Internal Controls Training

1
Internal Controls Training
RIT
Steven Morse, CPA, Executive Director Patrick
Didas, CPA, CFE, Associate Director July 21, 2009
2
IACAs Mission

• Institute Audit, Compliance Advisement promotes
  a strong internal control environment by
  objectively and independently assessing risks and
  controls evaluating business processes for
  efficiency, effectiveness, and compliance
  providing management advisory services and
  offering training to the University community.
  We focus on preserving the resources of the
  University for use by our students as they
  prepare for successful careers in a global
  society.

RIT
2
3
Objectives

• What you should know after this class
• five types of business risk
• examples of internal controls and their
  components
• who relies on RITs internal controls
• who is responsible for RITs internal controls
  maintenance and oversight

RIT
3
4
What is any organization concerned with?

• Risks

RIT
4
5
What is Risk?

• Anything that could negatively impact the
  Institutes (Departments) ability to meet its
  business objectives.

RIT
5
6
Types of Risk

• Strategic risk that would prevent an area from
  accomplishing its objectives. (meeting its
  mission).
• Financial risk that could result in a negative
  financial impact to the Institute. (waste or loss
  of assets).
• Regulatory (Compliance) risk that could expose
  the Institute to fines and penalties from a
  regulatory agency due to non-compliance with laws
  and regulations.
• Reputational risk that could expose the
  Institute to negative publicity.
• Operational risk that could prevent the
  department from operating in the most effective
  and efficient manner or be disruptive to other
  Institute operations.

RIT
6
7
What Does an Organization Do To Mitigate Those
Risks?

• Implement

Internal Controls
RIT
7
8
What are Internal Controls?

• Internal control is a process, effected by
  people, designed to provide reasonable assurance
  regarding the achievement of objectives in the
  following categories
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with laws and regulations

RIT
8
9
Internal Control Types

• Operational promotes operational effectiveness
  and efficiency as well as adherence to policies
  and procedures.
• Examples
• Employee Performance Evaluations
• Project Goals/Milestones, Key Performance
  Indicators,
• Publishing Policies and Guidelines
• Physical Asset Controls
• System Access Controls Exception Reports
• Management Oversight 3rd Party Verification
• Job Rotation, Cross Training

RIT
9
10
Internal Control Types

• Financial designed to safeguard assets and
  ensure completeness, accuracy and reliability of
  financial records.
• Examples
• Ledger Account Reconciliations
• Budget to Actual Reviews
• Oracle Reports
• Fixed Asset Inventory List
• Authorizations and Approvals
• Segregation of Duties
• Trend Analysis

RIT
10
11
Internal Control Types

• Compliance ensures compliance with applicable
  laws and regulations.
• Examples
• Public Safety Crime Reports
• Human Subjects Research Review
• Research Sponsor Agreements and regular review of
  adherence
• Material Safety Data Sheets

RIT
11
12
Components of Internal Control
Source The Committee of Sponsoring Organizations
of the Treadway Commission
Monitoring
Information Communication
Control Activities
Risk Assessment
Control Environment
The COSO Model
RIT
12
13
Control Activity Descriptors

• Soft Controls ethics and competency - Tone at
  the Top
• Hard Controls - segregation of duties (assignment
  of authority responsibility) limiting access to
  cash
• Preventive Controls controls to prevent an
  undesirable situation, for example Policies
  Procedures, Authorization and Approvals
• Detective Controls - controls to detect when an
  undesirable condition occurs (after the fact)-for
  example reconciliation of ledger account
  activity

RIT
13
14
Controls Are Everybodys Business
Myth Fact Internal control starts with
a strong Internal control starts with a
strong
set of policies and procedures
control environment Internal control
thats why we have Management is the owner of
the internal auditors.
internal control. Internal control is a
finance thing. Internal control is
integral to every
We do what the
controllers office aspect of the
business.
tells us to do. Internal
controls are essentially Internal
control makes the right things
negative, like a
list of thou shalt happen the first
time, and every time.
nots.
RIT
14
15
Controls Are Everybodys Business (continued)
Myth Fact Internal controls are a
necessary Internal controls should be
built into, not
evil. They take time away
from our not onto, business processes.

core activities making products,

making sales, and serving

customers. With downsizing and empower-
With downsizing and empowerment,
ment, we
have to give up a certain we need
different forms of control.
amount of control. If
controls are strong enough, we Internal
controls provide reasonable,
can be sure
there will be no fraud, but not absolute,
assurance that the
and financial
statements will be organizations
objectives will be
accurate. achieved.
RIT
15
16
Biggest threats to the Internal Control Structure
RIT
16
17
Who Relies On RIT Having a GoodSystem Of
Internal Controls?

• Students, Parents, Alumni, Donors, Research
  Sponsors Is their money being converted into
  the best value and used in accordance with their
  intentions?
• Financial Institutions, Rating Agencies RITs
  ability to meet its debt payments.
• Middle States Is RIT managing resources to best
  ensure student interests are served?
• Government Is RIT providing a value to the
  community, and in compliance with laws and
  regulations?
• Faculty and Staff Do we work in a well
  controlled environment?
• RITs Officers and Board Are they confident
  that all of the above is happening?

RIT
17
18
Who is responsible for Internal Controls
oversight?

• YOU - all employees are risk managers
• Check IACAs web site (forms link) to test your
  area of responsibility.
• http//finweb.rit.edu/iaca

RIT
18
19
Your Role

• Follow RIT policies and procedures they were
  designed with Internal Controls in mind
• Identify areas in your departments operations
  where controls could be strengthened and develop
  controls to address the weakness.
• Be a good steward of RITs assets
• Use common sense

RIT
19
20
RIT Senior Managements Role

• To enhance the control environment, the
  Institute is responsible for
• Setting standards/policies
• Defining expectations
• Providing training
• Stating its mission, vision, and core values
• Supporting the design of systems to include
  built-in detective controls as well as data
  security controls
• Planning, organizing, directing, controlling

RIT
20
21
Top Control Issues

• The most popular controls weaknesses we find
• Lack of adherence to procurement and travel
  policies
• Lack of documented review of Oracle reports
• Lack of thorough Oracle ledger documentation
• Hourly employee block time reporting
• Fixed asset inventories

RIT
21
22
A Common Result of Poor Internal Controls

• Fraud definition
• Intentional misrepresentation
• Victim suffers monetary or property loss

RIT
22
23
Who Typically Commits Fraud and Why?
The Fraud Triangle
RIT
23
24
5 minute break
RIT
24
25
Video

• Internal Controls for Colleges and Universities

RIT
25
26
Case Study 1 Missing Camera
Joe, the hard working staff assistant, is asked
to process a requisition to purchase a new 5,000
camera to be used by a Research Associate (RA)
who is working on a federal grant. Later, when
Joe conducts the annual physical inventory for
the department, as requested by the Property
Control Office, he is not able to locate the
camera in the department. Joe learns the RA was
given permission by the grant administrator to
take the camera home so that he could take photos
at his sisters wedding (that was 2 months ago).
When Joe talks to the department chair about it,
he is told not to worry since the camera wasnt
purchased with university funds (i.e., the grant
paid for it), it would be ok to check it off on
the inventory report even though it had been
removed from the premises.
RIT
26
27
Case Study 2 - The New TV

• Jill, a senior staff assistant, is the
  departments procurement card holder. Her
  manager Anna, the departments budget authority,
  travels extensively so Jill occasionally uses a
  signature stamp to approve her procurement card
  statements. Jill went shopping for a new TV one
  weekend. While checking out, Jill mistakenly
  used her companys procurement card. On Monday
  she received an email from Paymentnet confirming
  the purchase when she realized her mistake.
• Jill decided to wait until Anna returned from out
  of town to ask her advice. Jill was certain Anna
  would understand and help her straighten things
  out. The statement arrived a week later and Jill
  had Jack, the office assistant, approve the
  statement since Anna wasnt due back for another
  two weeks.
• Upon Annas return, Jill had not saved enough
  money to repay the company for the TV. Since
  Anna had not seen the statement and it had
  already been processed by Accounting, Jill
  decided not to bring it up. She had been an
  exceptional employee for years and had seen many
  of her coworkers receive bonuses. She decided it
  was her turn. This would be her bonus. She had
  earned it.

RIT
27
28
To Summarize What Can You Do

• Set the right tone your behavior influences
  others.
• Be aware of your organizations objectives and
  risks.
• Adhere to policies and procedures
• Call IACA or the Controllers Office with
  internal control questions
• Report violations

RIT
28