Training Objectives
Convey that management is responsible for internal controls. Convey that all employees of the County are responsible for compliance with internal controls. Give you tools to establish, document, and maintain a system of internal controls.
Definition
Ongoing
The internal control process has five components: control environment, risk assessment, control activities, information and communication, and monitoring. All five must be present to be effective.
is the control consciousness of an organization. It is the extent to which management and employees are committed to doing what's right and doing it the right way. It encompasses technical competence and ethical commitment. It is an intangible factor that is essential to effective internal control.
Code of ethics; standards of conduct. Ethical behavior. Good hiring practices. Adequate training. Clear policies and procedures. Employee development. Assignment of authority and responsibility.
Internal control is pointless without goals and objectives. Written goals and objectives focus efforts toward desired outcomes. Written goals and objectives provide a rationale for resource allocation.
Operations objectives. Financial reporting objectives. (All transactions are recorded, all recorded transactions are real, properly valued, timely, properly classified, and correctly summarized and posted.) Compliance objectives. Related to Department/Agency and activity.
A risk is anything that could jeopardize the achievement of an objective. Once identified, a risk analysis is performed where risks are ranked/prioritized in order to address significant risks.
What could go wrong? What assets do we need to protect? How could someone steal from us? What is our greatest legal exposure?
Identify risks at the department level and at the activity (or process) level.
Risk analysis is the process of determining which risks are significant. It involves ranking/prioritizing. For each identified risk, ask two questions:
What
A risk is significant if it has a reasonable likelihood of occurrence and a large potential impact.
Enough to help ensure that you are managing your significant risks. Actions should be taken and control activities should be performed to mitigate significant risks to prudently acceptable levels. Control activities can be preventive and detective, and include approvals, reconciliations, reviewing reports, securing assets, segregating duties, and Information Technology controls.
Preventive Controls: They attempt to deter or prevent undesirable events from occurring. Examples: separation of duties and proper authorization.
Detective Controls: They attempt to detect undesirable
It depends on the risk assessment. High risk activities should be approved by management. Generally, high dollar transactions should be approved by the Director of the department or agency. Approval means that the approver has reviewed the supporting documentation and is satisfied that the transaction is appropriate.
It depends on the risk assessment. Information about high risk activities should be reconciled to ensure its accuracy and completeness. Reconciliations compare different sets of data (check logs/deposit slips to financial reports). Generally, monthly financial reports from Auditor-Controller should be reconciled to departmental records.
It depends on the risk assessment. Information about high risk activities should be reviewed by management. Generally, the Director should review reports which compare budget to actual and prior year to current year amounts.
It depends on the risk assessment. Liquid assets, assets with alternative uses, dangerous assets, vital documents, critical systems, and confidential information need to be secured. Access to these assets should be restricted. Perpetual records should be maintained; periodic physical counts should be performed--differences should be checked.
It depends on the risk assessment. The approval, accounting/reconciling, and asset custody functions should be segregated. Generally, duties related to cash receipts and purchases are high risk and should be segregated.
Apply to entire information systems and all applications which reside on the systems. Maintain the integrity & availability of networks, information processing functions, & associated application systems.
Security, Data & Program Security, Physical Security. Software Development & Program Change Controls. Data Center Operations. Disaster Recovery.
Application Controls: Specific to Computer Application Systems. Prevent, Detect, and Correct Errors and Irregularities. Programmed Procedures Within Application Software.
Controls - Authorized & Validated Data, Errors Detected, Corrected. Controls - Ensure Data Not Lost, Mishandled.
Processing Output
Examples
Excessive Risks
Loss of Assets. Poor Business Decisions. Noncompliance. Increased Regulations. Public Scandals.
Excessive Controls
Increased Bureaucracy. Reduced Productivity. Increased Complexity. Increased Cycle Time. Increased No-Value Activity.
Employees need information to do their jobs; management needs information to effect control.
Information about plans, risks, and performance. Information in a form and time frame that is useful. Information from internal and external sources.
When completing a Business Controls Worksheet for a significant activity (or process), evaluate the quality of related information and communication systems.
Monitoring: What is monitoring?
Monitoring is the assessment of internal control performance over time to determine whether internal control is adequately designed, properly executed, and effective.
Ongoing supervisory activities. Periodic evaluations.
All five internal control components are present and functioning as designed. The Commissioners Court and management have reasonable assurance that:
They understand the extent to which operations objectives are being achieved. Published financial statements are being prepared reliably. Applicable laws and regulations are being complied with.