevent and detect fraud and errors Encourage good management Allowing managers to receive timely and relevant information on performance against targets

6 Why Have Internal Controls cont.. Allow action to be taken against undesirable performance Authorizing a formal method of dealing with fraud or dishonesty if detected Reduce exposure to risks Minimizing the chance of unexpected events Ensure proper financial reporting Maintaining accurate and complete reports required by legislation and management.

7 Who is Responsible For Internal Controls External auditors are not responsible for an entitys internal controls. External auditors evaluate internal controls as part of their audit planning process, but they are not responsible for the design and effectiveness of your controls. Management (including the governing board) is responsible for making sure that the right controls are in place, and that they are performing as intended.

8 The importance of internal controls and risk management Internal control is one of the principal means by which risk is managed. Other devices used to manage risk include: the transfer of risk to third parties sharing risks contingency planning the withdrawal from unacceptably risky activities. Companies can accept risk too. Getting the balance right is the essence of successful business to knowingly take risk, rather than be unwittingly exposed to it. Trust But Verify

9 Why Should I Care About Internal Controls Lack of internal controls is most commonly cited as the factor that allows fraud to occur, according to the Association of Certified Fraud Examiners' (ACFE) 2008 Report to the Nation on Occupational Fraud and Abuse. Thirty-five percent of respondents to ACFE's survey cited inadequate internal controls as a primary contributing factor in the frauds they investigated. Fraud and losses affect everyone in the company by reducing 401K, ESOP, bonuses, higher cost of capital, lower stock price returns, and can even put companies out of business (Enron).

10

11 The system of internal control An internal control system encompasses the policies, processes, tasks, behaviors and other aspects of a company that, taken together: facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the companys objectives (safeguarding of assets from inappropriate use or from loss and fraud, and ensuring that liabilities are identified and managed); help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organization; help ensure compliance with applicable laws and regulations, and also internal policies with respect to the conduct of business

12 Internal Control Objectives Internal Control objectives are desired goals or conditions for a specific event cycle which, if achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will occur. They are conditions which we want the system of internal control to satisfy. The control objectives include authorization, completeness, accuracy, validity, physical safeguards and security, error handling and segregation of duties. Authorization The objective is to ensure that all transactions are approved by responsible personnel in accordance with specific or general authority before the transaction is recorded. Completeness The objective is to ensure that no valid transactions have been omitted from the accounting records. Accuracy The objective is to ensure that all valid transactions are accurate, consistent with the originating transaction data and information is recorded in a timely manner. Validity The objective is to ensure that all recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management's general authorization. Physical Safeguards & Security The objective is to ensure that access to physical assets and information systems are controlled and properly restricted to authorized personnel. Error handling The objective is to ensure that errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management. Segregation of Duties The objective is to ensure that duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing the transaction. A well designed process with appropriate internal controls should meet most, if not all of these control objectives.

13 Internal Control Types Detective Designed to detect errors or irregularities that may have occurred. Corrective Designed to correct errors or irregularities that have been detected. Preventive Designed to keep errors or irregularities from occurring in the first place.

14 Internal Control Examples - Detective Cash counts; bank reconciliation; Review payroll reports (review your payroll statement); Compare transactions on reports to source documents; Monitor actual expenditures against budget;

15 Internal Control Examples - Preventive Reading and understanding applicable admin policies, department policy/procedures to learn the right way to do something; Review and approval process for purchase requisitions to make sure they are appropriate before the purchase; The use of passwords to stop unauthorized access to systems/ applications;

16 Accounts Payable/Cash Disbursements Common Risks: Checks Processed by Unauthorized Personnel Payments Made Based on Invalid or Unapproved Invoices Payments to Fictitious or Invalid Vendors Misuse of Hand Drawn Checks A good control system has these duties segregated: Setting Up Vendors Processing / Approving POs Processing Invoices Processing Checks

17 Accounts Receivable/Cash Receipts Common Risks: Misappropriation of Funds Prior To Posting to the Accounting Records Not Crediting Appropriate Accounts Receivable, Duplication of Revenue Diversion of funds to improper accounts A good control system has these duties segregated: Establishing Bank Accounts In Entitys Name Receiving Cash, Depositing Cash Recording Cash Reconciling Cash

18 Limitations of Internal Controls No matter how well internal controls are designed, they can only provide reasonable assurance that objectives have been achieved. Some limitations are inherent in all internal control systems. These include: Judgment: The effectiveness of controls will be limited by decisions made with human judgment under pressures to conduct business based on the information at hand. Breakdowns: Even well designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes. Errors may also result from new technology and the complexity of computerized information systems. Management Override: High level personnel may be able to override prescribed policies and procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes. Collusion: Control systems can be circumvented by employee collusion. Individuals acting collectively can alter financial data or other management information in a manner that cannot be identified by control systems.

19 Why Controls Dont Always Work Inadequate knowledge of policies or governing regulations. I didnt know that! Inadequate segregation of duties. We trust A who does all of those things. Inappropriate access to assets. Passwords shared, cash not secured Form over substance. You mean Im supposed to do something besides initial/sign it? Control override. I know thats the policy, but we do it this way.just get it done; I dont care how! Inherent limitations. People are people and mistakes happen. You cannot foresee or eliminate all risk.

20 What can happen when internal controls are weak or non-existent When the recommendation is made to improve controls within a department or company there are usually three basic arguments for not implementing those controls: There is not enough staff to have adequate segregation of duties. It is too expensive. The employees are trusted and controls are not necessary. These arguments represent pitfalls to unsuspecting management. Each argument is in itself a problem that needs to be resolved. The problem of not having enough staff or other resources should be discussed with your supervisor. In most cases, compensating controls can be implemented in situations where one person has to do all of the businessrelated transactions for a department. If implementing a recommended control seems too expensive, be sure to consider the full cost of a fraud that could occur because of the missing control. In addition to any funds that may be lost, consider the cost of time that would have been spent by the department during the time of an investigation of the matter, and the cost of hiring a new employee. Fraud is always expensive and the prevention of fraud is worth the cost. Finally consider the issue of trust. Most employees are trustworthy and responsible, which is an important factor in employee relations and departmental operations. However, it is also the responsibility of administrators to remain objective. Experience shows that it is often the most trusted employees who are involved in committing frauds.

21 Lack of or Weak Internal Controls The store manager who was transferring merchandise from one store to another. In fact, he was diverting the merchandise for his own use. The bookkeeper who adjusted her own charge account so she was getting her merchandise free. The salesperson who processed cash refunds using fictitious names and pocketed the money. The cashier who destroyed cash sales tickets and pocketed the cash. The bookkeeper who used company checks to pay her personal bills. The receiving clerk who helped himself to new merchandise that had been received. Vendor invoices paid twice. This not only reduces cash but overstates book inventory and results in shrinkage. Inaccurate management information resulting in wrong decisions being made. If charge sales or payments are posted to customers accounts incorrectly you run the risk of losing valuable customers.

22

23 Internal Controls - Movie Trivia Peter, Michael, and Samir decide to divert the supposedly "rounded-off" portions of banking interest deposits after Michael and Samir learn that they will be laid off. However, they end up taking much more than the fractions of a cent because of a misplaced decimal point. Office Space Salami slicing (A prime example of collusion and embezzlement) Whats happening to Globodyne? Frank responds with the perfect summary of the Enron debacle, We took our shifting losses and we put them into businesses that we actually owned. And then the balance sheet, it showed profit. But actually there was debt. Fun with Dick and Jane (An example of management override and misappropriation of assets)

24 The changing role of internal audit Traditional Viewed as a policeman Value added Seen as a value adding resource Compliance based approach Process driven/value added approach Viewed by management as the owners of Seen as a quasi-consultant to control help with control Purely finance orientated Business objective orientated Staffed by unqualified inexperienced staff A mix of qualified auditors and business professionals Seen as a green pasture prior to retirement Seen as a training ground for senior management

25 Famous Quotes Honesty pays, but it doesnt seem to pay enough to suit some people F.M. Hubbard Bank failures are caused by depositors who dont deposit enough money to cover the losses due to mismanagement Dan Quayle

26 Internal Control Myths and Facts Myths Facts Internal control starts with a Internal control starts with a strong set of policies/procedures. strong control environment. Internal control: Thats why we have internal auditors! While internal auditors play a key role in the system of control, management is the primary owner. Internal control is a finance thing. Internal control is integral to every aspect of operations. Internal controls are essentially Negative, like a list of thou-shalt-nots. Internal control makes the right things happen the first time!

27 Building A Risk Control Matrix Identify all business processes by department (i.e. AP check processing, vendor set up) Determine what risks are associated with each of these processes. What could go wrong? Answer the following questions: What is the risk level (High, Medium, Low) What assertion needs to be verified (Existence, Completeness, Valuation, Rights and Obligations, Presentation and Disclosure) What type of controls are in place (Preventive, Detective, Manual, Automated) Will the controls, if they are operating as designed, ensure the objective? Monitoring process and frequency

28 Reasons for Strong Internal Controls Helps reduce the risk for fraud / internal theft Promote operational efficiency and effectiveness Provide reliable financial information Safeguard assets and records Encourage adherence to prescribed policies Comply with regulatory agencies

29 Words of Wisdom Dont judge a man un9l you have walked a mile in his shoes At least then if he gets mad you are a mile down the road and you have his shoes.

30 Ques4ons?