sasbo conference april 29, 2008 presenters: kathy h. isenhour, cpa associate superintendent hickory...
TRANSCRIPT
SASBO Conference April 29, 2008
Presenters:Kathy H. Isenhour, CPAAssociate SuperintendentHickory Public SchoolsHickory, NCLynne E. Hensley,Retired CFO and ConsultantBurnsville, NC
Developing An Internal Control Plan For Your LEA
In-ter-nal Con-trol
Internal- Of or on the inside: having to do with or belonging to the
inner nature of a thing
Control- To exercise authority over, direct
Internal Control Defined
The plan of organization and all of the co-ordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies.
SAP No. 33
Internal Control Pronouncements
SAS No. 1 (SAS 104-Amendment to SAS 1)
Accounting controls: Safeguarding of assets, reliability of financial records
Managerial controls: Promote operational efficiency, encourage adherence to prescribed managerial
Changes to Scope of Audit as a result of SAS 112-Communicating Internal Control Matters Identified in an Audit
Expands the quality and depth of the auditor’s required understanding of the entity and its environment including internal control
Requires the auditor to assess the risks of material misstatements at the financial statements
Emphasizes importance of the entity’s risk assessment process
Overall Changes to Audit Processin relation to Internal Control Matters
Auditor must evaluate identified control deficiencies
Auditor required to communicate in writing significant deficiencies and material weaknesses to management and Board of Education.
SAS takes away the option to communicate orally matters related to deficiencies and weaknesses.
Auditor to Evaluate Design of Internal Controls
Auditor will specifically review : Points where transactions are
– Initiated– Processed– Recorded– Reported
and will assess risk that errors may not be
prevented and detected
Examples of Deficiencies:
Inadequate design of internal control over the preparation of the financial statements being audited
Employees or management who lack qualifications & training to fulfill their assigned functions (unfamiliar with GAAP)
Inadequate documentation of the components of internal control
Inadequate design of monitoring controls Inadequate design and control of information
technology Q & A survey no longer adequate
Components of An Internal Control Plan
When developing and writing an internal control plan, the
plan should address the following:
Control the environment Define the risks Control activities to minimize risk Inform and communicate procedures and policies Monitor activities
Control Environment
Controlling the environment is greatly influenced by the extent to which individuals recognize they will be held accountable
Control Activities
Who is responsible?
The Board of Education, Superintendent and Chief Finance Officer are ultimately responsible for identifying the financial and compliance risks and for designing, implementing and monitoring the internal control system for the Local Education Agency.
Tips to enhance a department’s control environment
Administrative Procedures Employee Handbook stating policies and procedures Finance Department Standards of Conduct Clearly defined job descriptions Adequate training Appropriate disciplinary action when an employee
does not comply
Risk Assessment
Identify the risks by determining:
What could go wrong Where there are vulnerabilities How theft and fraud could take place What assets need to be protected
Expect Auditor to ask these questions
Some Examples of High Risk Transactions
Petty Cash ( if high volumes are processed)
Cash Receipts Travel Expenditures Equipment Purchases Payment to Non-Vendors Supplies for Maintenance and Bus Garage
Characteristics of Fraud
Generally there are three requirements for fraud to occur:
• motivation – need for money• opportunity- weakness in internal controls• personal characteristics-willingness to commit the crime
It is difficult to have an effect on an individual’s motivation for fraud, but having an effective internal control plan can remove opportunities to commit fraud.
Control Activities
General Controls include: Access Security including data and
program security Physical Security Software and program change controls Disaster Recovery
Software Application Controls
Input controls -authorized users
-error listings -limit checks written; dollar amounts -self-checking digits for duplicates Processing controls
-control totals -audit trails Output controls -listing of master file changes
-distribution of registers -review of output
Examples of Control Activities
Approvals, Authorizations, and Verifications ( Preventive)
Reconciliations –Bank Statements, External Reports (Detective)
Access to Equipment, Inventories, cash is limited and periodically counted and compared to previous inventory (Preventive and Detective)
Segregation of Duties (Preventive)
Segregation of Duties
No one person should Initiate the transaction Approve the transaction Record the transaction Reconcile balances Handle assets Review reportsEven in the smallest LEAs –at least Two Sets of EYES
Balancing Risk and Control
Internal controls should be proactive,
value added, cost-effective and address the
exposure to risk.
The cost of a control should not exceed the benefit to be derived from it.
Information and Communciation
Information and communication are
essential to effecting control.
Reliable and relevant information from both
internal and external sources must be
identified, processed and communicated to
people in a timeframe that is useful.
Communication
Communication can be formal or informal Communication as simple as staff meetings can
provide input and feedback relative to the LEAs operations, financial reporting and compliance reporting.
Employees often provide some of the most critical information needed to identify risks and opportunities for wrong doing.
Monitoring
Monitoring is the assessment of internal control
performance over time; it is accomplished by ongoing
monitoring activities such as: Annual evaluation of personnel Conduct periodic internal audits Review applicable laws and regulations to ensure
compliance
Effectiveness of Internal Control Plan
Internal control is effective and adequatelydesigned if all internal control components areproperly executed and functioning as planned:
Control of the environment Assessment of the Risks Control the Activities Information and Communication Monitoring
What is the Price for NOT Having Good Internal Controls?
Loss of public trust Loss of future grants School system’s reputation Violation of laws
Elements To Use in Internal Control Exercise
Bank Statement Reconciliation
Vending Machine Change
Payroll Master File
Maintenance
Facsimile Signature (Rubber Stamp)
Travel Reimbursement Claim
Plumbing Contractor
Cafeteria Daily Cash Collection
Superintendent’s Sister-in-Law
Individual School Fund Raising Receipts
Parts for School Bus Garage
Sample Internal Control PlanControl Activities for Budget
Hickory Public Schools
Control Activities for Budget
I. The Board of Education adopts an annual budget for all funds in accordance with state statutes.
II. Budget amendments over $10,000 are required to be approved by the Board of Education.
III. Accounting principals used in the budget preparation are the same as those used in preparing the financial statements.
Sample Internal Control PlanControl Activities for Cash Receipts
Hickory Public SchoolsControl Activities for Cash
I. Mail is opened and a list of daily receipts is prepared by the receptionist.
II. Checks are forwarded to accounts receivable to process daily deposits.
III. Deposits are made daily when cash/checks exceed $50.IV. Cash receipts are promptly and accurately recorded as to
the account, amount and date.V. Petty Cash is permissible not to exceed $25 at reception
area for change when citizens request transcripts.VI. Reconciliation is done monthly to reconcile cash collected to
receipts.
