INTERNAL CONTROL for Cooperatives

A lecture delivered by Ms. Janirose Z. Fernandez, LBP Ilocos Sur, during the 2017 Cooperative Month Celebration, NSCC Plaza, Caoayan, Ilocos Sur.

Internal Control

Comprises the plan of organization and all coordinated methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency and encourage adherence to prescribed managerial policies.

Internal Control – is the systems, policies, procedures and processes effected by the BOD, management and other personnel to safeguard the assets, limit or control risk and achieve the objectives of the entity,

while

Internal Audit – provides an objective, independent review of the entity’s activities, internal control, and management information system to help the board and management monitor and evaluate the adequacy and effectiveness of internal control.

PURPOSE OF INTERNAL CONTROL

1. Ensure that the business of the Coop is conducted in a prudent manner in accordance with policies and strategies established by the board of directors;
2. That transactions are only entered into with appropriate authority;
3. That assets are safeguarded and liabilities controlled;
4. That accounting and other records provide complete, accurate and timely information;
5. That management is able to identify, assess, manage and control the risks of the business.

PRIMARY AREAS OF INTERNAL CONTROLS

1. Organizational structures (definitions of duties and responsibilities, discretionary limits for loan approval, and decision-making procedures).
2. Accounting procedures (reconciliation of account, control lists, periodic trial balances, etc.)
3. The “four eyes” principles (segregation of various functions, cross-checking, dual control of assets, double signatures, etc.).
4. Physical control over assets and investments

Internal Audit – What is it?

A systematic and independent review of the operations and controls of the organization

- Systematic: the work is done according to pre-designed plans and programs
- Independent: the work is done independent of management

Internal Audit – Why do it?

To fulfill a key link in the risk management process

Primary Goals are:
- to ensure that internal policies and procedures are being followed
- to ensure that financial and operating information is accurate
- to identify previously unrecognized risks

Internal Audit – Who should do it?

Chief Internal Auditor
- Banking and Accounting Professional, usually CPA, with credit background of financial institution
- Maintains membership and/or ties with professional associations

Staff
- Qualified candidates from within the Coop or through recruitment

Personal Qualities

- Focused, well organized
- Attentive to details
- Exercises good judgment – knows what’s important
- Excellent written and verbal communication skills
- Trustworthy – will do the right thing
- Pleasant personality – can manage and train staff
- Creative and independent thinker – can draw sound conclusions and form relevant recommendations

Auditor Independence

- Reports directly to the board of directors
- Maintains appropriate communication with the general manager/CEO
- Manages the budget and schedule for the department
- Works in a separate and secure space
- Direct access to information

Components of Internal Control

- Control environment
- Risk Assessment
- Control Activities
- Accounting, information and communication system
- Self-assessment or monitoring

Assessing the Control Environment

Control Environment – sets the tone of the Coop, influencing control consciousness of its people. It is the foundation for all other components of internal controls.

Points of Focus
- Organizational structure, assignment of authority and responsibility
- Human resource policies and procedures
- Integrity and ethical values
- Commitment to competence
- Management philosophy and operating style

An effective Control Environment is one that establishes and promotes collective positive attitude toward achieving effective internal control over the unit’s business.

Evaluating Risk Assessment Process

Risk Assessment – is the process of identifying and analyzing relevant risks to the achievement of the Coop’s objectives and determining the appropriate response

Point of Focus
- Risk identification
- Risk analysis and prioritization
- Risk management

An effective Risk Assessment establishes and maintains a process to identify, analyze, and manage risk relevant to achieving a unit’s goals and objectives.

1. Identify risks
2. Develop strategies and procedures to prioritize risks
3. Design policies to mitigate risks
4. Implement policies and assign responsibility
5. Test effectiveness and monitor results
6. Revise policies

RISK

- Is the potential for realization of the unwanted negative consequences of an event
- The possibility of loss, injury, disadvantage or destruction

Types of Major Risks for Coops

- Liquidity Risks
- Operations Risk
- Credit Risk

Assessing Control Activities

Control Activities – are the policies and procedures established and implemented to address the risks and to achieve the Coop’s objectives.

Point of Focus
- Severity and frequency of audit findings, specifically on the:
  - Design of the control
  - Operating effectiveness of the control

An effective Control Activity is one that is properly designed and implemented to mitigate the risks

Assessing Control Activities (Attributes)

Design of the controls
- Existence of appropriate policies and procedures necessary with respect to each of the entity’s activities

Operating effectiveness of the controls
- Identified control activities in place are being applied properly

Examples of Control Activities
- Documentation
- Approval and authorization
- Verification
- Supervision
- Segregation of Duties
- Safeguarding of Asset
- Reporting
- IT Controls

Assessing the Information and Communication System

Information and Communication – encompasses the methods for identifying, capturing, and communicating pertinent information in a time frame that enables people to carry out their responsibilities

Points of Focus
- Information
- Communication

An effective Information and Communication System ensures that information relevant to operating the business and the maintenance of internal control and records is identified, captured, and communicated to the appropriate individuals on a timely basis

Assessing the Monitoring System

Monitoring – Assessing the quality of internal control system performance over time

Points of Focus
- Ongoing Monitoring Activities
- Separate Evaluation*
- Reporting Deficiencies

An effective Monitoring System detects and remedies control deficiencies throughout the entire internal control system

Minimum Internal Control Standards

Proper Accounting Records

- Accounting records should satisfy the needs of a particular financial intermediary
- These should contain sufficient details to meet management and supervisory needs and should be properly and currently posted.

Division of Duties and Responsibilities

- Duties must be segregated to allow the proper functioning of automatic checks.
- No one person should be in complete charge of business transactions
- Operating instructions for each position should be reduced in writing

Signing Authorities

- Different levels of officers to sign for and in behalf of the institution should be approved by the Board of Directors
- Extent of authority should be clearly defined

Dual Control

Routine of each transaction should be so designed that at least two or more individuals are involved in the completion of every transaction

Independent Balancing

This means that someone runs and balances records that are normally posted by another person, or that someone counts held by another person

Joint Custody

Two or more persons are involved in the safekeeping of physical properties including documents

Physical Control

Safeguarding and housing of assets demand adequate physical protection. Physical control includes the vault gate keys of equipment, alarms and other physical devices to protect the premises.

Number Control

Sequence number controls incorporated in the accounting system serve two purposes: (a) to control processing and (b) to identify individual transactions

Knowledge of Outside Activities of Employees

- Periodic submission of statement of assets and liabilities ascertains the financial status of officers and employees
- Any immediate or sudden change in appearance or habits of officers and employees may be indicative of misconduct, particularly when the change reflects spending habits that go beyond the limit of their income

Rotation of Duties

Rotation reduces the opportunity for fraud, points to the adaptability of an employee, and often results in new ideas for the organization

This policy is closely related to rotation of duty as both result in a forced absence from regular duties. Vacation for those in position of trust must be enforced

Direct Verification

This pertains to confirmation of accounts or records by means of direct correspondence with the coop’s customers

Sound Personnel Policies

- Recruitment – A formal procedure must be followed when employing new people. A check of their previous employment and credit references is mandatory in order to hire individuals of competence and integrity
- Fair Salary Scale – To attract and keep honest staff
- Incentive and other Benefits – to keep employees’ morale high
- Code of Discipline. There should be a code of discipline that serves as a guide for the conduct expected of the officers and employees in their day-to-day pursuit of company objectives. Code of discipline must also spell out what constitutes violations and their corresponding penalties.

Internal Audit – How is it done?

- Develop a comprehensive annual work plan for board approval, including time schedule, budgets and scope
- Design generic audit work programs for each area of Coop operation
- Design work papers that clearly document the evidence of work performed, conclusions drawn, and meet requirements
- Prepare audit report for the board and management on a timely basis, and provide status updates at least on a quarterly basis
- Follow up on status of implementing recommendations

SAMPLE AUDIT PROGRAM

Office: _________________ Audit Date: __________________
Audit Period: ____________ Reviewer: ___________________
Source Code: 1 – Document, 2 – Interview, 3 – Observation

Columns: TASK, YES, NO, NFA, SOURCES, COMMENTS

Verify Petty Cash
- Count cash and agree to petty cash balance
- Confirm the cash is counted periodically by a supervisor
- Review paid transactions for appropriate receipts and approval
- Review replenishment vouchers for the period
- Confirm that cashbox is reasonably safeguarded
- Ensure segregation of duties in cash handling (approval, disbursement, and accounting)

Audit Report

- Keep it short and to the point
- Report on a timely basis
- Include four parts, at a minimum:
  1. Executive summary: bullet list items of concern that require immediate attention
  2. Describe the scope of work (period covered, business process or funding source, etc.)
  3. List key findings of exception to policy, risks and recommendations
  4. Note any prior recommendations that have not been implemented

FRAUD TRIANGLE

- Incentives/Pressures
- Opportunity
- Attitude/Integrity

SITUATIONS THAT OFFER OPPORTUNITY FOR FRAUD

- Ineffective internal controls
- Too much trust placed on employees
- Employees have detailed knowledge of the accounting system and its weakness
- Management domination can subvert normal internal controls
- Expected moral behavior is not communicated to employees (no code of ethics)
- Unreasonable budgets and expectations
- Related party transactions
- Incomplete or out of date procedural documentation
- Management sets a bad example
- Conflicts of interest

PROFILE OF A FRAUDSTER

- Big spender (expensive hobbies, living beyond means, high personal debt)
- Under stress (suffering from personal crisis such as financial problems or bad marriage)
- Has evident financial needs (illness, drugs, gambling)
- Intelligent (challenged by a secured system, bored by routines)
- Inquisitive (tempted by the discovery of a computer vulnerability)
- Risk taker (willing to bend the rules and take chances)
- Rule breaker (takes short cuts, self-justifies, infractions of law)
- Hard worker (first to arrive in the morning and last to leave at night, never absent)

REMINDERS ON FRAUD

- Internal auditors are not expected to be fraud specialists
- Audit procedures, even if done with due professional care, do not guarantee fraud detection
- Detection of Fraud is only a by-product of the audit function, not its main goal

Thank You!