36336510 acca f8 audit internal controls slides

8/8/2019 36336510 ACCA F8 Audit Internal Controls Slides

1/223

Internal Control Is

A Process Not Merely

Policies, Procedures and Forms

Affected by People

Directed Toward theAchievement of Objectives


2/223

Internal ControlAs Defined by COSO Is (Committee of Sponsoring Organizations)

A process, affected by an entitys board of directors, management, and other personnel,

designed to provide reasonable assuranceregarding the achievement of objectives in thefollowing categories:

Reliability of financial reporting;

Effectiveness and efficiency of operations; and

Compliance with applicable laws and regulations


3/223


4/223

Perfect Internal Control?

Inherent Limitations

Misunderstanding of Instructions


5/223



Mistakes of Judgment


6/223



Personal Carelessness


7/223



Distraction


8/223



Fatigue


9/223



Management Override

Can Lead to Cover Ups


10/223


Inherent LimitationsCollusion Among Individuals

Circumvent Control Procedures Whose

Effectiveness Depends on Segregation of Duties


11/223



Staff Size Limitations

May Obstruct Efforts to Properly

Segregate Duties


12/223

If Staff Size is Limited Compensating Controls Should Be

Implemented to Ensure Objectives Are Met

A Compensating Control is used to Counter-

balance an Internal Control Weakness


13/223


Summary Inherent Limitations

Misunderstanding of Instructions

Mistakes of Judgment

Personal Carelessness

Distraction

Fatigue

Management Override

Staff Size Limitations

Collusion Among Individuals


14/223


Level of Assurances

As a Result of Inherent

Limitations and CostLimitations, the InternalControl Structure Can ProvideOnly Reasonable, NotAbsolute Assurances, ThatGoals and Objectives Will BeAccomplished


15/223


R

easonable Assurance

The concept of reasonable assurancerecognizes that the cost of an entitys

internal control structure should notexceed the benefits that are expected tobe derived. Although the cost-benefit

relationship is a primary criterion thatshould be considered in designing aninternal control structure, the precise

management of costs and benefits

usually is not possible.


16/223

Internal ControlF

ailures ResultF

rom

Lack of Integrity


17/223

Internal ControlF

ailures ResultF

rom

Weak Control Environment


18/223

Internal ControlF

ailures ResultF

rom

Inconsistent Objectives


19/223

Internal ControlF

ailures ResultF

rom

Poor Communication


20/223

Internal ControlF

ailures ResultF

rom

Inability to Understand & React

to Changing Conditions


21/223

Internal ControlSummary - Failures ResultFrom

Lack of Integrity

Weak Control Environment Inconsistent Objectives

Poor Communication

Inability to Understand and React

to Changing conditions


22/223

Internal ControlP

rimary Objectives

Compliance with policies, plans, laws,procedures, regulations, contracts, etc.


23/223

Internal ControlP

rimary Objectives

Accomplishmentof goals and objectives


24/223

Internal ControlP

rimary Objectives

Reliability and integrity of information


25/223

Internal ControlP

rimary Objectives

Economicaland efficientuse of

resources


26/223

Internal ControlP

rimary Objectives

Safeguardingof assets


27/223

Internal Control

SummaryP

rimary Objectives

Compliance

Accomplishment of Goals & Objectives

Reliability & Integrity of Information

Economical & Efficient Use ofResources

Safeguarding of Assets


28/223

Internal Control Isnt Always Good

When it

Is Excessive

Has a cost that outweighs the derivedbenefits

Tries to obtain the unobtainable, i.e.

absolute assurance Violates the Golden Rule of Internal

Control


29/223

Control is Excessive When

It unnecessarily increases the

complexity of transaction processing

The control steps merely increasethe processing time and do not addvalue to the activity being controlled


30/223

Internal ControlGolden Rule

There is no greater waste thandoing with great efficiency that

which should not be done at

all!


31/223

Internal ControlTraits Present When Poor I/C

Bureaucracy Increased

In the best case scenario,

Productivity Decreased


32/223



Complexity Increased

Transaction Processing Time Increased


33/223



Non-value Adding Activities Increased

Going Nowhere Fast


34/223


In the worst case scenario,

Interfere with goal accomplishment

Allow for abuse of assets


35/223

Internal Control Components

Control Environment

Risk Assessment

Control Activities

Information & Communication

Monitoring


36/223


Control Environment

Risk Assessment

Control Activities


Monitoring


37/223

Internal Control Components:Control Environment

Is the attitude and actions of

the boardand managementregarding the significance of

control within theorganization


38/223

Internal Control Components:Control Environment

Provides the discipline and structure forthe overall system of internal controls

Established and maintained bymanagement

Should foster control conscientiousness

Includes the overall tone at the top setby people in positions of authority

Based on the attitudes and habits of those inauthority


39/223

Integrity and Ethical Values

Managements Philosophy & OperatingStyle

Organizational Structure

Assignment of Authority & Responsibility Human Resource Policies & Practices

Competence of Personnel

Control EnvironmentIncludes


40/223








41/223

Institutional objectives, and how they are

achieved, are based on preferences, value

judgments and management styles

Control EnvironmentIntegrity and Ethical Values

Ethical values must be clearly

communicated

Codes of conductmust be defined inwritten policy & procedures


42/223


Ethics may be transmitted by example, i.e.people tend to imitate their leadership

Realmanagement concerns can often be

evaluatedin terms ofhow violators aredealt with, i.e. the messages sent byleaders actions in such situations quicklybecome accepted behavior


43/223

Organizational values cannot

rise above the integrity andethics of the people who

create, administerand

monitorthem



44/223








45/223

Factors affecting leaderships philosophy

and operating style:

Control EnvironmentManagements Philosophy & Operating Style

Delegation of Authority (Empowerment)

Risk Taking Reliance on Policies & Procedures


46/223

Control EnvironmentManagements Philosophy & Operating Style

Administrators should promotecompliance through their own actions

Administrators must support adherenceto policies and procedures if theyexpect employees to have that attitude


47/223








48/223

Provides the framework for achievementof objectives, through proper planning,executing, controlling, and monitoring

Control EnvironmentOrganizational Structure

Depends on the administrationsphilosophy

The appropriateness of depends onvarious factors, such as size and type ofactivities


49/223





Assignment of Authority & Responsibility

Human Resource Policies & Practices



50/223

Control EnvironmentAssignment of Authority & Responsibility

Determines the degree to whichindividuals & departments are

encouraged to use initiative in addressingissues and problem solving, as well as thelimits of their authority

Delegation of Authority (Empowerment)Placing control for certain decisions atlower levels of the organization, toindividuals closest to everyday activities


51/223

Control environment is greatly influencedby the degree to which individuals areheld accountable

Control EnvironmentAssignment of Authority & Responsibility

Critical challenge is to delegate to the

extent required to achieve objectives

Always remember that One Can

Delegate Authority, Not Responsibility


52/223





Assignment of Authority &

R

esponsibility Human Resource Policies & Practices



53/223

Control EnvironmentHuman Resource Policies & Responsibilities

Human resource practices

send messages to employees

regarding expected levels of

integrity, ethical behaviorand competence


54/223


Integrity, ethics, and competence must beexercised in

HIRING


55/223


TRAINING



56/223



EVALUATING


57/223



PROMOTING


58/223


59/223


Disciplinary action should beconsistently applied to all

employees


60/223





Assignment of Authority &

Responsibility

Human Resource Policies & Practices



61/223

Control EnvironmentCompetence ofPersonnel

Lines of authority and responsibility

clearly established, documented in

written job descriptions andprocedures manuals

Competent people must be hired


62/223

Control EnvironmentCompetence ofPersonnel

Job descriptions should be periodically

updated to ensure that employees areaware of the duties they are expected to

perform

Organizational charts provide a visual

presentation of lines of authority


63/223


Control Environment

Risk Assessment Control Activities


Monitoring


64/223

Internal Control Components:Risk Assessment

Is the identification and analysis ofrelevantrisks associated with the achievement ofobjectives

Is an ongoing process that is a critical

component of an effective internal control

system


65/223

Internal Control Components:Risk

Riskis the uncertainty of an event

occurring that could have an impact onthe achievement of objectives.

Riskis measured in terms ofconsequences and likelihood.


66/223

Internal Control Component:Risk Assessment

Risk can pertain to external & internal

factors

External risk factors are outside of the

university, usually beyond managements

span of control

Internal risk factors are within the university,

usually within managements control


67/223

Risk AssessmentExternal RiskFactors

Economic Changes


68/223

Risk AssessmentExternal RiskFactors (cont.)

Changing Student & Community

Needs and/or Expectations


69/223


New or Changed Legislation or

Regulations


70/223


Technological Developments


71/223


Natural Catastrophes


72/223


73/223

Economic changes

Changing student & community needs

New/changed legislation & regulations

Technological developments

Natural catastrophes

Competitive conditions

Risk AssessmentSummary - External RiskFactors


74/223

Risk AssessmentInternal RiskFactors

New Personnel


75/223

Risk AssessmentInternal RiskFactors (cont.)

Low Morale


76/223


Competence, Adequacy & Integrity

of Personnel

i A


77/223


New or Revamped Information Systems

Ri k A


78/223


Size of Organization

Can be measured in terms of

Assets LiquidityTransaction

Volume

Ri k A


79/223


Complexity & Volatility of Activities

Ri k A t


80/223


Geographical Dispersion of Operations

Ri k A t


81/223


Changes in Management Responsibilities

For, Example Climbing The Ladder of Success

Ri k A t


82/223

New Personnel

Low Morale

Competency & Integrity of Personnel

New or Revamped Information Systems

Size of Organization

Complexity & Volatility of Activities Geographical Dispersion of Operations

Changes in Management Responsibilities

Risk AssessmentSummary Internal RiskFactors

Ri k A t


83/223

After the risk factors

have been identified, they

must be evaluated or

analyzed in terms of risk

Risk AssessmentRisk Analysis


84/223

Risk AssessmentRisk Analysis Includes

Estimating the Significance of the Risk

Ri k A t


85/223

Risk AssessmentRisk Analysis Includes (cont.)

Assessing the Likelihood (or Frequency)

of the Risk Occurring

Ri k A t


86/223

A determination must be made

on how to manage risk, i.e. an

assessment of actions that can

be taken and their relative cost


Ri k A t


87/223

What can go wrong

What areas have the most risk

What assets are at risk

Who is in a position of risk


Administrators must determine

Ri k A t


88/223

Risk AssessmentRisk Analysis (cont.)

When determining risk levels, administratorsmust consider

Governmental

MandatesThe

Unexpected Obstacles

Risk Assessment


89/223

Public Scandal

Risk AssessmentRisks May Include Such Things As

Risk Assessment


90/223

Risk Assessment

Risks May Include Such Things As

Revenues Not Received

or Not Recorded Properly

Risk Assessment


91/223

Risk Assessment


Assets Not Used Efficiently

FinancesPersonnel

Space

Efficient Performance accomplishes objectives and goals

in an ACCURATE and TIMELY FASHION with

MINIMAL USE ofRESOURCES

Risk Assessment


92/223

Risk Assessment


Assets Not Used Effectively

Effective Control is present when management directs systems in

such a manner as to provide REASONABLE ASSURANCE that the

organizations OBJECTIVES and GOALS will be ACHIEVED

FinancesPersonnelSpace

Risk Assessment


93/223

Risk Assessment


Assets Diverted to Personal Use

Space

FinancesPersonnel

All Break and No Work

Risk Assessment


94/223

Risk Assessment


When Information Used For Decision Is

Making Not Reliable, Available or Timely

Reliable Available Timely

Internal Control Component:


95/223

In assessing risk, the potential

loss associated with any

exposure or risk is weighed

against the cost to

control it

Internal Control Component:Risk Assessment


96/223


Control Environment

Risk Assessment

Control Activities


Monitoring



97/223

Control activities are the

policies and procedures that

help ensure that management

directives are carried out

Internal Control Component:Control Activities



98/223


Generally, control activities (procedures)

fall within five broad categories

Authorizations

Segregation of Duties

Recording

Safeguarding

Reconciliations



99/223


Authorizations


Recording

Safeguarding

Reconciliations

Control Activities


100/223

Control ActivitiesAuthorizations

Transactions must be authorizedand executed in accordance with

managements intent

Control Activities


101/223

Authorization to initiate or approve

transactions should be limited to specific

personnel

Control ActivitiesAuthorizations (cont.)

Authorizations can be limited by type oftransaction (e.g. timesheets) or amount oftransactions (e.g. under a certain dollar

amount)



102/223

Authorizations


Recording

Safeguarding

Reconciliations


Control Activities


103/223

Segregation of duties is adequatewhen no one person is a positionto both initiate and conceal

errors and/or irregularities inthe normal course of their dutieswithout detection


Control Activities


104/223

Provide that one employee does not haveresponsibility for all phases of a transaction

Different people should be responsibility

for:

Control ActivitiesSegregation of Duties (cont.)

Authorizing Transactions

Recording Transactions

Maintaining Custody of the Assets

Control Activities


105/223

Generally, an employee with

physical access to an asset should

not also be responsible for theaccounting records for that asset

Control ActivitiesSegregation of Duties (cont.)



106/223

Authorizations

Segregation of Duties Recording

Safeguarding

Reconciliations


Control Activities


107/223

Documents and records must beproperlydesignedto provide reasonable assurance

that

Control ActivitiesRecording

Assets are properly controlled

Transactions are properly recorded in the

correct account, amount, and period

Control Activities


108/223

Control ActivitiesRecording (cont.)

Proper design may include such things as

Pre-numbered documents, which can beused to detect missing documents and

for tracking purposes

NCR documents, which can be used for

authenticity and control purposes

Control Activities


109/223

Control ActivitiesRecording (cont.)

Transactions should be properly documented

Records should be retained in an organized

manner



110/223

Authorizations


Safeguarding

Reconciliations


Control Activities


111/223

Measures should be taken to safeguard

the access to and use ofboth assets and

records

Achieved through physical security &

reconciliation of assets to records

Co t o ct v t esSafeguarding

Control Activities


112/223

Safeguarding

Assets should be physically secured

Access to assets should be limited todesignated authorized personnel



113/223

Authorizations


Safeguarding

Reconciliations

pControl Activities

Control Activities


114/223

Are independentchecks and internal

verificationprocedures designed tohelp provide assurance

that the other fourcontrol procedures are

achieved

Reconciliations

Control Activities


115/223

Reconciliations (cont.)

The person performing

the reconciliation (orverification procedures)

should be independent

from the individualsoriginally responsible

for preparing the data


116/223


Control Environment



Monitoring


117/223

Internal Control Components:


118/223

pInformation & Communication

The information &

communication system must

provide administrators with

reports containing

operational, financial, and

compliance information forprogress monitoring and

decision making



119/223


Pertinent information must be identified,captured and communicated to

appropriate personnel on a timely basis

The quality of information received and/or

given influences the quality of decisions



120/223


Once information is identified,

captured, and processed it is reported

formally and informally through bothmanual and computerized information

systems



121/223

Information Systems Include

Universitys Written Policies andProcedures

Budget Units Goals and Objectives



122/223

Systems Include (cont.)

Budget Units Documented Policies andProcedures

Organizational Charts


123/223



124/223

Systems Include (cont.)

Training Programs

Periodic Progress Reports (Goals &

Objectives Accomplishment)



125/223


Employees must know what theyare supposed to accomplish and

how they are to do it



126/223


Communication must flow

Up and down the organization

Across organizational lines



127/223

Information Systems Effectiveness

Strategic Plan

Necessary Resources

Targeted Audience

Timeliness of Sufficient DetailedInformation

Accuracy and Relevancy of Information

Depends Largely on FollowingFactors:



128/223

Information Systems Effectiveness (cont.)

Information Systems should be developedand revised based on a strategic plan

The strategic plan must be congruent with

university-wide and activity-level objectives



129/223


Management must commit the

necessary resources (human andfinancial) to information

systems development



130/223


Information must reach the rightpeople, i.e. the targeted audience



131/223


Information must be in sufficient

detailand timely enough to allow foran appropriate response



132/223


Reports must be accurate andprovide information relevantto

established objectives


133/223


Control Environment



Monitoring



134/223

Monitoring includes the following:

Monitoring

Supervising

Observing

Testing

Reporting to Responsible Individuals



135/223

Is a process that assesses the qualityof the systems performance over

time

Monitoring

Ensures that the internal control systemis operating as expected and that theorganizations goals and objectives areachieved



136/223

Monitoring

Should be performed by supervisorypersonnel and be focused on high-

risk areas



137/223

Monitoring

Can be ongoingmonitoring activities, separateevaluations or a combination of the two

Ongoing monitoring occurs in the normal course

of operations, inclusive of regular supervisory

activities

The scope andfrequency ofseparate evaluations

depend primarily on risk assessmentand the

effectiveness of the ongoing monitoring

procedures

Monitoring


138/223

Reviews of financial reports such as ..

Monitoring Activities Include

Comparisons of budgeted to actual

revenues and/or expenditures

Comparisons of current to prior months

and/or years activities


139/223

Monitoring


140/223


Evaluation of Trends

Review of Supporting Documentation

Monitoring


141/223


Documentation of Software Licenses

Surprise Cash and Other Asset Counts

Monitoring


142/223


Follow-up on Complaints

Internal Control Components:M i i


143/223

Monitoring

Internal control systems change over time.Once effective procedures can become less

effective due to

New Personnel

Varying Effectiveness of Training andSupervision

Time and Resource Constraints



144/223

Monitoring

When changes occur, the internalcontrol system must change to

meet those changes

Remember Time & Change Waits For No One



145/223

Monitoring

If management does not make thenecessary changes, the organization may,

in most cases, be left behind

Internal Control vs. ControlsC d


146/223

Internal control is a process, affectedby people, directed toward the

achievement of goals

Compared

Controls are a part of the internalcontrol process

Internal Control vs. ControlsC t l


147/223

Controls

Controls are any action taken by management,the board, and other parties to enhance risk

management and increase the likelihood thatestablished goals and objectives will be achieved

Control is the result of

proper planning,

organizing, and directing

by management

Internal Control vs. ControlsAd t C t l


148/223

Adequate Control

Is present when management has planned

and organized (designed) in a manner that

reasonable assurance that the

Organizations risks have been managed

effectively

Organizations goals and objectives will be

achieved efficiently and economically

Internal Control vs. Controls


149/223

Adequate Control & Reasonable Assurance

Reasonable Assurance implies that

material errors and irregularities willbepreventedor detected / corrected

within a timely period by employees

during the normal course ofperforming their assigned duties

Internal ControlsE D fi d


150/223

Errors Defined

An error is an unintentional mistake

Examples of errors include

Mathematical error

Unintentional omission of events ortransactions

Internal ControlsIrregularities Defined


151/223

Irregularities Defined

An irregularity is an intentional act; a

fraud

Examples of irregularities include

Manipulation, falsification, or alteration of

accounting records or supporting

documentation

Misrepresentation or intentional omission

of events or transactions

Types of Controls


152/223

Types of Controls

Preventive

Detective

Directive

EDP General Controls

Preventive, Detective or Directive

EDP Application Controls


Types of Controls


153/223

Types of Controls

Preventive

Detective

Directive


Preventive, Detective or Directive EDP Application Controls


Types of ControlsPreventive Controls


154/223

Preventive Controls

Deter undesirable events

from occurring

Should be designed to discourage

errors or irregularities

Types of ControlsExamples of Preventive Controls


155/223

Examples ofPreventive Controls

A computer application which checks validity

prevents the entry ofinvalid account numbers

Shred documents containing confidential

information (SSN, grades, addresses, etc.)

Types of Controls

Examples of Preventive Controls


156/223


Reading and understanding policy and

procedures manuals

Managers approval of a purchase requisition

for expenditure appropriateness

Read Sign

Departmental University

Types of Controls



157/223


Restrict access to data to only authorized

users

Physically restricting access to assets

Types of Controls



158/223


Keep food and drinks away from computerhardware

Back-up your work periodically on your

personal computer length of intervaldepends on importance of the data

Types of Controls



159/223


Protect your password

Run updated anti-virus software on your

personal computer

Types of Controls


160/223

Types of Controls

Preventive

Detective

Directive




Types of ControlsDetective Controls


161/223

Detective Controls

Detect and correctundesirable events which

have occurred

Should be designed to

identify an error orirregularity after it has

occurred

Types of Controls

Examples of Detective Controls


162/223

Exception reports which list incorrect or

invalid entries or transactions


A review of long distance telephone charges

to check for improper or personal calls

Types of Controls



163/223

Reconciliations


Types of Controls


164/223

Types of Controls

Preventive

Detective

Directive





Types of ControlsDirective Controls


165/223

Directive Controls

Cause or encourage a

desirable event to occur

Should be designed to aid in

the accomplishment of goalsand objectives

Types of Controls

Examples of Directive Controls


166/223

Examples of Directive Controls

Written, distributed policy and

procedures

Training seminars

Well defined job descriptions

Types of Controls


167/223

Types of Controls

Preventive

Detective

Directive




Types of ControlsEDP General Controls


168/223

EDPGeneral Controls

Ensure that the programmedprocedures within a computerized

system are appropriatelyimplemented, maintained, and

operated and that only authorized

changes are made to programs anddata



169/223

EDPGeneral Controls

Programmed procedures

include the preciseinstructions to the computer

to perform specific steps to

achieve a particular task



170/223

EDPGeneral Controls

There are two types of programmed

procedures Accounting and Control

Programmed Accounting Procedures are

simply accounting procedures performed by the

computer

Programmed Control Procedures ensure

the completeness, accuracy, and authorization of

processed and stored data



171/223

EDPGeneral Controls

Examples of Programmed Accounting

Procedures include

Calculating and producing student

bills

Updating master files

Generating data within the computer



172/223

EDPGeneral Controls

Examples of Programmed Control

Procedures include

Matching student identification numbers

against a master file containing student

information

Exception reports generated when there are

instances when the computer is unable to

complete the prescribed operation



173/223

EDPGeneral Controls

There are seven categories of EDP GeneralControl Procedures

Implementation File Conversion

Maintenance

Computer Operations

Data File Security

Program Security

System Software

EDP General ControlsImplementation ControlProcedures


174/223

p

Help guard against financially

significant errors in new applications

Ensure that programmed procedures

for new systems or majorenhancements to existing systems are

effectively designed and implemented


175/223

EDP General ControlsMaintenance Control Procedures


176/223

Maintenance ControlProcedures

Cover same areas as implementationprocedures, but relate to program

amendments rather than entirelynew applications

Ensure that changes to programmedprocedures are effectively designedand implemented

EDP General ControlsComputer Operations Control Procedures


177/223

Computer Operations ControlProcedures

Ensure the continuity of processing

and the consistent application of

programmed procedures

Ensures that the correct data files

are used, including their correct

version, and that recovery

procedures for processing failures

are provided

EDP General ControlsData File Security Control Procedures


178/223

Data File Security ControlProcedures

Protect data from unauthorizedaccess that could result in their

modification, disclosure ordestruction

Are designed to prevent or detect

unauthorized changes to stored data Are designed to prevent or detect the

initiation ofunauthorized transaction

EDP General ControlsProgram Security ControlProcedures


179/223

g y

Are designed to prevent or detect

unauthorized amendments toprograms

EDP General ControlsSystem Software ControlProcedures


180/223

y f

Are designed to ensure that systemsoftware is effectively implemented,

maintained, and protected fromunauthorized changes

System software includes such things

as operating systems, utilities, sorts,compilers, file management systems,security software packages, etc.

EDP General ControlsThings Commonly Looked At


181/223

g y

Is access to programs and data adequately

secured?

Are only authorized changes made toprograms and data files?

Program and Data File Security



182/223

g y

Is the access level granted to employees

consistent with the duties that theyperform (need-to-know basis)?




183/223

g y

Is access to programs and dataterminated when employees separate

from the university?




184/223

g y

Are unauthorized attempts to access thesystem monitored?

Followed-up on?




185/223

g y

Is access to file servers, computers, etc.

physically restricted?

Are the hinges on doors on the inside oroutside?

Physical Security



186/223

g y

Are there any water pipes or sprinkler

systems located above sensitive computer

equipment?

Physical Security



187/223

g y

Is there a Business Continuity Plan

(Disaster Recovery Plan)?

Is it up-to-date?

Has it been tested recently?

Ever been tested?

Continuity of Operations


188/223



189/223

How fast does the vendor respond to the

needs of the university?

Is the vendor dependable?

Vendor Relations

Types of Controls


190/223

Preventive

Detective

Directive





Types of ControlsEDPApplication Controls


191/223

pp

Are the programmed controlprocedures in application software

(e.g. SCT products), and relatedmanual procedures, designed tohelp ensure the completeness,

accuracy, and authorization ofdata processed and stored

Types of ControlsEDPApplication Controls


192/223

Completeness and Accuracy of Input

Completeness and Accuracy of Updates

Authorization

Maintenance

Security

There are five categories of EDP ApplicationControl Procedures

EDP Application ControlsExamples Include


193/223

Computerized edit checks for data input into

the system, i.e. No ID for term selected

Matching sales orders against a master filecontaining credit information, such ascredit line limitations

Manual procedures to follow-up on itemslisted in exception reports

Internal ControlsResponsibility For


194/223

Everyone at Northwestern has a role in

regard to internal controls

Roles will vary depending on level of

responsibility and the nature ofinvolvement by the individual



195/223

A weak linkin the organizationalstructure can create a weakness in

the control system



196/223

The management board is responsible forproviding important oversight

Dr. Sally Clausen, President ULS



197/223

The President is responsible for providingleadership and direction to Vice Presidents and

Administrators

Dr. Randall J. Webb, President NSU


198/223



199/223

The President, along with Vice Presidents

and other senior administrators, are

responsible for establishing majoroperating policies that form the

foundation of the internal control system



200/223

Vice Presidents are responsible for

providing direction and oversight to

senior administrators in major

functional areas (e.g. colleges,

departments, auxiliary operations and

support services)



201/223

Deans, directors, and

department heads areresponsible for executing

those major institution-

wide control policies andprocedures



202/223

Deans, directors, and

department heads are

responsible for designingand implementing control

systems at detailed levels

within their specific units



203/223

Managers and other

supervisory personnel are

responsible for executing

control policies and

procedures at detailed

levels within their specific

units



204/223

Each individual within a

unit is responsible forbeing cognizant ofproper internal controlprocedures associatedwith their specific job

responsibilities



205/223

Internal auditors areresponsible for examining

the adequacy andeffectiveness of theUniversitys internalcontrols, and making

recommendations wherecontrol improvements are

needed



206/223

Internal auditors contribute to theeffectiveness of the controls, but they are

not responsible for establishing ormaintaining them

Internal Controls And Internal Auditors


207/223

Internal auditors are a part of the

internal control system, not the whole

system

Internal Controls And Internal Auditing


208/223

Internal Auditing is an independent,

objective assurance and consultingactivity designed to add value and

improve an organizations

operations.



209/223

Assurance Services

An objective examination of evidencefor the purpose of providing an

independent assessment on risk

management, control, or governanceprocesses for the organization.



210/223

Financial Engagements

Performance Engagements

Compliance Engagements

System Security Engagements

Due Diligence Engagements

Assurance ServicesExamples Include



211/223

Consulting Services

Advisory and related client serviceactivities, the nature and scope of

which are agreed upon with the clientand which are intended to add value

and improve the organizationsoperations.



212/223

Consulting ServicesExamples Include

Counsel Advice

Facilitation

Process Design

Training



213/223

Internal Auditing helps an organization

accomplish its objectives by bringing a

systematic, disciplined approach to evaluateand improve the effectiveness of

Risk management

Control

Governance Processes

Internal Controls And Internal AuditorsTypical Internal Audit Functions


214/223

Appraise the adequacy of the internal

control system



215/223

Verify the existence of University

assets, noting whether or not the assets

are properly safeguarded


216/223



217/223

Perform agreed-upon procedures forclients (departments) that add value

and improve operations of the overallorganization



218/223

Act as an in-house consultant on

internal control matters



219/223

Submit timely audit reports tomanagement, encompassing audit

findings and recommendations forcorrective action



220/223

Perform special projects

or investigations as

requested by managementand board staff or as

mandated by internal

audit charter and IIACode of Ethics


221/223

Internal Controls And Internal Auditors

Internal Auditors Should NOT


222/223

Direct personnel to take

corrective action to

audit recommendations

The adoption of audit recommendations is encouraged;

however, acceptance of audit suggestions is the

responsibility of operating management


223/223

THE END