INTERNAL CONTROLS

2/2/2012 – Mt. Laurel2/7/2012 – Rockaway

2/9/2012 – Robbinsville

Internal Control Guide

• State of New Jersey• Office of the State Comptroller• A. Matthew Boxer, State Comptroller

• November 2011• Report of Fraud Toll Free Hotline 1-866-OSC-TIPS

• Link• http://www.nj.gov/comptroller/doc/internal_control_guide_nov_2011.pdf

Management of Organization

Four Basic Functions

– Planning– Organizing– Leading– Controlling

Effective Management

Allows Managers to:

– Delegate responsibilities to staff

– Have comfort that expectations will be realized

What is Internal Control

COSO (Committee of Sponsoring Organizations)

A process…designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

– Effectiveness and efficiency of operations– Reliability of financial and management data– Compliance with applicable laws and regulations

– Safeguard resources against loss

Internal Control System

• Integral part of managing any organization

• To meet goals and objectives system includes:– Plans– Methods– Procedures

• First line of Defense in safeguarding assets

• Preventing and detecting errors and fraud

IMPORTANCE

• Keeps organization on course• Protects organization by catching small mistakes

• Protects organization by mitigating opportunities for innocent mistakes or internal fraud

• Impacts organization’s people, processes, and physical structure

Fundamental Concepts

• Internal Controls will change with organizational changes

• Degree of control employed is a business judgment

• Cost should not exceed benefit derived

Fundamental Concepts

• Considerations of Weaknesses– Increase supervision– Institute additional or compensating controls– Accept the risk inherent with the control weakness

Fundamental Concepts

• Organizational Self Regulation– Affects every aspect including staff, processes and operations

– Integrated into day-to-day operations and responsibilities

– Incorporates the qualities of good management– Depends upon people– Must make sense within each unique environment

LIMITATIONS• Human errors and poor judgments• Controls can be circumvented by collusion

• Management can intentionally override controls

• Excess costs can prevent management from implementing ideal controls

• More controls are not always better• Balance between risk and controls

– Proactive– Value-added– Cost effective– Decrease exposure

Design Considerations

– Organizational size– Organizational structure– Nature of business operations– Diversity and complexity of operations

– Method of transmitting, processing, maintaining and accessing information

– Applicable legal and regulatory requirements

ONE SIZE DOES NOT FIT ALL!

FRAMEWORK COMPOENENTS

• Control Environment• Risk Assessment• Control Activities• Information &

Communication• Monitoring

Control Environment• Integrity and Ethical Values• Commitment to Competence• Organizational Structure• Organizational Structure• Delegation of Authority and Responsibility

• Relationship with Oversight Agencies• Human Resources Policies and procedures

Risk Assessment• Risk Identification

– Change in operating cycle– New employees– New or enhanced technology systems– New programs– New and revised laws and regulations

• Questions to Ask– What could go wrong– What is worst case scenario– What would cause us to fail– What areas are we most vulnerable– What assets do we need to safeguard

Risk Assessment• Methods

– Periodic management conferences– Executive round tables– Forecasting– Strategic planning– Consideration of findings from audits– Other assessments

• Risk Management– Accept the risk and not institute further controls– Share the risk– Reduce the risk by instituting controls– Avoid the risk by avoiding the function

Control Activities – Specific Policies and Procedures

• Security Assets• Segregation of Duties• Authorization of Activities• Approval, Verification and Reconciliation

• Adequate Documentation• Information Processing• Independent Performance Review

Security Assets

• Unique user IDs and passwords• Physical security of tangible and intangible assets

• Backup for computer records and programs – secure offsite facility

• Disaster recovery plans• Performing periodic unannounced verifications

Segregation of Duties

• Prevent one person from performing incompatible duties

• Require responsibility for operations be separate from related record-keeping

• Ensure three functions of authorizing, recording, and maintaining assets are separate

Authorization of Activities

• Define parameters– Execution of transactions– Requirement of signature– Appropriate monetary thresholds– Documentation requirements adhered to

Approval, Verification and Reconciliation

• Identify activities or transactions that require supervisory approval

• Require supervisory approval to ensure transaction has been validated and conforms

• Prior to transaction review all supporting documentation

Adequate Documentation

• Concise and clear• Implementation of storage and retention policies

• Documents periodically verified to ensure accountability and compliance

Information Processing

• Access within the computing environment controlled by unique user passwords

• Change passwords on a periodic basis

• Restrict Access

Independent Performance Review

• Periodic reconciliations performed• Comparison of different sets of data to identify differences

• Implement necessary corrective actions

• Management review of reports, statements, reconciliations

• Comparison of information about current performance

INFORMATION COMMUNICATION

RelevantReliableTimely

Information and Communication

• Written policies and procedures• Mission statements, goals and objectives• Organization charts• Job descriptions and performance evaluations

• Training materials• Period reports measuring progress towards goals

• Internal/external audit report• Financial reports

Types of Communication

• Performance and management systems• Information systems• Policy and procedure manuals• Management directives• Memos and e-mails• Internet and intranet• Speeches and briefings

Characteristics of Effective Communication

• Relevant information on operational performance

• Current, accurate, complete and timely

• Shared with appropriate staff at right time

• Management receptive to employee recommendations

• Appropriate channels

MONITORING

Assessment of Internal Control performance over time- Self Assessments- Peer Reviews

- Internal Audits

Monitoring should focus on:

• Control Activities• Mission• Control Environment• Communication• Risk and Opportunities

Fraud Awareness

Common Anti-fraud measuresThree elements Present when

Fraud OccursTypes of Fraud

Examples

Common Anti-Fraud Measures

• External Audits• Internal Audits• Fraud Training• Surprise Audits• Establishment of hotline

Three Elements Present

• Opportunity– Caused by ability to circumvent internal controls or internal control weaknesses

• Motive– Pressure or perceived pressure – financial– Greed– Revenge– Thrill Seeking

• Rationalization– Excuse or perceived validation for action

Types of Fraud

• Management Fraud– Top management’s manipulation of financial statements

• Employee Fraud– Embezzlement of assets

• Vendor– Overcharging for goods– Shipping inferior goods– Not shipping goods but billed and payment received

Examples of Fraud

• Theft or misappropriation of assets• Fictitious revenues or

disbursements• Check tampering• Fictitious refunds• Fictitious vendor or employee

payments• False statements• False Overtime• Forgery or alteration of documents• Invoice Kickbacks• Bid Rigging

• Unauthorized use of records• Falsification of Reports• Conflicts of interest• Inaccurate employment records• Authorizing or receiving

compensation for hours not worked

• Incurring obligation in excess of appropriate authority

• Willful violation of laws, regulations, policies or contractual obligations

Indicators of Fraud

• Unsupported or unauthorized transactions

• Missing or altered documents• Inconsistent, vague, or

implausible responses• Denial of access to records• Unusual delays in providing

requested information• Numerous complaints• Significant transactions involving

related-parties• Inadequate or absent internal

controls

• Analytical anomalies• Unexplained inventory shortages• Purchases in excess of needs• Excessive voided transactions• Cash shortages

• A CRITICAL COMPONENT IS PROPER EDUCATION OF EMPLOYEES CONCERING FRAUD AWARENESS

• THE PERCEPTION OF THE POSSIBILITY OF DETECTION IS THE BIGGEST DETERENT