The Basics of Internal Controls & Segregation of Duties

Similar documents
INTERNAL CONTROLS 101

EFFICIENT USE OF AUDIT COMMITTEES

Seminar Internal Control Identification and Filtering

Implementation Tool for Auditors

AN AUDIT OF INTERNAL CONTROL THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: GUIDANCE FOR AUDITORS OF SMALLER PUBLIC COMPANIES

Internal Controls: Providing an Effective Control Environment. Why This Session Is Needed. Lesson Overview & Module Objectives

Internal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR)

PART 6 - INTERNAL CONTROL

In Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015

Community Bankers Conference

Guide to Internal Controls

Chapter 06. Audit Planning, Understanding the Client, Assessing Risks, and Responding. McGraw-Hill/Irwin

Presented by Ed Williamson and Erica Bailey

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

Internal Audit How the Internal Audit Function Facilitates Internal Controls. Office of the City Auditor City of Tallahassee

Evaluating Internal Controls

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a

Internal Controls: Need Them, Have Them, Love Them

Internal Control Program

Chapter 18. Integrated Audits of Public Companies. McGraw-Hill/Irwin. Copyright 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

Internal Control Questionnaire and Assessment

PAS B.2.4 July 30, PAS-014(R)

REPORT 2016/033 INTERNAL AUDIT DIVISION

An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

COSO What s New, What s Changed, Why Does it Matter and Other Frequently Asked Questions

CLIENT ALERT: INTERNAL CONTROL OVER FINANCIAL REPORTING

FDICIA Reporting for Financial Institutions. Reporting Changes Under Part 363 and SAS 130

Single Audit Update: Internal Control over Compliance and the GAO s Green Book. MSBO s 80 th Annual Conference April 19, 2018

Background. Required Communications of Other Internal Control Deficiencies

PLUM CREEK LIBRARY SYSTEM MANAGEMENT LETTER YEAR ENDED JUNE 30, 2014

RREGULATION ON INTERNAL CONTROLS AND INTERNAL AUDIT FUNCTION IN MICROFINANCE INSTITUTIONS. Article 1 Scope and Purpose

AICPA Peer Review Program Compliance: Responding to Latest Developments

INTERNAL CONTROLS AUDITOR JOHN BYRD, SENIOR AUDITOR TONYA CARRIGAN, SENIOR AUDITOR

Statement on February 2014 Auditing Standards 128. Using the Work of Internal Auditors

Entity level controls Design/implementation 530 Page 1 of 9

Internal Controls Integrating COSO

The most commonly applied model for designing and auditing internal

SA 265 COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL

Committee for Senior Business Administrators. Segregation of Duties

Minneapolis Public Schools Special School District No. 1 Minneapolis, Minnesota. Communications Letter of the Student Activity Accounts.

McGraw-Hill/Irwin. Copyright 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

9. Internal control Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in

What Are Your Auditors Doing? Presented by Carrie Kennedy, Partner Travis Smith, Partner Moss Adams LLP

CHAPTER 2 THEORETICAL FOUNDATIONS. organization which responsible to record and employs physical resources and other

IAASB Main Agenda (December 2008) Page Agenda Item

We wish to thank the staff and management of the Authority for their cooperation and assistance during the course of this engagement.

STATE OF NORTH CAROLINA

Internal controls over Financial Reporting Key concepts. Presentation by Jayesh Gandhi at WIRC

Understanding Internal Controls. Federal Highway Administration New Mexico Division

Navigating the PCAOB s and SEC s internal control expectations A discussion. June 2015

Diving into the 2013 COSO Framework. Presented by: Ronald A. Conrad

Internal Controls for Deans, Directors and Chairs

FRAUD AWARENESS UPDATE

IAASB Main Agenda (March 2005) Page Agenda Item 12-C

VERSION #1 WRITE ON YOUR SCANTRON!!!

Internal Control in Higher Education

Internal Control Questionnaire and Assessment

Private Company Services. Private companies: are your internal controls supporting your business strategy?*

Office of the City Manager

BOM/BSD 2/November 1994 BANK OF MAURITIUS. Guideline on Maintenance of Accounting and other Records and Internal Control Systems

Executive Directors Series: Overview of an assurance engagement

LeiningerCPA, Ltd. INTERNAL CONTROL PROCEDURE STATEMENT

After completing this Session, you should be able to answer the following questions:

VGFOA Fall Conference October 23, 2014 John Montoro, Presenter

MANAGING FRAUD RISK. Teresa D. Thamer, CPA, CFE Brenau University

CHARTER OF THE AUDIT, FINANCE AND RISK COMMITTEE OF THE BOARD OF DIRECTORS OF ACE AVIATION HOLDINGS INC.

FRAUD SCHEMES. South Carolina HFMA Finance & Reimbursement Forum. November 13, 2012 WITH RELATED INTERNAL CONTROLS

ECON 132A SPRING 2008 MT#2

Annual Audit and Other Financial Matters

COSO 2013: Updated internal control framework

Sarbanes-Oxley Act of 2002 Can private businesses benefit from it?

The definition of a deficiency is also set forth in the attached Appendix I.

STATE OF NORTH CAROLINA

How well you are prepared to deal with IFC

Internal Audit Policy and Procedures Internal Audit Charter

Kentucky State University Office of Internal Audit

Ten Payment Fraud Protections

Defining Payroll Process

Chapter 7 Internal Controls

CATERPILLAR INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS (adopted by the Board of Directors on February 11, 2015)

AUDIT COMMITTEE CHARTER. Specifically, the Audit Committee is responsible for overseeing that:

Audit Training-of-Trainers Workshop, November 2014, Vienna Components of internal control within organization

IPO Readiness. Sarbanes-Oxley Compliance & Other Considerations. Presented by:

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES For PEI Credit Unions

B S R & Co. LLP. Reporting on Internal. Reporting An Overview. Sarbanes Oxley Act (SOX) 28 December 2013

Maryland School for the Deaf

AGA Gulf Region PDT COSO and the Green Book: An Enhanced Internal Control Framework

FEDERAL AWARD PROGRAMS INTERNAL CONTROL EVALUATION. Cross-cutting characteristics (generally applicable to all fourteen requirements)

2/27/2017. Segregation of Duties/ Internal Controls. Objectives. Agenda

Agenda 11/26/13. Updated COSO Framework

Format and organization of GAGAS Auditor preparation of financials is a significant threat to independence 3 party arrangements in government State

AUDIT COMMITTEE CHARTER

An Overview of the 2013 COSO Framework. August 2013

July 30, (1) CHAPTER 5. Table of Contents

Business Benefits by Aligning IT best practices

The definition of a deficiency is also set forth in the attached Appendix I.

Chapter 6 Field Work Standards for Performance Audits

GAIT FOR BUSINESS AND IT RISK

INTERNAL CONTROLS FOR NONPROFITS

Transcription:

The Basics of Internal Controls & Segregation of Duties Presented by: Kevin L. Pegish, CPA Senior Audit Manager Northwest Region klpegish@ohioauditor.gov

Internal Controls, we will discuss the following: COURSE AGENGA The Basics The Components The Responsibilities Lack of Internal Controls Segregation of Duties 2

3 INTERNAL CONTROL

Internal Controls Overview & GAO s Green Book 4 4

Internal Controls Overview The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework ://www.coso.org https SAS 55 / 70 / 78 Now AU-C 315 Green Book U.S. Government Accountability Office (GAO) http://www.gao.gov/greenbook/overview 5

Definition AU-C 315.04 defines internal control as a process, effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance of achieving the following objectives: 6

Objectives Reliable financial reporting Effective and efficient operations Compliance with laws and regulations. Internal control over the safeguarding of assets against unauthorized acquisition 7

Objectives (Cont.) Safe and sound operations. The integrity of records and financial statements. Compliance with laws and regulations. A decreased risk of unexpected losses. A decreased risk of damage to the association s reputation. Adherence to internal policies and procedures. Efficient operations. 8

Internal Control Structure SAS 55 There is a direct relationship between an entity's objectives and the internal control components it implements to provide reasonable assurance about their achievement. In addition, internal control is relevant to the entire entity, or to any of its operating units or business functions. This relationship is depicted as follows: 9

Current Guidance AU-C 315. A 68 More than just control procedures Control environment Information & communication Risk assessment Monitoring Control activities/procedures 10

11 Components/Objectives/Entity

Control Environment The effectiveness of internal controls rests with the people of the organization who create, administer, and monitor them. Integrity and ethical values are essential elements of a sound foundation for all other components of internal control. The commitment for effective control environment rests at the top. Reaching a conclusion about a financial institution s internal control environment involves a degree of subjectivity because of the intangible nature of measuring effectiveness. 12

Control Environment: Starts at the Top! Tone at the Top for ethical behavior Committed to internal controls Code of conduct Hiring qualified job applicants 13

Risk Assessment Management should identify risks relevant to financial reporting including external and internal events Operating environment changes New personnel New technology Accounting pronouncements New or revamped information systems 14

Risk Assessment Answer: Ask more questions: What can go wrong? How can we avoid it? Particularly critical when things change: Reorganization, new systems or computers, new transaction types, etc. 15

Information and Communication Systems Internally generated data, along with external events, activities, and conditions are necessary for a business to make informed decisions. Information system should provide sufficient detail to properly classify the transaction for financial reporting, and measure the value of the transactions. 16

Information & Communication Management's monitoring activities may include using information from communications from external parties such as customer complaints and regulator comments that may indicate problems or highlight areas in need of improvement. Entity should have those issues reviewed by someone other than the individual responsible for that accounting function. Entities should have procedures in place regarding how these items are followed up. 17

Information & Communication Examples Customer calls regarding late fees assessed however customer has documentation they were not late. Customer calls regarding payments made by check not cashed timely. Call regarding customers not given a receipt. These all could be fraud indicators!! 18

Monitoring Controls Management and supervisory activities that determine whether management s objectives are achieved, including whether application or computer controls are working effectively. A process that assesses the quality of internal control performance over time AND timely modification of policies and procedures, as needed 19

Control Activities/Procedures Control activities are the policies and procedures that help ensure management carries out its directives. Control activities should assure accountability in the entities operations, financial reporting, and compliance areas. 20

Types of Control Activities/Procedures Control procedures include: Automated (Application) Built in computer controls i.e. Edit checks, automated computations (These controls are generally preventative in nature) Monitoring Controls - Typically performed by Management i.e. Review month-end budget vs. actual reports occur after the transaction has been processed through the accounting system. (These controls are generally detective in nature) 21

Application Controls Application controls are activities directed at achieving control objectives for transaction cycles. Can be done by anyone qualified and assigned to do them. Can be automated (edit checks, automated computations and updates of accumulated data, etc.) Are generally preventive in nature. 22

Internal Controls Even if you outsource or delegate some processing, you are not absolved from your duties to have controls over that activity The best way to accomplish this is to ensure your service organization has a type II SAS 70 audit (SOC 1) 23

Typical Service Organization s Examples of typical SO s: Payroll processing Income tax processing EMS billing services Self-insurance claim processing Investment purchases (transaction not pre-approved) Examples that are not SO s: Bank checking account Investment purchases (entity approves each trans.) Purchased insurance policy Purchase of utility services for your office building 24

Typical Internal Control Categories Minutes Resolutions Bank Reconciliations/Statements Receipts/Pay-ins/Streams Disbursement/Vouchers/invoice/Streams Payroll Contracts Ohio Compliance/Uniform Guidance 25

Typical Internal Control Categories (OCS) Direct Laws Indirect Laws & Statutorily Mandated Tests Stewardship Optional Procedures Manual 26

REPORT OF INDEPENDENT ACCOUNTANTS Management s Financial Statements Audit Opinion Audit Report Auditing Standards in accordance with GAGAS & GAAS Basis of Accounting 27

Responsibilities for Internal Controls Management must be committed to development and maintenance of controls. Management needs to clearly define expectations Segregation of duties has cost associated 28

Who is Management? Smaller entities have elected officials such as Board of Trustees or Village Council but no layers of management. The elected officials would then function as management and have sole responsibility 29

Management s Responsibility for Fraud Management should assess risks and review fraud risk indicators to develop policies or controls to minimize the risk of a fraud occurring. 30

Internal Controls Internal controls can help assure that balances and transactions are complete, existed, occurred, are accurately recorded, properly cutoff and properly classified 31

Internal Controls Develop internal controls To protect assets from loss Ensure transactions are authorized Ensure all funds are collected for services provided by the local government Ensure restricted funds used according to allowable purposes 32

Benefits of Internal Controls Safeguard and Protect public assets Public money Public property Make responsible financial decisions via budgeting Properly manage government resources to achieve goals of government via internal controls 33

Deficiency in Internal Control Results in errors which occur in normal course of operations and are not detected or corrected timely. Deficiency in Design Existing control is either nonexistent or control in place does not address the specific control objective. Deficiency in Operation Control not being performed by an individual being bypassed during daily operations. 34

Internal Control Relevance Sufficient understanding of controls Plan the audit Determine nature, timing, and extent of tests to perform Control risk Client's internal controls will not prevent or detect material misstatements timely 35

Segregation of Duties 36 36

Segregation of Duties Definition GB 10.12 10.14 Process where management divides or segregates key duties and responsibilities among different people to reduce the risk of error, misuse, or fraud. So that no one individual controls all key aspects of a transaction or event, this includes separating the responsibilities for: Authorizing Transactions Processing & Recording Transactions Reviewing the Transactions Handling Any Assets Related to the Transactions 37

Segregation of Duties in Standards/Guides Green Book (GB) AU C s (US Auditing Standards) Ohio Administrative Code (OAC) 38

Various Standards AU-C 240 Inadequate segregation of duties or independent checks increases the susceptibility of misappropriation AU-C 265 Absent or inadequate S.o.D may be deficiencies, significant deficiencies, or material weaknesses AU-C 315 Should reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud OAC 117-2-04(D)(4) And on and on and on.. 39

Assignment of Responsibility & Delegation of Authority Mgmt. determines what level of authority each key role needs to fulfill a responsibility. Mgmt. delegates authority only to the extent required to achieve the entity s objectives. As part of delegating authority, management evaluates the delegation for proper segregation of duties. GB 3.08 40

Segregation of Duties AU C 240 Inadequate segregation of duties or independent checks increases the susceptibility of misappropriation AU C 265 Absent or inadequate S.o.D may be deficiencies, significant deficiencies, or material weaknesses 41

Segregation of Duties AU C 315 Should reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud OAC 117 2 04(D)(4) When designing the public officeʹs system of internal control and the specific control activities, mgmt. should plan for adequate segregation of duties or compensating controls. 42

In order to audit S.o.D we need: An adequately updated understanding of the process How: AOS addresses this through narratives When: Beginning of the audit Why: Provides basis for further testing Effective communication How: Face to face, electronic, policies When: Throughout engagement Why: Consistent approach

Benefits are not mutually exclusive Better Understanding Knowledgeable Team Gain efficiencies Effective

How to make S.o.D a focal point Evaluation Documentation Communication

Evaluation Audit Strategy Discussion among audit Staff Members Discussion at pre audits if needed Walk through of processes Local Gov t Analyze internal control processes Who is doing what What are the possible risks

Documentation Auditors Discuss and complete narratives Segregation of Duties Matrix Utilize narratives to tailor audit procedures Local Gov t Detailed policies and procedures Audit trail Evidence of implementation of controls

Communication Auditors Planning discussions Inquiries during the audit Audit report Local Gov t Provide policies to all staff Update them regularly throughout the year Discuss known/identified issues with auditors

When might there be an issue? Any time an individual is serving in more than one of the key roles authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets AND No compensating controls are in place

Compensating Controls Definition: A control that can limit the severity of a deficiency and prevent it from being a material weakness. Although they can mitigate the severity, they do not eliminate the deficiency. Examples: Review of detailed reports Review/reperform reconciliation procedures Review/approve any adjustments (i.e. non cash adj) Caution: If compensating controls are monitoring controls Evaluate they are adequate. 50

Compensating Controls If there are no SOD issues No compensating controls are necessary SOD issues exist with effective compensating controls Evidence of the compensating control is needed Identifiable issues w/o appropriate compensating controls A fraud risk exists An audit issue/ comment is likely needed If risk is significant, auditors may need to change the audit plan

What are significant risks? Risks may be determined as significant if: The accounting cycle is material Absent/inadequate safeguards Auditor judgment If risks are significant, our audit reactions may include: No reliance on prior year control tests Additional management involvement in audit More sampling tests

Does it mean there is fraud? Difference between fraud risk and fraud. Evidence of a fraud risk area does not necessarily indicate fraud has occurred. We may modify the nature, timing and/or extent of our procedures in response to any heightened fraud risks identified. Important to keep in mind that each case or scenario is different. Each potential fraud is unique, even within the same schemes. Many factors determine the handling and ultimate outcome of the issue. There is no black and white rule book or checklist.

What should local gov t do? Policies and procedures Communicate Internal controls

Establish Policies/procedures Put it in writing: Could be formal Ordinances or resolutions, or Could be policy manuals or handbooks Why? Formal way to ensure everyone is on the same page Written documentation can assist in identifying weaknesses or potential SOD issues Assists in the event of an emergency

Establish Internal Controls Internal Control System Controls should exist to prevent, detect, or deter misstatements or errors i.e. sign offs/approvals, reconciliations/reviews, etc.. Segregation of Duties Evaluate who is doing what, and consider whether that has the potential to be an issue If so, implement some compensating control to reduce risk Monitoring Controls Board/Admin. Should provide oversight to make sure controls are being followed i.e. evidence of sign offs/initials, reperformance of reconciliations, etc..

Communication Intra entity Evidence should support that policies/procedures are communicated/understood by all Reasons for changes to procedures or why controls were overridden should be documented Inter entity Communication with vendors/related parties should occur at least occasionally Communication with auditors to assist in evaluating processes

Benefits? Efficient/Effective Mitigate the possibility of fraud Roles are clearly defined and adhered to Lowers the risk of material misstatement Audit Impact Smoother audit through: Less fraud risks More informed auditors

Importance of evaluating and documenting policies and procedures ostrengthens organizational processes oprovide staff a better understanding Internal controls/ Segregation of duties helps mitigates risks ofraud Risks Summary ofinancial statement error risks 59

60 Questions

Always Remember.. Auditors are here to help!! 61

62

Presenter Contact Information Northwest Region One Government Center, Suite 1420 Toledo, Ohio 43604 Kevin L. Pegish, CPA Presenter Phone: 800-443-9276 Email: klpegish@ohioauditor.gov 6 3

88 E. Broad St. Columbus, Ohio 43215 Phone: (800) 282 0370 (614) 466 4515 Fax: (614) 466 4490 Email: ContactUs@OhioAuditor.gov www.ohioauditor.gov

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback