Guide to Internal Controls

Similar documents
PART 6 - INTERNAL CONTROL

Understanding Internal Controls Office of Internal Audit

Guide to Internal Controls

Company LOGO C B T. An Educational Computer Based Training Program

Internal Controls: Need Them, Have Them, Love Them

GATU Webinar Part 1 March 2017 Presented by Carol Kraus, CPA

Internal Control Questionnaire and Assessment

Internal Control Questionnaire and Assessment

Internal Control Systems

In Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015

Chapter 7 Internal Controls

Assessment of the Design Effectiveness of Entity Level Controls. Office of the Chief Audit Executive

If an adequate segregation of duties does not exist, the following could occur:

Prince William County Public Schools Annual Audit Plan

Maryland School for the Deaf

AUDITING. Auditing PAGE 1

Internal Audit Appendix: IIA Standards

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

Evaluation Tool. Revised January 2006 Internal Control Management and INTRODUCTION

Auditing Standards and Practices Council

Internal Audit Policy and Procedures Internal Audit Charter

STUDY UNIT TEN INTERNAL AUDIT RESPONSIBILITIES FOR FRAUD

Internal Controls Integrating COSO

Developing an Integrated Anti-Fraud, Compliance, and Ethics Program

Protecting Fixed Assets: Internal Controls for Non Profits

EFFICIENT USE OF AUDIT COMMITTEES

College of Engineering and Computer Science Dean's Office

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS

Transparency in the Workforce System Establishing Firewalls & Internal Controls

Evaluating Internal Controls

npliance IN 2008, MICROSOFT CORP. WAS FINED 899 MILLION Auditing for

An Overview of the 2013 COSO Framework. August 2013

2/27/2017. Segregation of Duties/ Internal Controls. Objectives. Agenda

2014 Integrated Internal Control Plan. FRCC Spring Compliance Workshop April 8-10, 2014

Diocese of Covington Policies & Procedures Manual Section: Compliance Accounting Policy: Internal Control & Segregation of Duties

Contract and Procurement Fraud. Fraud in Procurement without Competition

FRAUD SCHEMES. South Carolina HFMA Finance & Reimbursement Forum. November 13, 2012 WITH RELATED INTERNAL CONTROLS

INTERNAL CONTROL HANDBOOK

Triple C Housing, Inc. Compliance Plan

CAPE FEAR COMMUNITY COLLEGE VICE PRESIDENT OF BUSINESS SERVICES

White Paper. Effective and Practical Deployment of COSO: Entity Level Control and Lessons Learned. July 10, 2008 THE ROBERTS COMPANY, LLC

OVERVIEW 4/19/10. Internal Controls and the Audit Process May 4, 2010 OVERVIEW. Definition and historical perspective of internal auditing

A Discussion About Internal Controls February 2016

Kansas State University

The Internal Control Framework

Diving into the 2013 COSO Framework. Presented by: Ronald A. Conrad

Entity level controls Design/implementation 530 Page 1 of 9

Internal Audit Work Plan

CHAPTER 7. Internal Control. Review Questions

CITY OF CORPUS CHRISTI

[RELEASE NOS ; ; FR-77; File No. S ]

Achieve. Performance objectives

BOM/BSD 2/November 1994 BANK OF MAURITIUS. Guideline on Maintenance of Accounting and other Records and Internal Control Systems

Compliance Policies and Procedures

Quality Assurance and Improvement Program (QAIP)

Internal Financial Controls (IFC) ICAI Seminar October 8, 2016

CODE OF CONDUCT AND ETHICS

38 Years of Excellent Client Service New COSO Model and How Internal Controls Help to Reduce Opportunity for Fraud

Measuring Compliance Program Effectiveness

OFFICE OF INTERNAL AUDIT AUDIT MANUAL

SETTING POLICIES and GUIDELINES for CONDUCTING INTERNAL INVESTIGATIONS

Sarbanes-Oxley Act of 2002 Can private businesses benefit from it?

Fire Department Inventory Management Audit

AN AUDIT OF INTERNAL CONTROL THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: GUIDANCE FOR AUDITORS OF SMALLER PUBLIC COMPANIES

THE GULF COAST CENTER CORPORATE COMPLIANCE PLAN

Sheena Tran, CPA May 19, 2014

Sonoma County. Internal Audit Report. Auditor Controller Treasurer Tax Collector. Sonoma County Payroll Process

JOB TITLE: VP, BSA Officer REPORTS TO: SVP, Deposit Operations and Regulatory Compliance/CRA Officer DEPARTMENT: Compliance

Defining Payroll Process

The Episcopal Diocese of Kentucky

Introduction to the Compliance & Ethics Program. General Compliance

ASSOCIATED BANC-CORP CODE OF BUSINESS CONDUCT AND ETHICS

This charter defines the purpose, authority and responsibility of News Corporation s (the Company ) Corporate Audit Department.

FOUNDATION BUILDING MATERIALS, INC. EMPLOYEE CODE OF CONDUCT

Internal Control and the IC System in Philippines

6. Cross-Cutting Issues Indicators

Arc of Onondaga Corporate Compliance Plan

Code of Business Conduct and Ethics

OVERVIEW. Common Personality Traits of Fraudsters. Common Sources of Pressure. Changes in Behavior

Statement on Risk Management and Internal Control

Recommendations. General report on the local government audit outcomes for

Introductions. An Overview of the COSO 2013 Framework. Christian Peo Sharon Todd. An Overview of the 2013 COSO Framework.

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Department of Communication Report No

Internal Control Evaluation

Strengthening Control and integrity: A Checklist for government Managers

BIG LOTS, INC. CODE OF BUSINESS CONDUCT AND ETHICS

Audit Project Process Overview 1/18/ Compliance and Audit Symposium. Agenda. How to Kick-start your. Audit Planning and Risk Assessment

RELM WIRELESS CORPORATION (the Company ) CODE OF BUSINESS CONDUCT AND ETHICS

Developing an Integrated Anti-Fraud, Compliance, and Ethics Program

Key Elements of Antifraud Programs and Controls

Auditing for Effective Training

Internal Audit Report. Contract Administration: 601CT Contracts TxDOT Internal Audit Division

Whether you take in a lot of money. or you collect pennies

University System of Maryland University of Baltimore

UPMC POLICY AND PROCEDURE MANUAL. Links to policies referenced within this policy can be found in Section V.

Message to All Directors, Officers and Employees of Atmos Energy Corporation

Internal Audit Self-Assessment Questionnaire:

UNIVERSITY OF NEW MEXICO INTERNAL AUDIT CONTROL SELF ASSESSMENT QUESTIONNAIRE. School/Organization Phone Organization Code

DEPARTMENT OF BUSINESS AND PROFESSIONAL REGULATION. Office of Inspector General. Annual Report. RICK SCOTT Governor. KEN LAWSON Secretary

Transcription:

Guide to Internal Controls

Table of Contents Introduction to Internal Controls...3 Roles...4 Components....5 Control Environment...5 Risk assessment...6 Control Activities...7 Information & Communication...9 Monitoring Activities...9 Responsibilities at the Department level...11 2

Definition Introduction to Internal Controls Internal control is a process, affected by management, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations Internal controls apply to all University departments and operations. Understanding internal controls provides an additional reference tool for all employees to identify and assess operating controls, financial reporting, and legal/regulatory compliance processes and to take action to strengthen controls where needed. By developing effective systems of internal control, we can contribute to enhancing the University s ability to meet its objectives and reducing the potential liability from fines and penalties that could be imposed for violations. This guide is not a substitute for existing policies and procedures. This guide is based upon the internal control guidelines as recommended by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission and should be used in conjunction with existing policies and procedures. Tools The examples and checklists in this guide should not be interpreted as an all-inclusive list of all controls appropriate for each department. With time, control processes can be expected to change to reflect changes in the operating environment. Information regarding roles, components of internal controls, best practices, and responsibilities at the department level can be found by accessing the various tabs under the Internal Controls section. Additionally, internal controls checklists can be located in the forms section of the Division of Finance website. The checklists have been designed to provide the campus community with a tool for evaluating their internal controls structure and general compliance by business process. 3

Roles Different departments within the University play vital roles in creating, implementing, and assessing internal controls including: Management & Employees Every individual within the University has some role in affecting internal controls. Roles vary with responsibility. Managers are ultimately responsible for the appropriate use and control of the funds entrusted to them. Management is accountable to the Board of Curators, providing governance, guidance, oversight, and at times is accountable to the IRS and funding agencies of federal, state and private grants and contracts. Division of Finance & Accounting Services: The Division of Finance serves as a strategic campus partner to ensure the University continues to maintain a focused fiscal strategy and a sustainable financial base. Accounting Services is responsible for ensuring compliance with University policies and procedures and accurate financial reporting within the University s accounting structure. Accounting Services can assist departments with evaluating internal controls. Department of Internal Audit: The UM Internal Auditing Department is responsible for performing internal audits at the University with Board of Curators approval. Internal audits assist management by providing independent and objective analyses of activities and controls. UM Internal Audit is not part of a department s internal controls, but an audit can help identify weaknesses. See the UM Internal Audit website for more information about the internal audit function. The Ethics and Compliance Hotline: The University of Missouri Ethics and Compliance Hotline ( Hotline ) is a 24 hour/365 day, confidential way for individuals to report instances of suspected fraud, misconduct, or noncompliance with laws, regulations or policies in a manner that preserves anonymity and assures non-retaliation. Individuals may remain anonymous when making the report if they so choose, but should provide sufficient detail for the situation to be investigated. The Hotline can be accessed via the toll free number (1-866-47-9821) or directly at the University of Missouri Ethics and Compliance Hotline. 4

Components In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control. Internal control consists of five interrelated components as follows: Control (or Operating) environment: The control environment sets the tone for the organization and influences how employees conduct their activities and carry out their control responsibilities. The control environment is the foundation for all other components of internal control and provides structure and discipline. The following table will provide some guidance on control environment principals: Control Environment Principle Integrity and ethical values. Commitment to competence. Attention and oversight including those charged with governance. Management's philosophy and operating style. Control Objective Management, through its attitudes and actions, demonstrates character, integrity, and ethical values. Sound integrity and ethical values, particularly of top management, are developed and set the standard of conduct for the organization and financial reporting. The entity is committed to competence in the requirements of particular jobs and in translating those requirements into knowledge and skills. The board of Curators and all employees of the University are actively involved and has significant influence over the entity's internal control environment and its financial reporting. Management analyzes the risks and benefits of new ventures, assesses turnover among employees, investigates and resolves improper business practices, views accounting as a means to monitor and control the various activities of the organization, and adopts accounting policies that reflect the economic realities of the business. Documentation(*) Provide employees with Standard of Conduct (Chapter 330). Also provide method for reporting violations. Employee training and Evaluations. The University policies and procedures, hotline. Degree of care taken in understanding policies and procedures related to financial reporting. 5

Organizational structure. Manner of assigning authority and responsibility. The organizational structure of the University is appropriately designed to promote a sound control environment. Authority and responsibility, appropriate reporting lines, and free flow of information across the University provide unfettered influence to effectively run the entity and support effective financial reporting. The University assigns authority and responsibility to provide a basis for accountability and control. Organizational charts reflecting roles and responsibilities. Defined job duties of key employees. Clearly defined responsibilities and authority limits (Segregation of duties) Risk assessment The central theme of internal control is to identify risks to the achievement of the University's objectives and to do what is necessary to manage those risks. This can be accomplished by: Determine Goals and Objectives: At the highest levels, goals and objectives should be presented in a strategic plan that includes a mission statement and broadly defined strategic initiatives. At the department level, goals and objectives should support the department's strategic plan. Goals and objectives are classified in the following categories: Operations objectives: These objectives pertain to the achievement of the basic mission(s) of a department and the effectiveness and efficiency of its operations, including performance standards and safeguarding resources against loss. Examples of operational objectives may include improving College and departmental operational efficiency, and providing dedicated customer service to the wide variety of internal and external customers. These goals must be specific, measurable, agreed upon, realistic, and time sensitive. Financial reporting objectives: These objectives pertain to the preparation of reliable financial reports. Examples of financial reporting objectives may include providing accurate and timely financial reports. Compliance objectives. These objectives pertain to adherence to applicable laws and regulations. Examples of compliance objectives may include being complaint with grant restrictions, federal and state regulations in addition to university policies and procedures. Identify risks after determining goals: Risk assessment is the identification and analysis of risks associated with the achievement of operations, financial reporting, and compliance goals and objectives. This, in turn, forms a basis for determining how those risks should be managed. To properly manage their operations, managers need to determine the level of operations, financial and compliance risk they are willing to assume. Risk assessment is one of management's responsibilities and enables management to act proactively in reducing unwanted surprises. A risk is anything that could 6

jeopardize the achievement of an objective. For each of the department s objectives, risks should be identified. Asking the following questions helps to identify risks: What could go wrong? How could we fail? What must go right for us to succeed? Where are we vulnerable? What assets do we need to protect? Do we have liquid assets or assets with alternative uses? How could someone steal from the department? How could someone disrupt our operations? How do we know whether we are achieving our objectives? Control activities Control activities are actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks. Control activities can be either preventive or detective. Preventive controls attempt to prevent or deter undesirable acts from occurring. They are proactive controls, designed to prevent a loss, error, or omission. Examples of preventive controls are: Preventive Control Control Description Examples Segregation of duties Adequate documentation In an ideal environment, major functions such as authorization, recording, verification, and custody of assets, should be performed by a different employee. If a person performs more than one of these major functions, without additional mitigating controls in place, there is the potential to carry out and conceal errors and/or irregularities in the course of performing day-to-day activities. Each transaction must stand on its own and an independent reviewer should be able to easily interpret and understand the purpose of the transaction. This can be achieved by maintaining adequate supporting documentation. Incompatible duties may include: Authorizing a transaction to purchase an asset, receiving and maintaining custody of the asset Depositing cash and reconciling bank accounts Receiving checks and approving write-offs on accounts receivables Answering the following questions somewhere on the transaction: Who What When Where Why Business Purpose Evidence of additional approvals required 7

Proper authorizations. All transactions must be authorized. The individual initiating the transaction must have the authority to do so. Employees cannot authorize transactions for their own business reimbursement. Unacceptable forms of authorizations include verbal authorizations and signature stamps. Dean budgeting for a program to occur Division of Finance-Contracts signing a contract HR Supervisor verbally approving travel to a training for an employee Electronic approval by Fiscal Reviewer on voucher Physical security over cash and other assets Access to equipment, inventories, securities, cash and other assets should be restricted based on need; and assets are periodically counted. Limit access to safe to change fund custodian and manager Registers locked when not in use Lab equipment in secure rooms only accessible by researchers Detective controls attempt to detect undesirable acts that have occurred. They provide evidence after-thefact that a loss or error has occurred, but do not prevent them from occurring. Examples of preventive controls are: Detective Control Control Description Examples Regular supervisory review of account activity, reports, and reconciliations Physical Inventories Management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up. Departments with significant inventories should maintain inventory controls over the items. Inventory items received and issued should be recorded, so that a current "book" balance is always known Compare budget to actual expenses and investigate significant differences. Routinely spot-check transactions, records, and reconciliations to ensure expectations are met as to timeliness, completeness, and segregation of duties. Follow up on unexpected results or unusual transactions. Ask for explanations of unexpected results and ask for reasons for unusual transactions. Document your reviews of reports and reconciliations by initiating and dating the reports. Periodically, a person who is independent of the inventory purchasing and inventory custody functions should physically count the inventory items. The counts should be compared to the "book" balances. Missing items should be investigated, resolved, and analyzed for possible control deficiencies. 8

Control selfassessment Departments should examine and improve existing internal controls and/or implement new internal controls to mitigate risks associated with a process or function. Departments are encouraged to utilize the internal controls checklists that can be located in the forms section of the Division of Finance website. The objective of the internal controls checklists is to provide campus community with a tool for evaluating their internal control structure and general compliance by business process. Information and communication The Information and Communication component supports the functioning of all components of internal control. In combination with the other components, information and communication supports the achievement of the University s mission. When assessing internal control over a significant activity (or process), the key questions to ask about information and communication are as follows: Does our department get the information it needs from internal and external sources in a form and timeframe that is useful? Does our department get information that alerts it to internal or external risks (e.g., legislative, regulatory, and developments)? Does our department identify, capture, process, and communicate the information that others need (e.g., information used by other departments)-in a form and timeframe that is useful? Does our department provide information to others that alerts them to internal or external risks? Monitoring Activities Monitoring is the assessment of internal control performance over time. The purpose of monitoring is to determine whether internal control is adequately designed, properly executed, and effective. Internal control is adequately designed and properly executed if all five internal control components (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring) are present and functioning as designed. Monitoring can be accomplished by ongoing monitoring activities and by separate evaluations of internal control such as: Self-assessments On a haphazard basis, upper management may review various account reconciliations. This will ensure that financial activities are being performed on a timely basis and create a secondary level of review. Peer reviews Departments within each college may perform peer reviews of transactions and accounts to ensure that financial activities are valid, sufficient supporting documentations were maintained and main duties have been segregated. 9

Internal audits Internal audits and reviews can also be performed at the department or college level. This is referred to as the Continuous Auditing. The objective of Continuous Auditing is to assess the completeness, accuracy and propriety of a quarterly or semi-annually sample of transactions drawn from the University Accounting System. 10

Responsibilities at the Department Level As an Administrator/manager/employee of a department, you can do the following to enhance your department s control environment: Make sure job descriptions exist, clearly state responsibility for internal control, and correctly translate desired competencies. Implement segregation of duties where duties are divided, or segregated, among different people to reduce risk of error or inappropriate actions. No one person has control over all aspects of any financial transaction. Make sure transactions are authorized by a person delegated approval authority when the transactions are consistent with policy and funds are available. Ensure records are routinely reviewed and reconciled by someone other than the preparer, to determine that transactions have been properly processed. Make certain that equipment, inventories, cash and other property are secured physically, counted periodically, and compared with item descriptions shown on control records. Provide employees with appropriate training and guidance to ensure they have the knowledge necessary to carry out their job duties. For example, if your department is a recipient of sponsored funds, make sure that individuals administering funds are well trained on federal rules and regulations regarding the use of grant funds. Make sure employee performance evaluations are conducted periodically. Good performance should be valued highly and recognized in a positive matter. Make sure that appropriate counseling and/or disciplinary action is taken when an employee does not comply with policies and procedures and/or behavioral standards. Utilize the internal controls checklists that can be located in the forms section of the Division of Finance website. The objective of the internal controls checklists is to provide campus community with a tool for evaluating their internal control structure and general compliance by business process. 11

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback