Understanding Internal Controls

County of Riverside ■ Office of the Auditor-Controller

Understanding Internal Controls

Presented by

Megan Gomez, Internal Auditor

Audit & Specialized Accounting Division


Training ObjectivesWhat you should know after this discussion

– Internal Control

• Myths & Facts

• Definitions

• Who needs it?– Components of Internal Control– Making it real– How you can help!


Internal Controls Are…

Actions taken by management, the board of supervisors, and other parties to enhance risk management and increase the likelihood that

established objectives and goals will be achieved.


Myths & Facts

• MYTH #1:

Internal Control – That’s the Internal Auditors’ job!

• FACT #1:

While Internal Auditors do play a key role in the system of control, management is the primary owner of internal control.


Myths & Facts

• MYTH #2:

Internal Control starts with a strong set of policies and procedures.

• FACT #2:

Internal Control starts with a strong control environment.


Myths & Facts

• MYTH #3:

Internal Control is a finance thing.

• FACT #3:

Internal Control is integral to every aspect of business.


Myths & Facts

• MYTH #4:

Internal Controls are essentially negative, like a list of “thou-shalt-nots”.

• FACT #4:

Internal Control makes the right things happen the first time, and every time.


Myths & Facts

• MYTH #5:

If controls are strong enough, we can be sure financial statements will be accurate.

• FACT #5:

Internal Control provides reasonable, but not absolute, assurance that the organization’s objectives will be achieved.


Myths & Facts

• MYTH #6:

Internal Controls take time away from our core activities of making products and serving customers.

• FACT #6:

Internal Controls should be built “into”, not “onto”, business processes.


Myths & Facts

• MYTH #7:

With budget cuts and downsizing, we have to give up a certain amount of control.

• FACT #7:

With budget cuts and downsizing, we need different forms of control.


Internal Control “gets us to where we want to go, without surprises along the way.

Internal Control is everyone’s responsibility…

Internal control is me.”

-From Cargill Corporations’ Internal Control Statement


What Internal Controls do…

• Communicate vision and objectives

• Protect assets

• Comply with laws and regulations

• Provide boundaries

• Utilize resources efficiently & effectively

• Promote financial reliability and integrity

• Monitor results

• Provide feedback


Examples of Internal Control

Think about what you do…at home:• Lock your home and vehicle

• Keep your ATM/debit card PIN number secure

• Review bills and statements before paying them

• Reconcile your bank statement

• Don’t leave blank checks or cash lying around

• Expect your children to ask permission before they do certain things


Examples of Internal Control

Think about what you do…at work:• Lock County vehicles, desk drawers

• Change your computer passwords, keep secure

• Check vendor invoices against source documents

• Locked cash drawers, secure storage for warrants

• Daily deposit of cash receipts

• Authorization required for certain activities


So… who needs it?


Components of Internal Control

Who is responsible for Internal Control?

Management



Control Environment

The foundation upon which everything rests


Control Environment

Key Factors -

Management’s Attitude:

“Tone at the Top”

Individual Attributes:

Integrity, ethical values, competence



Risk Assessment


What is Risk?

Anything that could negatively impact the County’s ability to meet its operational

objectives.


Changes that Affect Risk Levels

• Globalization

• Organizational Ethics

• Financial Demands

• Technology

• Consolidations and Alliances

• Legislative Imperatives

Risk cannot be avoided or ignored!


How to Identify Risk• What could go wrong?

• How could we fail?

• What must go right to succeed?

• What decisions require the most judgment?

• What activities are the most complex?

• What activities are regulated?

• On what do we spend the most money?

• How is related revenue collected?

• On what information do we rely most?

• What assets do we need to protect?

• How could our operations be disrupted?


5 Types of Risk

• Strategic

• Financial

• Regulatory (Compliance)

• Reputational

• Operational


Conditions that Increase Risk

• Lack of segregation of duties

• Too much trust

• Lack of follow-up

• Lack of knowledge of Policies & Procedures

• Lack of control over:– Cash– Purchasing of supplies/materials



Control Activities


Control Activities

Actions

supported by policies and procedures

that help assure

management directives that address risks

are carried out properly

and in a timely manner.


Examples of Control Activities• Authorization and approval procedures

• Review of operating performances• Supervision: assigning, reviewing/approving, guidance, training

• Segregation of duties

• Controls over access to resources and records

• Reconciliations

• Verifications

• Reviews of processes and activities


Types of Control Activities

• Directive

• Preventive

• Detective

• Corrective

• Recovery

Policies & Procedures

Purchase Requisition Approval Procedures

Passwords

Data input validation

Cash Counts

Bank Reconciliations

Payroll report review

Compare statements to source documents

Compare budget to actual spending



Monitoring


Monitoring Activities

• Ongoing Monitoring– Covers each component– Action against deficiencies

• Separate Evaluations– External auditors– Internal auditors– Findings reported to management



Information &

Communication


Information & Communication

• Management Decisions

• Reliable Reporting

• Effective Communication


Quick Quiz!Which of the following best describes segregation of duties:

1) Split the work so no one has to work more than anyone else.

2) When you make sure you have one person reconciling all the transactions.

3) Procedures designed to ensure one individual cannot complete an entire transaction.

4) Something you can only achieve when you have at least five accounting personnel.


Quick Quiz!Until deposited, cash receipts should be stored:

1) In a sealed Ziplock bag.

2) In a zippered bank bag in the Department Head’s desk drawer.

3) In a secured, locked location at the department/division.

4) By the Department Head in his/her home for safekeeping.


Quick Quiz!Checks should be restrictively endorsed just prior to

deposit.

TRUE

FALSE


Case Studies

“The Employee Bonus”

“The Favored Vendor”

Stories summarized from Internal Auditor magazine


Recent HeadlinesSeptember 23, 2008 Press Enterprise

“Former Fire Department employee pleads guilty in $1.2 million embezzlement scheme”

September 21, 2008 Personal Computer World

“Downturn brings risk to the fore”

September 21, 2008 The Washington Post

“Financial titans’ fall promises big shifts ahead”

December 6, 2007 Press-Enterprise

“Redlands treasurer pleads not guilty; his attorney reports “bombshell: two sets of books”

November 3, 2007 The Californian

“Murrieta audit notes deficiencies”

August 2006 GovPro.com

“P-card transactions raise control concerns”


Why Controls Don’t Always Work

• Inadequate knowledge of policies or governing regulations

• Inadequate segregation of duties

• Inappropriate access to assets

• Form over substance

• Control override

• Inherent limitations


Control Awareness Can…

• Create a culture in which every employee understands internal control.

• Make internal control an integral part of everyone’s job responsibilities.

• Effectively manage risk.


How you can help!

• Current policies and procedures

• Communicate authorization limits

• Safeguard assets and data

• Document control

• Visible/legible authorization

• Understand your risks

• Adhere to County policies and codes


How you can help!

• Establish Objectives and Measures

• Track performance

• Evaluate Success!


How you can help!

When thinking about controls, consider:

– Propriety of transactions

– Reliability/integrity of information

– Compliance with policies & regulations

– Safeguarding assets

– Economy/efficiency of operations


Internal Auditing Can Help

Control self-assessment (CSA) program


Questions

?? ??? ?

?

? ?

?

Understanding Internal Controls

Documents

Transcript of Understanding Internal Controls