
Understanding Internal Controls

Internal Audit Division


Edward A. Dion County Auditor's Office

Why are we here?




- The County's emphasis on internal controls.
- Give you tools to prepare:
  - System Implementation
  - On-going Operations

Training Objectives


- Convey that management is responsible for internal controls.
- Convey that all employees of the County are responsible for compliance with internal controls.
- Give you tools to establish, document, and maintain a system of internal controls.

Why is this important?

- Reduces the likelihood of errors and irregularities resulting in:
  - Efficient and effective departments
  - Good custodianship of County Resources
  - Compliance with laws and regulations

What is internal control?




Definition:
- Ongoing process
- Effected by everyone
- Reasonable--not absolute--assurance
- Applies to:
  - Operations objectives
  - Financial reporting objectives
  - Compliance objectives

Internal Control is a Process




The internal control process has five components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

All five must be present to be effective.

Internal Control Process




Control Environment - What is a control environment?

- It is the control consciousness of an organization.
- It is the extent to which management and employees are committed to doing what's right and doing it the right way.
- It encompasses technical competence and ethical commitment.
- It is an intangible factor that is essential to effective internal control.

Control Environment - What is a good environment?

- Code of ethics; standards of conduct.
- Ethical behavior.
- Good hiring practices.
- Adequate training.
- Clear policies and procedures.
- Employee development.
- Assignment of authority and responsibility.

Risk Assessment - Determine goals and objectives.

- Internal control is pointless without goals and objectives.
- Written goals and objectives focus efforts toward desired outcomes.
- Written goals and objectives provide a rationale for resource allocation.

Risk Assessment - What objectives do we need?

- Operations objectives.
- Financial reporting objectives. (All transactions are recorded, all recorded transactions are real, properly valued, timely, properly classified, and correctly summarized and posted.)
- Compliance objectives.
- Related to Department/Agency and activity.

Risk Assessment - Identify risks.

- A risk is anything that could jeopardize the achievement of an objective.
- Once identified, a risk analysis is performed where risks are ranked/prioritized in order to address significant risks.

Risk Assessment - How do we identify risks?

- You know your risks.
- For each objective, ask yourself:
  - What could go wrong?
  - What assets do we need to protect?
  - How could someone steal from us?
  - What is our greatest legal exposure?
- Identify risks at the department level and at the activity (or process) level.

Risk Assessment - What is risk analysis?

- Risk analysis is the process of determining which risks are significant. It involves ranking/prioritizing.
- For each identified risk, ask two questions:
  - What is the likelihood of occurrence?
  - What is the potential impact?
- A risk is significant if it has a reasonable likelihood of occurrence and a large potential impact.

Control Activities - What control activities do we need?

- Enough to help ensure that you are managing your significant risks.
- Actions should be taken and control activities should be performed to mitigate significant risks to prudently acceptable levels.
- Control activities can be preventive and detective, and include approvals, reconciliations, reviewing reports, securing assets, segregating duties, and Information Technology controls.

Control Activities - Preventive & Detective Controls




Preventive Controls:
- They attempt to deter or prevent undesirable events from occurring.
- Examples: separation of duties and proper authorization.

Detective Controls:
- They attempt to detect undesirable acts.
- Examples: reviews and reconciliations.

Control Activities - What needs to be approved? (Preventive)

- It depends on the risk assessment.
- High risk activities should be approved by management.
- Generally, high dollar transactions should be approved by the Director of the department or agency.
- Approval means that the approver has reviewed the supporting documentation and is satisfied that the transaction is appropriate.

Control Activities - What needs to be reconciled? (Detective)

- It depends on the risk assessment.
- Information about high risk activities should be reconciled to ensure its accuracy and completeness.
- Reconciliations compare different sets of data (check logs/deposit slips to financial reports).
- Generally, monthly financial reports from Auditor-Controller should be reconciled to departmental records.

Control Activities - What reports should be reviewed? (Detective)

- It depends on the risk assessment.
- Information about high risk activities should be reviewed by management.
- Generally, the Director should review reports which compare budget to actual and prior year to current year amounts:
  - To measure performance.
  - To detect problems.
- Management's review should be documented.

Control Activities (Preventive & Detective) - What assets need to be secured?

- It depends on the risk assessment.
- Liquid assets, assets with alternative uses, dangerous assets, vital documents, critical systems, and confidential information need to be secured.
- Access to these assets should be restricted.
- Perpetual records should be maintained; periodic physical counts should be performed--differences should be checked.

Control Activities (Preventive & Detective) - What duties need to be segregated?

- It depends on the risk assessment.
- The approval, accounting/reconciling, and asset custody functions should be segregated.
- Generally, duties related to cash receipts and purchases are high risk and should be segregated.

Control Activities - Information Systems General Controls

- Apply to entire information systems and all applications which reside on the systems.
- Maintain the integrity & availability of networks, information processing functions, & associated application systems.

Control Activities - General Controls (Preventive and Detective)

General Controls Include:
- Access Security, Data & Program Security, Physical Security
- Software Development & Program Change Controls
- Data Center Operations
- Disaster Recovery

Control Activities - Application Controls (Preventive and Detective)

Application Controls:
- Specific to Computer Application Systems
- Prevent, Detect, and Correct Errors and Irregularities
- Programmed Procedures Within Application Software

Control Activities - Application Controls (Preventive and Detective)

Application Controls Include:
- Input Controls - Authorized & Validated Data, Errors Detected, Corrected
- Processing Controls - Ensure Data Not Lost, Mishandled
- Output Controls - Accurate, Complete, Properly Distributed Data
- Examples:
  - Edit Checks
  - Record Counts
  - Distribution Lists

Control Activities - Balancing Risks and Controls

Excessive Risks:
- Loss of Assets
- Poor Business Decisions
- Noncompliance
- Increased Regulations
- Public Scandals

Excessive Controls:
- Increased Bureaucracy
- Reduced Productivity
- Increased Complexity
- Increased Cycle Time
- Increased No-Value Activity

Information and Communication - Why information and communication?

- Employees need information to do their jobs; management needs information to effect control.
  - Information about plans, risks, and performance.
  - Information in a form and time frame that is useful.
  - Information from internal and external sources.
- When completing a Business Controls Worksheet for a significant activity (or process), evaluate the quality of related information and communication systems.

Monitoring - What is monitoring?

Monitoring is the assessment of internal control performance over time to determine whether internal control is adequately designed, properly executed, and effective.
- Ongoing supervisory activities
- Periodic evaluations
  - Self-assessment
  - Peer review
  - Internal audit

Monitoring - When is internal control effective?

- All five internal control components are present and functioning as designed.
- The Commissioners Court and management have reasonable assurance that:
  - They understand the extent to which operations objectives are being achieved.
  - Published financial statements are being prepared reliably.
  - Applicable laws and regulations are being complied with.
