Got Internal Got Internal Controls?Controls?

presented bypresented by South Texas CollegeSouth Texas College

Business OfficeBusiness Office“Count on Satisfaction”“Count on Satisfaction”

Definition of I/C:Definition of I/C:

““Internal control is a process - effected by an Internal control is a process - effected by an entity’s board of directors, management, and other entity’s board of directors, management, and other personnel - designed to provide personnel - designed to provide reasonablereasonable assuranceassurance regarding the regarding the achievement achievement of objectives of objectives in the following categories:in the following categories:

a) reliability of financial reportinga) reliability of financial reporting

b) effectiveness b) effectiveness and and efficiency of operations, efficiency of operations,

c) compliance with applicable laws and c) compliance with applicable laws and regulations.regulations.

* Committee of Sponsoring Organizations of the Treadway Commission

The COSO* Definition of Internal Control

Simple DefinitionSimple Definition

Internal control is what we do to see that the Internal control is what we do to see that the things we want to happen things we want to happen will will happen …happen …

And the things we don’t want to happen won’t happen.

Internal Controls Are CInternal Controls Are Common Senseommon Sense

What do you worryabout going wrong?

What steps have been takento assure it doesn’t?

How do you knowthings are under control?

-It’s an on-going process…….-It’s an on-going process…….

You exercise internal control You exercise internal control principles in your personal life principles in your personal life

when you:when you:

Lock-up valuable belongingsLock-up valuable belongings Balance your checkbookBalance your checkbook Keep your ATM/debit card PIN number Keep your ATM/debit card PIN number

separate from your cardseparate from your card Go to restaurants where you pay the Go to restaurants where you pay the

cashier directly with your credit cardcashier directly with your credit card Review your credit card statementsReview your credit card statements

There are eight components. The eight components of the frameworkare interrelated …

The Integrated Framework of The Integrated Framework of Enterprise Risk Management/Internal Enterprise Risk Management/Internal ControlsControls

Entity objectives can

be viewed in the context of four categories:

• Strategic • Operations• Reporting• Compliance

The Integrated Framework of Enterprise The Integrated Framework of Enterprise Risk Management/Internal ControlsRisk Management/Internal Controls

ERM considers activities at all levels of the organization:

• Enterprise-level• Division • Business unit• Subsidiary

The Integrated Framework of The Integrated Framework of Enterprise Risk Management/Internal Enterprise Risk Management/Internal

ControlsControls

Five components of I/C:Five components of I/C:

1) Control environment1) Control environment2) Risk assessment2) Risk assessment3) Control activities3) Control activities4) Communication and Information4) Communication and Information5) Monitoring5) Monitoring

Control EnvironmentControl Environment

This component includes the This component includes the attitude ofattitude of managementmanagement at all levels toward at all levels toward operations in general and specifically operations in general and specifically the concept of controls. This includes:the concept of controls. This includes: ethics, ethics, competence, competence, integrity, integrity, a demonstrated interest in the well being of a demonstrated interest in the well being of

the organization and the organization and organization structure and management's organization structure and management's

policies and philosophy.policies and philosophy.

Risk AssessmentRisk Assessment

Risks are internal & external events Risks are internal & external events (economic conditions, staffing changes, new (economic conditions, staffing changes, new systems, regulatory changes, natural systems, regulatory changes, natural disasters, etc.) that threaten the disasters, etc.) that threaten the accomplishment of objectives.accomplishment of objectives.

Risk assessment is the process of identifying, Risk assessment is the process of identifying, evaluating, and deciding how to manage evaluating, and deciding how to manage these events… these events… What is the likelihood of the What is the likelihood of the event occurring? What would be the impact if event occurring? What would be the impact if it were to occur? What can we do to prevent it were to occur? What can we do to prevent or reduce the risk?or reduce the risk?

Control ActivitiesControl Activities

This component includes those activities that are This component includes those activities that are traditionally associated with the concept of internal traditionally associated with the concept of internal control. These activities include:control. These activities include: approvals, approvals, responsibilities responsibilities authorities, authorities, separation of duties, separation of duties, Documentation, written policies, procedures, Documentation, written policies, procedures,

processes, processes, reconciliation, reconciliation, competent and honest personnel,competent and honest personnel, internal check, internal check, and internal auditing. and internal auditing.

These activities should be risk evaluated throughout These activities should be risk evaluated throughout the entire organization considering the organization the entire organization considering the organization as a universe.as a universe.

Communication & InformationCommunication & Information

Pertinent information must be captured, Pertinent information must be captured, identified and communicated on a timely identified and communicated on a timely basis.basis.

Effective information and communication Effective information and communication systems enable the organization’s people to systems enable the organization’s people to exchange the information needed to exchange the information needed to conduct, manage, and control its operations.conduct, manage, and control its operations.

MonitoringMonitoring

Internal control systems must be monitored Internal control systems must be monitored to assess their effectiveness… to assess their effectiveness… Are they Are they operating as intended?operating as intended?

Ongoing monitoring is necessary to react Ongoing monitoring is necessary to react dynamically to changing conditions…dynamically to changing conditions…Have Have controls become outdated, redundant, or controls become outdated, redundant, or obsolete?obsolete?

Monitoring occurs in the course of everyday Monitoring occurs in the course of everyday operations, it includes regular management operations, it includes regular management & supervisory activities and other actions & supervisory activities and other actions personnel take in performing their duties.personnel take in performing their duties.

Strong Internal Controls Benefits

Reducing and preventing errors in a cost- Reducing and preventing errors in a cost- effective manner.effective manner.

Ensuring priority issues are identified and Ensuring priority issues are identified and addressed.addressed.

Protecting employees & resources.Protecting employees & resources. Providing appropriate checks and Providing appropriate checks and

balances.balances. Having more efficient audits, resulting in Having more efficient audits, resulting in

shorter timelines, less testing, and fewer shorter timelines, less testing, and fewer demands on staff.demands on staff.

Five KeyFive Key Internal Control Internal Control Activities…Activities…

1.Separation of Duties2.Documentation3.Authorization &

approvals4.Security of assets5.Reconciliation & review

1. Separation of Duties1. Separation of Duties

Divide responsibilities between different Divide responsibilities between different employees so one individual doesn’t employees so one individual doesn’t control all aspects of a transaction.control all aspects of a transaction.

Reduce the opportunity for an employee to Reduce the opportunity for an employee to commit and conceal errors (intentional or commit and conceal errors (intentional or unintentional) or perpetrate fraud.unintentional) or perpetrate fraud.

A fundamental element of internal control is the segregation of certain key duties. In general, the principal incompatible duties to be segre gated are:

Custody of assets. Authorization or approval of related trans

actions affecting those assets. Recording or reporting of related transac

tions.

Separation of DutiesSeparation of Duties

2. Documentation

Document & preserve evidence to substantiate:Document & preserve evidence to substantiate: Critical decisions and significant Critical decisions and significant

events...typically involving the use, events...typically involving the use, commitment, or transfer of resources.commitment, or transfer of resources.

Transactions…enables a transaction to be Transactions…enables a transaction to be traced from its inception to completion.traced from its inception to completion.

Policies & Procedures…documents which set Policies & Procedures…documents which set forth the fundamental principles and methods forth the fundamental principles and methods that employees rely on to do their jobs.that employees rely on to do their jobs.

3. Authorization & Approvals

Management documents and communicates Management documents and communicates which activities require approval, and by which activities require approval, and by whom, based on the level of risk to the whom, based on the level of risk to the organization.organization.

Ensure that transactions are approved and Ensure that transactions are approved and executed only by employees acting within the executed only by employees acting within the scope of their authority granted by scope of their authority granted by management.management.

4. Security of Assets

Secure and restrict access to equipment, cash, Secure and restrict access to equipment, cash, inventory, confidential information, etc. to inventory, confidential information, etc. to reduce the risk of loss or unauthorized use.reduce the risk of loss or unauthorized use.

Perform periodic physical inventories to verify Perform periodic physical inventories to verify existence, quantities, location, condition, and existence, quantities, location, condition, and utilization.utilization.

Base the level of security on the vulnerability Base the level of security on the vulnerability of items being secured, the likelihood of loss, of items being secured, the likelihood of loss, and the potential impact should a loss occur.and the potential impact should a loss occur.

5. Reconciliation & Review

Examine transactions, information, and Examine transactions, information, and events to verify accuracy, completeness, events to verify accuracy, completeness, appropriateness, and compliance.appropriateness, and compliance.

Base level of review on materiality, risk, Base level of review on materiality, risk, and overall importance to organization’s and overall importance to organization’s objectives.objectives.

Ensure frequency is adequate enough to Ensure frequency is adequate enough to detect and act upon questionable activities detect and act upon questionable activities in a timely manner.in a timely manner.

Criminologist Donald R. Cressey identified three traits that are commonly present when people perpetrate fraud. Cressey created an hypothesis known as the ‘fraud triangle.’ The three sides of the fraud triangle are: Rationalization – Since the majority of individuals who commit

serious occupation fraud are not career criminals, they feel a strong need to justify their actions.

Opportunity – Access to company assets and a lack of internal controls that will prevent immediate detection of the fraud.

Pressure – This is a financial need (real or perceived) that the individual cannot share with others due to potential shame or loss of social status.

Fraud TriangleFraud Triangle

Fraud TriangleFraud Triangle

When these three sides of the triangle are present, there is a much higher than normal chance of an individual committing a fraud.

¿Questions?

Got Internal Controls?Got Internal Controls?