Internal Controls Integrating COSO

Transcription

1 Community Action Partnership 2016 Annual Convention August 30 September 2, 2016 Austin, TX J.W. Marriott Austin Internal Controls Integrating COSO Thursday, September 1, :15 am 10:45 am Presented by: Janet S. Johnson, CPA, CMA, Senior Manager NONPROFIT AND GOVERNMENT PRACTICE Reproduction or use of any training materials in this manual, except within a participant s agency without express written permission is prohibited by copyright law.

2

3 Internal Controls Integrating COSO Trainer: Janet S Johnson, CPA, CMA, Senior Manager 1 Materials/Disclaimer Please note that these materials are incomplete without the accompanying oral comments by the trainer(s). These materials are informational and educational in nature and represent the speakers' own views. These materials are for the purchasing agency s use only and not for distribution outside of the agency or publishing on a public website. 2 An Auditor s Look at Internal Controls (COSO) 1

4 Agenda Framework of internal control Management responsibilities Overview and best practices for an organization-wide model of internal control 3 Internal Control Defined A process effected by those charged with governance, management, and other personnel Designed to provide reasonable assurance about the achievement of an entity s objectives Framework developed by the Committee of Sponsoring Organizations (COSO), which issued Internal Control Integrated Framework (1992, updated in 2013) 4 An Auditor s Look at Internal Controls (COSO) 2

5 COSO Framework 5 6 An Auditor s Look at Internal Controls (COSO) 3

6 Objectives of Internal Controls There are three main objectives of internal controls Effective and efficient operations Reliable financial reporting Compliance with applicable laws and regulations 7 Safeguarding of Assets A subset of each of these three objectives Internal control should provide assurance that assets are safeguarded from: Ineffective or inefficient use Unauthorized acquisition, use, disposal, or theft (fraud) Illegal use 8 An Auditor s Look at Internal Controls (COSO) 4

7 Internal Control Framework 9 Figure 2. Internal Control Components and Related Principles The following is a summary of the 17 internal control principles by internal control component as presented in the 2013 Framework. (Pleaserefer to the 2013 Framework for the actual principles and related descriptions.) Control Environment Risk Assessment Control Activities Information and Communication Monitoring Activities 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibilities 3. Establishes structure, authority, and responsibility 4. Demonstrates commitment to competence 5. Enforces Accountability 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change 10.Selects and develops control activities 11.Selects and develops general controls over technology 12.Deploys through policies and procedures 13.Uses relevant, quality information 14.Communicates internally 15.Communicates externally 16.Conducts ongoing and/or separate evaluations 17.Evaluates and communicate s deficiencies 10 An Auditor s Look at Internal Controls (COSO) 5

8 Control Environment COSO Objectives Demonstrate commitment to character, integrity & ethical values Establish the consciousness of the organization Set the tone and foundation for all the internal controls Demonstrate the competence of the entity's people and management Enforce accountability, attention, and direction provided by the audit committee and board of directors Exercise oversight responsibility Establish structure, authority and responsibility Tools & Methods to Achieve Mission statement Ethics statement, code of conduct, and other key policies (e.g., acceptable business practices, conflicts of interest, etc.) Standing board committees with charters (e.g., Audit Committee, Nominating & Corporate Governance Committee, Compensation Committee) Tenure and depth of senior management experience, including the CEO, CFO and COO Training to support execution of staff and management s assigned duties Formal job descriptions Segregate incompatible activities 11 Control Environment Components: Integrity & ethical values of management Commitment to competence Board oversight & interaction w/auditors Management philosophy regarding risk Organizational structure Assignment of authority & responsibility Human resource policies 12 An Auditor s Look at Internal Controls (COSO) 6

9 Risk Assessment COSO Objectives Establish objectives, including how risks should be managed, including entity and activity objectives Establish and maintain an effective process to identify, analyze, and manage risks relevant to the preparation of reliable financial statements (both internal and external) Identify, analyze, and manage change Develop mechanisms to anticipate, identify, and react to routine events or activities that affect achievement of entity or activity-level objectives Tools & Methods to Achieve Business plans and budgets with realistic goals Periodic review and update strategic plans and objectives Document and communicate about risk throughout the organization Involve a broad spectrum of personnel with collective knowledge of all areas in risk assessment and business planning Senior management should periodically report on risk management to the audit committee or board Work with the independent auditors and other third-party experts to appropriately address complex changes in accounting or regulation 13 Risk Assessment Examples: Changes in regulations New personnel New systems or technology Rapid growth or downsizing New programs, grants, services 14 An Auditor s Look at Internal Controls (COSO) 7

10 Control Activities COSO Objectives Establish policies and procedures that help ensure management directives are carried out Ensure controls address risks Establish controls throughout the organization at all levels and in all functions Ensure action is taken on exceptions Review the design and operating effectiveness of controls Select and develop controls over technology Tools & Methods to Achieve Monitoring Policy Segregation of duties Verification System access System automation Board oversight Financial review Authorization Transaction review Reconciliation Entity level controls (e.g.,, Company-wide programs, controls and/or monitoring) 15 Information and Communication COSO Objectives Ensure that pertinent information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities Demonstrate the organization communicates internally and externally Produce reports containing operational, financial, and compliance-related information Communicate to all personnel that control responsibilities must be taken seriously Ensure significant information can be communicated upwards within the organization. Exercise effective communication must occur down, across, and up an organization and with parties external to the organization Tools & Methods to Achieve Conduct monthly conference calls Accounting bulletins and a company handbook Standard half-day employee orientation that addresses company ethics and values issues A record retention period that follows all applicable federal, state and local laws (Generally 7 years) Conduct a survey to determine the information that is needed or desired Period-end reporting deadlines that allow for an appropriate review by management Whistleblower hotline 16 An Auditor s Look at Internal Controls (COSO) 8

11 Information and Communication Means of informing and communicating: Accounting records Accounting processing Financial reporting process Communication of employee duties and responsibilities Disaster recovery Includes IT controls 17 Monitoring COSO Objectives Assess the quality of the entity's internal control performance over time by conducting ongoing and/or separate evaluations Ensure internal control deficiencies are reported throughout the organization with serious matters reported to top management and the board Detect and remediate control deficiencies throughout the entire system of internal control over financial reporting Tools & Methods to Achieve Internal audit or personnel with the requisite skills and independence periodically evaluate areas Investigate complaints of improper financial matters by external parties such as suppliers or regulators are fully investigated and documented Use surveys and focus groups to understand employee perceptions Require employees to acknowledge compliance with the code of conduct Require signatures to verify performance of significant control functions such as reconciliations Checklists, questionnaires, or programs 18 An Auditor s Look at Internal Controls (COSO) 9

12 Monitoring Assessing internal control performance using: Internal audit External audit Special assessments of internal controls Input from personnel Input from third parties (e.g. donors, grantors, vendors, etc.) 19 COSO Cube 20 An Auditor s Look at Internal Controls (COSO) 10

13 Internal Controls Let s look at controls for significant classes of transactions and account balances. 21 Internal Controls Preventive Designed to prevent errors, fraud, or illegal acts from being committed Distinguish preventive policies from preventive controls (e.g. requiring two signatures on checks) Detective Designed to detect errors, frauds, or illegal acts and allow for corrective action Example: bank account reconciliation 22 An Auditor s Look at Internal Controls (COSO) 11

14 Revenue and Cash Receipts Goal: Make it impossible to commit and conceal fraud Segregate: Receipt of funds, Recording of revenue, and Maintenance of accounts. 23 Cash Segregation of Duties Billing Recording revenue in the accounting records Receipt of payments Initial recording of collections Preparation of deposits Posting of receipts to the accounting records Reconciling the bank statement Reconciling accounts receivable subledger with the general ledger 24 An Auditor s Look at Internal Controls (COSO) 12

15 Revenue and Cash Receipts Preventive Controls Examples: Restrictive endorsement of checks received Timely depositing of funds daily Lock up undeposited funds in a safe 25 Revenue and Cash Receipts Detection Controls Examples: Log cash receipts: payor names, amounts, form of payment, description of what the payment is for. Reconcile cash receipts log with deposits made to the bank. Reconcile cash receipts log with revenue recorded on accounting records. 26 An Auditor s Look at Internal Controls (COSO) 13

16 Revenue and Cash Receipts Common revenue and cash receipts fraud Skimming Lapping Write-offs of accounts receivable Unauthorized credits 27 Purchasing and Disbursements Key control areas: Ordering and receipt of goods Check writing process Payment authorization and approval Delivery of checks Bank reconciliation 28 An Auditor s Look at Internal Controls (COSO) 14

17 Purchasing Segregate duties in the following areas: Purchase request Purchase authorization Receiving supplies, other items Recording of accounts payable Approval of vendor invoices Check writing Recording of disbursements Delivery of checks to vendors Reconciliation of accounts payable subledger Reconciliation of bank account 29 Check-Writing Internal Controls Manually-signed checks No pre-signed checks Require 2 real signatures over a certain $ amount DO NOT USE signature stamps!! Check signers should really review the checks and supporting documentation Computer-signed checks: Authorized check signer reviews and approves the check register The Finance Director should not be a check signer 30 An Auditor s Look at Internal Controls (COSO) 15

18 Disbursements Common controls over check writing process (cont.) Mailing all checks promptly after signature Locking up all signed checks that are not mailed the same day Reconciling the bank statement in a timely manner by someone other than the person who writes and records checks Properly voiding checks Maintaining a list of voided checks as well as physical custody 31 Disbursements Payment authorization and approval Require original invoices (no copies or statements accepted) Match with receiving reports Match with purchase order Match with vendor bid/proposal Review of invoice Mathematical accuracy Description of goods or services Quantities and prices Vendor information Documented approval by purchasing agent Cancellation of invoice 32 An Auditor s Look at Internal Controls (COSO) 16

19 Disbursement Check Delivery Mail by individual other than the one authorizing the expenditure Example: supervisors do not hand out paychecks Avoid direct delivery to vendor by purchasing agent 33 Disbursements Bank Reconciliation Review statement for duplicate checks or unnumbered checks Investigate gaps in check numbers Review statement for other debits Examine returned checks Signs of alteration or forged signatures Review endorsements for consistency Compare payees with check register or disbursements journal Verify lists of voided checks 34 An Auditor s Look at Internal Controls (COSO) 17

20 Purchasing and Disbursements Common cash disbursement fraud schemes Billing schemes - internal and external Misclassifying personal expenditures Check tampering 35 Payroll General payroll controls Maintain written policies and procedures for timekeeping and payroll processing Utilize a separate bank account for payroll Use pre-numbered checks in sequence Maintain proper physical security over unused payroll checks Hold unclaimed payroll checks in a secure location 36 An Auditor s Look at Internal Controls (COSO) 18

21 Payroll General payroll controls (cont.) Maintain a detailed payroll register that lists every paycheck along with total gross pay, all payroll withholdings and net pay Use a timekeeping system Review and approve of payroll tax returns Review the posting of payroll from the payroll register Authorize in writing all salaries and wage rates by a designated Agency official 37 Payroll Segregate these duties: Authorize pay rates and changes Enter master employee data into the payroll system Enter timekeeping information Authorize timekeeping information Process payroll Distribute payroll Transfer funds to the payroll bank accounts Reconcile the payroll bank accounts Post payroll to the general ledger 38 An Auditor s Look at Internal Controls (COSO) 19

22 Payroll Common payroll fraud schemes Ghost employees Overstatement of hours worked Overstatement of pay rates Under-withholding of payroll taxes 39 Property and Equipment General controls over property and equipment Budget for additions of property and equipment Physical security over the Agency s premises and buildings Use numbered identification tags on all acquired property Take physical inventories and reconcile with the general ledger Maintain appropriate levels of insurance for theft and damage 40 An Auditor s Look at Internal Controls (COSO) 20

23 Property and Equipment Segregation of duties: Budgets Purchase Receipt Maintenance of inventory records Write-offs of property and equipment that are fully depreciated, obsolete or unused Physical inventories 41 Information Technology The most important element of information technology is the security plan. It should address: Physical access Controls over access to data Data input controls Software controls Protection of hardware Disaster recovery 42 An Auditor s Look at Internal Controls (COSO) 21

24 Information Technology Limit physical access to servers Access to data should be restricted to only authorized individuals Read-only access to modules Restrictions on copying of data Restrictions on adding, deleting or changing data 43 Information Technology Software controls Document all changes in software Review and authorize all requested changes to software Restrict access to software 44 An Auditor s Look at Internal Controls (COSO) 22

25 Information Technology Protection of Hardware Communicate the risks of off-site use of laptops Require that data stored on a laptop be backed up prior to taking off-site Permanently mark laptops as property of the Agency 45 What can go Wrong with Internal Controls? Management override! Recording fictitious business events or transactions Changing the timing of recognition of legitimate transactions Establishing or reversing reserves to manipulate results, including intentionally biasing assumptions and judgments used to estimate account balances. 46 An Auditor s Look at Internal Controls (COSO) 23

26 The COSO Model How to make it work for you An Auditor s Look at Internal Controls (COSO) 24

27 Figure 2. Internal Control Components and Related Principles The following is a summary of the 17 internal control principles by internal control component as presented in the 2013 Framework. (Pleaserefer to the 2013 Framework for the actual principles and related descriptions.) Control Environment Risk Assessment Control Activities Information and Communication Monitoring Activities 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibilities 3. Establishes structure, authority, and responsibility 4. Demonstrates commitment to competence 5. Enforces Accountability 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change 10.Selects and develops control activities 11.Selects and develops general controls over technology 12.Deploys through policies and procedures 13.Uses relevant, quality information 14.Communicates internally 15.Communicates externally 16.Conducts ongoing and/or separate evaluations 17.Evaluates and communicate s deficiencies 49 Documents to download: Poster of Internal Control Integrated Framework Principles Leveraging COSO Across the Three Lines of Defense Other Thought Papers are availble 50 An Auditor s Look at Internal Controls (COSO) 25

28 For Information on How We Can Help Visit the Wipfli Booth (#402) for more details or Connect with me: Bring Wipfli to You: Tammy T. Jelinek My Wipfli Access to our experts: Regulation questions Audit Process Human Resource Technology Leadership 52 An Auditor s Look at Internal Controls (COSO) 26

29 COSO Internal Control Integrated Framework Principles 2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO). Used by permission. Control Environment The organization demonstrates a commitment to integrity and ethical values. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Monitoring Activities 16 The organization Information & Communication Risk Assessment The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The organization considers the potential for fraud in assessing risks to the achievement of objectives. The organization identifies and assesses changes that could significantly affect the system of internal control. selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Control Activities 10 The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 11 The organization selects and develops general control activities over technology to support the achievement of objectives. 12 The organization deploys control activities through policies that establish what is expected and procedures that put policies into action. 13 The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. 17 The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. 14 The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. 15 The organization communicates with external parties regarding matters affecting the functioning of internal control. COSO For more information about COSO, visit coso.org.