School Board Audit Committee Training

Module 3

Evaluation of Internal Controls

1

Session Objectives

2

After completing this session you will:

Understand internal controls and why they are important

Distinguish between preventative and detective controls

Be Familiar with the COSO Framework• Control Environment• Risk Assessment• Internal Controls• Information & Communication• Monitoring

Understand how internal controls moderate inherent risk, reducing the likelihood and /or significance of a risk (resulting in residual risk)

Appreciate the competing demands of process efficiency and effectiveness

Understand the Audit Committee’s responsibilities related to internal controls

3

Audit Committee Duties related to Internal Controls[ON Regulation 361/10 9(2)]

• To review the overall effectiveness of internal controls.

• To review the scope of the internal and external auditor’s reviews of internal controls, as well as the findings, recommendations and management’s responses.

• To discuss with School Board officials the significant financial risks and the measures the officials have taken to monitor and manage these risks.

A definition of the internal control process

4

It is a “process effected by an entity’s board of directors/trustees, management, and other personnel, designed to provide reasonable assurance regarding the achievement of business objectives” Compliance

Compliance with law and regulations

FinancialPreparation of

reliable financial

statements

OperationsEffective and

efficient use of resources

Internal controls are needed to help achieve key business objectives

Internal control objectives

The objectives of an internal control system are as follows:

1. Enforce organizational policies and rules

2. Promote the effectiveness and efficiency of operations and optimize the use of resources

3. Increase the reliability of financial/management/ministry reporting

4. Ensure compliance with applicable laws and regulations

5

“The system of Internal Control is dependent on people”

• Whereas manuals and forms are tools used by people, it is people that make or break the internal control system.

• Without proper control education and motivation, people cannot and will not make the internal controls system work.

• Individuals will support the internal control system when they understand the system’s benefits to their personal interests and then to the organization. Without such an understanding, employees are apathetic at best and at worst, will fight the system.

• A control must have Substance over Form, and NOT Form over Substance.

6

Example: Directors are required to review and approve invoices prior to payment. However; if the director approves a stack of invoices at the end of a week in a five minute period, you must question whether the control is not operating effectively.

“Internal controls can be expected to provide only reasonable assurance, not absolute assurance”

• Internal controls should not be expected to guarantee that risks are mitigated or that undesirable conditions are prevented.

• Internal controls do not prevent failures caused by poor management judgment, or changing economic conditions.

• Management should not expect that all potential losses can be avoided.• On the other hand, no entity should fail to install proper controls. A system

of internal controls will provide the discipline and structure to provide the checks and balances to reduce risk exposure and enhance achievement of organizational (process) objectives.

7

Example: Only overtime that has been approved can be paid by payroll. However, there is a possibility that employees may claim overtime to which they are not entitled, which

could be potentially approved and paid.

“Effectiveness is doing the things that achieve results, and efficiency is doing these things the right way”

• An organization must operate both effectively and efficiently, otherwise it risks failure.

• When an organization is effective, it is serving its stakeholders well. In the context of a school board, this includes serving students, parents, teachers, and the community at large.

• When an organization is efficient, it is wisely using the resources entrusted to it and achieving the best outcomes possible.

8

Types of internal controls

9

Detective controls are designed to detect errors after they have occurred and spur a prompt investigation. They are considered after-the-fact controls as they will not identify an undesirable outcome until after it has occurred. However, effective detective controls will help identify issues in a timely manner and may reduce severity of losses.

Preventative controls

Preventive Controls are designed to prevent an error or misappropriation from occurring. They are considered to be before-the-fact controls that will prevent an undesirable outcome from occurring.

Detective controls

Discussion – Control type exercise

1. An accounting department receives a listing of aged accounts receivable that details the amount and number of days the account has been past due.

a) Preventative

b) Detective

2. School board facilities may be rented for community use, after school hours. The custodian of the school whose facilities were rented, performs a site inspection after community use and reports any damages he/she finds.

a) Preventative

b) Detective

3. Beth works in the accounting department and can process payments for employee expense reports that have been approved in the system. However, Beth does not have the ability to approve expense reports.

a) Preventative

b) Detective

4. Purchase Orders are required in order to allow the School Board to purchase goods or services. Buyers cannot obtain a purchase order from procurement unless 3 quotes are submitted.

a) Preventative

b) Detective 10

Other types of internal controls

11

Organizations use directive controls to guide management behavior and decisions, as well as to direct organization policy and activities.

Compensating controls

At times what appears to be a weakness in control may not be a problem. The weakness is offset by compensating controls found elsewhere in the control structure. These controls are intended to compensate for system shortcomings and are a back-up approach to limiting risk exposure.

Directivecontrols

Monitoring Controls (usually a management control) to monitor effectiveness of an entity’s internal controls and help in identifying problems in a proactive, rather than reactive manner.

Monitoringcontrols

Discussion – Control exercise

Within your groups, perform the following:

1. Consider various business cycles in your School Board (i.e. payroll, expenditures/payments/revenues) . What do you think some of the key controls are in this business cycle?

2. How would you classify these controls? (preventative, detective, compensating, directive or monitoring).

3. As an audit committee member what are some examples of due diligence activities you could perform relating to the oversight of internal controls.

12

Internal controls can aid in the reduction of the likelihood and significance of risk

• A quick refresher…• Inherent risk is the assessed level of risk before considering controls.• Residual risk is the assessed level of risk once internal controls are assessed.

Sig

nific

ance

of r

isk

Likelihood of occurrence

Process

Internal controls

Process

Inherent risk

Residual risk

13

Internal controls help provide reasonable assurance that the organization:

• Adheres to laws, regulations, and provincial directives

• Promotes orderly, economical, efficient, and effective operations that achieve planned outcomes

• Safeguards resources against fraud, waste, abuse, and mismanagement

• Develops and maintains reliable financial and management information and fairly discloses that data through timely reporting

• Demonstrates appropriate care of tax payer funds

Internal controls DO NOT provide absolute assurance over the appropriateness, efficiency and effectiveness of business processes as there is a risk of:

• Bad judgment

• Error / mistake

• Collusion

• Cost / benefit constraints

How can internal controls add value to the organization?

14

COSO framework

The control conscience of an organization. The “tone at the top”

The evaluation of internal and external factors that impact an organization’s performance

The policies and procedures that help ensure that actions identified to manage risk are executed and timely

The process to determine whether internal control is adequately designed, executed, effective and adaptive

The process which ensures that relevant information is identified and communicated in a timely manner

15

Control environment

• The control environment is the foundation for the internal control system. Without the control environment, the other components will collapse like a house built without a foundation.

• A number of elements influence the control environment:

– Governance model

– Organizational structure

– Management’s philosophy and operating style

– Assignment of authority and responsibility

– Integrity and ethical values

– Human Resource policies and practices

– Commitment to competence

• People are the critical aspect of the internal control system.

16

16

Monitoring

Control activities

Control environment

Com

mun

icat

ion

InformationRisk

assessment

Risk assessment

• As discussed in Module 2, Risk assessment is identifying and analyzing the events and conditions (risks) that may prevent the achievement of the entity's objectives.

• Every entity faces both internal and external risks from a variety of sources. Through proper assessment, the entity can determine how to reduce or eliminate the impact of those risks.

17

Monitoring

Control activities

Control environment

Com

mun

icat

ion

InformationRisk

assessment

Control activities

• Control activities provide the means to prevent the occurrence of identified risks, or if they cannot be prevented, to detect them as early as possible.

• Control policies and procedures must be established and executed to help ensure that the actions identified by management as necessary to address risks are effectively carried out.

• Includes both manual and automated controls, internal and external.

18

Monitoring

Control activities

Control environment

Com

mun

icat

ion

InformationRisk

assessment

Information and communication

• Relevant information needed to conduct, manage and control operations is captured and communicated throughout the organization.

• Information systems produce reports containing operational, financial and compliance related information that make it possible to run and control the organization.

• Relevant information must be identified, captured and communicated in a form and timeframe that enables people both inside the organization and external stakeholders to carry out their responsibilities.

19

Monitoring

Control activities

Control environment

Com

mun

icat

ion

InformationRisk

assessment

Monitoring

• Internal control systems need to be monitored. Monitoring is a process that assesses the quality of the internal control system's performance over time

• The purpose of the monitoring activity is to assure the ongoing quality of the internal control system. This function monitors the internal control system.

• Monitoring is the capstone component covering all the other components.

20

Monitoring

Control activities

Control environment

Com

mun

icat

ion

InformationRisk

assessment

Monitoring Activities

• Ongoing monitoring activities are built into the normal recurring activities of the entity . Examples are as follows:

J Regular managerial activities (e.g. variance analysis)

J Code of conduct compliance statements

J Internal feedback (e.g., internal audit reports)

J External feedback (e.g. Ministry communications/questions)

J Training seminars and planning sessions

21