Internal Controls: Need Them, Have Them, Love Them Tiffany R. Winters, Esquire twinters@bruman.com Brustein & Manasevit Fall Forum 2010 Why Do We Have Internal Controls? The Federal Managers Financial Integrity Act of 1982 Requires the General Accounting Office (GAO) to issue standards for internal controls in the government. General Accountability Office: Standards for Internal Controls Management and Evaluation Tool: http://www.gao.gov/new.items/d011008g.pdf Chief Financial Officers Act of 1990 Financial Management Systems must comply with internal control standards Federal Financial Management Improvement Act of 1996 2 Lower Audit Threshold Materiality threshold lowered Old: Material Weaknesses For every compliance requirement selected for audit, the auditor must assess: The likelihood of whether the agency s internal controls can prevent and detect noncompliance that is more than inconsequential from occurring in a timely manner MORE INTERNAL CONTROL FINDINGS! 3 1
Definition of Internal Controls Internal controls are tools to help program and financial managers achieve results and safeguard the integrity of their programs. Includes processes for planning, organizing, directing, controlling, and reporting on agency operations Internal controls are the means by which an organization s resources are directed, monitored and measured. Internal controls play and important role in preventing and detecting fraud and protecting resources. 4 Objectives of Internal Controls Efficiency of Operations Reliability of Financial Reporting Compliance with Effectiveness and Applicable Laws and Regulations Safeguarding Assets 5 Types of Internal Controls Preventative Controls designed to discourage errors or irregularities. Documented policies and procedures Trained, competent and trustworthy personnel Process for approvals and authorizations Access and data entry restrictions Segregation of duties 6 2
Types of Internal Controls (cont.) Detective Controls designed to identify an error or irregularity after it has occurred. Monitoring transactions Audits Reconciliations and reviews Verifications 7 Types of Internal Controls (cont.) Corrective Controls designed to detect if a risk has been realized and reacts. Automated financial management systems are able to implement strong corrective controls. Example: automatic rejection of transaction without proper approvals 8 Components of Internal Controls 9 3
Internal Controls Control Environment Goal: Allows management and employees to maintain a positive and supporting attitude towards internal controls. Integrity and Ethical Values Commitment to Competence Management s Philosophy and Operating Style Organizational Structure Assignment of Authority and Responsibilities Human Resources Policies and Practices Oversight Groups 10 Internal Controls Risk Assessment Every Agency Has Weaknesses!! First Establish clear and consistent objectives Entity wide Objectives Activity-level Objectives Clearly communicate objectives to all employees Obtain feedback signifying that communication has been effective 11 Internal Controls Risk Assessment (cont.) Risk Identification: What could go wrong? What assets do we need to protect? How could someone steal or disrupt operations? What information do we rely on? Examples: New legislation, regulations, laws New or updated information systems or technology Rapid growth Downsizing New programs, activities or grants Lack of personnel Newly hired personnel, training needs 12 4
Internal Controls Risk Assessment (cont.) Once risks are identified, conduct risk analysis: Assess the likelihood (or frequency) of risk occurring Estimate the potential impact if the risk were to occur Determine how the risk should be managed High Risk Low Low Judgment Required Impact High 13 Internal Controls Control Activities 14 Internal Controls Control Activities Goal: Policies, procedures, techniques and mechanisms that help ensure that management's directive to mitigate risks identified are carried out Examples: General Application GAO Common Categories of Control Activities 15 5
Internal Controls Control Activities (cont.) 16 Internal Controls Control Activities (cont.) 17 Internal Controls Control Activities (cont.) All Transactions and other significant events are clearly documented!! 18 6
Internal Controls Information and Communications Goal: Ensure personnel receive relevant, reliable and timely information that enables them to carry out their responsibilities. Information Communications Forms and Means of Communication 19 Internal Controls Monitoring Goal: Assess the quality of internal controls over time and ensure any findings are promptly resolved. Ongoing program and fiscal monitoring Separate Evaluations Audit Resolution Include policies and procedures for correcting any findings in a timely manner OMB Circular A-133 audits 20 Don t Rely Solely on A-133 Single Audits! A-133 Audit are NOT necessarily reliable regarding compliance Not all programs are covered Depth of Review Problems with Quality Hold Firms Accountable Be Proactive Internal Controls!! Use Reports in Monitoring Watch for repeat findings 21 7
Identifying Internal Control Problems Signs that something might be wrong: Blank Signature Forms Rubber Stamp Approvals (multiple stamps) Stolen Property Too Much Override Authority No documentation Employees in the newspaper Answer like but we ve always done it that way 22 How To Test Your Internal Controls Examples: Accounts Payable Review accounts payable to ensure payments are made to actual company vendors and all invoices are properly coded and paid. Fixed Assets Review fixed asses to determine the proper tag and inventory records have been assigned and depreciation is being calculated correctly. Financial Statements Review financial statements and the underlying documentation to the reports figures. 23 How to Conduct an Internal Control Process Walkthrough Example: Financial Statements: 1. Identify significant transactions 2. Document an understanding of internal controls in place regarding financial statements Use checklists, flowcharts, narratives or questionnaires to determine the current internal controls 3. Select sample transactions and determine if the sample correctly flow through the internal controls system Note any deviations 24 8
How to Conduct an Internal Control Process Walkthrough (cont.) 25 How to Conduct an Internal Control Process Walkthrough (cont.) Discuss the results of the walkthrough with management and inform them of any deficiencies that need immediate attention Document any changes to risk assessment Document findings 26 Weak Internal Controls What Now? When internal controls weaknesses are determined various options: 1. Increase supervision and monitoring 2. Institute additional or compensating controls 3. Accept risk inherent with the control weakness (assuming management is aware of the weakness) 27 9
Internal Control Resources OMB Circular A-133 Compliance Supplement 2010, Part 6: http://www.whitehouse.gov/sites/default/files/omb/circ ulars/a133_compliance/2010/pt6.pdf OMB Circular A-123 Management's Responsibility for Internal Control : http://www.whitehouse.gov/sites/default/files/omb/asse ts/omb/circulars/a123/a123_rev.pdf 28 The Ultimate Internal Control ~ The Disclaimer ~ This presentation is intended solely to provide general information and does not constitute legal advice or a legal service. This presentation does not create a client-lawyer relationship with Brustein & Manasevit and, therefore, carries none of the protections under the D.C. Rules of Professional Conduct. Attendance at this presentation, a later review of any printed or electronic materials, or any follow-up questions or communications arising out of this presentation with any attorney at Brustein & Manasevit does not create an attorney-client relationship with Brustein & Manasevit. You should not take any action based upon any information in this presentation without first consulting legal counsel familiar with your particular circumstances. 29 10