Overview of Internal Controls

1
Overview of Internal Controls
Internal control is a process designed to
provide reasonable assurance regarding the
achievement of effectiveness and efficiency of
operations, reliability of financial reporting,
and compliance with laws and regulations.
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
2
Overview of Internal Controls
Prepared and Presented by
Dan Allen, MBA, CFE, CISA Student Affairs
Controller and Director of Fiscal Support
Services PH 688-3318 E-mail allen.31_at_osu.edu
IC-02
3
Overview of Internal Controls
Objectives
Define internal controls and relate it to the
day-to-day management of our operations.
We will discuss

• How controls (internal controls) are part of
  the management process
• The purpose of internal controls
• The five interrelated components of internal
  controls
• The relationship between risks, costs, and
  controls
• University-required internal controls and
  sub-certification
• Other important University-related internal
  controls

IC-03
4
Internal Controls Overview Key Management Process
Many people equate controls with accountants and
auditors, however, controls are part of the
day-to-day management process. Internal control
simply refers to the controlling activities that
are performed within an organization.
Management Process (from Wikipedia)
Management process is a process of planning and
controlling the performance or execution of any
type of activity. . . . Organizations top
management is responsible for carrying out this
management process.
IC-04
5
Internal Controls Overview Purpose of Internal
Controls

• Purpose of Internal Controls
• Keeps an organization on course toward its
  objectives and the achievement of its mission,
  and minimizes surprises along the way.
• Promotes effectiveness and efficiency of
  operations, reduces the risk of asset loss, and
  helps to ensure compliance with laws and
  regulations.
• Ensures the reliability of financial reporting
  (i.e., all transactions are recorded and that all
  recorded transactions are real, properly valued,
  recorded on a timely basis, properly classified,
  and correctly summarized and posted.)
• Helps protect our students, our staff, our
  management, and the public.
• Safety
• Integrity
• Reputation

Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
IC-05
6
Internal Controls Overview Components of Internal
Controls

• Internal control consists of five interrelated
  components which all five must be present to
  conclude that internal control is effective.
• The components include
• Control (or operating) environment
• Risk assessment
• Control activities
• Monitoring, and
• Information and communication

Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
IC-06
7
Internal Controls Overview Relationship Between
Risks, Costs and Controls
An effective control system provides reasonable,
but not absolute assurance for the safeguarding
of assets, the reliability of financial
information, and the compliance with laws and
regulations.
Reasonable assurance is a concept that
acknowledges that control systems should be
developed and implemented to provide management
with the appropriate balance between risk of a
certain business practice and the level of
control required to ensure business objectives
are met.
The cost of a control should not exceed the
benefit to be derived from it.
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
IC-07
8
Internal Controls Overview Components of Internal
Controls

• Control Environment the control consciousness
  of an organization. The control environment is
  greatly influenced by the extent to which
  individuals recognize that they will be held
  accountable.

The control environment includes technical
competence and ethical commitment it is an
intangible factor that is essential to effective
internal control. Management is responsible for
setting the tone for the organization by
fostering the highest levels of integrity and
personal and professional standards,
demonstrating a leadership philosophy and
operating style which promotes internal control,
and the assignment of authority and
responsibility.
In a control conscious environment, all employees
are responsible for implementing internal
controls and for reporting or taking other
corrective actions to mitigate possible control
issues/weaknesses.
IC-08
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
9
Internal Controls Overview Components of Internal
Controls

• 2. Risk Assessment the identification and
  analysis of risks associated with the achievement
  of operations, financial reporting, and
  compliance goals and objectives. This, in turn,
  forms a basis for determining how those risks
  should be managed.

Risk is the probability that an event or action
will adversely affect the organization. To
achieve goals and objectives, management needs to
effectively balance risks and controls.
Therefore, control procedures need to be
developed so that they decrease risk to a level
where management can accept the exposure to that
risk. By performing this balancing act
reasonable assurance can be attained.
To achieve a balance between risk and controls,
internal controls should be proactive,
value-added, cost-effective and address exposure
to risk.
IC-09
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
10
Internal Controls Overview Components of Internal
Controls
2. Risk Assessment (continued)

• Risk Analysis
• After risks have been identified, a risk analysis
  should be performed to prioritize those risks
• Assess the likelihood (or probability and
  threat) of the risk occurring
• Estimate the potential impact if the risk were
  to occur consider both quantitative and
  qualitative costs
• Determine how the risk should be managed
  decide what actions are necessary.

Examples of Quantitative costs include the
cost of property, equipment, or inventory, cash
dollar loss, damage and repair costs, cost of
defending a lawsuit, etc. Qualitative costs can
have wide-ranging implications to the University.
These costs may include loss of public trust,
loss of future grants, gifts and donations,
injury to the Universitys reputation, increased
litigation, violation of laws, etc.
IC-10
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
11
Internal Controls Overview Components of Internal
Controls

• Control Activities the actions, supported by
  policies and procedures that, when carried out
  properly and in a timely manner, manage or reduce
  risks.
• Controls can be classified as preventive,
  detective, or corrective controls.
• Preventive controls (P) - attempt to deter or
  prevent undesirable events from occurring.
• 
  They are proactive controls that help prevent a
  loss.
• Detective controls (D) - attempt to detect
  undesirable acts.
• Corrective controls (C) - are procedures that fix
  an error or control situation
• Control activities generally include
• approvals, authorizations, and verifications
• reconciliations,
• reviews of performance,
• security of assets,
• segregation of duties,
• training, and
• controls over information systems.

IC-11
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
12
Internal Controls Overview Components of Internal
Controls

• Control Activities (continued)
• Control Activities Approvals (Preventive)

• Approvers should review supporting documentation,
  question unusual items, and make sure that
  necessary information is present to justify the
  transaction before they sign it. Signing blank
  forms is never allowed. Approval authority is
  delegated in writing and may be linked to
  specific dollar levels. Transactions that
  exceed the specified dollar level would require
  approval at a higher level.
• Key approval controls
• Written policies and procedures
• Limits to authority
• Supporting documentation
• Question unusual items
• No rubber stamps, and
• No blank signed forms

IC-12
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
13
Internal Controls Overview Components of Internal
Controls

• Control Activities (continued)
• Control Activities Reconciliations (Detective)

A reconciliation is a comparison of different
sets of data to one another, identifying and
investigating differences, and taking corrective
action, when necessary Reconciliations help to
ensure the accuracy, completeness of
transactions, and that transactions were properly
approved, that have been charged to a
departments accounts. A critical element of the
reconciliation process is to resolve
differences. Reconciliations should be
documented and approved by management.
IC-13
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
14
Internal Controls Overview Components of Internal
Controls

• Control Activities (continued)
• Control Activities Reviews (Detective)

• Reviewing reports, statements, reconciliations,
  and other information by management is an
  important control activity. Management should
  review such information for consistency and
  reasonableness.
• Management reviews should generally include
• Budget to actual comparison
• Current to prior period comparison
• Performance indicators
• Follow-up on unexpected results or unusual
  items

Reviews of performance provide a basis for
detecting problems. Management should compare
information about current performance to budgets,
forecasts, prior periods or other benchmarks to
measure the extent to which goals and objectives
are being achieved and to identify unexpected
results or unusual conditions which require
follow-up. Managements review of reports,
statements, reconciliations, and other
information should be documented as well as the
resolution of items noted for follow-up.
IC-14
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
15
Internal Controls Overview Components of Internal
Controls

• Control Activities (continued)
• Control Activities Asset Security (Preventive
  and Detective)

• Assets, such as cash, checks, credit cards,
  laptops, vital documents, critical systems, and
  confidential information must be safeguarded
  against unauthorized use or disposition.
  Typically, access controls are the best way to
  safeguard these assets.
• Examples of access controls are
• Locked doors
• Card key systems
• Locked filing cabinet
• Guard
• Computer password
• Data encryption
• Departments with capital assets or significant
  inventories should establish perpetual inventory
  control over these items by recording purchases
  and issuances.
• Periodically, items should be physically counted
  by a person who is independent of the purchase,
  authorization and asset custody functions, and
  the counts should be compared to balances per
  perpetual records.
• Missing items should be investigated, resolved,
  and analyzed for possible control deficiencies
  perpetual records should be adjusted to physical
  counts if missing items are not located.

IC-15
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
16
Internal Controls Overview Components of Internal
Controls

• Control Activities (continued)
• Control Activities Segregation of Duties
  (Preventive and Detective)

• Segregation of duties is critical to effective
  internal control it reduces the risk of both
  erroneous and inappropriate actions. In general,
  the approval function, the accounting/reconciling
  function, and the asset custody function should
  be separated among employees. Segregation of
  duties is a deterrent to fraud because it
  requires collusion with another person to
  perpetrate a fraudulent act.
• No one person should . . .
• Initiate the transaction
• Approve the transaction
• Record the transaction
• Reconcile balances
• Handle assets
• Review reports
• At least two sets of eyes required of all
  transactions

IC-16
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
17
Internal Controls Overview Components of Internal
Controls

• Control Activities (continued)
• Control Activities Segregation of Duties
  (Preventive and Detective)

• Specific examples of segregation of duties
  include
• The person who requisitions the purchase of
  goods or services should not be the person who
  approves the purchase.
• The person who approves the purchase of goods
  or services should not be the person who
  reconciles the monthly financial reports.
• The person who approves the purchase of goods
  or services should not be able to obtain custody
  of checks.
• The person who maintains and reconciles the
  accounting records should not be able to obtain
  custody of checks.
• The person who opens the mail and prepares a
  listing of checks received should not be the
  person who makes the deposit.
• The person who opens the mail and prepares a
  listing of checks received should not be the
  person who maintains the accounts receivable
  records.

IC-17
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
18
Internal Controls Overview Components of Internal
Controls
4. Monitoring the assessment of internal
control performance over time it is accomplished
by ongoing monitoring activities and by separate
evaluations of internal control such as
self-assessments, peer reviews, and internal
audits.

• The purpose of monitoring is to determine whether
  internal control is adequately designed, properly
  executed, and effective.
• Internal control is effective if management and
  interested stakeholders have reasonable assurance
  that
• They understand the extent to which operations
  objectives are being achieved.
• Published financial statements are being
  prepared reliably.
• Applicable laws and regulations are being
  compiled.
• While internal control is a process, its
  effectiveness is an assessment of the condition
  of the process at one or more points in time.

IC-18
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
19
Internal Controls Overview Components of Internal
Controls
5. Information and Communication information
about an organizations plans, control
environment, risks, control activities, and
performance must be communicated up, down, and
across an organization.

• When assessing internal control, the key
  questions to ask about information and
  communication include
• Does the department get the information it
  needs from internal and external sources in a
  form and timeframe that is useful?
• Does the department get information that alerts
  it to internal or external risks (e.g.,
  legislative, regulatory, and developments)?
• Does the department get information that
  measures its performance-information that tells
  the department whether it is achieving its
  operations, financial reporting, and compliance
  objectives?
• Does the department identify, capture, process,
  and communicate the information that others needs
  (e.g., information used by our customers or other
  departments) in a form and timeframe that is
  useful?
• Does the department provide information to
  others that alerts them to internal or external
  risks?
• Does the department communicate effectively
  internally and externally?

IC-19
Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
20
Internal Controls Overview Universitys Internal
Control Questions
What are the primary internal controls that the
University has specified as being required?
IC-20
21
Internal Controls Overview Universitys Internal
Control Questions

• In an effort to assess and improve the
  Universitys internal controls, beginning in
  FY2006, the University requested operations to
  annually assess whether sufficient internal
  control structures are in place to effectively
  identify weaknesses in financial processes and
  systems, and to sub-certify compliance on 16 key
  internal controls.
• The controls status is based on the following
  criteria
• Green generally complies with policies and
  control activities
• Yellow partially complies with policies and
  control activities opportunities for improvement
  exist
• Red routinely does not comply with policies and
  control activities improvement is needed.
• Areas assessed as yellow or red require
  action plans to resolve the control gaps.
• By being required to be assessed annually, these
  16 controls (or control processes) should be
  assumed to be required University controls.

IC-21
22
Internal Controls Overview Universitys Internal
Control Questions
Does the College/Office . . .

1. Require staff with fiscal responsibilities to
   attend system training offered by OIT and
   financial training offered by the Controllers
   Office?
2. Follow personnel and payroll policies set forth
   by the Office of Human Resources?
3. Have an effective control structure that includes
   monitoring activities, to ensure compliance with
   University policies regarding use of Procurement
   Cards?
4. Have processes and monitoring activities in place
   to ensure compliance with the guidelines on
   alcohol, meals, entertainment, recruiting,
   cellular phones, employee recognition events,
   professional dues and subscriptions, and payment
   for services set forth in the University
   Expenditure Policies?
5. Have processes and monitoring activities in place
   to ensure compliance with University Travel
   Policies?

IC-22
23
Internal Controls Overview Universitys Internal
Control Questions
Does the College/Office . . .

• Coordinate all gift and fundraising activities
  with the Office of University Development?
• Process all sponsored research proposals and
  agreements through the OSU Research Foundation?
• Submit proposed rates and earnings budgets to
  Resource Planning for all operations that sell
  goods or services?
• Maintain supporting documentation for its
  financial transactions, in accordance with
  retention guidelines set forth by University
  Archives?
• Perform monthly reconciliations of transactions
  appearing in its general ledger reports (e.g.
  payroll, purchasing, travel, etc.) to internal
  source documents?
• Have an established process for reporting
  financial errors, problems, etc. to senior
  administrators within the college?

IC-23
24
Internal Controls Overview Universitys Internal
Control Questions
Does the College/Office . . .

1. Reconcile all non-cash assets and liabilities to
   supporting detail on a monthly basis?
2. Have processes and monitoring activities in place
   to ensure compliance with fund restrictions
   imposed by donors, granting agencies and other
   resource providers?
3. Have processes and monitoring activities in place
   to ensure compliance with University Treasurer
   policies on cash handling (including separation
   of duties, timely preparation of deposits, rules
   on petty cash/change funds, management review of
   deposit corrections, and reporting of cash
   shortages to Internal Audit and OSU Police)?
4. Require faculty and staff with fiscal
   responsibilities to understand and observe the
   Ohio Ethics Law?
5. Have processing and monitoring activities in
   place to ensure effective custody over non-cash
   assets, including maintenance of accurate
   equipment inventory records, measures to prevent
   loss/theft of items, and compliance with
   University surplus/disposal policies?

IC-24
25
Internal Controls Overview Other University
Internal Controls

• The following are other important
  University-related internal controls or
  requirements
• Emergency Management and Business Continuity
  Plans.
• PeopleSoft access security, limiting access and
  functionality.
• Conflict of Interest disclosures completed
  annually.
• University error/violation reporting procedures
  and anonymous reporting line.
• Dollar limits for transactions, such as for
  purchases and authorizations.
• Requirement for budgets and frequent
  comparisons of budget to actuals.
• Requirement of submission of fees and rates,
  and approval by BOT.
• Payroll certifications.

IC-25
26
Internal Controls Overview Other University
Internal Controls

• Other important University-related internal
  controls (continued)
• Requirement to tag all items purchased over a
  dollar threshold.
• Maintain listings of delegation of
  authorities.
• Requirements for background checks for staff
  (based on responsibilities).
• Multiple ways to perform purchasing, reducing
  risk of not being able to purchase items that are
  needed.
• Independent controls monitoring and reporting
  by the Department of Internal Audit.
• Independent controls monitoring and reporting
  by external auditors (for the State).
• (just to name a few . . . )

This completes the course material, now lets
summarize.
IC-26
27
Internal Controls Overview Summary
Summary Management Process

• Effective internal control is a built-in part of
  the management process of planning and
  controlling.
• Keeps an organization on course toward its
  objectives and the achievement of its mission,
  and minimizes surprises along the way.
• Promotes effectiveness and efficiency of
  operations, reduces the risk of asset loss, and
  helps to ensure compliance with laws and
  regulations.
• Ensures the reliability of financial reporting
  (i.e., all transactions are recorded and that all
  recorded transactions are real, properly valued,
  recorded on a timely basis, properly classified,
  and correctly summarized and posted.)
• Helps protect our students, our staff, our
  management, and the public.
• Safety
• Integrity
• Reputation

Summary Purpose of Internal Controls
IC-27
28
Internal Controls Overview Summary
Summary 5 Components of Internal Controls

• Internal control consists of five interrelated
  components which all five must be present to
  conclude that internal control is effective. The
  components include
• Control (or operating) environment
• Risk assessment
• Control activities
• Monitoring, and
• Information and communication

Source Understanding Internal Controls, A
Reference Guide for Managing University Business
Practices, by University of California.
IC-28
29
Internal Controls Overview Summary
Summary Overall Purpose
The purpose of this class was to provide an
overview of internal controls and to relate
internal controls to the day-to-day management of
operations. Have we achieved our objective?

• If you have questions about internal controls,
  please contact
• Your Senior Fiscal Officer or other appropriate
  unit staff
• University Controllers Office, or
• Internal Audit

Thank you for your participation!!
Please complete the course review questions.
Successful completion of the review questions is
required to indicate completion of the course.
IC-29