acca f8 audit- internalcontrols slides


Upload: arshadul-hoque-chowdhury

Post on 10-Apr-2015


DESCRIPTION

audit

TRANSCRIPT

Page 1: ACCA F8 audit- internalcontrols slides

Internal Control Is …

A Process … Not Merely Policies, Procedures and Forms

Effected by People

Directed Toward the Achievement of Objectives

Page 2: ACCA F8 audit- internalcontrols slides

Internal Control As Defined by COSO (Committee of Sponsoring Organizations) Is …

A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

Reliability of financial reporting;

Effectiveness and efficiency of operations; and

Compliance with applicable laws and regulations

Page 3: ACCA F8 audit- internalcontrols slides

Perfect Internal Control?

There is no such thing as a perfect internal control system … there are inherent limitations, which typically cannot be controlled

Page 4: ACCA F8 audit- internalcontrols slides

Perfect Internal Control? Inherent Limitations

Misunderstanding of Instructions

Page 5: ACCA F8 audit- internalcontrols slides

Perfect Internal Control? Inherent Limitations

Mistakes of Judgment

Page 6: ACCA F8 audit- internalcontrols slides

Perfect Internal Control? Inherent Limitations

Personal Carelessness

Page 7: ACCA F8 audit- internalcontrols slides

Perfect Internal Control? Inherent Limitations

Distraction

Page 8: ACCA F8 audit- internalcontrols slides

Perfect Internal Control? Inherent Limitations

Fatigue

Page 9: ACCA F8 audit- internalcontrols slides

Perfect Internal Control? Inherent Limitations

Management Override

Can Lead to Cover Ups

Page 10: ACCA F8 audit- internalcontrols slides

Perfect Internal Control? Inherent Limitations

Collusion Among Individuals

Circumvent Control Procedures Whose Effectiveness Depends on Segregation of Duties

Page 11: ACCA F8 audit- internalcontrols slides

Perfect Internal Control? Inherent Limitations

Staff Size Limitations

May Obstruct Efforts to Properly Segregate Duties

Page 12: ACCA F8 audit- internalcontrols slides

If Staff Size is Limited …

Compensating Controls Should Be Implemented to Ensure Objectives Are Met

A Compensating Control is used to Counter-balance an Internal Control Weakness

Page 13: ACCA F8 audit- internalcontrols slides

Perfect Internal Control? Summary Inherent Limitations

Misunderstanding of Instructions

Mistakes of Judgment

Personal Carelessness

Distraction

Fatigue

Management Override

Staff Size Limitations

Collusion Among Individuals

Page 14: ACCA F8 audit- internalcontrols slides

Perfect Internal Control? Level of Assurances

As a Result of Inherent Limitations and Cost Limitations, the Internal Control Structure Can Provide Only “Reasonable”, Not Absolute Assurances, That Goals and Objectives Will Be Accomplished

Page 15: ACCA F8 audit- internalcontrols slides

Perfect Internal Control? “Reasonable Assurance”

The concept of reasonable assurance recognizes that the cost of an entity’s internal control structure should not exceed the benefits that are expected to be derived. Although the cost-benefit relationship is a primary criterion that should be considered in designing an internal control structure, the precise management of costs and benefits usually is not possible.

Page 16: ACCA F8 audit- internalcontrols slides

Internal Control Failures Result From …

Lack of Integrity

Page 17: ACCA F8 audit- internalcontrols slides

Internal Control Failures Result From …

Weak Control Environment

Page 18: ACCA F8 audit- internalcontrols slides

Internal Control Failures Result From …

Inconsistent Objectives

Page 19: ACCA F8 audit- internalcontrols slides

Internal Control Failures Result From …

Poor Communication

Page 20: ACCA F8 audit- internalcontrols slides

Internal Control Failures Result From …

Inability to Understand & React to Changing Conditions

Page 21: ACCA F8 audit- internalcontrols slides

Internal Control Summary - Failures Result From …

Lack of Integrity

Weak Control Environment

Inconsistent Objectives

Poor Communication

Inability to Understand and React to Changing Conditions

Page 22: ACCA F8 audit- internalcontrols slides

Internal Control Primary Objectives

Compliance with policies, plans, laws, procedures, regulations, contracts, etc.

Page 23: ACCA F8 audit- internalcontrols slides

Internal Control Primary Objectives

Accomplishment of goals and objectives

Page 24: ACCA F8 audit- internalcontrols slides

Internal Control Primary Objectives

Reliability and integrity of information

Page 25: ACCA F8 audit- internalcontrols slides

Internal Control Primary Objectives

Economical and efficient use of resources

Page 26: ACCA F8 audit- internalcontrols slides

Internal Control Primary Objectives

Safeguarding of assets

Page 27: ACCA F8 audit- internalcontrols slides

Internal Control Summary Primary Objectives

Compliance

Accomplishment of Goals & Objectives

Reliability & Integrity of Information

Economical & Efficient Use of Resources

Safeguarding of Assets

Page 28: ACCA F8 audit- internalcontrols slides

Internal Control Isn’t Always Good When it …

Is Excessive

Has a cost that outweighs the derived benefits

Tries to obtain the unobtainable, i.e. “absolute assurance”

Violates the Golden Rule of Internal Control

Page 29: ACCA F8 audit- internalcontrols slides

Control is Excessive When …

It unnecessarily increases the complexity of transaction processing

The “control” steps merely increase the processing time and do not add value to the activity being controlled

Page 30: ACCA F8 audit- internalcontrols slides

Internal Control Golden Rule

There is no greater waste than doing with great efficiency that which should not be done at all!

Page 31: ACCA F8 audit- internalcontrols slides

Internal Control Traits Present When Poor I/C …

In the best case scenario,

Bureaucracy Increased

Productivity Decreased

Page 32: ACCA F8 audit- internalcontrols slides

Internal Control Traits Present When Poor I/C …

In the best case scenario,

Complexity Increased

Transaction Processing Time Increased

Page 33: ACCA F8 audit- internalcontrols slides

Internal Control Traits Present When Poor I/C …

In the best case scenario,

Non-value Adding Activities Increased

Going Nowhere Fast …

Page 34: ACCA F8 audit- internalcontrols slides

Internal Control Traits Present When Poor I/C …

In the worst case scenario,

Interfere with goal accomplishment

Allow for abuse of assets

Page 35: ACCA F8 audit- internalcontrols slides

Internal Control Components

Control Environment

Risk Assessment

Control Activities

Information & Communication

Monitoring

Page 37: ACCA F8 audit- internalcontrols slides

Internal Control Components: Control Environment

Is the attitude and actions of the board and management regarding the significance of control within the organization

Page 38: ACCA F8 audit- internalcontrols slides

Internal Control Components: Control Environment

Provides the discipline and structure for the overall system of internal controls

Established and maintained by management

Should foster control conscientiousness

Includes the overall “tone at the top” set by people in positions of authority

Based on the attitudes and habits of those in authority

Page 39: ACCA F8 audit- internalcontrols slides

Control Environment Includes …

Integrity and Ethical Values

Management’s Philosophy & Operating Style

Organizational Structure

Assignment of Authority & Responsibility

Human Resource Policies & Practices

Competence of Personnel

Page 41: ACCA F8 audit- internalcontrols slides

Control Environment: Integrity and Ethical Values

Institutional objectives, and how they are achieved, are based on preferences, value judgments and management styles

Ethical values must be clearly communicated

Codes of conduct must be defined in written policy & procedures

Page 42: ACCA F8 audit- internalcontrols slides

Control Environment Integrity and Ethical Values

Ethics may be transmitted by example, i.e. people tend to imitate their leadership

Real management concerns can often be evaluated in terms of how violators are dealt with, i.e. the messages sent by leader’s actions in such situations quickly become accepted behavior

Page 43: ACCA F8 audit- internalcontrols slides

Control Environment: Integrity and Ethical Values

Organizational values cannot rise above the integrity and ethics of the people who create, administer and monitor them

Page 45: ACCA F8 audit- internalcontrols slides

Control Environment: Management’s Philosophy & Operating Style

Factors affecting leadership’s philosophy and operating style:

Delegation of Authority (Empowerment)

Risk Taking

Reliance on Policies & Procedures

Page 46: ACCA F8 audit- internalcontrols slides

Control Environment Management’s Philosophy & Operating Style

Administrators should promote compliance through their own actions

Administrators must support adherence to policies and procedures … if they expect employees to have that attitude

Page 48: ACCA F8 audit- internalcontrols slides

Control Environment: Organizational Structure

Provides the framework for achievement of objectives, through proper planning, executing, controlling, and monitoring

Depends on the administration’s philosophy

The appropriateness of depends on various factors, such as size and type of activities

Page 50: ACCA F8 audit- internalcontrols slides

Control Environment Assignment of Authority & Responsibility

Determines the degree to which individuals & departments are encouraged to use initiative in addressing issues and problem solving, as well as the limits of their authority

Delegation of Authority (Empowerment): Placing control for certain decisions at lower levels of the organization, to individuals closest to everyday activities

Page 51: ACCA F8 audit- internalcontrols slides

Control Environment: Assignment of Authority & Responsibility

Control environment is greatly influenced by the degree to which individuals are held accountable

Critical challenge is to delegate to the extent required to achieve objectives

Always remember that “One Can Delegate Authority, Not Responsibility”

Page 53: ACCA F8 audit- internalcontrols slides

Control Environment Human Resource Policies & Responsibilities

Human resource practices send messages to employees regarding expected levels of integrity, ethical behavior and competence

Page 54: ACCA F8 audit- internalcontrols slides

Control Environment Human Resource Policies & Responsibilities

Integrity, ethics, and competence must be exercised in …

HIRING

Page 55: ACCA F8 audit- internalcontrols slides

Control Environment Human Resource Policies & Responsibilities

Integrity, ethics, and competence must be exercised in …

TRAINING

Page 56: ACCA F8 audit- internalcontrols slides

Control Environment Human Resource Policies & Responsibilities

Integrity, ethics, and competence must be exercised in …

EVALUATING

Page 57: ACCA F8 audit- internalcontrols slides

Control Environment Human Resource Policies & Responsibilities

Integrity, ethics, and competence must be exercised in …

PROMOTING

Page 58: ACCA F8 audit- internalcontrols slides

Control Environment Human Resource Policies & Responsibilities

Integrity, ethics, and competence must be exercised in …

COMPENSATING

Page 59: ACCA F8 audit- internalcontrols slides

Control Environment Human Resource Policies & Responsibilities

Disciplinary action should be consistently applied to all employees

Page 61: ACCA F8 audit- internalcontrols slides

Control Environment Competence of Personnel

Lines of authority and responsibility clearly established, documented in written job descriptions and procedures manuals

Competent people must be hired

Page 62: ACCA F8 audit- internalcontrols slides

Control Environment Competence of Personnel

Job descriptions should be periodically updated to ensure that employees are aware of the duties they are expected to perform

Organizational charts provide a visual presentation of lines of authority

Page 64: ACCA F8 audit- internalcontrols slides

Internal Control Components: Risk Assessment …

Is the identification and analysis of relevant risks associated with the achievement of objectives

Is an ongoing process that is a critical component of an effective internal control system

Page 65: ACCA F8 audit- internalcontrols slides

Internal Control Components: Risk …

Risk is the uncertainty of an event occurring that could have an impact on the achievement of objectives.

Risk is measured in terms of consequences and likelihood.

Page 66: ACCA F8 audit- internalcontrols slides

Internal Control Component: Risk Assessment

Risk can pertain to external & internal factors

External risk factors are outside of the university, usually beyond management’s span of control

Internal risk factors are within the university, usually within management’s control

Page 67: ACCA F8 audit- internalcontrols slides

Risk Assessment External Risk Factors

Economic Changes

Page 68: ACCA F8 audit- internalcontrols slides

Risk Assessment External Risk Factors (cont.)

Changing Student & Community Needs and/or Expectations

Page 69: ACCA F8 audit- internalcontrols slides

Risk Assessment External Risk Factors (cont.)

New or Changed Legislation or Regulations

Page 70: ACCA F8 audit- internalcontrols slides

Risk Assessment External Risk Factors (cont.)

Technological Developments

Page 71: ACCA F8 audit- internalcontrols slides

Risk Assessment External Risk Factors (cont.)

Natural Catastrophes

Page 72: ACCA F8 audit- internalcontrols slides

Risk Assessment External Risk Factors (cont.)

Competitive Conditions

Page 73: ACCA F8 audit- internalcontrols slides

Risk Assessment Summary - External Risk Factors

Economic changes

Changing student & community needs

New/changed legislation & regulations

Technological developments

Natural catastrophes

Competitive conditions

Page 74: ACCA F8 audit- internalcontrols slides

Risk Assessment Internal Risk Factors

New Personnel

Page 75: ACCA F8 audit- internalcontrols slides

Risk Assessment Internal Risk Factors (cont.)

Low Morale

Page 76: ACCA F8 audit- internalcontrols slides

Risk Assessment Internal Risk Factors (cont.)

Competence, Adequacy & Integrity of Personnel

Page 77: ACCA F8 audit- internalcontrols slides

Risk Assessment Internal Risk Factors (cont.)

New or Revamped Information Systems

Page 78: ACCA F8 audit- internalcontrols slides

Risk Assessment Internal Risk Factors (cont.)

Size of Organization

Can be measured in terms of …

Assets

Liquidity

Transaction Volume

Page 79: ACCA F8 audit- internalcontrols slides

Risk Assessment Internal Risk Factors (cont.)

Complexity & Volatility of Activities

Page 80: ACCA F8 audit- internalcontrols slides

Risk Assessment Internal Risk Factors (cont.)

Geographical Dispersion of Operations

Page 81: ACCA F8 audit- internalcontrols slides

Risk Assessment Internal Risk Factors (cont.)

Changes in Management Responsibilities

For Example … Climbing The Ladder of Success

Page 82: ACCA F8 audit- internalcontrols slides

Risk Assessment Summary Internal Risk Factors

New Personnel

Low Morale

Competency & Integrity of Personnel

New or Revamped Information Systems

Size of Organization

Complexity & Volatility of Activities

Geographical Dispersion of Operations

Changes in Management Responsibilities

Page 83: ACCA F8 audit- internalcontrols slides

Risk Assessment Risk Analysis

After the risk factors have been identified, they must be evaluated or analyzed in terms of risk

Page 84: ACCA F8 audit- internalcontrols slides

Risk Assessment Risk Analysis Includes …

Estimating the Significance of the Risk

Page 85: ACCA F8 audit- internalcontrols slides

Risk Assessment Risk Analysis Includes … (cont.)

Assessing the Likelihood (or Frequency) of the Risk Occurring

Page 86: ACCA F8 audit- internalcontrols slides

Risk Assessment Risk Analysis

A determination must be made on how to manage risk, i.e. an assessment of actions that can be taken and their relative cost

Page 87: ACCA F8 audit- internalcontrols slides

Risk Assessment Risk Analysis

Administrators must determine …

What can go wrong

What areas have the most risk

What assets are at risk

Who is in a position of risk

Page 88: ACCA F8 audit- internalcontrols slides

Risk Assessment Risk Analysis … (cont.)

When determining risk levels, administrators must consider…

Governmental Mandates The

Unexpected Obstacles

Page 89: ACCA F8 audit- internalcontrols slides

Risk Assessment Risks May Include Such Things As …

Public Scandal

Page 90: ACCA F8 audit- internalcontrols slides

Risk Assessment Risks May Include Such Things As …

Revenues Not Received or Not Recorded Properly

Page 91: ACCA F8 audit- internalcontrols slides

Risk Assessment Risks May Include Such Things As …

Assets Not Used Efficiently

Finances, Personnel, Space

Efficient Performance accomplishes objectives and goals in an ACCURATE and TIMELY FASHION with MINIMAL USE of RESOURCES

Page 92: ACCA F8 audit- internalcontrols slides

Risk Assessment Risks May Include Such Things As …

Assets Not Used Effectively

Finances, Personnel, Space

Effective Control is present when management directs systems in such a manner as to provide REASONABLE ASSURANCE that the organization’s OBJECTIVES and GOALS will be ACHIEVED

Page 93: ACCA F8 audit- internalcontrols slides

Risk Assessment Risks May Include Such Things As …

Assets Diverted to Personal Use

Space, Finances, Personnel

All Break and No Work

Page 94: ACCA F8 audit- internalcontrols slides

Risk Assessment Risks May Include Such Things As …

When Information Used For Decision Making Is Not Reliable, Available or Timely

Reliable Available Timely

Page 95: ACCA F8 audit- internalcontrols slides

Internal Control Component: Risk Assessment

In assessing risk, the potential loss associated with any exposure or risk is weighed against the cost to control it

Page 97: ACCA F8 audit- internalcontrols slides

Internal Control Component: Control Activities

Control activities are the policies and procedures that help ensure that management directives are carried out

Page 98: ACCA F8 audit- internalcontrols slides

Internal Control Component: Control Activities

Generally, control activities (procedures) fall within five broad categories

Authorizations

Segregation of Duties

Recording

Safeguarding

Reconciliations

Page 100: ACCA F8 audit- internalcontrols slides

Control Activities: Authorizations …

Transactions must be authorized and executed in accordance with management’s intent

Page 101: ACCA F8 audit- internalcontrols slides

Control Activities: Authorizations … (cont.)

Authorization to initiate or approve transactions should be limited to specific personnel

Authorizations can be limited by type of transaction (e.g. timesheets) or amount of transactions (e.g. under a certain dollar amount)

Page 103: ACCA F8 audit- internalcontrols slides

Control Activities: Segregation of Duties …

Segregation of duties is adequate when no one person is in a position to both initiate and conceal errors and/or irregularities in the normal course of their duties without detection

Page 104: ACCA F8 audit- internalcontrols slides

Control Activities: Segregation of Duties … (cont.)

Provide that one employee does not have responsibility for all phases of a transaction

Different people should be responsible for:

• Authorizing Transactions

• Recording Transactions

• Maintaining Custody of the Assets

Page 105: ACCA F8 audit- internalcontrols slides

Control Activities: Segregation of Duties … (cont.)

Generally, an employee with physical access to an asset should not also be responsible for the accounting records for that asset

Page 107: ACCA F8 audit- internalcontrols slides

Control Activities: Recording …

Documents and records must be properly designed to provide reasonable assurance that …

Assets are properly controlled

Transactions are properly recorded in the correct account, amount, and period

Page 108: ACCA F8 audit- internalcontrols slides

Control Activities: Recording … (cont.)

Proper design may include such things as …

Pre-numbered documents, which can be used to detect missing documents and for tracking purposes

NCR documents, which can be used for authenticity and control purposes

Page 109: ACCA F8 audit- internalcontrols slides

Control Activities: Recording … (cont.)

Transactions should be properly documented

Records should be retained in an organized manner

Page 111: ACCA F8 audit- internalcontrols slides

Control Activities: Safeguarding …

Measures should be taken to safeguard the access to and use of both assets and records

Achieved through physical security & reconciliation of assets to records

Page 112: ACCA F8 audit- internalcontrols slides

Control Activities: Safeguarding …

Assets should be physically secured

Access to assets should be limited to designated authorized personnel

Page 114: ACCA F8 audit- internalcontrols slides

Control Activities: Reconciliations …

Are independent checks and internal verification procedures designed to help provide assurance that the other four control procedures are achieved

Page 115: ACCA F8 audit- internalcontrols slides

Control Activities: Reconciliations … (cont.)

The person performing the reconciliation (or verification procedures) should be independent from the individuals originally responsible for preparing the data

Page 117: ACCA F8 audit- internalcontrols slides

Internal Control Components: Information & Communication

The purpose of the information and communication system is to help ensure that employees are aware of …

The unit’s goals and objectives

How the unit’s goals and objectives are to be accomplished

Who is responsible for the specific tasks to accomplish them

Page 118: ACCA F8 audit- internalcontrols slides

Internal Control Components: Information & Communication

The information & communication system must provide administrators with reports containing operational, financial, and compliance information for progress monitoring and decision making

Page 119: ACCA F8 audit- internalcontrols slides

Internal Control Components: Information & Communication

Pertinent information must be identified, captured and communicated to appropriate personnel on a timely basis

The quality of information received and/or given influences the quality of decisions

Page 120: ACCA F8 audit- internalcontrols slides

Internal Control Components: Information & Communication

Once information is identified, captured, and processed it is reported formally and informally through both manual and computerized information systems

Page 121: ACCA F8 audit- internalcontrols slides

Information & Communication: Information Systems Include …

University’s Written Policies and Procedures

Budget Unit’s Goals and Objectives

Page 122: ACCA F8 audit- internalcontrols slides

Information & Communication: Systems Include … (cont.)

Budget Unit’s Documented Policies and Procedures

Organizational Charts

Page 123: ACCA F8 audit- internalcontrols slides

Information & Communication: Systems Include … (cont.)

Position Descriptions

Performance Evaluations

Page 124: ACCA F8 audit- internalcontrols slides

Information & Communication: Systems Include … (cont.)

Training Programs

Periodic Progress Reports (Goals & Objectives Accomplishment)

Page 125: ACCA F8 audit- internalcontrols slides

Internal Control Components: Information & Communication

Employees must know what they are supposed to accomplish and how they are to do it

Page 126: ACCA F8 audit- internalcontrols slides

Internal Control Components: Information & Communication

Communication must flow …

Up and down the organization

Across organizational lines

Page 127: ACCA F8 audit- internalcontrols slides

Information & Communication: Information Systems’ Effectiveness

Depends Largely on Following Factors:

Strategic Plan

Necessary Resources

Targeted Audience

Timeliness of Sufficient Detailed Information

Accuracy and Relevancy of Information

Page 128: ACCA F8 audit- internalcontrols slides

Information & Communication: Information Systems’ Effectiveness (cont.)

Information Systems should be developed and revised based on a strategic plan

The strategic plan must be congruent with university-wide and activity-level objectives

Page 129: ACCA F8 audit- internalcontrols slides

Information & Communication: Information Systems’ Effectiveness (cont.)

Management must commit the necessary resources (human and financial) to information systems development

Page 130: ACCA F8 audit- internalcontrols slides

Information & Communication: Information Systems’ Effectiveness (cont.)

Information must reach the right people, i.e. the targeted audience

Page 131: ACCA F8 audit- internalcontrols slides

Information & Communication: Information Systems’ Effectiveness (cont.)

Information must be in sufficient detail and timely enough to allow for an appropriate response

Page 132: ACCA F8 audit- internalcontrols slides

Information & Communication: Information Systems’ Effectiveness (cont.)

Reports must be accurate and provide information relevant to established objectives

Page 134: ACCA F8 audit- internalcontrols slides

Internal Control Components: Monitoring

Monitoring includes the following:

Supervising

Observing

Testing

Reporting to Responsible Individuals

Page 135: ACCA F8 audit- internalcontrols slides

Internal Control Components: Monitoring

Is a process that assesses the quality of the system’s performance over time

Ensures that the internal control system is operating as expected and that the organization’s goals and objectives are achieved

Page 136: ACCA F8 audit- internalcontrols slides

Internal Control Components: Monitoring

Should be performed by supervisory personnel and be focused on high-risk areas

Page 137: ACCA F8 audit- internalcontrols slides

Internal Control Components: Monitoring

Can be ongoing monitoring activities, separate evaluations or a combination of the two

Ongoing monitoring occurs in the normal course of operations, inclusive of regular supervisory activities

The scope and frequency of separate evaluations depend primarily on risk assessment and the effectiveness of the ongoing monitoring procedures

Page 138: ACCA F8 audit- internalcontrols slides

Monitoring: Monitoring Activities Include …

Reviews of financial reports such as …

Comparisons of budgeted to actual revenues and/or expenditures

Comparisons of current to prior months and/or years activities

Page 139: ACCA F8 audit- internalcontrols slides

Monitoring: Monitoring Activities Include …

Spot Checks of Transactions to Ensure Compliance With Policies and Procedures

Reviews of Outstanding Encumbrances

Page 140: ACCA F8 audit- internalcontrols slides

Monitoring: Monitoring Activities Include …

Evaluation of Trends

Review of Supporting Documentation

Page 141: ACCA F8 audit- internalcontrols slides

Monitoring: Monitoring Activities Include …

Documentation of Software Licenses

Surprise Cash and Other Asset Counts

Page 142: ACCA F8 audit- internalcontrols slides

Monitoring: Monitoring Activities Include …

Follow-up on Complaints

Page 143: ACCA F8 audit- internalcontrols slides

Internal Control Components: Monitoring

Internal control systems change over time. Once-effective procedures can become less effective due to …

New Personnel

Varying Effectiveness of Training and Supervision

Time and Resource Constraints

Page 144: ACCA F8 audit- internalcontrols slides

Internal Control Components: Monitoring

When changes occur, the internal control system must change to meet those changes

Remember … Time & Change Waits For No One

Page 145: ACCA F8 audit- internalcontrols slides

Internal Control Components: Monitoring

If management does not make the necessary changes, the organization may, in most cases, be left behind

Page 146: ACCA F8 audit- internalcontrols slides

Internal Control vs. Controls: Compared

Internal control is a process, effected by people, directed toward the achievement of goals

Controls are a part of the internal control process

Page 147: ACCA F8 audit- internalcontrols slides

Internal Control vs. Controls: Controls

Controls are any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established goals and objectives will be achieved

Control is the result of proper planning, organizing, and directing by management

Page 148: ACCA F8 audit- internalcontrols slides

Internal Control vs. Controls Adequate Control

Is present when management has planned and organized (designed) in a manner that provides reasonable assurance that the …

Organization’s risks have been managed effectively

Organization’s goals and objectives will be achieved efficiently and economically

Page 149: ACCA F8 audit- internalcontrols slides

Internal Control vs. Controls Adequate Control & Reasonable Assurance

Reasonable Assurance implies that material errors and irregularities will be prevented or detected / corrected within a timely period by employees during the normal course of performing their assigned duties

Page 150: ACCA F8 audit- internalcontrols slides

Internal Controls Errors Defined

An error is an unintentional mistake

Examples of errors include …

Mathematical error

Unintentional omission of events or transactions

Page 151: ACCA F8 audit- internalcontrols slides

Internal Controls Irregularities Defined

An irregularity is an intentional act; a fraud

Examples of irregularities include …

• Manipulation, falsification, or alteration of accounting records or supporting documentation

• Misrepresentation or intentional omission of events or transactions

Page 152: ACCA F8 audit- internalcontrols slides

Types of Controls

Preventive

Detective

Directive

EDP General Controls: Preventive, Detective or Directive

EDP Application Controls: Preventive, Detective or Directive

Page 153: ACCA F8 audit- internalcontrols slides

Types of Controls

Preventive

Detective

Directive

EDP General Controls: Preventive, Detective or Directive

EDP Application Controls: Preventive, Detective or Directive

Page 154: ACCA F8 audit- internalcontrols slides

Types of Controls Preventive Controls …

Deter undesirable events from occurring

Should be designed to discourage errors or irregularities

Page 155: ACCA F8 audit- internalcontrols slides

Types of Controls Examples of Preventive Controls …

A computer application which checks validity prevents the entry of invalid account numbers

Shred documents containing confidential information (SSN, grades, addresses, etc.)

Page 156: ACCA F8 audit- internalcontrols slides

Types of Controls Examples of Preventive Controls …

Reading and understanding policy and procedures manuals

Manager’s approval of a purchase requisition for expenditure appropriateness

Page 157: ACCA F8 audit- internalcontrols slides

Types of Controls Examples of Preventive Controls …

Restrict access to data to only authorized users

Physically restricting access to assets

Page 158: ACCA F8 audit- internalcontrols slides

Types of Controls Examples of Preventive Controls …

Keep food and drinks away from computer hardware

Back-up your work periodically on your personal computer … length of interval depends on importance of the data

Page 159: ACCA F8 audit- internalcontrols slides

Types of Controls Examples of Preventive Controls …

Protect your password

Run updated anti-virus software on your personal computer

Page 160: ACCA F8 audit- internalcontrols slides

Types of Controls

Preventive

Detective

Directive

EDP General Controls: Preventive, Detective or Directive

EDP Application Controls: Preventive, Detective or Directive

Page 161: ACCA F8 audit- internalcontrols slides

Types of Controls Detective Controls …

Detect and correct undesirable events which have occurred

Should be designed to identify an error or irregularity after it has occurred

Page 162: ACCA F8 audit- internalcontrols slides

Types of Controls Examples of Detective Controls …

Exception reports which list incorrect or invalid entries or transactions

A review of long distance telephone charges to check for improper or personal calls

Page 163: ACCA F8 audit- internalcontrols slides

Types of Controls Examples of Detective Controls …

Reconciliations

Page 164: ACCA F8 audit- internalcontrols slides

Types of Controls

Preventive

Detective

Directive

EDP General Controls: Preventive, Detective or Directive

EDP Application Controls: Preventive, Detective or Directive

Page 165: ACCA F8 audit- internalcontrols slides

Types of Controls Directive Controls …

Cause or encourage a desirable event to occur

Should be designed to aid in the accomplishment of goals and objectives

Page 166: ACCA F8 audit- internalcontrols slides

Types of Controls Examples of Directive Controls …

Written, distributed policy and procedures

Training seminars

Well defined job descriptions

Page 167: ACCA F8 audit- internalcontrols slides

Types of Controls

Preventive

Detective

Directive

EDP General Controls: Preventive, Detective or Directive

EDP Application Controls: Preventive, Detective or Directive

Page 168: ACCA F8 audit- internalcontrols slides

Types of Controls EDP General Controls

Ensure that the programmed procedures within a computerized system are appropriately implemented, maintained, and operated and that only authorized changes are made to programs and data

Page 169: ACCA F8 audit- internalcontrols slides

Types of Controls EDP General Controls

Programmed procedures include the precise instructions to the computer to perform specific steps to achieve a particular task

Page 170: ACCA F8 audit- internalcontrols slides

Types of Controls EDP General Controls

There are two types of programmed procedures … Accounting and Control

Programmed Accounting Procedures … are simply accounting procedures performed by the computer

Programmed Control Procedures … ensure the completeness, accuracy, and authorization of processed and stored data

Page 171: ACCA F8 audit- internalcontrols slides

Types of Controls EDP General Controls

Examples of Programmed Accounting Procedures include …

Calculating and producing student bills

Updating master files

Generating data within the computer

Page 172: ACCA F8 audit- internalcontrols slides

Types of Controls EDP General Controls

Examples of Programmed Control Procedures include …

Matching student identification numbers against a master file containing student information

Exception reports generated when there are instances when the computer is unable to complete the prescribed operation

Page 173: ACCA F8 audit- internalcontrols slides

Types of Controls EDP General Controls

There are seven categories of EDP General Control Procedures

Implementation

File Conversion

Maintenance

Computer Operations

Data File Security

Program Security

System Software

Page 174: ACCA F8 audit- internalcontrols slides

EDP General Controls Implementation Control Procedures

Help guard against financially significant errors in new applications

Ensure that programmed procedures for new systems or major enhancements to existing systems are effectively designed and implemented

Page 175: ACCA F8 audit- internalcontrols slides

EDP General Controls File Conversion Control Procedures

Ensure that newly created or converted data files contain correct data

Ensure that when a significant new system is introduced or an existing system is modified, the conversion process does not give rise to data file errors

Page 176: ACCA F8 audit- internalcontrols slides

EDP General Controls Maintenance Control Procedures

Cover same areas as implementation procedures, but relate to program amendments rather than entirely new applications

Ensure that changes to programmed procedures are effectively designed and implemented

Page 177: ACCA F8 audit- internalcontrols slides

EDP General Controls Computer Operations Control Procedures

Ensure the continuity of processing and the consistent application of programmed procedures

Ensure that the correct data files are used, including their correct version, and that recovery procedures for processing failures are provided

Page 178: ACCA F8 audit- internalcontrols slides

EDP General Controls Data File Security Control Procedures

Protect data from unauthorized access that could result in their modification, disclosure or destruction

Are designed to prevent or detect unauthorized changes to stored data

Are designed to prevent or detect the initiation of unauthorized transactions

Page 179: ACCA F8 audit- internalcontrols slides

EDP General Controls Program Security Control Procedures

Are designed to prevent or detect unauthorized amendments to programs

Page 180: ACCA F8 audit- internalcontrols slides

EDP General Controls System Software Control Procedures

Are designed to ensure that system software is effectively implemented, maintained, and protected from unauthorized changes

System software includes such things as operating systems, utilities, sorts, compilers, file management systems, security software packages, etc.

Page 181: ACCA F8 audit- internalcontrols slides

EDP General Controls Things Commonly Looked At …

Program and Data File Security

Is access to programs and data adequately secured?

Are only authorized changes made to programs and data files?

Page 182: ACCA F8 audit- internalcontrols slides

EDP General Controls Things Commonly Looked At …

Program and Data File Security

Is the access level granted to employees consistent with the duties that they perform (need-to-know basis)?

Page 183: ACCA F8 audit- internalcontrols slides

EDP General Controls Things Commonly Looked At …

Program and Data File Security

Is access to programs and data terminated when employees separate from the university?

Page 184: ACCA F8 audit- internalcontrols slides

EDP General Controls Things Commonly Looked At …

Program and Data File Security

Are unauthorized attempts to access the system monitored?

Followed up on?
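The program and data file security questions above (need-to-know access, termination on separation, monitoring of unauthorized attempts) can be run as a periodic detective check. The following is an added example, not part of the original slides; the roster, role matrix, account list, log format and all names in it are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample data for illustration (not from the slides).
HR_ROSTER = {
    "asmith": {"role": "cashier", "separated": None},
    "bjones": {"role": "registrar", "separated": date(2015, 3, 31)},
    "clee": {"role": "cashier", "separated": None},
}
ROLE_ENTITLEMENTS = {  # hypothetical need-to-know matrix: role -> allowed grants
    "cashier": {"receipts:read", "receipts:write"},
    "registrar": {"grades:read", "grades:write"},
}
ACCOUNTS = {
    "asmith": {"enabled": True, "grants": {"receipts:read", "receipts:write"}},
    "bjones": {"enabled": True, "grants": {"grades:read"}},
    "clee": {"enabled": True, "grants": {"receipts:read", "grades:write"}},
    "svc_old": {"enabled": True, "grants": {"receipts:read"}},
}
AUTH_LOG = [  # constructed lines in an assumed "timestamp user result" format
    "2015-04-10T08:01:02 bjones FAIL",
    "2015-04-10T08:01:09 bjones FAIL",
    "2015-04-10T08:01:15 bjones FAIL",
    "2015-04-10T08:02:40 asmith FAIL",
    "2015-04-10T08:02:55 asmith OK",
    "2015-04-10T08:03:11 bjones FAIL",
]


def review_access(as_of):
    """Reconcile enabled accounts against HR records and role entitlements."""
    findings = []
    for user, acct in sorted(ACCOUNTS.items()):
        if not acct["enabled"]:
            continue
        person = HR_ROSTER.get(user)
        if person is None:
            findings.append((user, "no matching employee record"))
            continue
        if person["separated"] is not None and person["separated"] <= as_of:
            findings.append((user, "enabled after separation"))
            continue
        # Need-to-know: anything granted beyond the role's entitlement is excess.
        excess = acct["grants"] - ROLE_ENTITLEMENTS.get(person["role"], set())
        if excess:
            findings.append((user, "excess access: " + ", ".join(sorted(excess))))
    return findings


def failed_attempts(log_lines, threshold=3):
    """Return users whose failed logins reach the follow-up threshold."""
    fails = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) == 3 and parts[2] == "FAIL":
            fails[parts[1]] += 1
    return {user: n for user, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    for user, issue in review_access(date(2015, 4, 10)):
        print(f"{user}: {issue}")
    print(failed_attempts(AUTH_LOG))
```

Each finding is an item for manual follow-up; the script reports and does not disable or change any account.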

Page 185: ACCA F8 audit- internalcontrols slides

EDP General Controls Things Commonly Looked At …

Physical Security

Is access to file servers, computers, etc. physically restricted?

Are the hinges on doors on the inside or outside?

Page 186: ACCA F8 audit- internalcontrols slides

EDP General Controls Things Commonly Looked At …

Physical Security

Are there any water pipes or sprinkler systems located above sensitive computer equipment?

Page 187: ACCA F8 audit- internalcontrols slides

EDP General Controls Things Commonly Looked At …

Continuity of Operations

Is there a Business Continuity Plan (Disaster Recovery Plan)?

Is it up-to-date?

Has it been tested recently?

Ever been tested?

Page 188: ACCA F8 audit- internalcontrols slides

EDP General Controls Things Commonly Looked At …

Continuity of Operations

Are there sufficient backup and recovery procedures on the main processing system?

Are critical operations on personal computers backed up?

How often?

Page 189: ACCA F8 audit- internalcontrols slides

EDP General Controls Things Commonly Looked At …

Vendor Relations

How fast does the vendor respond to the needs of the university?

Is the vendor dependable?

Page 190: ACCA F8 audit- internalcontrols slides

Types of Controls

Preventive

Detective

Directive

EDP General Controls: Preventive, Detective or Directive

EDP Application Controls: Preventive, Detective or Directive

Page 191: ACCA F8 audit- internalcontrols slides

Types of Controls EDP Application Controls

Are the programmed control procedures in application software (e.g. SCT products), and related manual procedures, designed to help ensure the completeness, accuracy, and authorization of data processed and stored

Page 192: ACCA F8 audit- internalcontrols slides

Types of Controls EDP Application Controls

There are five categories of EDP Application Control Procedures

Completeness and Accuracy of Input

Completeness and Accuracy of Updates

Authorization

Maintenance

Security

Page 193: ACCA F8 audit- internalcontrols slides

EDP Application Controls Examples Include …

Computerized edit checks for data input into the system, i.e. “No ID for term selected”

Matching sales orders against a master file containing credit information, such as credit line limitations

Manual procedures to follow up on items listed in exception reports
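The programmed control procedures named on the EDP General Controls slides (matching IDs against a master file, exception reports) and the application control examples above (edit checks, credit-limit matching) share one pattern: validate each input record against master data and route failures to an exception report for manual follow-up. The following is an added example, not part of the original slides; the record layout, master file contents and function names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed master files for illustration (values are not from the slides).
STUDENT_MASTER = {"S1001": {"2015SP", "2015FA"}, "S1002": {"2015SP"}}
CREDIT_MASTER = {"C-77": {"credit_limit": 5000.00, "balance": 4200.00}}

SAMPLE_BATCH = [  # constructed input records
    {"type": "registration", "student_id": "S1001", "term": "2015FA"},
    {"type": "registration", "student_id": "S1002", "term": "2015FA"},
    {"type": "registration", "student_id": "S9999", "term": "2015SP"},
    {"type": "sales_order", "customer_id": "C-77", "amount": 500.00},
    {"type": "sales_order", "customer_id": "C-77", "amount": 400.00},
]


@dataclass
class ControlException:
    record_no: int
    reason: str
    record: dict


def check_registration(rec):
    """Edit check: the ID must be on the master file and valid for the term."""
    terms = STUDENT_MASTER.get(rec.get("student_id"))
    if terms is None:
        return "ID not on student master file"
    if rec.get("term") not in terms:
        return "No ID for term selected"
    return None


def check_sales_order(rec, balances):
    """Match the order against the credit master file and its credit line."""
    cust = rec.get("customer_id")
    if cust not in CREDIT_MASTER:
        return "customer not on credit master file"
    amount = rec.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        return "amount missing or not positive"
    if balances[cust] + amount > CREDIT_MASTER[cust]["credit_limit"]:
        return "order exceeds credit line"
    balances[cust] += amount  # accepted orders consume the remaining credit
    return None


def process_batch(batch):
    """Return (accepted, exceptions); every record lands in exactly one list."""
    balances = {c: m["balance"] for c, m in CREDIT_MASTER.items()}
    accepted, exceptions = [], []
    for n, rec in enumerate(batch, start=1):
        if rec.get("type") == "registration":
            reason = check_registration(rec)
        elif rec.get("type") == "sales_order":
            reason = check_sales_order(rec, balances)
        else:
            reason = "unknown record type"
        if reason:
            exceptions.append(ControlException(n, reason, rec))
        else:
            accepted.append(rec)
    # Completeness control total: nothing is silently dropped.
    assert len(accepted) + len(exceptions) == len(batch)
    return accepted, exceptions
```

The second sales order is rejected only because the first one was accepted in the same batch, which is why the credit check keeps a running balance instead of comparing each order to the stored balance alone.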

Page 194: ACCA F8 audit- internalcontrols slides

Internal Controls Responsibility For …

Everyone at Northwestern has a role in regard to internal controls

Roles will vary depending on level of responsibility and the nature of involvement by the individual

Page 195: ACCA F8 audit- internalcontrols slides

Internal Controls Responsibility For …

A weak link in the organizational structure can create a weakness in the control system

Page 196: ACCA F8 audit- internalcontrols slides

Internal Controls Responsibility For …

The management board is responsible for providing important oversight

Dr. Sally Clausen, President ULS

Page 197: ACCA F8 audit- internalcontrols slides

Internal Controls Responsibility For …

The President is responsible for providing leadership and direction to Vice Presidents and Administrators

Dr. Randall J. Webb, President NSU

Page 198: ACCA F8 audit- internalcontrols slides

Internal Controls Responsibility For …

The President, along with Vice Presidents and other senior administrators, is responsible for establishing the presence of …

Integrity

Ethics

Competence

Positive Control Environment

Page 199: ACCA F8 audit- internalcontrols slides

Internal Controls Responsibility For …

The President, along with Vice Presidents and other senior administrators, is responsible for establishing major operating policies that form the foundation of the internal control system

Page 200: ACCA F8 audit- internalcontrols slides

Internal Controls Responsibility For …

Vice Presidents are responsible for providing direction and oversight to senior administrators in major functional areas (e.g. colleges, departments, auxiliary operations and support services)

Page 201: ACCA F8 audit- internalcontrols slides

Internal Controls Responsibility For …

Deans, directors, and department heads are responsible for executing those major institution-wide control policies and procedures

Page 202: ACCA F8 audit- internalcontrols slides

Internal Controls Responsibility For …

Deans, directors, and department heads are responsible for designing and implementing control systems at detailed levels within their specific units

Page 203: ACCA F8 audit- internalcontrols slides

Internal Controls Responsibility For …

Managers and other supervisory personnel are responsible for executing control policies and procedures at detailed levels within their specific units

Page 204: ACCA F8 audit- internalcontrols slides

Internal Controls Responsibility For …

Each individual within a unit is responsible for being cognizant of proper internal control procedures associated with their specific job responsibilities

Page 205: ACCA F8 audit- internalcontrols slides

Internal Controls Responsibility For …

Internal auditors are responsible for examining the adequacy and effectiveness of the University’s internal controls, and making recommendations where control improvements are needed

Page 206: ACCA F8 audit- internalcontrols slides

Internal Controls Responsibility For …

Internal auditors contribute to the effectiveness of the controls, but they are not responsible for establishing or maintaining them

Page 207: ACCA F8 audit- internalcontrols slides

Internal Controls … And Internal Auditors

Internal auditors are a part of the internal control system, not the whole system

Page 208: ACCA F8 audit- internalcontrols slides

Internal Controls … And Internal Auditing

Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.

Page 209: ACCA F8 audit- internalcontrols slides

Internal Controls … And Internal Auditing

Assurance Services

An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization.

Page 210: ACCA F8 audit- internalcontrols slides

Internal Controls … And Internal Auditing

Assurance Services Examples Include …

Financial Engagements

Performance Engagements

Compliance Engagements

System Security Engagements

Due Diligence Engagements

Page 211: ACCA F8 audit- internalcontrols slides

Internal Controls … And Internal Auditing

Consulting Services

Advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve the organization’s operations.

Page 212: ACCA F8 audit- internalcontrols slides

Internal Controls … And Internal Auditing

Consulting Services Examples Include …

Counsel

Advice

Facilitation

Process Design

Training

Page 213: ACCA F8 audit- internalcontrols slides

Internal Controls … And Internal Auditing

Internal Auditing helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of …

Risk management

Control

Governance Processes

Page 214: ACCA F8 audit- internalcontrols slides

Internal Controls And Internal Auditors Typical Internal Audit Functions …

Appraise the adequacy of the internal control system

Page 215: ACCA F8 audit- internalcontrols slides

Internal Controls And Internal Auditors Typical Internal Audit Functions …

Verify the existence of University assets, noting whether or not the assets are properly safeguarded

Page 216: ACCA F8 audit- internalcontrols slides

Internal Controls And Internal Auditors Typical Internal Audit Functions …

Identify operational opportunities for cost savings

Page 217: ACCA F8 audit- internalcontrols slides

Internal Controls And Internal Auditors Typical Internal Audit Functions …

Perform agreed-upon procedures for clients (departments) that add value and improve operations of the overall organization

Page 218: ACCA F8 audit- internalcontrols slides

Internal Controls And Internal Auditors Typical Internal Audit Functions …

Act as an in-house consultant on internal control matters

Page 219: ACCA F8 audit- internalcontrols slides

Internal Controls And Internal Auditors Typical Internal Audit Functions …

Submit timely audit reports to management, encompassing audit findings and recommendations for corrective action

Page 220: ACCA F8 audit- internalcontrols slides

Internal Controls And Internal Auditors Typical Internal Audit Functions …

Perform special projects or investigations as requested by management and board staff or as mandated by internal audit charter and IIA Code of Ethics

Page 221: ACCA F8 audit- internalcontrols slides

Internal Controls And Internal Auditors Internal Auditors Should NOT …

Direct personnel to change work methods

Make financial or other operating decisions

Page 222: ACCA F8 audit- internalcontrols slides

Internal Controls And Internal Auditors Internal Auditors Should NOT …

Direct personnel to take corrective action to audit recommendations

The adoption of audit recommendations is encouraged; however, acceptance of audit suggestions is the responsibility of operating management

Page 223: ACCA F8 audit- internalcontrols slides

THE END