Under the Microscope

Business Officers MeetingMarch 7, 2006

Presented by Randy Van Dyke

Internal Control

Overview

• Quiz

• Background

• Internal Control Defined

• Internal Control Framework

• Self Assessment Checklist

Quiz – Handout Pages 2-4

“First, get your facts. Then you can distort ‘em as you please.”

Mark Twain

Background

A Rough Ride for Business– War on Terrorism / Natural

Disasters– Economic downturn / Aftermath– Financial frauds / Business

failures

Sarbanes Oxley Act

“This law says to every dishonest corporate leader: you will be exposed and punished; the era of low standards is over.”

George W. Bush

Sarbanes Oxley Act

• Audit Committee organization and function

• Companies must document and evaluate the effectiveness of internal controls

• CEOs and CFOs must personally certify financial statement accuracy

Sarbanes Oxley Act

• Outside audit reports must include a statement on the effectiveness of internal controls

• Companies must have in place mechanisms for reporting and investigating wrongdoing (including anonymous reports)

Impact on U

• Board of Regents Policy

• Trustees Audit Committee

– Level of Involvement

– Scope of Oversight

Impact on U

• Ethical Conduct Guidance

• Ethics & Compliance Hotline585-1593

hotline@admin.utah.edu

Core Process Assessments

This assessment focused on internal controls for 15 business processes.

192 risks and related controls were evaluated.

Core Process Assessments

Core Process Assessments

Potential Risk: Unauthorized access to check stock and printing capability.

Primary Control: A secured laser printer is used to print checks at the time they are issued.

College-Wide Reviews

Reviewed 44 potential issues in each of the College’s 14 organizational units.

College-Wide Reviews

Audit Follow-Up

Responsible Person: Peggy HallidayCompletion Date: March 1, 2006

Internal Control Defined

Activities undertaken to increase the likelihood of achieving management objectives in three areas:

– Efficiency and effectiveness of operations

– Financial accountability

– Compliance with laws and regulations

Internal Control Defined

“Internal control gets us where we want to go, with no surprises along the way. Internal control is everyone’s responsibility. . . . Internal control is me.”

Cargill Corporation

Internal Control Framework

Adapted from Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Control EnvironmentControl Environment

Risk AssessmentRisk Assessment

Control ActivitiesControl Activities

MonitoringMonitoringInform

ation & C

omm

unication

Information &

Com

municationIn

form

atio

n &

Com

mun

icat

ion

Info

rmat

ion

& C

omm

unic

atio

n

Control Environment

• Integrity and ethical values• Commitment to Competence• Management Operating Style• Organizational Structure• Assignment of Authority and

Responsibility• Human Resource Policies and

Practices

Risk Assessment

• Organizational Goals and Objectives

• Risk Identification and Prioritization

• Managing Change

Control Activities

• Written Policies and Procedures

• Control Procedures

• Controls over Information Systems

Information & Communication

• Access to Information

• Communication Patterns

Monitoring

• Management Supervision

• Outside Sources

• Response Mechanisms

• Self-assessment Mechanisms

Quiz

1. Internal control starts with a strong set of policies and procedures.

False: Internal control starts with a strong control environment.

Quiz

2. Internal and external auditors are responsible to develop and monitor internal controls.

False: While auditors play an important role, management is the owner of internal control.

Quiz

3. Internal controls are mostly concerned with control over assets, cash receipts, and cash disbursements.

False: Internal control is integral to every aspect of business.

Quiz

4. Internal controls are essentially negative, like a list of “thou-shalt-nots.”

False: Internal control makes the right things happen the first time.

Quiz

5. Internal controls take time away from core activities, such as serving faculty and students.

False: Internal control should be built “into,” not “onto” business processes.

Quiz

6. When delegating authority and empowering employees, it is necessary to give up a certain amount of internal control.

False: Decentralized decision-making requires different forms of control.

Quiz

7. If controls are strong, we can be assured employees will be prevented from committing fraud.

False: Internal control provides reasonable, but not absolute assurance.

Quiz

8. What are some impediments to establishing effective internal controls?

• Lack of knowledge and ‘ownership’

• Lack of creativity• Lack of interest

Links & Contact Information

• Internal Audit Department http://www.utah.edu/Internal Audit/

• Ethics and Compliance Hotline 585-1593; hotline@admin.utah.edu

• Ethical Standards and Code of Conduct http://www.hr.utah.edu/ethicalstandards/

• University of Utah Policies and Procedures http://www.admin.utah.edu/ppmanual/

• COSO http://www.coso.org/• Randy.VanDyke@admin.utah.edu, 581-5988

• Chuck.Piele@admin.utah.edu, 581-6561

• Pamela.Mollner@admin.utah.edu, 585-3529