the importance of internal controls lgc resource april 2014
TRANSCRIPT
WHAT ARE INTERNAL CONTROLS?
Processes effected by an entity’s management and other personnel designed to provide assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Control Environment The control environment is the core of any system of
internal control.
It sets the tone for the entire organization.
Factors include: ethical values competence of employees at all levels managements’ operating style and attitude
toward controls
Risk Assessment Risks are INTERNAL and EXTERNAL events
that threaten the accomplishment of objectives. Process of identifying, evaluating, and deciding
how to manage these events….. What is the likelihood of the event occurring? What would be the impact if it were to occur? How do we reduce the risk?
Consideration of Fraud
Control Activities Control Activities consist of the specific policies
and procedures put in place to mitigate the risk of error, noncompliance, and fraud.
(physical inventory count, segregation of duties, authorization of activities, proper backup procedures)
Communication & Information Adequate information must be captured,
identified, and communicated on a timely basis.
Just a reminder…….
ACTIONS SPEAK LOUDER THAN WORDS
MonitoringMonitoring occurs in the course of
everyday operations, it includes regular management & supervisory activities and other actions personnel take in performing their duties.
Simple Definition Internal controls are common sense
procedures that address:
What could go wrong? What steps should be taken to prevent
those events from happening?
Personal Internal Control System
Locking your car when you leave it in the parking lot
Comparing your receipts to your credit card statement
Keeping your banking PIN confidential
Why are Internal Controls Important?
They can catch small mistakes before they become big problems.
They protect employees by removing opportunities for innocent mistakes or intentional fraud.
Why are Internal Controls Important?
Protect the strong from temptation Protect the weak from opportunity Protect the innocent from false accusation
From Once upon Internal Control by James Ulvog, CPA
FRAUD
Frauds discovered in the recent years. Committed by one person Trusted employee Internal controls were either nonexistent or
not monitored
Effective IS Controls Proper back-up procedures
Section 10-7-121, TCA, requires that records maintained electronically be copied to a storage media daily. Storage media more than one week old shall be stored at a location other than at the building where the original is maintained
Effective IS Controls (cont.) Proper back-up procedures
Daily backups should be stored in a secure location within the office.
Weekly backups should be rotated to a secure, fireproof off-site location.
A backup log documenting the location of all backups should be maintained.
Backups should be tested.
Effective IS Controls (cont.) Password Maintenance
All users should have a unique login and password. Shared logins should not be used.
Passwords should remain confidential. Passwords should be changed every 90
days. Passwords of former employees should be
immediately disabled.
Effective IS Controls (cont.) Disaster Recovery Planning
Specific steps to follow to restore system Emergency phone numbers of personnel and
vendors Backup storage location Manual procedures to follow until the system
is restored
Effective IS Controls (cont.) Virus/Spyware Prevention
Virus detection software should be used. Virus definitions should be kept current. All files, e-mail attachments, etc. should be
scanned.
Effective IS Controls (cont.) Policies and procedures manual
Operating system and application security Start-up/shut down procedures Back-up procedures Hardware software maintenance procedures Daily, monthly, and year-end procedures Output distribution list Hardware disposal policy Virus prevention policy
Effective IS Controls (cont.)
Loading Operating System Updates
Restricting Physical Access to System
Proper Application Controls Adequate audit trail exists. Audit logs are maintained and reviewed.
Audit Logs and Other Reports TnCIS
Delete Log Report Out-of Court Payments Report
Trustee Audit Changes By Date Report Unprorated Receipts Report Maximum Posting Date Report
Fund Offices Payroll Check Change Report Maximum Posting Date Report
Reasons why controls don’t always work: Inadequate knowledge of policies or governing
regulations.
“I didn’t know that!”
Form over substance “You mean I’m supposed to do something besides initial/sign it?”
Inadequate segregation of duties
“We trust ‘A’ who does all of these things”
The “Trusted Employee”Per the ACFE’s 2012 Report to the Nations:
87% of the fraudsters studied had never been charged or convicted of a fraud related offense
84% had never been punished or terminated by an employer for fraud-related conduct
What is Segregation of Duties?In general, the main incompatible duties to be segregated are:
Custody of Assets Authorization or approval of related transactions
affecting those assets Recording or reporting of related transactions
What is Segregation of Duties? No employee should be in a position to both
commit fraud or error and conceal it in their normal course of duties.
At least two sets of eyes are required for any
transaction
Example: Movie Theater
What if it’s not possible to properly segregate duties?Use Compensating Controls
Supervisory or other oversight procedures designed to reduce the risk of errors or fraud not being detected
Effective Controls- Cash Receipts and DepositsSeparate cash drawers Prenumbered cash receipts- 9-2-103,
TCAStamp checks “for deposit only” as soon
as they are receivedDrawer checkout proceduresDeposit timely- 3 day deposit lawDeposit Receipts Intact
Effective Controls- Cash Receipts and Deposits (cont.)
Deposit slips should be itemizedSign- “You must receive an official
receipt or your transaction is not complete
Segregate Duties- Employees responsible for receipting should NOT also be responsible for posting receipts to the accounting records.
Effective Controls- Disbursements
Disbursements by official prenumbered checks
Review documentationDo not sign blank checksSegregate duties between writing checks,
signing, distribution, and posting to the accounting records
Effective Controls- Bank Reconciliations One employee should be responsible for
opening the bank statement, reviewing it, and initialing.
A separate employee should reconcile the bank statement monthly
Bank reconciliations should be reviewed by an employee not responsible for reconciling the statement.
Effective Controls- Procurement
Establish clear lines of authority for approving purchases before they occur
Purchase orders Verify availability of appropriations before
purchases are approved Payments for purchases should only be made
after documentation that the goods or services were received
Segregate duties between approval, payment and updating the accounting records
Effective controls- Journal Entries (JE’s) Use a standard journal entry form Supervisory review and approval of all journal
entries Segregate duties between preparation of the
JE, Approval of the JE, and posting to the records
Supervisory review that all JE’s were properly posted to the records
More information? Comptroller’s website has internal control
checklists specifically designed for offices such as
Trustee General Sessions and Circuit Court Clerk Clerk and Master Etc.
www.comptroller.tn.gov