Title: Internal Controls Training
1 Internal Controls Training
RIT
Steven Morse, CPA, Executive Director Patrick
Didas, CPA, CFE, Associate Director July 21, 2009
2IACAs Mission
- Institute Audit, Compliance Advisement promotes
a strong internal control environment by
objectively and independently assessing risks and
controls evaluating business processes for
efficiency, effectiveness, and compliance
providing management advisory services and
offering training to the University community.
We focus on preserving the resources of the
University for use by our students as they
prepare for successful careers in a global
society.
RIT
2
3Objectives
- What you should know after this class
- five types of business risk
- examples of internal controls and their
components - who relies on RITs internal controls
- who is responsible for RITs internal controls
maintenance and oversight
RIT
3
4What is any organization concerned with?
RIT
4
5What is Risk?
- Anything that could negatively impact the
Institutes (Departments) ability to meet its
business objectives.
RIT
5
6Types of Risk
- Strategic risk that would prevent an area from
accomplishing its objectives. (meeting its
mission). - Financial risk that could result in a negative
financial impact to the Institute. (waste or loss
of assets). - Regulatory (Compliance) risk that could expose
the Institute to fines and penalties from a
regulatory agency due to non-compliance with laws
and regulations. - Reputational risk that could expose the
Institute to negative publicity. - Operational risk that could prevent the
department from operating in the most effective
and efficient manner or be disruptive to other
Institute operations.
RIT
6
7What Does an Organization Do To Mitigate Those
Risks?
Internal Controls
RIT
7
8What are Internal Controls?
- Internal control is a process, effected by
people, designed to provide reasonable assurance
regarding the achievement of objectives in the
following categories - Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with laws and regulations
RIT
8
9Internal Control Types
- Operational promotes operational effectiveness
and efficiency as well as adherence to policies
and procedures. - Examples
- Employee Performance Evaluations
- Project Goals/Milestones, Key Performance
Indicators, - Publishing Policies and Guidelines
- Physical Asset Controls
- System Access Controls Exception Reports
- Management Oversight 3rd Party Verification
- Job Rotation, Cross Training
RIT
9
10Internal Control Types
- Financial designed to safeguard assets and
ensure completeness, accuracy and reliability of
financial records. - Examples
- Ledger Account Reconciliations
- Budget to Actual Reviews
- Oracle Reports
- Fixed Asset Inventory List
- Authorizations and Approvals
- Segregation of Duties
- Trend Analysis
RIT
10
11Internal Control Types
- Compliance ensures compliance with applicable
laws and regulations. - Examples
- Public Safety Crime Reports
- Human Subjects Research Review
- Research Sponsor Agreements and regular review of
adherence - Material Safety Data Sheets
RIT
11
12Components of Internal Control
Source The Committee of Sponsoring Organizations
of the Treadway Commission
Monitoring
Information Communication
Control Activities
Risk Assessment
Control Environment
The COSO Model
RIT
12
13Control Activity Descriptors
- Soft Controls ethics and competency - Tone at
the Top - Hard Controls - segregation of duties (assignment
of authority responsibility) limiting access to
cash - Preventive Controls controls to prevent an
undesirable situation, for example Policies
Procedures, Authorization and Approvals - Detective Controls - controls to detect when an
undesirable condition occurs (after the fact)-for
example reconciliation of ledger account
activity
RIT
13
14Controls Are Everybodys Business
Myth Fact Internal control starts with
a strong Internal control starts with a
strong
set of policies and procedures
control environment Internal control
thats why we have Management is the owner of
the internal auditors.
internal control. Internal control is a
finance thing. Internal control is
integral to every
We do what the
controllers office aspect of the
business.
tells us to do. Internal
controls are essentially Internal
control makes the right things
negative, like a
list of thou shalt happen the first
time, and every time.
nots.
RIT
14
15Controls Are Everybodys Business (continued)
Myth Fact Internal controls are a
necessary Internal controls should be
built into, not
evil. They take time away
from our not onto, business processes.
core activities making products,
making sales, and serving
customers. With downsizing and empower-
With downsizing and empowerment,
ment, we
have to give up a certain we need
different forms of control.
amount of control. If
controls are strong enough, we Internal
controls provide reasonable,
can be sure
there will be no fraud, but not absolute,
assurance that the
and financial
statements will be organizations
objectives will be
accurate. achieved.
RIT
15
16Biggest threats to the Internal Control Structure
RIT
16
17Who Relies On RIT Having a GoodSystem Of
Internal Controls?
- Students, Parents, Alumni, Donors, Research
Sponsors Is their money being converted into
the best value and used in accordance with their
intentions? - Financial Institutions, Rating Agencies RITs
ability to meet its debt payments. - Middle States Is RIT managing resources to best
ensure student interests are served? - Government Is RIT providing a value to the
community, and in compliance with laws and
regulations? - Faculty and Staff Do we work in a well
controlled environment? - RITs Officers and Board Are they confident
that all of the above is happening?
RIT
17
18Who is responsible for Internal Controls
oversight?
- YOU - all employees are risk managers
- Check IACAs web site (forms link) to test your
area of responsibility. - http//finweb.rit.edu/iaca
RIT
18
19Your Role
- Follow RIT policies and procedures they were
designed with Internal Controls in mind - Identify areas in your departments operations
where controls could be strengthened and develop
controls to address the weakness. - Be a good steward of RITs assets
- Use common sense
RIT
19
20RIT Senior Managements Role
- To enhance the control environment, the
Institute is responsible for - Setting standards/policies
- Defining expectations
- Providing training
- Stating its mission, vision, and core values
- Supporting the design of systems to include
built-in detective controls as well as data
security controls - Planning, organizing, directing, controlling
-
-
RIT
20
21Top Control Issues
- The most popular controls weaknesses we find
- Lack of adherence to procurement and travel
policies - Lack of documented review of Oracle reports
- Lack of thorough Oracle ledger documentation
- Hourly employee block time reporting
- Fixed asset inventories
-
-
RIT
21
22A Common Result of Poor Internal Controls
- Fraud definition
- Intentional misrepresentation
- Victim suffers monetary or property loss
RIT
22
23Who Typically Commits Fraud and Why?
The Fraud Triangle
RIT
23
245 minute break
RIT
24
25Video
- Internal Controls for Colleges and Universities
RIT
25
26Case Study 1 Missing Camera
Joe, the hard working staff assistant, is asked
to process a requisition to purchase a new 5,000
camera to be used by a Research Associate (RA)
who is working on a federal grant. Later, when
Joe conducts the annual physical inventory for
the department, as requested by the Property
Control Office, he is not able to locate the
camera in the department. Joe learns the RA was
given permission by the grant administrator to
take the camera home so that he could take photos
at his sisters wedding (that was 2 months ago).
When Joe talks to the department chair about it,
he is told not to worry since the camera wasnt
purchased with university funds (i.e., the grant
paid for it), it would be ok to check it off on
the inventory report even though it had been
removed from the premises.
RIT
26
27Case Study 2 - The New TV
- Jill, a senior staff assistant, is the
departments procurement card holder. Her
manager Anna, the departments budget authority,
travels extensively so Jill occasionally uses a
signature stamp to approve her procurement card
statements. Jill went shopping for a new TV one
weekend. While checking out, Jill mistakenly
used her companys procurement card. On Monday
she received an email from Paymentnet confirming
the purchase when she realized her mistake. - Jill decided to wait until Anna returned from out
of town to ask her advice. Jill was certain Anna
would understand and help her straighten things
out. The statement arrived a week later and Jill
had Jack, the office assistant, approve the
statement since Anna wasnt due back for another
two weeks. - Upon Annas return, Jill had not saved enough
money to repay the company for the TV. Since
Anna had not seen the statement and it had
already been processed by Accounting, Jill
decided not to bring it up. She had been an
exceptional employee for years and had seen many
of her coworkers receive bonuses. She decided it
was her turn. This would be her bonus. She had
earned it.
RIT
27
28To Summarize What Can You Do
- Set the right tone your behavior influences
others. - Be aware of your organizations objectives and
risks. - Adhere to policies and procedures
- Call IACA or the Controllers Office with
internal control questions - Report violations
RIT
28