County of Riverside ■ Office of the Auditor-Controller
Understanding Internal Controls
Presented by
Megan Gomez, Internal Auditor
Audit & Specialized Accounting Division
Training Objectives
What you should know after this discussion
– Internal Control
• Myths & Facts
• Definitions
• Who needs it?
– Components of Internal Control
– Making it real
– How you can help!
Internal Controls Are…
Actions taken by management, the board of supervisors, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved.
Myths & Facts
• MYTH #1:
Internal Control – That’s the Internal Auditors’ job!
• FACT #1:
While Internal Auditors do play a key role in the system of control, management is the primary owner of internal control.
Myths & Facts
• MYTH #2:
Internal Control starts with a strong set of policies and procedures.
• FACT #2:
Internal Control starts with a strong control environment.
Myths & Facts
• MYTH #3:
Internal Control is a finance thing.
• FACT #3:
Internal Control is integral to every aspect of business.
Myths & Facts
• MYTH #4:
Internal Controls are essentially negative, like a list of “thou-shalt-nots”.
• FACT #4:
Internal Control makes the right things happen the first time, and every time.
Myths & Facts
• MYTH #5:
If controls are strong enough, we can be sure financial statements will be accurate.
• FACT #5:
Internal Control provides reasonable, but not absolute, assurance that the organization’s objectives will be achieved.
Myths & Facts
• MYTH #6:
Internal Controls take time away from our core activities of making products and serving customers.
• FACT #6:
Internal Controls should be built “into”, not “onto”, business processes.
Myths & Facts
• MYTH #7:
With budget cuts and downsizing, we have to give up a certain amount of control.
• FACT #7:
With budget cuts and downsizing, we need different forms of control.
Internal Control “gets us to where we want to go, without surprises along the way.
Internal Control is everyone’s responsibility…
Internal control is me.”
-From Cargill Corporations’ Internal Control Statement
What Internal Controls do…
• Communicate vision and objectives
• Protect assets
• Comply with laws and regulations
• Provide boundaries
• Utilize resources efficiently & effectively
• Promote financial reliability and integrity
• Monitor results
• Provide feedback
Examples of Internal Control
Think about what you do…at home:
• Lock your home and vehicle
• Keep your ATM/debit card PIN number secure
• Review bills and statements before paying them
• Reconcile your bank statement
• Don’t leave blank checks or cash lying around
• Expect your children to ask permission before they do certain things
Examples of Internal Control
Think about what you do…at work:
• Lock County vehicles, desk drawers
• Change your computer passwords, keep secure
• Check vendor invoices against source documents
• Locked cash drawers, secure storage for warrants
• Daily deposit of cash receipts
• Authorization required for certain activities
So… who needs it?
Components of Internal Control
Who is responsible for Internal Control?
Management
Components of Internal Control
Control Environment
The foundation upon which everything rests
Control Environment
Key Factors -
Management’s Attitude:
“Tone at the Top”
Individual Attributes:
Integrity, ethical values, competence
Components of Internal Control
Risk Assessment
What is Risk?
Anything that could negatively impact the County’s ability to meet its operational objectives.
Changes that Affect Risk Levels
• Globalization
• Organizational Ethics
• Financial Demands
• Technology
• Consolidations and Alliances
• Legislative Imperatives
Risk cannot be avoided or ignored!
How to Identify Risk
• What could go wrong?
• How could we fail?
• What must go right to succeed?
• What decisions require the most judgment?
• What activities are the most complex?
• What activities are regulated?
• On what do we spend the most money?
• How is related revenue collected?
• On what information do we rely most?
• What assets do we need to protect?
• How could our operations be disrupted?
5 Types of Risk
• Strategic
• Financial
• Regulatory (Compliance)
• Reputational
• Operational
Conditions that Increase Risk
• Lack of segregation of duties
• Too much trust
• Lack of follow-up
• Lack of knowledge of Policies & Procedures
• Lack of control over:
– Cash
– Purchasing of supplies/materials
Components of Internal Control
Control Activities
Control Activities
Actions supported by policies and procedures that help assure management directives that address risks are carried out properly and in a timely manner.
Examples of Control Activities
• Authorization and approval procedures
• Review of operating performances
• Supervision: assigning, reviewing/approving, guidance, training
• Segregation of duties
• Controls over access to resources and records
• Reconciliations
• Verifications
• Reviews of processes and activities
Types of Control Activities
• Directive
• Preventive
• Detective
• Corrective
• Recovery
Policies & Procedures
Purchase Requisition Approval Procedures
Passwords
Data input validation
Cash Counts
Bank Reconciliations
Payroll report review
Compare statements to source documents
Compare budget to actual spending
Components of Internal Control
Monitoring
Monitoring Activities
• Ongoing Monitoring
– Covers each component
– Action against deficiencies
• Separate Evaluations
– External auditors
– Internal auditors
– Findings reported to management
Components of Internal Control
Information & Communication
Information & Communication
• Management Decisions
• Reliable Reporting
• Effective Communication
Quick Quiz!
Which of the following best describes segregation of duties:
1) Split the work so no one has to work more than anyone else.
2) When you make sure you have one person reconciling all the transactions.
3) Procedures designed to ensure one individual cannot complete an entire transaction.
4) Something you can only achieve when you have at least five accounting personnel.
Quick Quiz!
Until deposited, cash receipts should be stored:
1) In a sealed Ziplock bag.
2) In a zippered bank bag in the Department Head’s desk drawer.
3) In a secured, locked location at the department/division.
4) By the Department Head in his/her home for safekeeping.
Quick Quiz!
Checks should be restrictively endorsed just prior to deposit.
TRUE
FALSE
Case Studies
“The Employee Bonus”
“The Favored Vendor”
Stories summarized from Internal Auditor magazine
Recent Headlines
September 23, 2008 Press Enterprise
“Former Fire Department employee pleads guilty in $1.2 million embezzlement scheme”
September 21, 2008 Personal Computer World
“Downturn brings risk to the fore”
September 21, 2008 The Washington Post
“Financial titans’ fall promises big shifts ahead”
December 6, 2007 Press-Enterprise
“Redlands treasurer pleads not guilty; his attorney reports “bombshell: two sets of books”
November 3, 2007 The Californian
“Murrieta audit notes deficiencies”
August 2006 GovPro.com
“P-card transactions raise control concerns”
Why Controls Don’t Always Work
• Inadequate knowledge of policies or governing regulations
• Inadequate segregation of duties
• Inappropriate access to assets
• Form over substance
• Control override
• Inherent limitations
Control Awareness Can…
• Create a culture in which every employee understands internal control.
• Make internal control an integral part of everyone’s job responsibilities.
• Effectively manage risk.
How you can help!
• Current policies and procedures
• Communicate authorization limits
• Safeguard assets and data
• Document control
• Visible/legible authorization
• Understand your risks
• Adhere to County policies and codes
How you can help!
• Establish Objectives and Measures
• Track performance
• Evaluate Success!
How you can help!
When thinking about controls, consider:
– Propriety of transactions
– Reliability/integrity of information
– Compliance with policies & regulations
– Safeguarding assets
– Economy/efficiency of operations
Internal Auditing Can Help
Control self-assessment (CSA) program
Questions